From freeipa at noboost.org Wed Feb 1 04:31:15 2012
From: freeipa at noboost.org (Craig T)
Date: Wed, 1 Feb 2012 15:31:15 +1100
Subject: [Freeipa-users] Firewalling IPA 2
Message-ID: <20120201043114.GA7425@noboost.org>

Hi,

I'd like to restrict which hosts have access to port 389 on the IPA server.
How does SSSD connect to the IPA 2.x server for user name queries? I half expected it to need port 389 or 636 open on the server, but my testing is showing this is not the case.

cya

Craig

From jhrozek at redhat.com Wed Feb 1 06:56:00 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 1 Feb 2012 07:56:00 +0100
Subject: [Freeipa-users] Firewalling IPA 2
In-Reply-To: <20120201043114.GA7425@noboost.org>
References: <20120201043114.GA7425@noboost.org>
Message-ID: <20120201065600.GB5727@hendrix.redhat.com>

On Wed, Feb 01, 2012 at 03:31:15PM +1100, Craig T wrote:
> Hi,
>
> I'd like to restrict which hosts have access to port 389 on the IPA server.
> How does SSSD connect to the IPA 2.x server for user name queries? I half expected it to need port 389 or 636 open on the server, but my testing is showing this is not the case.
>
> cya
>
> Craig
>

SSSD uses LDAP + SASL/GSSAPI for identity lookups. Authentication is Kerberos, with the exception of client-side password migration, which does a one-time TLS bind.

Both SASL/GSSAPI and the TLS bind use port 389. We don't use ldaps:// (which would be port 636 by default) in the IPA provider at all.

As for why your testing looked like port 389 does not need to be open, my guess is that SSSD simply returned entries from cache. Does an identity lookup (getent passwd admin) work when you remove or expire the caches and restart SSSD?

From johnny.westerlund at atea.se Wed Feb 1 07:51:36 2012
From: johnny.westerlund at atea.se (Westerlund Johnny)
Date: Wed, 1 Feb 2012 08:51:36 +0100
Subject: [Freeipa-users] IPA Sudo - RHEL5
Message-ID:

Hey all,

I've been running IPA on a RHEL6.2 and so far it's looking great. HBAC is awesome.
The other machines in the domain are another RHEL 6.2 and one RHEL 5.7.

I've also configured SUDO and it was working great on all machines. But that's changed now. The RHEL 6.2 and the ipaserver itself (also rhel6.2) work great. But the RHEL 5.7 stopped working the other day, and nothing I do can make it work again.

I've followed the documentation at:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/sudo.html
But I just can't seem to find the problem, so I'm starting to wonder if it broke when I patched the system the other day.

Both login and HBAC rules seem to work fine on the 5.7 box, but not SUDO. I've tried running the sssd daemon interactively and in debug mode (sssd -i -d6) but it's hard to know what to look for. Anyone able to give some troubleshooting tips?

From sigbjorn at nixtra.com Wed Feb 1 10:02:07 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 1 Feb 2012 11:02:07 +0100 (CET)
Subject: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD
In-Reply-To: <1328013646.2240.98.camel@s sgallagh520.sgallagh.bos.redhat.com>
References: <22124.213.225.75.97.1327935713.squirrel@www.nixtra.com> <1327936847.2240.25.camel@sgallagh520.sgallagh.bos.redhat.com> <1327943174.2240.38.camel@sgallagh520.sgallagh.bos.redhat.com> <33082.213.225.75.97.1328013343.squirrel@www.nixtra.com> <1328013646.2240.98.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <24621.213.225.75.97.1328090527.squirrel@www.nixtra.com>

Hi,

Is this more like the expected output? :)

#0  0x00000039a1ad4ce3 in __epoll_wait_nocancel () from /lib64/libc.so.6
No symbol table info available.
#1  0x00000039a2e0514e in ?? () from /usr/lib64/libtevent.so.0
No symbol table info available.
#2  0x00000039a2e02690 in _tevent_loop_once () from /usr/lib64/libtevent.so.0
No symbol table info available.
#3  0x00000039a2e026fb in ?? () from /usr/lib64/libtevent.so.0
No symbol table info available.
#4  0x0000000000435771 in server_loop (main_ctx=0x16211b10) at src/util/server.c:526
No locals.
#5  0x000000000040ef2f in main (argc=6, argv=0x7fff66702d88) at src/providers/data_provider_be.c:1333
        opt =
        pc = 0x1620f5e0
        be_domain = 0x1620f9c0 "dns.local"
        srv_name =
        conf_entry =
        main_ctx = 0x16211b10
        ret =
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x6496a0, val = 0, descrip = 0x43a7d2 "Help options:", argDescrip = 0x0}, {longName = 0x43a7e0 "debug-level", shortName = 100 'd', argInfo = 2, arg = 0x649778, val = 0, descrip = 0x43a7b1 "Debug level", argDescrip = 0x0}, {longName = 0x43a7ec "debug-to-files", shortName = 102 'f', argInfo = 0, arg = 0x64977c, val = 0, descrip = 0x43b448 "Send the debug output to files instead of stderr", argDescrip = 0x0}, {longName = 0x43a7fb "debug-timestamps", shortName = 0 '\000', argInfo = 2, arg = 0x649680, val = 0, descrip = 0x43a7bd "Add debug timestamps", argDescrip = 0x0}, {longName = 0x43bd90 "domain", shortName = 0 '\000', argInfo = 1, arg = 0x7fff66702c48, val = 0, descrip = 0x43b480 "Domain of the information provider (mandatory)", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}}
        __FUNCTION__ = "main"
(gdb) cont
Continuing.

Program received signal SIGTERM, Terminated.
0x00000039a1ad4ce3 in __epoll_wait_nocancel () from /lib64/libc.so.6

Rgds,
Siggi

On Tue, January 31, 2012 13:40, Stephen Gallagher wrote:
> On Tue, 2012-01-31 at 13:35 +0100, Sigbjorn Lie wrote:
>
>>
>>
>> Ok, please see below for the output from gdb.
>>
>>
>> I notice that it's not happening every time.
>> All this morning I could unlock without any
>> issues. Around lunchtime the issue started occurring again, but it's different each time how
>> many times I have to restart sssd before I can successfully unlock my desktop.
>>
>>
>>
>> warning: no loadable sections found in added symbol-file system-supplied DSO at
>> 0x7fff3fbfd000
>> 0x00002b104670cce3 in __epoll_wait_nocancel () from /lib64/libc.so.6
>> (gdb) cont
>> Continuing.
>>
>>
>> Detaching after fork from child process 22008.
>> Detaching after fork from child process 23608.
>> Detaching after fork from child process 28122.
>> Detaching after fork from child process 32315.
>>
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> sysdb_attrs_get_el_int (attrs=0x6c616d726f6e2d72, name=0x43c75d "name", alloc=true,
>>     el=0x7fff3fafbb18) at src/db/sysdb.c:254
>> 254         for (i = 0; i < attrs->num; i++) {
>> (gdb)
>> Continuing.
>>
>
> Don't do "continue" here. This is where we needed the 'bt full'. Once
> you continue from here, it just exits and we lose the state.
>
> Please rerun this test.
>
>
>>
>> Program terminated with signal SIGSEGV, Segmentation fault.
>> The program no longer exists.
>> (gdb) bt full
>> No stack.
>> (gdb)
>>
>>
>>
>> Regards,
>> Siggi
>>
>>
>>
>
>

From sgallagh at redhat.com Wed Feb 1 12:28:42 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 01 Feb 2012 07:28:42 -0500
Subject: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD
In-Reply-To: <24621.213.225.75.97.1328090527.squirrel@www.nixtra.com>
References: <22124.213.225.75.97.1327935713.squirrel@www.nixtra.com> <1327936847.2240.25.camel@sgallagh520.sgallagh.bos.redhat.com> <1327943174.2240.38.camel@sgallagh520.sgallagh.bos.redhat.com> <33082.213.225.75.97.1328013343.squirrel@www.nixtra.com> <1328013646.2240.98.camel@sgallagh520.sgallagh.bos.redhat.com> <24621.213.225.75.97.1328090527.squirrel@www.nixtra.com>
Message-ID: <1328099322.2240.212.camel@sgallagh520.sgallagh.bos.redhat.com>

On Wed, 2012-02-01 at 11:02 +0100, Sigbjorn Lie wrote:
> Hi,
>
> Is this more like the expected output? :)
>

No, I'm afraid it's not. That's a log of a legitimate shutdown, not a segmentation fault. (Receiving SIGTERM means that the monitor told the process to exit).

Possibly this happened if the time between attaching to the process and typing 'cont' was more than about 30 seconds. The monitor will assume the sssd_be process isn't responding and will kill and restart it.

You will know you got the correct results if you see

"Program received signal SIGSEGV, Segmentation fault."

and then you can immediately perform the 'bt full'
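Added example (not from Stephen's or Siggi's messages): the same capture done non-interactively, so the 30-second window described above cannot bite. The script SIGSTOPs the sssd monitor so it cannot terminate the backend while gdb waits, attaches gdb in batch mode with `continue` followed by `bt full`, resumes the monitor, and classifies the captured log so a SIGTERM shutdown is not mistaken for the crash. Assumptions: the monitor's pid is in /var/run/sssd.pid, the backend's command line contains `sssd_be --domain <name>`, and the two sample logs are constructed from the outputs quoted earlier in this thread. One detail worth keeping in mind when reading the real backtrace: the faulting argument in Siggi's earlier trace, attrs=0x6c616d726f6e2d72, is the little-endian encoding of the ASCII bytes "r-normal", the signature of a pointer slot overwritten with string data (memory corruption or a use-after-free), which is exactly why the stack at the instant of the fault, rather than after a continue, is what the developers need.

```shell
#!/bin/sh
# Added example, not from the thread: capture a backtrace from sssd_be without
# the sssd monitor killing the backend first.
# Assumptions: the monitor writes /var/run/sssd.pid and the backend's command
# line contains "sssd_be --domain <name>".

# Pid of the sssd monitor (the parent that restarts unresponsive children).
monitor_pid() {
    cat /var/run/sssd.pid
}

# Pid of the backend process serving one SSSD domain.
backend_pid() {
    pgrep -f "sssd_be.*--domain[= ]$1"
}

# Attach gdb in batch mode: 'continue' returns when the process stops on a
# signal, then 'bt full' dumps every frame with locals.  The monitor is
# SIGSTOPped for the duration so it cannot SIGTERM the backend while we wait,
# and is resumed afterwards however gdb exits.  Prints the log file name.
capture_backtrace() {
    domain=$1
    out=${2:-/tmp/sssd_be-$domain.gdb.log}
    mon=$(monitor_pid) || return 1
    be=$(backend_pid "$domain") || return 1
    kill -STOP "$mon"
    trap 'kill -CONT "$mon" 2>/dev/null' EXIT INT TERM
    gdb -batch -p "$be" -ex continue -ex 'bt full' >"$out" 2>&1
    kill -CONT "$mon"
    trap - EXIT INT TERM
    echo "$out"
}

# Classify a gdb log: only a SIGSEGV stop is the crash we want; a SIGTERM stop
# means the monitor (or an operator) shut the process down cleanly.
classify_gdb_log() {
    if grep -q 'Program received signal SIGSEGV' "$1"; then
        echo segfault
    elif grep -q 'Program received signal SIGTERM' "$1"; then
        echo terminated
    else
        echo unknown
    fi
}

# Constructed sample logs, trimmed from the two outputs quoted in this thread:
# $1 receives the SIGTERM shutdown, $2 the real segmentation fault.
write_samples() {
    cat >"$1" <<'EOF'
Continuing.

Program received signal SIGTERM, Terminated.
0x00000039a1ad4ce3 in __epoll_wait_nocancel () from /lib64/libc.so.6
EOF
    cat >"$2" <<'EOF'
Continuing.

Program received signal SIGSEGV, Segmentation fault.
sysdb_attrs_get_el_int (attrs=0x6c616d726f6e2d72, name=0x43c75d "name", alloc=true,
    el=0x7fff3fafbb18) at src/db/sysdb.c:254
254         for (i = 0; i < attrs->num; i++) {
EOF
}
```

Run `capture_backtrace dns.local` as root while reproducing the unlock, then `classify_gdb_log` on the file it names; only a result of segfault is worth sending to the list.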
From sgallagh at redhat.com Wed Feb 1 12:33:24 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 01 Feb 2012 07:33:24 -0500
Subject: [Freeipa-users] Firewalling IPA 2
In-Reply-To: <20120201065600.GB5727@hendrix.redhat.com>
References: <20120201043114.GA7425@noboost.org> <20120201065600.GB5727@hendrix.redhat.com>
Message-ID: <1328099604.2240.216.camel@sgallagh520.sgallagh.bos.redhat.com>

On Wed, 2012-02-01 at 07:56 +0100, Jakub Hrozek wrote:
> On Wed, Feb 01, 2012 at 03:31:15PM +1100, Craig T wrote:
> > Hi,
> >
> > I'd like to restrict which hosts have access to port 389 on the IPA server.
> > How does SSSD connect to the IPA 2.x server for user name queries? I half expected it to need port 389 or 636 open on the server, but my testing is showing this is not the case.
>
> SSSD uses LDAP + SASL/GSSAPI for identity lookups. Authentication is
> Kerberos with the exception of client side password migration that does
> a one-time TLS bind.
>
> Both SASL/GSSAPI and the TLS bind use port 389. We don't use ldaps://
> (which would be port 636 by default) in the IPA provider at all.
>
> As for why your testing looked like port 389 does not need to be open, my
> guess is that SSSD simply returned entries from cache. Does an identity
> lookup (getent passwd admin) work when you remove or expire the caches
> and restart SSSD?

Yeah, I agree with Jakub. SSSD performs caching on the client side so that if the FreeIPA server is unreachable for a time, it can still return results locally. If the server is unavailable, the cached results will never expire, so you can't just wait it out (or use the sss_cache tool to any great effect).

In terms of your firewall rules, you only want to allow access on port 389 for your hosts.
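As an added illustration (not code from any message in this thread) of the firewall advice above: the script below generates an iptables allow-list for the IPA server from a list of enrolled client networks, grants the LDAPS port separately to the few hosts that really use it, and shows how to verify from a client that a lookup crossed the network instead of being answered from SSSD's cache. The port set is the one ipa-server-install prints in its closing summary on 2.x (an assumption here, not something the thread states); the client addresses and the chain name are made up.

```shell
#!/bin/sh
# Added example, not from the thread: iptables allow-list for a FreeIPA 2.x server.
# Port list assumed from ipa-server-install's closing summary:
#   TCP 80,443 (HTTP/HTTPS: enrollment, web UI)   TCP 389,636 (LDAP/LDAPS)
#   TCP+UDP 88,464 (Kerberos KDC and kpasswd)     TCP+UDP 53 (DNS)   UDP 123 (NTP)
# SSSD's IPA provider only uses 389 (SASL/GSSAPI over plain LDAP), so 636 is kept
# out of the client set and granted separately to hosts that really speak LDAPS.

IPA_TCP_CLIENT="80 443 389 88 464 53"
IPA_UDP_CLIENT="88 464 53 123"

# Emit (not apply) the rules: one ACCEPT per client network and port, then a
# DROP for every IPA port so hosts outside the list get nothing at all.
ipa_rules() {
    chain=IPA-CLIENTS
    echo "iptables -N $chain"
    for src in "$@"; do
        for p in $IPA_TCP_CLIENT; do
            echo "iptables -A $chain -s $src -p tcp --dport $p -j ACCEPT"
        done
        for p in $IPA_UDP_CLIENT; do
            echo "iptables -A $chain -s $src -p udp --dport $p -j ACCEPT"
        done
    done
    for p in $IPA_TCP_CLIENT 636; do
        echo "iptables -A $chain -p tcp --dport $p -j DROP"
    done
    for p in $IPA_UDP_CLIENT; do
        echo "iptables -A $chain -p udp --dport $p -j DROP"
    done
    echo "iptables -I INPUT -j $chain"
}

# A host that needs LDAPS (e.g. a mail server doing LDAP auth binds) gets 636
# only; inserted at the top of the chain so it lands ahead of the DROPs.
ldaps_rule() {
    echo "iptables -I IPA-CLIENTS -s $1 -p tcp --dport 636 -j ACCEPT"
}

# Count ACCEPT rules for one port in generated output (used by the checks).
count_accepts() {
    grep -c -- "--dport $1 -j ACCEPT"
}

# Client-side verification: empty SSSD's cache so the lookup has to reach the
# server.  sss_cache exists on newer SSSD; older builds need the cache db removed
# while sssd is stopped.  Usage: verify_live_lookup admin
verify_live_lookup() {
    if command -v sss_cache >/dev/null 2>&1; then
        sss_cache -E
    else
        service sssd stop && rm -f /var/lib/sss/db/cache_*.ldb && service sssd start
    fi
    getent passwd "$1"
}
```

ipa_rules only prints; pipe it through sh once the output reads right. A DROP on 389 is invisible to a client that still has a warm cache, which is why verify_live_lookup empties it first. If you also switch off anonymous LDAP access on the server, re-test anything that talks LDAP without a Kerberos or bind identity; sudo's own LDAP driver is the obvious one.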
It's also worth noting that because SSSD clients bind with their host entry, you can also opt to disable anonymous access to the FreeIPA LDAP server for added security.

From sgallagh at redhat.com Wed Feb 1 12:35:33 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 01 Feb 2012 07:35:33 -0500
Subject: [Freeipa-users] IPA Sudo - RHEL5
In-Reply-To:
References:
Message-ID: <1328099733.2240.218.camel@sgallagh520.sgallagh.bos.redhat.com>

On Wed, 2012-02-01 at 08:51 +0100, Westerlund Johnny wrote:
> Hey all,
>
> I've been running IPA on a RHEL6.2 and so far it's looking great. HBAC
> is awesome. The other machines in the domain are another RHEL 6.2 and one
> RHEL 5.7.
>
> I've also configured SUDO and it was working great on all machines. But
> that's changed now. The RHEL 6.2 and the ipaserver itself (also rhel6.2)
> work great. But the RHEL 5.7 stopped working the other day, and
> nothing I do can make it work again.
>
> I've followed the documentation at:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/sudo.html
> But I just can't seem to find the problem, so I'm starting to wonder if
> it broke when I patched the system the other day.
>
> Both login and HBAC rules seem to work fine on the 5.7 box, but not
> SUDO. I've tried running the sssd daemon interactively and in debug
> mode (sssd -i -d6) but it's hard to know what to look for. Anyone able
> to give some troubleshooting tips?

SUDO support doesn't go through SSSD[1]. It uses its own internal LDAP driver to talk to FreeIPA. So if you're suddenly having trouble there, I'd look into the sudo package.
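An added example (not from Stephen's message, nor the project's own documentation) of the sudo-side configuration on a RHEL 5 client that the advice above points at: sudo's built-in LDAP driver reads /etc/ldap.conf there, and because it carries no Kerberos credentials it needs a bind identity of its own once anonymous reads are switched off on the server. The names below (ipa.example.com, dc=example,dc=com, a uid=sudo system account under cn=sysaccounts,cn=etc, the ou=SUDOers compat subtree) are assumptions modelled on the layout the Red Hat guide uses, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: /etc/ldap.conf for sudo's LDAP driver on a
# RHEL 5 IPA client.  Assumed names: ipa.example.com, dc=example,dc=com, and a
# system account uid=sudo,cn=sysaccounts,cn=etc,<suffix> created on the server.

# Print the sudo LDAP configuration for a server, base DN and bind password.
sudo_ldap_conf() {
    server=$1 suffix=$2 bindpw=$3
    cat <<EOF
# sudo LDAP driver settings (RHEL 5 sudo reads /etc/ldap.conf)
uri ldap://$server
sudoers_base ou=SUDOers,$suffix
binddn uid=sudo,cn=sysaccounts,cn=etc,$suffix
bindpw $bindpw
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
sudoers_debug 0
EOF
}

# Install the file root-only: it carries the bind password, and sudo reads it as
# root, so nothing else needs to see it.  Also tell sudo to consult LDAP.
install_sudo_ldap_conf() {
    ( umask 077; sudo_ldap_conf "$1" "$2" "$3" >/etc/ldap.conf )
    chmod 0600 /etc/ldap.conf
    grep -q '^sudoers:' /etc/nsswitch.conf ||
        echo 'sudoers: files ldap' >>/etc/nsswitch.conf
}

# Check from the client, with sudo out of the loop, that the bind account can
# read the rule tree.  An empty result means the account/password is wrong, or
# anonymous access was disabled and the binddn line is missing.
check_sudoers_tree() {
    ldapsearch -x -ZZ -H "ldap://$1" \
        -D "uid=sudo,cn=sysaccounts,cn=etc,$2" -w "$3" \
        -b "ou=SUDOers,$2" '(objectClass=sudoRole)' cn
}

# Pick the value of one key out of a generated config (used by the checks).
conf_value() {
    awk -v k="$1" '$1 == k { print $2 }'
}
```

Create the system account and set its password on the server first (ldappasswd against uid=sudo,cn=sysaccounts,cn=etc,<suffix> as Directory Manager), then run install_sudo_ldap_conf ipa.example.com dc=example,dc=com '<password>' on the client and compare check_sudoers_tree with what sudo -l shows. Because SSSD handles NSS and PAM on an IPA client, nothing but sudo reads /etc/ldap.conf, so the file can stay root-only; do not share it with nss_ldap, which would have to read the bind password as every user.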
[1] This is a feature we're working on for Fedora and will be coming in future versions of RHEL 6, but probably not for RHEL 5

From johnny.westerlund at atea.se Wed Feb 1 12:43:15 2012
From: johnny.westerlund at atea.se (Westerlund Johnny)
Date: Wed, 1 Feb 2012 13:43:15 +0100
Subject: [Freeipa-users] IPA Sudo - RHEL5
In-Reply-To: <1328099733.2240.218.camel@sgallagh520.sgallagh.bos.redhat.com>
References: , <1328099733.2240.218.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID:

You pointed me in the correct direction. I only needed to set up ldap.conf in a correct way and it worked perfectly.
The documentation for setting up sudo on RHEL 6 describes how to set up nslcd.conf; I just made ldap.conf a symlink to that file and it worked.

Thanks a lot for your input.

Regards
johnny

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stephen Gallagher [sgallagh at redhat.com]
Sent: 1 February 2012 13:35
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Sudo - RHEL5

On Wed, 2012-02-01 at 08:51 +0100, Westerlund Johnny wrote:
> Hey all,
>
> I've been running IPA on a RHEL6.2 and so far it's looking great. HBAC
> is awesome. The other machines in the domain are another RHEL 6.2 and one
> RHEL 5.7.
>
> I've also configured SUDO and it was working great on all machines. But
> that's changed now. The RHEL 6.2 and the ipaserver itself (also rhel6.2)
> work great. But the RHEL 5.7 stopped working the other day, and
> nothing I do can make it work again.
>
> I've followed the documentation at:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/sudo.html
> But I just can't seem to find the problem, so I'm starting to wonder if
> it broke when I patched the system the other day.
>
> Both login and HBAC rules seem to work fine on the 5.7 box, but not
> SUDO. I've tried running the sssd daemon interactively and in debug
> mode (sssd -i -d6) but it's hard to know what to look for. Anyone able
> to give some troubleshooting tips?

SUDO support doesn't go through SSSD[1]. It uses its own internal LDAP driver to talk to FreeIPA. So if you're suddenly having trouble there, I'd look into the sudo package.

[1] This is a feature we're working on for Fedora and will be coming in future versions of RHEL 6, but probably not for RHEL 5

From simo at redhat.com Wed Feb 1 14:04:33 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 01 Feb 2012 09:04:33 -0500
Subject: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD
In-Reply-To: <1328099322.2240.212.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <22124.213.225.75.97.1327935713.squirrel@www.nixtra.com> <1327936847.2240.25.camel@sgallagh520.sgallagh.bos.redhat.com> <1327943174.2240.38.camel@sgallagh520.sgallagh.bos.redhat.com> <33082.213.225.75.97.1328013343.squirrel@www.nixtra.com> <1328013646.2240.98.camel@sgallagh520.sgallagh.bos.redhat.com> <24621.213.225.75.97.1328090527.squirrel@www.nixtra.com> <1328099322.2240.212.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <1328105073.21059.23.camel@willson.li.ssimo.org>

On Wed, 2012-02-01 at 07:28 -0500, Stephen Gallagher wrote:
> On Wed, 2012-02-01 at 11:02 +0100, Sigbjorn Lie wrote:
> > Hi,
> >
> > Is this more like the expected output? :)
> >
>
> No, I'm afraid it's not. That's a log of a legitimate shutdown, not a
> segmentation fault. (Receiving SIGTERM means that the monitor told the
> process to exit).
>
> Possibly this happened if the time between attaching to the process and
> typing 'cont' was more than about 30 seconds. The monitor will assume
> the sssd_be process isn't responding and will kill and restart it.
>
> You will know you got the correct results if you see
>
> "Program received signal SIGSEGV, Segmentation fault."
>
> and then you can immediately perform the 'bt full'

For better results with gdb I suggest sending SIGSTOP to the monitor before attaching gdb to any of the responders or the providers; this way the monitor will be prevented from sending termination signals to the children. However, don't do this for long, only for short periods, and send SIGCONT back to the monitor immediately after.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Wed Feb 1 14:06:14 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 01 Feb 2012 09:06:14 -0500
Subject: [Freeipa-users] Firewalling IPA 2
In-Reply-To: <1328099604.2240.216.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <20120201043114.GA7425@noboost.org> <20120201065600.GB5727@hendrix.redhat.com> <1328099604.2240.216.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <1328105174.21059.24.camel@willson.li.ssimo.org>

On Wed, 2012-02-01 at 07:33 -0500, Stephen Gallagher wrote:
> On Wed, 2012-02-01 at 07:56 +0100, Jakub Hrozek wrote:
> > On Wed, Feb 01, 2012 at 03:31:15PM +1100, Craig T wrote:
> > > Hi,
> > >
> > > I'd like to restrict which hosts have access to port 389 on the IPA server.
> > > How does SSSD connect to the IPA 2.x server for user name queries? I
> > > half expected it to need port 389 or 636 open on the server, but my
> > > testing is showing this is not the case.
> >
> > SSSD uses LDAP + SASL/GSSAPI for identity lookups. Authentication is
> > Kerberos with the exception of client side password migration that does
> > a one-time TLS bind.
> >
> > Both SASL/GSSAPI and the TLS bind use port 389.
> > We don't use ldaps://
> > (which would be port 636 by default) in the IPA provider at all.
> >
> > As for why your testing looked like port 389 does not need to be open, my
> > guess is that SSSD simply returned entries from cache. Does an identity
> > lookup (getent passwd admin) work when you remove or expire the caches
> > and restart SSSD?
>
> Yeah, I agree with Jakub. SSSD performs caching on the client side so
> that if the FreeIPA server is unreachable for a time, it can still
> return results locally. If the server is unavailable, the cached results
> will never expire, so you can't just wait it out (or use the sss_cache
> tool to any great effect).
>
> In terms of your firewall rules, you only want to allow access on port
> 389 for your hosts. It's also worth noting that because SSSD clients
> bind with their host entry, you can also opt to disable anonymous access
> to the FreeIPA LDAP server for added security.

When FreeIPA installs, it tells you the list of ports you should leave open: LDAP, Kerberos, and possibly others like DNS, NTP, etc. should all be made available to clients.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From nsollars at gmail.com Wed Feb 1 16:03:40 2012
From: nsollars at gmail.com (Nigel Sollars)
Date: Wed, 1 Feb 2012 11:03:40 -0500
Subject: [Freeipa-users] Added user password expire fails change
Message-ID:

Hello,

I have the server up, an FC system enrolled as a client and the WebUI available. When I create a user (set the password), kadmin.local always shows the password expired. When trying to log in as the IPA user it asks me to change the password; this fails with

Cannot contact any KDC for requested realm while getting initial credentials

(even using kinit on my ipaserver)

I have looked at several pages to solve this one but to no avail; the admin account works flawlessly. Any help would be greatly appreciated.
I am using the latest and greatest from FC 16 as my IPA Server (2.1.4 iirc).

Again thanks in advance

Nige

-- 
“Science is a differential equation. Religion is a boundary condition.”

Alan Turing

From dpal at redhat.com Wed Feb 1 16:36:15 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 01 Feb 2012 11:36:15 -0500
Subject: [Freeipa-users] Added user password expire fails change
In-Reply-To:
References:
Message-ID: <4F2969FF.90400@redhat.com>

On 02/01/2012 11:03 AM, Nigel Sollars wrote:
> Hello,
>
> I have the server up, an FC system enrolled as a client and the WebUI
> available. When I create a user (set the password), kadmin.local
> always shows the password expired. When trying to log in as the IPA
> user it asks me to change the password; this fails with
>

Hi Nigel,

How do you set the password? Are you using the ipa passwd command or the IPA UI?

kadmin.local should not be used with IPA. IPA provides other means to access the information about user accounts. Most preferable are the "ipa ..." set of commands and the IPA UI, but you can also see a lot via a plain ldapsearch command.

Thanks
Dmitri

> Cannot contact any KDC for requested realm while getting initial
> credentials
>
> (even using kinit on my ipaserver)
>
> I have looked at several pages to solve this one but to no avail; the
> admin account works flawlessly. Any help would be greatly appreciated.
>
> I am using the latest and greatest from FC 16 as my IPA Server (
> 2.1.4 iirc).
>
> Again thanks in advance
>
> Nige
>
> --
> “Science is a differential equation. Religion is a boundary condition.”
>
> Alan Turing
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From erinn.looneytriggs at gmail.com Wed Feb 1 18:16:40 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Wed, 01 Feb 2012 09:16:40 -0900
Subject: [Freeipa-users] IPA Sudo - RHEL5
In-Reply-To:
References: , <1328099733.2240.218.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <4F298188.6010701@gmail.com>

On 02/01/2012 03:43 AM, Westerlund Johnny wrote:
> You pointed me in the correct direction. I only needed to set up ldap.conf in a correct way and it worked perfectly.
> The documentation for setting up sudo on RHEL 6 describes how to set up nslcd.conf; I just made ldap.conf a symlink to that file and it worked.
>
> Thanks a lot for your input.
>
> Regards
> johnny
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stephen Gallagher [sgallagh at redhat.com]
> Sent: 1 February 2012 13:35
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA Sudo - RHEL5
>
> On Wed, 2012-02-01 at 08:51 +0100, Westerlund Johnny wrote:
>> Hey all,
>>
>> I've been running IPA on a RHEL6.2 and so far it's looking great. HBAC
>> is awesome. The other machines in the domain are another RHEL 6.2 and one
>> RHEL 5.7.
>>
>> I've also configured SUDO and it was working great on all machines. But
>> that's changed now. The RHEL 6.2 and the ipaserver itself (also rhel6.2)
>> work great. But the RHEL 5.7 stopped working the other day, and
>> nothing I do can make it work again.
>>
>> I've followed the documentation at:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/sudo.html
>> But I just can't seem to find the problem, so I'm starting to wonder if
>> it broke when I patched the system the other day.
>>
>> Both login and HBAC rules seem to work fine on the 5.7 box, but not
>> SUDO.
>> I've tried running the sssd daemon interactively and in debug
>> mode (sssd -i -d6) but it's hard to know what to look for. Anyone able
>> to give some troubleshooting tips?
>
> SUDO support doesn't go through SSSD[1]. It uses its own internal LDAP
> driver to talk to FreeIPA. So if you're suddenly having trouble there,
> I'd look into the sudo package.
>
>
>
> [1] This is a feature we're working on for Fedora and will be coming in
> future versions of RHEL 6, but probably not for RHEL 5
>

Just wanted to add here that the Red Hat docs for 5.8 beta include an identity management doc that specifies how to set this up under RHEL 5.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5-Beta/html/Configuring_Identity_Management/configuring-rhel5.html#Setting_up_sudo_Rules-Client_Configuration_for_sudo_Rules

-Erinn

From loris at lgs.com.ve Wed Feb 1 18:21:20 2012
From: loris at lgs.com.ve (Loris Santamaria)
Date: Wed, 01 Feb 2012 13:51:20 -0430
Subject: [Freeipa-users] DNS zone delegation
Message-ID: <1328120480.23084.19.camel@arepa.pzo.lgs.com.ve>

Hi,

I have a DNS zone managed by IPA and I'm trying to delegate a zone managed by Active Directory.

The IPA managed zone is called "corpfbk", and the AD one is "ad.corpfbk".

I started by adding the proper glue records:

ipa dnsrecord-add corpfbk ns1.ad --a-rec=192.168.3.36
ipa dnsrecord-add corpfbk ns2.ad --a-rec=192.168.3.241

Then I add what I consider should be the zone delegation:

ipa dnsrecord-add corpfbk ad --ns-rec=ns1.ad.corpfbk.,ns2.ad.corpfbk.

Problem is, IPA DNS can't resolve any host in the ad.corpfbk zone, except ns1 and ns2. Recursion is enabled in named.conf.
Dig results:

dig @localhost ad.corpfbk NS +norecurse

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21862
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;ad.corpfbk.                    IN      NS

;; ANSWER SECTION:
ad.corpfbk.             86400   IN      NS      ns1.ad.corpfbk.
ad.corpfbk.             86400   IN      NS      ns2.ad.corpfbk.

;; AUTHORITY SECTION:
corpfbk.                86400   IN      NS      ipa01.central.corpfbk.
corpfbk.                86400   IN      NS      ipa02.central.corpfbk.

;; ADDITIONAL SECTION:
ns1.ad.corpfbk.         86400   IN      A       192.168.3.36
ns2.ad.corpfbk.         86400   IN      A       192.168.3.241
ipa01.central.corpfbk.  86400   IN      A       192.168.3.6
ipa02.central.corpfbk.  86400   IN      A       192.168.3.16

It seems to me, and after testing with other non-IPA based DNS servers, that the response shouldn't have an "Answer section", but it should have an "authority section" pointing to ad.corpfbk.

Am I doing something wrong? Should I file a bug?

Thanks

-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster horse" - Henry Ford

From Steven.Jones at vuw.ac.nz Wed Feb 1 19:47:07 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 1 Feb 2012 19:47:07 +0000
Subject: [Freeipa-users] Firewalling IPA 2
In-Reply-To: <1328099604.2240.216.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <20120201043114.GA7425@noboost.org> <20120201065600.GB5727@hendrix.redhat.com>, <1328099604.2240.216.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CB8013F@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi

Thanks, useful tip......though I assume most sites will also use DNS and NTP....
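An added check (not part of any message in this thread) for the delegation problem Loris describes above: a parent server asked for `ad.corpfbk NS` with +norecurse should return a referral, that is, no `aa` flag, the child's NS records in the AUTHORITY section and their glue in ADDITIONAL. Answering from the ANSWER section with `aa` set, as the IPA server does in the dig output above, tells the querier that the parent is authoritative for the name itself, which is consistent with hosts under ad.corpfbk never resolving. The function below reads dig output and classifies it; both sample responses are constructed, the faulty one from the output quoted in this thread and the other showing the referral the same data should produce.

```shell
#!/bin/sh
# Added example, not from the thread: classify a dig response for a delegated
# child zone as a proper referral or a (wrong) authoritative answer.

# Read dig output on stdin; $1 is the child zone without trailing dot.
# Prints "answer" (child NS records in ANSWER: the parent claims authority),
# "referral" (child NS records in AUTHORITY, no aa flag) or "none".
classify_delegation() {
    awk -v zone="$1." '
        /^;; flags:/             { if ($0 ~ / aa[ ;]/) aa = 1 }
        /^;; ANSWER SECTION:/    { sec = "answer";     next }
        /^;; AUTHORITY SECTION:/ { sec = "authority";  next }
        /^;; ADDITIONAL SECTION:/{ sec = "additional"; next }
        /^;/ || /^[[:space:]]*$/ { next }
        $1 == zone && $4 == "NS" { ns[sec]++ }
        END {
            if (ns["answer"] > 0)                 print "answer"
            else if (ns["authority"] > 0 && !aa)  print "referral"
            else                                  print "none"
        }'
}

# Constructed from the response quoted in this thread: aa is set and the child
# NS records sit in ANSWER.  This is the faulty behaviour.
sample_faulty() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21862
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;ad.corpfbk.                    IN      NS

;; ANSWER SECTION:
ad.corpfbk.             86400   IN      NS      ns1.ad.corpfbk.
ad.corpfbk.             86400   IN      NS      ns2.ad.corpfbk.

;; AUTHORITY SECTION:
corpfbk.                86400   IN      NS      ipa01.central.corpfbk.
corpfbk.                86400   IN      NS      ipa02.central.corpfbk.

;; ADDITIONAL SECTION:
ns1.ad.corpfbk.         86400   IN      A       192.168.3.36
ns2.ad.corpfbk.         86400   IN      A       192.168.3.241
EOF
}

# Constructed: the referral a correct parent returns for the same delegation.
sample_referral() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ad.corpfbk.                    IN      NS

;; AUTHORITY SECTION:
ad.corpfbk.             86400   IN      NS      ns1.ad.corpfbk.
ad.corpfbk.             86400   IN      NS      ns2.ad.corpfbk.

;; ADDITIONAL SECTION:
ns1.ad.corpfbk.         86400   IN      A       192.168.3.36
ns2.ad.corpfbk.         86400   IN      A       192.168.3.241
EOF
}
```

Against a live server: dig @ipa01.central.corpfbk ad.corpfbk NS +norecurse | classify_delegation ad.corpfbk. Run the same against a plain BIND serving the same delegation to confirm it prints referral there before filing the bug.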
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

8><---------
In terms of your firewall rules, you only want to allow access on port 389 for your hosts. It's also worth noting that because SSSD clients bind with their host entry, you can also opt to disable anonymous access to the FreeIPA LDAP server for added security.
8><------

From atkac at redhat.com Thu Feb 2 09:23:16 2012
From: atkac at redhat.com (Adam Tkac)
Date: Thu, 02 Feb 2012 10:23:16 +0100
Subject: [Freeipa-users] DNS zone delegation
In-Reply-To: <1328120480.23084.19.camel@arepa.pzo.lgs.com.ve>
References: <1328120480.23084.19.camel@arepa.pzo.lgs.com.ve>
Message-ID: <4F2A5604.9040605@redhat.com>

On 02/01/2012 07:21 PM, Loris Santamaria wrote:
> Hi,
>
> I have a dns zone managed by IPA and I'm trying to delegate a zone
> managed by Active Directory.
>
> The IPA managed zone is called "corpfbk", and the AD one is
> "ad.corpfbk".
>
> I started by adding the proper glue records:
>
> ipa dnsrecord-add corpfbk ns1.ad --a-rec=192.168.3.36
> ipa dnsrecord-add corpfbk ns2.ad --a-rec=192.168.3.241
>
> Then I add what I consider should be the zone delegation:
>
> ipa dnsrecord-add corpfbk ad --ns-rec=ns1.ad.corpfbk.,ns2.ad.corpfbk.
>
> Problem is, IPA DNS can't resolve any host in the ad.corpfbk zone,
> except ns1 and ns2. Recursion is enabled in named.conf. Dig results:
>
> dig @localhost ad.corpfbk NS +norecurse
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21862
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;ad.corpfbk. IN NS
>
> ;; ANSWER SECTION:
> ad.corpfbk. 86400 IN NS ns1.ad.corpfbk.
> ad.corpfbk. 86400 IN NS ns2.ad.corpfbk.
>
> ;; AUTHORITY SECTION:
> corpfbk. 86400 IN NS ipa01.central.corpfbk.
> corpfbk. 86400 IN NS ipa02.central.corpfbk.
>
> ;; ADDITIONAL SECTION:
> ns1.ad.corpfbk. 86400 IN A 192.168.3.36
> ns2.ad.corpfbk.
> 86400 IN A 192.168.3.241
> ipa01.central.corpfbk. 86400 IN A 192.168.3.6
> ipa02.central.corpfbk. 86400 IN A 192.168.3.16
>
> It seems to me, and after testing with other non-IPA based DNS servers,
> that the response shouldn't have an "Answer section", but it should
> have an "authority section" pointing to ad.corpfbk.
>
> Am I doing something wrong? Should I file a bug?
>

You are right, the ad.corpfbk. records should be in the auth section. This seems like a bug in the bind-dyndb-ldap plugin. Please file it at bugzilla.redhat.com with a reference to this thread.

Thank you in advance!

Regards, Adam

From nsollars at gmail.com Thu Feb 2 14:59:30 2012
From: nsollars at gmail.com (Nigel Sollars)
Date: Thu, 2 Feb 2012 09:59:30 -0500
Subject: [Freeipa-users] Other distro clients
Message-ID:

Hi All,

I notice online people have already asked about clients for other Linux distributions; my addition to this is: how far along (if at all) is the effort? Is there an svn / git repo I can grab sources / test packages from, for say Debian or SuSE?

Any info would be most welcomed

Nigel Sollars

-- 
“Science is a differential equation. Religion is a boundary condition.”

Alan Turing

From dpal at redhat.com Thu Feb 2 15:44:33 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 02 Feb 2012 10:44:33 -0500
Subject: [Freeipa-users] Other distro clients
In-Reply-To:
References:
Message-ID: <4F2AAF61.8060403@redhat.com>

On 02/02/2012 09:59 AM, Nigel Sollars wrote:
> Hi All,
>
> I notice online people have already asked about clients for other
> Linux distributions; my addition to this is: how far along (if at all)
> is the effort? Is there an svn / git repo I can grab sources / test
> packages from, for say Debian or SuSE?
>
> Any info would be most welcomed
>

Some time ago SSSD was built for Suse. I am not sure it was maintained. I am not aware of any effort to port ipa-client to Suse.
There is some effort to port ipa-client to Debian and Ubuntu but I do not know where the code for this is.

> Nigel Sollars
>
> --
> “Science is a differential equation. Religion is a boundary condition.”
>
> Alan Turing
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Thu Feb 2 15:49:46 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 02 Feb 2012 10:49:46 -0500
Subject: [Freeipa-users] Other distro clients
In-Reply-To: <4F2AAF61.8060403@redhat.com>
References: <4F2AAF61.8060403@redhat.com>
Message-ID: <1328197786.6025.1.camel@sgallagh520.sgallagh.bos.redhat.com>

On Thu, 2012-02-02 at 10:44 -0500, Dmitri Pal wrote:
> On 02/02/2012 09:59 AM, Nigel Sollars wrote:
> > Hi All,
> >
> >
> > I notice online people have already asked about clients for other
> > Linux distributions; my addition to this is: how far along (if at all)
> > is the effort? Is there an svn / git repo I can grab
> > sources / test packages from, for say Debian or SuSE?
> >
> >
> > Any info would be most welcomed
> >
> >
>
> Some time ago SSSD was built for Suse. I am not sure it was
> maintained. I am not aware of any effort to port ipa-client to Suse.
> There is some effort to port ipa-client to Debian and Ubuntu but I do
> not know where the code for this is.

The port to Debian and Ubuntu is being spearheaded by Timo Aaltonen (CCed). He has a PPA with a reasonably recent version of SSSD available that can be used with FreeIPA v2.
Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From refrainia at gmail.com Thu Feb 2 21:39:03 2012 From: refrainia at gmail.com (re frain) Date: Thu, 2 Feb 2012 13:39:03 -0800 Subject: [Freeipa-users] Authenticating From Windows 7 Host Message-ID: Hi, I'm trying to login to the realm from a windows host as a valid user. My user is able to authenticate, however I then get this message: "Server does not have a computer account for workstation trust". The windows 7 client has been configured correctly, however I'm uncertain if I have configured the "host" correctly within the FreeIPA UI (permissions?). -------------- next part -------------- An HTML attachment was scrubbed... URL: From tjaalton at ubuntu.com Thu Feb 2 23:01:29 2012 From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Fri, 03 Feb 2012 01:01:29 +0200 Subject: [Freeipa-users] Other distro clients In-Reply-To: <1328197786.6025.1.camel@sgallagh520.sgallagh.bos.redhat.com> References: <4F2AAF61.8060403@redhat.com> <1328197786.6025.1.camel@sgallagh520.sgallagh.bos.redhat.com> Message-ID: <4F2B15C9.1060008@ubuntu.com> 02.02.2012 17:49, Stephen Gallagher kirjoitti: > On Thu, 2012-02-02 at 10:44 -0500, Dmitri Pal wrote: >> On 02/02/2012 09:59 AM, Nigel Sollars wrote: >>> Hi All, >>> >>> >>> I notice online people have already asked about Clients for other >>> linux distributions, my addition to this is how far ( if any ) >>> along is the effort?. Is there an svn / git repo I can grab >>> sources / test packages for say Debian or SuSE?. >>> >>> >>> Any info would be most welcomed >>> >>> >> >> Some time ago SSSD was built for Suse. I am not sure it was >> maintained. I am not aware of any effort to port ipa-client to Suse. >> There is some effort to port ipa-client to Debian and Ubuntu but I do >> not know where the code for this is. > > The port to Debian and Ubuntu is being spearheaded by Timo Aaltonen > (CCed). 
He has a PPA with a reasonably recent version of SSSD available > that can be used with FreeIPA v2. Yeah, trying to get it all ready for the next release (12.04), and hoping to squeeze in SSSD 1.8 too. Have had less time lately to work on these, but it's still possible to get most of it in before feature freeze (feb 16th) and the rest as a freeze exception. Here are links to the related launchpad teams, in case folks are willing to test the packages (and file bugs!), once there's more to test: https://launchpad.net/~ubuntu-389-directory-server https://launchpad.net/~freeipa https://launchpad.net/~sssd t From freeipa at noboost.org Fri Feb 3 04:33:20 2012 From: freeipa at noboost.org (Craig T) Date: Fri, 3 Feb 2012 15:33:20 +1100 Subject: [Freeipa-users] Dovecot IMAP with IPA 2.x? Message-ID: <20120203043320.GA12646@noboost.org> hi, Has anyone setup Dovecot IMAP to work with IPA 2.x yet? I'm thinking the best config would be to use; * IMAPS between the mail clients and Dovecot server * LDAPS with "Passdb LDAP with authentication binds" to connect to IPA? ref: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds cya Craig From dale at themacartneyclan.com Fri Feb 3 07:31:33 2012 From: dale at themacartneyclan.com (Dale Macartney) Date: Fri, 03 Feb 2012 07:31:33 +0000 Subject: [Freeipa-users] Dovecot IMAP with IPA 2.x? In-Reply-To: <20120203043320.GA12646@noboost.org> References: <20120203043320.GA12646@noboost.org> Message-ID: <4F2B8D55.6000803@themacartneyclan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Craig I am actually working on this very thing at the moment. there is a very basic config here (http://freeipa.org/page/Dovecot_Integration), however this is using pam for everything The end goal of course is sso in which I have managed to get gssapi for authentication working and pam is used for the user lookups.. 
Here is what I have in a working state on rhel 6.2

#####
# home directories get created on first interactive login via oddjob
yum install -y oddjob-mkhomedir
chkconfig oddjobd on
service oddjobd start

# enrol the mail host in the IPA domain (admin password given on the command line)
ipa-client-install -U -p admin -w redhat123 --mkhomedir

# configure dovecot
chkconfig dovecot on
sed -i 's/#protocols = imap pop3 lmtp/protocols = imap/g' /etc/dovecot/dovecot.conf
sed -i "s-#mail_location-mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u-g" /etc/dovecot/conf.d/10-mail.conf

# static userdb: every IMAP login maps to the dovecot uid/gid
echo "userdb {" >> /etc/dovecot/conf.d/10-auth.conf
echo " driver = static" >> /etc/dovecot/conf.d/10-auth.conf
echo " args = uid=dovecot gid=dovecot home=/var/spool/mail/%u" >> /etc/dovecot/conf.d/10-auth.conf
echo "}" >> /etc/dovecot/conf.d/10-auth.conf

# GSSAPI only; the imap/ service principal is read from a dovecot-owned keytab
sed -i 's/auth_mechanisms = plain/auth_mechanisms = gssapi/g' /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_gssapi_hostname =/auth_gssapi_hostname = $(hostname)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s-#auth_krb5_keytab =-auth_krb5_keytab = /etc/dovecot/krb5.keytab-g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_realms =/auth_realms = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_default_realm =/auth_default_realm = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf

# create the service principals in IPA and fetch their keys into the keytab
kinit admin
ipa service-add imap/$(hostname)
ipa service-add imaps/$(hostname)
ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
ipa-getkeytab -s ds01.example.com -p imaps/$(hostname) -k /etc/dovecot/krb5.keytab
chown dovecot:dovecot /etc/dovecot/krb5.keytab

service dovecot restart
####

By having the system tapped into the ipa domain, pam allows dovecot to pass user lookups successfully.
With the gssapi changes to /etc/dovecot/conf.d/10-auth.conf and using a keytab for the service principals, users can log in successfully without issue (I have only tested this with gssapi at the moment).

Successful authentication appears in /var/log/maillog as follows:

Feb 2 22:50:45 mail04 dovecot: imap-login: Login: user=, method=GSSAPI, rip=192.168.122.61, lip=192.168.122.44, mpid=2216, TLS

The only issue I am presently facing is with the mail_location directive in dovecot.. unless the user's homedir actually exists you will get errors like this:

Feb 2 21:52:34 mail04 dovecot: imap(user1): Error: user user1: Initialization failed: Initializing mail storage from mail_location setting failed: mkdir(/home/user1/mail) failed: Permission denied (euid=1201600003(user1) egid=1201600003(user1) missing +w perm: /home, euid is not dir owner)

I have been experimenting with how best to address this, however I am constantly being pushed back to the only way of having a userdir that actually exists would be a homedir which would be created when a user first logs in.

Yes, if you ssh to the dovecot server as the user (with oddjobd running in the background) it will create the homedir with no problems and the issue is resolved, however users should not *have to* interactively log into a server just to allow them to access mail.

My only thinking here is shared homedirs (nfs?) between clients and servers, however my thoughts on this are "if dovecot is redirecting a user's mail to their homedir, then why do we need dovecot to access it via imap when the mail will already appear in their homedir?"

Does anyone have any thoughts on this?

Dale

On 02/03/2012 04:33 AM, Craig T wrote:
> hi,
>
> Has anyone setup Dovecot IMAP to work with IPA 2.x yet?
> I'm thinking the best config would be to use;
> * IMAPS between the mail clients and Dovecot server
> * LDAPS with "Passdb LDAP with authentication binds" to connect to IPA?
> ref: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds > > cya > > Craig > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPK408AAoJEAJsWS61tB+qjy4P/A5+y69wZg7hxg6xgohA6256 pTPEaSAi77zZZ1X3CgEbgGcRjlN8iRECbzb+2QDZ501uP4v+IrKSrE9VPwQuGIek baLbHExVBhusUGxQ8l51aZrM0FZMtNnidCtGPVl7pp2EHcGGnquNdNs8T4FuNSfz ngGaekSOWlvENUzYpMFxdxTJJZJ7+7ensV4Jaoe6MgOgGW8ytPuFxECO8kMrcqPq tOJ1Vb4gaeAfJWLPnKSU1lw9nIMW8ze4ftxaSSbdyiLl8cU9LMC16Sz4Lrkg/B1c PnT7thLI1yLjNfPwiGXQUtSc8VE/29f3g1D1ky0hnaZz1HYX34lQ85Eqw9hQ14lm 1/YY/M6DhFqiO3uxUSMRsL5iCWG6fP6LIxRrHZYenS20qRhEcjwi90z/DNqs5wH1 j5ERuTQFGFBfnhFX7bPs9EDrh736icQc1GJE8rOFvUnvenEZRCm/3NhxW1XrNmr0 lftzbE0X7U+eEANOsNzOS+37bxo3rfcPbafZFYfgyf7WUorEkMUvbRaUNaiGr6FS cZyLU6jioJjVIqhDGnst5rP8JZdIcKI+Xfmmh0V3LoAGLzz+9NzncV+MV/Bq71uJ UyJHArk5RJ4NDxTM34OjIvzlwwsKP9kGNw3RB1IyEv4iDBkcf9hBtwqHMN4F0rd5 cnXJyulO0T4fDU5iFXxb =tYFH -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xB5B41FAA.asc Type: application/pgp-keys Size: 5790 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xB5B41FAA.asc.sig Type: application/pgp-signature Size: 543 bytes Desc: not available URL: From natxo.asenjo at gmail.com Fri Feb 3 08:02:08 2012 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Fri, 3 Feb 2012 09:02:08 +0100 Subject: [Freeipa-users] Dovecot IMAP with IPA 2.x? 
In-Reply-To: <4F2B8D55.6000803@themacartneyclan.com> References: <20120203043320.GA12646@noboost.org> <4F2B8D55.6000803@themacartneyclan.com> Message-ID: On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney wrote: > I have been experimenting with how best to address this, however I am > constantly being pushed back to the only way of having a userdir that > actually exists would be a homdir which would be created when a user > first logs in. > > Yes, if you ssh to the dovecot server as the user (with oddjobd running > in the background) it will create the homedir ?with no problems and the > issue is resolved, however users should not *have to* interactively log > into a server just to allow them to access mail. > > my only thinking here is shared homedirs (nfs?) between clients and > servers, however my thoughts on this are "if dovecot is redirecting a > users mail to their homedir, then why do we need dovecot to access it > via imap when the mail will already appear in their homedir?" > > does anyone have any thoughts on this? If you have an imap server instead of local mail, people do not have to login a desktop/text session to check their e-mail. They can access it from any imap client, even webmail. -- Groet, Natxo From dale at themacartneyclan.com Fri Feb 3 08:09:03 2012 From: dale at themacartneyclan.com (Dale Macartney) Date: Fri, 03 Feb 2012 08:09:03 +0000 Subject: [Freeipa-users] Dovecot IMAP with IPA 2.x? In-Reply-To: References: <20120203043320.GA12646@noboost.org> <4F2B8D55.6000803@themacartneyclan.com> Message-ID: <4F2B961F.6030902@themacartneyclan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/03/2012 08:02 AM, Natxo Asenjo wrote: > On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney > wrote: > >> I have been experimenting with how best to address this, however I am >> constantly being pushed back to the only way of having a userdir that >> actually exists would be a homdir which would be created when a user >> first logs in. 
>> >> Yes, if you ssh to the dovecot server as the user (with oddjobd running >> in the background) it will create the homedir with no problems and the >> issue is resolved, however users should not *have to* interactively log >> into a server just to allow them to access mail. >> >> my only thinking here is shared homedirs (nfs?) between clients and >> servers, however my thoughts on this are "if dovecot is redirecting a >> users mail to their homedir, then why do we need dovecot to access it >> via imap when the mail will already appear in their homedir?" >> >> does anyone have any thoughts on this? > > If you have an imap server instead of local mail, people do not have > to login a desktop/text session to check their e-mail. They can access it > from any imap client, even webmail. > agreed, however the issue at hand, is that dovecot is failing to store the mail anyway in order to make it accessible in the first place. does anyone have any thoughts on how to have the homedirs auto created (with the correct perms and selinux contexts) by a process/service that is not initiated by the login process? oddjob and pam_mkhomedir do not get involved here as it is not an interactive login. (i could be wrong however this is what I am seeing). 
Dale -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPK5YVAAoJEAJsWS61tB+qdyYP/1oTLFXYFminTNhV/kOmFaCe j3w6tn5VyIqrBm4Qis8tZ3FCh7LxkoLyY+8Z4F0z0wh6yIjDGFdIMahiQw+0OhuQ dR5RxQMAAF5Zv0DfNH+rKHgy1pSlZN8X/nJKggQQGr9b4ehjUQqC039zRKqO5gh+ IF5ZIbwpoiimyFyppLsEdbaEYbH5Fsxifub2efY+thc3z72o5QZ+qaFsMXxoeCnr F+LXuckCyHN2SlU4B0ChwpaUd8uO3XS4tKqZOnJhFQqK2fBYDL7OXjSo94dpY8+2 KSYx2nOXwIX0QtnoEfr5NbVkKAh7eWfDJAcZjywciP2xwkhwHQXAVRPFSF3T9f0/ nmHGdxchfjIgO7Nr60fjLQSdmVnhFWOIAPSPIiGyE6xCsukzonExiTjRUOVqiGRN Fvcup3oF794IHwfhzIUC6cOlTKxq+YwChMBuiMrV+1raKM0dVYRSCFp3HxpGXZwZ GEJXmrRNZ0KDFT/Jye73wQQdepmrKb/kqakrtwxpvp7AxCkrgdUHLEaZ5sUH0ldr 6BF/TJ0NPBaRa9eBK+D7Lv4gy7OcsPiTbU5q3H9rkOm4Q8AY/9kSBYGAwcSbLML4 sQSgbRc2opZwndQ3gdxRPwRFH/olPiFtwDcl8Ha7hubDdjQ13dxGicQLkYuSt/sB ygTO8TlH2z+nAjcebWFH =oLBa -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xB5B41FAA.asc Type: application/pgp-keys Size: 5790 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xB5B41FAA.asc.sig Type: application/pgp-signature Size: 543 bytes Desc: not available URL: From natxo.asenjo at gmail.com Fri Feb 3 08:13:06 2012 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Fri, 3 Feb 2012 09:13:06 +0100 Subject: [Freeipa-users] Dovecot IMAP with IPA 2.x? In-Reply-To: References: <20120203043320.GA12646@noboost.org> <4F2B8D55.6000803@themacartneyclan.com> Message-ID: On Fri, Feb 3, 2012 at 9:02 AM, Natxo Asenjo wrote: > On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney > wrote: > >> I have been experimenting with how best to address this, however I am >> constantly being pushed back to the only way of having a userdir that >> actually exists would be a homdir which would be created when a user >> first logs in. 
>>
>> Yes, if you ssh to the dovecot server as the user (with oddjobd running
>> in the background) it will create the homedir with no problems and the
>> issue is resolved, however users should not *have to* interactively log
>> into a server just to allow them to access mail.
>>
>> my only thinking here is shared homedirs (nfs?) between clients and
>> servers, however my thoughts on this are "if dovecot is redirecting a
>> users mail to their homedir, then why do we need dovecot to access it
>> via imap when the mail will already appear in their homedir?"
>>
>> does anyone have any thoughts on this?

further you do not need to have the Maildirs on the users' homedirs:

http://wiki.dovecot.org/Authentication/Kerberos

If you only want to use Kerberos ticket-based authentication:

auth default {
  mechanisms = gssapi
  userdb static {
    args = uid=vmail gid=vmail home=/var/vmail/%u
  }
}

I have not tested it, but then you could have all the Maildirs in the imap server.

--
natxo

From dale at themacartneyclan.com Fri Feb 3 08:35:19 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Fri, 03 Feb 2012 08:35:19 +0000
Subject: [Freeipa-users] Dovecot IMAP with IPA 2.x?
In-Reply-To:
References: <20120203043320.GA12646@noboost.org> <4F2B8D55.6000803@themacartneyclan.com>
Message-ID: <4F2B9C47.1060704@themacartneyclan.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/03/2012 08:13 AM, Natxo Asenjo wrote:
> On Fri, Feb 3, 2012 at 9:02 AM, Natxo Asenjo wrote:
>> On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney
>> wrote:
>>
>>> I have been experimenting with how best to address this, however I am
>>> constantly being pushed back to the only way of having a userdir that
>>> actually exists would be a homdir which would be created when a user
>>> first logs in.
>>>
>>> Yes, if you ssh to the dovecot server as the user (with oddjobd running
>>> in the background) it will create the homedir with no problems and the
>>> issue is resolved, however users should not *have to* interactively log
>>> into a server just to allow them to access mail.
>>>
>>> my only thinking here is shared homedirs (nfs?) between clients and
>>> servers, however my thoughts on this are "if dovecot is redirecting a
>>> users mail to their homedir, then why do we need dovecot to access it
>>> via imap when the mail will already appear in their homedir?"
>>>
>>> does anyone have any thoughts on this?
>
> further you do not need to have the Maildirs on the users' homedirs:
>
> http://wiki.dovecot.org/Authentication/Kerberos
>
> If you only want to use Kerberos ticket-based authentication:
>
> auth default {
>   mechanisms = gssapi
>   userdb static {
>     args = uid=vmail gid=vmail home=/var/vmail/%u
>   }
> }
>
>
> I have not tested it, but then you could have all the Maildirs in the
> imap server.
>

Just to clarify, I have just re-tested to verify... without the mail_location the below message is present in maillog:

Feb 3 08:32:37 mail04 dovecot: imap(user1): Error: user user1: Initialization failed: mail_location not set and autodetection failed: Mail storage autodetection failed with home=/home/user1
Feb 3 08:32:37 mail04 dovecot: imap(user1): Error: Invalid user settings. Refer to server log for more information.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPK5w9AAoJEAJsWS61tB+qS2sP/1Mq+UdjJAWLwCLWpXLX8ZL9 NUGKzEdspObOzRNDQxrgIxmSLhDpnXGW0fIu+3FU2QVyAa+bilROlHJhcGasSRwG E72dsRaxwCk1B/9beTs6LdeMuZ6pgSzRgfpJNEZNF1TZI7c8mSZsrEiH5r6eCzzK RSWbsT2FasCGsKPN05fJPNOv8qh7ByP17wymlxgSHx1FpekvtM8UlrzjKvT66KWq oibJS3U8wD8NyRoz5GIPg4kWYSicv859OGV9FyhNwg0mTb+rinjGoYWYb8WHVGVl QWfb/jUQJucJB5i+l5sYyTaiIoURiusvW8XW/vlutqzzjqMFV6yV5IzISDagjoLX Dm3ONl32wSBlCkuIrmvkA7zaIA5SvQG5fuE7jlrGqmZc3dLArbsShFGjjB+JYCFh EAcecx59jI5WYjcLT357uO1k1OU8bXWtr+6eiSYbME41/me8hmE9DjGpD1j9L3nI SoIATjGkNoHVaO8N7h8ENzJvDqaKoHn/nT7gCtodziIV1dN3BSbARnFrW0452JVP fiTdnXhNXHDYiN+FGTOYFGRrO3DGr9bKBAG4yRl5qVRzH7XFC1IkE43OU+PdSz9R UzKqfT28fcAEA1vgC3XlhEtWd5nN2YF1OH0oLZBR+/Kx5OEB5GVIFwlzHGkm+fhG W6RifcyCbFExaRG1k5xr =wnil -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xB5B41FAA.asc Type: application/pgp-keys Size: 5790 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0xB5B41FAA.asc.sig Type: application/pgp-signature Size: 543 bytes Desc: not available URL: From sigbjorn at nixtra.com Fri Feb 3 11:53:29 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Fri, 3 Feb 2012 12:53:29 +0100 (CET) Subject: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD In-Reply-To: <1328105073.21059.23.camel@willson.li.ssimo.org> References: <22124.213.225.75.97.1327935713.squirrel@www.nixtra.com> <1327936847.2240.25.camel@sgallagh520.sgallagh.bos.redhat.com> <1327943174.2240.38.camel@sgallagh520.sgallagh.bos.redhat.com> <33082.213.225.75.97.1328013343.squirrel@www.nixtra.com> <1328013646.2240.98.camel@sgallagh520.sgallagh.bos.redhat.com> <24621.213.225.75.97.1328090527.squirrel@www.nixtra.com> <1328099322.2240.212.camel@sgallagh520.sgallagh.bos.redhat.com> <1328105073.21059.23.camel@willson.li.ssimo.org> Message-ID: <25438.213.225.75.97.1328270009.squirrel@www.nixtra.com> On Wed, February 1, 2012 15:04, Simo Sorce wrote: > On Wed, 2012-02-01 at 07:28 -0500, Stephen Gallagher wrote: > >> On Wed, 2012-02-01 at 11:02 +0100, Sigbjorn Lie wrote: >> >>> Hi, >>> >>> >>> Is this more like the expected output? :) >>> >>> >> >> No, I'm afraid it's not. That's a log of a legitimate shutdown, not a >> segmentation fault. (Receiving SIGTERM means that the monitor told the process to exit). >> >> Possibly this happened if the time between attaching to the process and >> typing 'cont' was more than about 30 seconds. The monitor will assume the sssd_be process isn't >> responding and will kill and restart it. >> >> You will know you got the correct results if you see >> >> >> "Program received signal SIGSEGV, Segmentation fault." >> >> >> and then you can immediately perform the 'bt full' > > For better results with gdb I suggest to kill SIGSTOP the monitor before > attaching gdb to any of the reponders or the providers, this way the monitor will be prevented from > sending termination signals to the children. 
However, don't do this for long, only for short > periods and kill SIGCONT back the monitor immediately after. > > Please see below. Does this help? (gdb) bt full #0 sysdb_attrs_get_el_int (attrs=0x6c616d726f6e2d72, name=0x43c75d "name", alloc=true, el=0x7fffe9e0dab8) at src/db/sysdb.c:254 e = i = #1 0x00000000004221d7 in sysdb_attrs_primary_name (sysdb=0xf725e00, attrs=0x6c616d726f6e2d72, ldap_attr=0xf741110 "cn", _primary=0x7fffe9e0db58) at src/db/sysdb.c:2441 ret = rdn_attr = 0x0 rdn_val = 0x0 sysdb_name_el = 0x61 orig_dn_el = i = tmpctx = 0xf768ce0 __FUNCTION__ = "sysdb_attrs_primary_name" #2 0x000000000042290d in sysdb_attrs_primary_name_list (sysdb=0xf725e00, mem_ctx=, attr_list=0xf772e20, attr_count=2, ldap_attr=0xf741110 "cn", name_list=0x7fffe9e0dc88) at src/db/sysdb.c:2606 ret = 259427552 i = 1 j = 1 list = name = 0xf769580 "ac_server-normal" __FUNCTION__ = "sysdb_attrs_primary_name_list" #3 0x00002b20c9684456 in sdap_initgr_nested_get_membership_diff ( state=0xf7726f0) at src/providers/ldap/sdap_async_accounts.c:3061 __FUNCTION__ = "sdap_initgr_nested_get_membership_diff" #4 sdap_initgr_store_group_memberships (state=0xf7726f0) at src/providers/ldap/sdap_async_accounts.c:2820 ret = 3 i = 0 tret = tmp_ctx = 0xf76e930 miter = memberships = __FUNCTION__ = "sdap_initgr_store_group_memberships" #5 0x00002b20c96856fb in sdap_initgr_nested_store ( subreq=) at src/providers/ldap/sdap_async_accounts.c:2742 __FUNCTION__ = "sdap_initgr_nested_store" #6 sdap_initgr_nested_search (subreq=) at src/providers/ldap/sdap_async_accounts.c:2706 req = 0xf771fa0 state = 0xf7726f0 groups = 0xf76f110 count = 1 ret = 0 __FUNCTION__ = "sdap_initgr_nested_search" #7 0x00002b20c967babd in sdap_get_generic_done (op=, reply=0xf76de70, error=0, pvt=) at src/providers/ldap/sdap_async.c:989 req = 0xf772e20 state = attrs = errmsg = 0x0 result = 0 ret = lret = total_count = cookie = {bv_len = 259448432, bv_val = 0x60
} returned_controls = 0x0 page_control = __FUNCTION__ = "sdap_get_generic_done" #8 0x00002b20c967d8ff in sdap_process_message (ev=, pvt=) at src/providers/ldap/sdap_async.c:307 msgtype = 101 ret = 0 reply = 0xf76de70 op = 0xf76a970 msgid = __FUNCTION__ = "sdap_process_message" #9 sdap_process_result (ev=, pvt=) at src/providers/ldap/sdap_async.c:207 sh = no_timeout = {tv_sec = 0, tv_usec = 0} te = msg = 0xf7610a0 ret = __FUNCTION__ = "sdap_process_result" #10 0x00000039a2e034d3 in ?? () from /usr/lib64/libtevent.so.0 No symbol table info available. #11 0x00000039a2e0509b in ?? () from /usr/lib64/libtevent.so.0 No symbol table info available. #12 0x00000039a2e02690 in _tevent_loop_once () from /usr/lib64/libtevent.so.0 No symbol table info available. #13 0x00000039a2e026fb in ?? () from /usr/lib64/libtevent.so.0 No symbol table info available. #14 0x0000000000435771 in server_loop (main_ctx=0xf723b10) at src/util/server.c:526 No locals. #15 0x000000000040ef2f in main (argc=6, argv=0x7fffe9e0e408) at src/providers/data_provider_be.c:1333 opt = pc = 0xf7215e0 be_domain = 0xf7219c0 "dns.domain" pc = 0xf7215e0 be_domain = 0xf7219c0 "dns.domain" ---Type to continue, or q to quit--- srv_name = conf_entry = main_ctx = 0xf723b10 ret = long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x6496a0, val = 0, descrip = 0x43a7d2 "Help options:", argDescrip = 0x0}, {longName = 0x43a7e0 "debug-level", shortName = 100 'd', argInfo = 2, arg = 0x649778, val = 0, descrip = 0x43a7b1 "Debug level", argDescrip = 0x0}, { longName = 0x43a7ec "debug-to-files", shortName = 102 'f', argInfo = 0, arg = 0x64977c, val = 0, descrip = 0x43b448 "Send the debug output to files instead of stderr", argDescrip = 0x0}, {longName = 0x43a7fb "debug-timestamps", shortName = 0 '\000', argInfo = 2, arg = 0x649680, val = 0, descrip = 0x43a7bd "Add debug timestamps", argDescrip = 0x0}, { longName = 0x43bd90 "domain", shortName = 0 '\000', argInfo = 1, arg = 0x7fffe9e0e2c8, val = 0, descrip 
= 0x43b480 "Domain of the information provider (mandatory)", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}} __FUNCTION__ = "main" From sgallagh at redhat.com Sat Feb 4 13:58:14 2012 From: sgallagh at redhat.com (Stephen Gallagher) Date: Sat, 04 Feb 2012 08:58:14 -0500 Subject: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD In-Reply-To: <25438.213.225.75.97.1328270009.squirrel@www.nixtra.com> References: <22124.213.225.75.97.1327935713.squirrel@www.nixtra.com> <1327936847.2240.25.camel@sgallagh520.sgallagh.bos.redhat.com> <1327943174.2240.38.camel@sgallagh520.sgallagh.bos.redhat.com> <33082.213.225.75.97.1328013343.squirrel@www.nixtra.com> <1328013646.2240.98.camel@sgallagh520.sgallagh.bos.redhat.com> <24621.213.225.75.97.1328090527.squirrel@www.nixtra.com> <1328099322.2240.212.camel@sgallagh520.sgallagh.bos.redhat.com> <1328105073.21059.23.camel@willson.li.ssimo.org> <25438.213.225.75.97.1328270009.squirrel@www.nixtra.com> Message-ID: <1328363894.2611.25.camel@sgallagh520.sgallagh.bos.redhat.com> On Fri, 2012-02-03 at 12:53 +0100, Sigbjorn Lie wrote: > On Wed, February 1, 2012 15:04, Simo Sorce wrote: > > On Wed, 2012-02-01 at 07:28 -0500, Stephen Gallagher wrote: > > > >> On Wed, 2012-02-01 at 11:02 +0100, Sigbjorn Lie wrote: > >> > >>> Hi, > >>> > >>> > >>> Is this more like the expected output? :) > >>> > >>> > >> > >> No, I'm afraid it's not. That's a log of a legitimate shutdown, not a > >> segmentation fault. (Receiving SIGTERM means that the monitor told the process to exit). > >> > >> Possibly this happened if the time between attaching to the process and > >> typing 'cont' was more than about 30 seconds. The monitor will assume the sssd_be process isn't > >> responding and will kill and restart it. > >> > >> You will know you got the correct results if you see > >> > >> > >> "Program received signal SIGSEGV, Segmentation fault." 
> >> > >> > >> and then you can immediately perform the 'bt full' > > > > For better results with gdb I suggest to kill SIGSTOP the monitor before > > attaching gdb to any of the reponders or the providers, this way the monitor will be prevented from > > sending termination signals to the children. However, don't do this for long, only for short > > periods and kill SIGCONT back the monitor immediately after. > > > > > > Please see below. Does this help? Yes, thank you it does. > > > (gdb) bt full > #0 sysdb_attrs_get_el_int (attrs=0x6c616d726f6e2d72, name=0x43c75d "name", > alloc=true, el=0x7fffe9e0dab8) at src/db/sysdb.c:254 > e = > i = > #1 0x00000000004221d7 in sysdb_attrs_primary_name (sysdb=0xf725e00, > attrs=0x6c616d726f6e2d72, ldap_attr=0xf741110 "cn", The memory address for "attrs" here is WAY out of range. That suggests that this is an uninitialized value. > _primary=0x7fffe9e0db58) at src/db/sysdb.c:2441 > ret = > rdn_attr = 0x0 > rdn_val = 0x0 > sysdb_name_el = 0x61 > orig_dn_el = > i = > tmpctx = 0xf768ce0 > __FUNCTION__ = "sysdb_attrs_primary_name" > #2 0x000000000042290d in sysdb_attrs_primary_name_list (sysdb=0xf725e00, > mem_ctx=, attr_list=0xf772e20, attr_count=2, > ldap_attr=0xf741110 "cn", name_list=0x7fffe9e0dc88) at src/db/sysdb.c:2606 > ret = 259427552 > i = 1 i = 1, so it's the second entry in the attr_list being passed in. My spidey-sense is tingling here. Probably the array is one entry too long above. > j = 1 > list = > name = 0xf769580 "ac_server-normal" > __FUNCTION__ = "sysdb_attrs_primary_name_list" > #3 0x00002b20c9684456 in sdap_initgr_nested_get_membership_diff ( > state=0xf7726f0) at src/providers/ldap/sdap_async_accounts.c:3061 > __FUNCTION__ = "sdap_initgr_nested_get_membership_diff" This is the function that is creating that array (well, actually it's sdap_initgr_nested_get_direct_parents()). So the bug must be occurring here. We're somehow creating an array of two entries but not populating the second one. 
That said, I'm not sure how that's possible. The code there is very short and seems pretty carefully-written to avoid this possibility. I don't have time today to dig into this any further, but I wanted to get my findings down in an email so that if anyone else wanted to jump on this before I get back to it, they don't have to start from scratch. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From sigbjorn at nixtra.com Sat Feb 4 14:15:55 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Sat, 04 Feb 2012 15:15:55 +0100 Subject: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD In-Reply-To: <1328363894.2611.25.camel@sgallagh520.sgallagh.bos.redhat.com> References: <22124.213.225.75.97.1327935713.squirrel@www.nixtra.com> <1327936847.2240.25.camel@sgallagh520.sgallagh.bos.redhat.com> <1327943174.2240.38.camel@sgallagh520.sgallagh.bos.redhat.com> <33082.213.225.75.97.1328013343.squirrel@www.nixtra.com> <1328013646.2240.98.camel@sgallagh520.sgallagh.bos.redhat.com> <24621.213.225.75.97.1328090527.squirrel@www.nixtra.com> <1328099322.2240.212.camel@sgallagh520.sgallagh.bos.redhat.com> <1328105073.21059.23.camel@willson.li.ssimo.org> <25438.213.225.75.97.1328270009.squirrel@www.nixtra.com> <1328363894.2611.25.camel@sgallagh520.sgallagh.bos.redhat.com> Message-ID: <4F2D3D9B.6030702@nixtra.com> On 02/04/2012 02:58 PM, Stephen Gallagher wrote: > On Fri, 2012-02-03 at 12:53 +0100, Sigbjorn Lie wrote: >> On Wed, February 1, 2012 15:04, Simo Sorce wrote: >>> On Wed, 2012-02-01 at 07:28 -0500, Stephen Gallagher wrote: >>> >>>> On Wed, 2012-02-01 at 11:02 +0100, Sigbjorn Lie wrote: >>>> >>>>> Hi, >>>>> >>>>> >>>>> Is this more like the expected output? :) >>>>> >>>>> >>>> No, I'm afraid it's not. That's a log of a legitimate shutdown, not a >>>> segmentation fault. 
(Receiving SIGTERM means that the monitor told the process to exit). >>>> >>>> Possibly this happened if the time between attaching to the process and >>>> typing 'cont' was more than about 30 seconds. The monitor will assume the sssd_be process isn't >>>> responding and will kill and restart it. >>>> >>>> You will know you got the correct results if you see >>>> >>>> >>>> "Program received signal SIGSEGV, Segmentation fault." >>>> >>>> >>>> and then you can immediately perform the 'bt full' >>> For better results with gdb I suggest to kill SIGSTOP the monitor before >>> attaching gdb to any of the reponders or the providers, this way the monitor will be prevented from >>> sending termination signals to the children. However, don't do this for long, only for short >>> periods and kill SIGCONT back the monitor immediately after. >>> >>> >> Please see below. Does this help? > Yes, thank you it does. > >> >> (gdb) bt full >> #0 sysdb_attrs_get_el_int (attrs=0x6c616d726f6e2d72, name=0x43c75d "name", >> alloc=true, el=0x7fffe9e0dab8) at src/db/sysdb.c:254 >> e = >> i = >> #1 0x00000000004221d7 in sysdb_attrs_primary_name (sysdb=0xf725e00, >> attrs=0x6c616d726f6e2d72, ldap_attr=0xf741110 "cn", > The memory address for "attrs" here is WAY out of range. That suggests > that this is an uninitialized value. > >> _primary=0x7fffe9e0db58) at src/db/sysdb.c:2441 >> ret = >> rdn_attr = 0x0 >> rdn_val = 0x0 >> sysdb_name_el = 0x61 >> orig_dn_el = >> i = >> tmpctx = 0xf768ce0 >> __FUNCTION__ = "sysdb_attrs_primary_name" >> #2 0x000000000042290d in sysdb_attrs_primary_name_list (sysdb=0xf725e00, >> mem_ctx=, attr_list=0xf772e20, attr_count=2, >> ldap_attr=0xf741110 "cn", name_list=0x7fffe9e0dc88) at src/db/sysdb.c:2606 >> ret = 259427552 >> i = 1 > i = 1, so it's the second entry in the attr_list being passed in. My > spidey-sense is tingling here. Probably the array is one entry too long > above. 
> >> j = 1 >> list = >> name = 0xf769580 "ac_server-normal" >> __FUNCTION__ = "sysdb_attrs_primary_name_list" >> #3 0x00002b20c9684456 in sdap_initgr_nested_get_membership_diff ( >> state=0xf7726f0) at src/providers/ldap/sdap_async_accounts.c:3061 >> __FUNCTION__ = "sdap_initgr_nested_get_membership_diff" > > This is the function that is creating that array (well, actually it's > sdap_initgr_nested_get_direct_parents()). So the bug must be occurring > here. We're somehow creating an array of two entries but not populating > the second one. > > That said, I'm not sure how that's possible. The code there is very > short and seems pretty carefully-written to avoid this possibility. > > I don't have time today to dig into this any further, but I wanted to > get my findings down in an email so that if anyone else wanted to jump > on this before I get back to it, they don't have to start from scratch. Is there anything further I can do to help out troubleshooting this issue? I have opened a case (case id 00594772) and referenced this thread, as this issue occurred at a paying customer's site. Regards, Siggi From robert at marcanoonline.com Mon Feb 6 13:15:17 2012 From: robert at marcanoonline.com (Robert Marcano) Date: Mon, 06 Feb 2012 08:45:17 -0430 Subject: [Freeipa-users] Dovecot IMAP with IPA 2.x? In-Reply-To: <4F2B8D55.6000803@themacartneyclan.com> References: <20120203043320.GA12646@noboost.org> <4F2B8D55.6000803@themacartneyclan.com> Message-ID: <4F2FD265.2070107@marcanoonline.com> On 02/03/2012 03:01 AM, Dale Macartney wrote: > > Hi Craig > > I am actually working on this very thing at the moment. > > there is a very basic config here > (http://freeipa.org/page/Dovecot_Integration), however this is using pam > for everything > > The end goal of course is sso in which I have managed to get gssapi for > authentication working and pam is used for the user lookups..
> > Here is what I have in a working state on rhel 6.2 > > ##### In order to use GSSAPI authentication from dovecot directly, I only need to set this:

auth_gssapi_hostname = hostname.example.com
auth_krb5_keytab = /etc/imap.keytab
auth_mechanisms = gssapi login

From robert at marcanoonline.com Mon Feb 6 13:20:08 2012 From: robert at marcanoonline.com (Robert Marcano) Date: Mon, 06 Feb 2012 08:50:08 -0430 Subject: [Freeipa-users] Dovecot IMAP with IPA 2.x? In-Reply-To: References: <20120203043320.GA12646@noboost.org> <4F2B8D55.6000803@themacartneyclan.com> Message-ID: <4F2FD388.40006@marcanoonline.com> On 02/03/2012 03:43 AM, Natxo Asenjo wrote: > > further you do not need to have the Maildirs on the users' homedirs: > > http://wiki.dovecot.org/Authentication/Kerberos > > If you only want to use Kerberos ticket-based authentication: > >
> auth default {
> mechanisms = gssapi
> userdb static {
> args = uid=vmail gid=vmail home=/var/vmail/%u
> }
> }
> > > I have not tested it, but then you could have all the Maildirs in the > imap server. >

In order to have mail outside the user HOME, I use this

mail_location = maildir:/var/vmail/%u:INDEX=/var/vmail/index/%u:CONTROL=/var/vmail/control/%u

INDEX and CONTROL are not needed, I add those because we have filesystem quotas enabled, in this case INDEX and CONTROL files must be located outside the quota enabled filesystem to avoid problems like the user being unable to login to dovecot in order to free space From nsollars at gmail.com Mon Feb 6 15:39:19 2012 From: nsollars at gmail.com (Nigel Sollars) Date: Mon, 6 Feb 2012 10:39:19 -0500 Subject: [Freeipa-users] Windows Clients Message-ID: Hi all, Quick question, I want to setup a Windows system to use my realm, I've followed the prep list and created a simple arcfour-hmac krb5.keytab. The guide does not mention where I place this keytab. I thought I would check before running any of the ksetup commands.
Also just for reference has anyone gotten Windows 7 / server 2008 authenticated? ( I guess that should also include server 2003 ). Thanks in advance Nigel Sollars -- “Science is a differential equation. Religion is a boundary condition.” Alan Turing From g17jimmy at gmail.com Mon Feb 6 16:31:18 2012 From: g17jimmy at gmail.com (Jimmy) Date: Mon, 6 Feb 2012 11:31:18 -0500 Subject: [Freeipa-users] Windows Clients In-Reply-To: References: Message-ID: I don't think you have to put it anywhere, the ipa.getkeytab mainly sets the workstation password in freeipa. I keep the client keytabs in /etc (krb5.keytab.[clientname].) I have many Win7 and WinXP workstations authenticating but I'm still working on getting user/password sync working. Jimmy On Mon, Feb 6, 2012 at 10:39 AM, Nigel Sollars wrote: > Hi all, > > Quick question, > > I want to setup a Windows system to use my realm, I've followed the prep > list and created a simple arcfour-hmac krb5.keytab. The guide does not > mention where I place this keytab. I thought I would check before running > any of the ksetup commands. > > Also just for reference has anyone gotten Windows 7 / server 2008 > authenticated? ( I guess that should also include server 2003 ). > > Thanks in advance > > Nigel Sollars > > > -- > “Science is a differential equation. Religion is a boundary condition.” > > Alan Turing > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users >
From dpal at redhat.com Mon Feb 6 17:24:10 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 06 Feb 2012 12:24:10 -0500 Subject: [Freeipa-users] Windows Clients In-Reply-To: References: Message-ID: <4F300CBA.1010400@redhat.com> On 02/06/2012 11:31 AM, Jimmy wrote: > I don't think you have to put it anywhere, the ipa.getkeytab mainly > sets the workstation password in freeipa. I keep the client keytabs in > /etc (krb5.keytab.[clientname].) > > I have many Win7 and WinXP workstations authenticating but I'm still > working on getting user/password sync working. > > Jimmy Jimmy, Are you using Windows systems directly with IPA or do you make them a part of the AD domain and use winsync to sync data from AD to IPA? If you managed to setup Win7 directly with IPA please share how you have done this. Thanks Dmitri > > On Mon, Feb 6, 2012 at 10:39 AM, Nigel Sollars > wrote: > > Hi all, > > Quick question, > > I want to setup a Windows system to use my realm, I've followed > the prep list and created a simple arcfour-hmac krb5.keytab. The > guide does not mention where I place this keytab. I thought I > would check before running any of the ksetup commands. > > Also just for reference has anyone gotten Windows 7 / server 2008 > authenticated? ( I guess that should also include server 2003 ). > > Thanks in advance > > Nigel Sollars > > > -- > “Science is a differential equation. Religion is a boundary > condition.” > > Alan Turing > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs?
www.redhat.com/carveoutcosts/ From g17jimmy at gmail.com Mon Feb 6 18:34:25 2012 From: g17jimmy at gmail.com (Jimmy) Date: Mon, 6 Feb 2012 13:34:25 -0500 Subject: [Freeipa-users] Windows Clients In-Reply-To: <4F300CBA.1010400@redhat.com> References: <4F300CBA.1010400@redhat.com> Message-ID: I am not making the windows systems part of an AD. I only need to replicate users from an AD group to FreeIPA and I've had issues making that work. I was working on that with a couple guys here on the list a couple weeks ago but have been traveling so it's been hard to make time to work on that. I submitted the doc to configure Win7 a while back but will look for it and re-submit. Jimmy On Mon, Feb 6, 2012 at 12:24 PM, Dmitri Pal wrote: > On 02/06/2012 11:31 AM, Jimmy wrote: > > I don't think you have to put it anywhere, the ipa.getkeytab mainly sets > the workstation password in freeipa. I keep the client keytabs in /etc > (krb5.keytab.[clientname].) > > I have many Win7 and WinXP workstations authenticating but I'm still > working on getting user/password sync working. > > Jimmy > > > Jimmy, > > Are you using Windows systems directly with IPA or do you make them a part of > the AD domain and use winsync to sync data from AD to IPA? > If you managed to setup Win7 directly with IPA please share how you have > done this. > > Thanks > Dmitri > > > > On Mon, Feb 6, 2012 at 10:39 AM, Nigel Sollars wrote: > >> Hi all, >> >> Quick question, >> >> I want to setup a Windows system to use my realm, I've followed the >> prep list and created a simple arcfour-hmac krb5.keytab. The guide does >> not mention where I place this keytab. I thought I would check before >> running any of the ksetup commands. >> >> Also just for reference has anyone gotten Windows 7 / server 2008 >> authenticated? ( I guess that should also include server 2003 ).
>> >> Thanks in advance >> >> Nigel Sollars >> >> >> -- >> “Science is a differential equation. Religion is a boundary condition.” >> >> Alan Turing >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? www.redhat.com/carveoutcosts/ > From Steven.Jones at vuw.ac.nz Tue Feb 7 00:59:43 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 7 Feb 2012 00:59:43 +0000 Subject: [Freeipa-users] Roles and permissions Message-ID: <833D8E48405E064EBC54C84EC6B36E404CB84EBA@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Trying to get my head around these....is it possible to create a group administrator say "engineering team administrator" and have that role only able to add specific users (how to specify?) to specific user groups (say) ie I want to be able to delegate responsibility for limited groups and users to others and limit their functionality...? I don't find that section of the manual very easy to understand....I'd like examples or more explanation.... Also if such a say (bad) "engineering team administrator" could add anyone say THE admin to a group that the (bad) admin had password changes in/on then this allows the bad admin to change that admin user password............the user then effectively owns the IPA system...?
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From Steven.Jones at vuw.ac.nz Tue Feb 7 02:50:23 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 7 Feb 2012 02:50:23 +0000 Subject: [Freeipa-users] promoting a replica section 16.8 Message-ID: <833D8E48405E064EBC54C84EC6B36E404CB84F67@STAWINCOX10MBX1.staff.vuw.ac.nz> Once these actions are carried out does that mean the webgui is active? Are there any other actions needed to make the promoted replica the new read/write master? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From rcritten at redhat.com Tue Feb 7 03:32:58 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Feb 2012 22:32:58 -0500 Subject: [Freeipa-users] Roles and permissions In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CB84EBA@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CB84EBA@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4F309B6A.9080506@redhat.com> Steven Jones wrote: > Hi, > > Trying to get my head around these....is it possible to create a group administrator say "engineering team administrator" and have that role only able to add specific users (how to specify?) to specific user groups (say) ie I want to be able to delegate responsibility for limited groups and users to others and limit their functionality...? Need a little more to go on. It is that "how to specify" question that really matters. How DO you distinguish between users? You can add extra attributes to break them into groups, or you can literally put them into extra groups and manage them that way (easiest). But you definitely need a way to distinguish them. Creating this type of permission would require a bit of LDAP knowledge, mostly just knowing which attributes to use. It all depends on what responsibility you are delegating.
I'm not entirely sure what you're after so I don't want to guess and end up down a deep rabbit hole, but it is probably going to be easiest to break the permissions into smaller components like:

Users in group A can manage the membership of group B
Users in group A can manage this small set of attributes of members of group B

Both of these are relatively straightforward. I can provide examples if you can give me some more guidance on what you're looking for. > I don't find that section of the manual very easy to understand....I'd like examples or more explanation.... > > Also if such a say (bad) "engineering team administrator" could add anyone say THE admin to a group that the (bad) admin had password changes in/on then this allows the bad admin to change that admin user password............the user then effectively owns the IPA system...? Yes, it would be a problem if you granted password change permission to a bad admin. That is true in any system. Given that we've got a ticket open to limit those who can change the password of those in the admins group to those in the admins group, so helpdesk can change user's passwords but not admins. That is currently possible. regards rob From rcritten at redhat.com Tue Feb 7 03:36:32 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Feb 2012 22:36:32 -0500 Subject: [Freeipa-users] promoting a replica section 16.8 In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CB84F67@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CB84F67@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4F309C40.20705@redhat.com> Steven Jones wrote: > > Once these actions are carried out does that mean the webgui is active? Are there any other actions needed to make the promoted replica the new read/write master? Promoting a replica is only necessary if you installed with a selfsign CA and want to issue certs from that machine.
With selfsign you really should pick one machine as the CA and stick with it otherwise you'll end up issuing different certs with duplicate serial numbers and sooner or later that will catch up with you. Promotion is documented in case that single point of failure, well, fails. Once a replica is installed it is a full IPA server. This means the UI, XML-RPC interface, KDC, LDAP backend, the works. The only optional components are the DNS and CA (dogtag). regards rob From sigbjorn at nixtra.com Tue Feb 7 10:49:07 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 7 Feb 2012 11:49:07 +0100 (CET) Subject: [Freeipa-users] acroread: unknown user id Message-ID: <20948.213.225.75.97.1328611747.squirrel@www.nixtra.com> Hi, This error occurs when starting Acrobat Reader. This occurred with version 8, and I just downloaded AdobeReader_enu-9.4.7-1 to see if that would make a difference. Same problem. This is a Red Hat 5 machine running sssd-1.5.1-44.el5. $ acroread (acroread:3349): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (12345) I'm logged on to the console of the machine, and typing "id" returns the username for my uid, all my groups, etc. I have not experienced this issue with any other applications yet. /etc/nsswitch.conf: passwd: files sss group: files sss shadow: files sss Anyone seen this before? Regards, Siggi From sbose at redhat.com Tue Feb 7 11:32:13 2012 From: sbose at redhat.com (Sumit Bose) Date: Tue, 7 Feb 2012 12:32:13 +0100 Subject: [Freeipa-users] acroread: unknown user id In-Reply-To: <20948.213.225.75.97.1328611747.squirrel@www.nixtra.com> References: <20948.213.225.75.97.1328611747.squirrel@www.nixtra.com> Message-ID: <20120207113213.GA2234@localhost.localdomain> On Tue, Feb 07, 2012 at 11:49:07AM +0100, Sigbjorn Lie wrote: > Hi, > > This error occurs when starting Acrobat Reader. This occurred with version 8, and I just downloaded > AdobeReader_enu-9.4.7-1 to see if that would make a difference. Same problem.
> > This is a Red Hat 5 machine running sssd-1.5.1-44.el5. > > $ acroread > > (acroread:3349): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (12345) > > I'm logged on to the console of the machine, and typing "id" returns the username for my uid, all > my groups, etc. I have not experienced this issue with any other applications yet. > > /etc/nsswitch.conf: > passwd: files sss > group: files sss > shadow: files sss > > > Anyone seen this before? yes, I would expect that you run a 32bit acroread on a 64bit system. You have to install the 32bit sssd-client packages as well. HTH bye, Sumit > > > Regards, > Siggi > From johnny.westerlund at atea.se Tue Feb 7 12:11:26 2012 From: johnny.westerlund at atea.se (Westerlund Johnny) Date: Tue, 7 Feb 2012 13:11:26 +0100 Subject: [Freeipa-users] IPA and NFS Message-ID: Hey all. I've been trying to setup kerberized NFS with IPA running on RHEL6.2 and NFS running on RHEL5.7. The documentation states that if you are using an older kernel (like the one in RHEL5) you need to use allow_weak_crypto = yes in your krb5.conf and make sure you specify -e des-cbc-crc when exporting your keytab from the IPA server. However things are not working out. I do manage to export a des-cbc-crc key but when trying to mount the NFS share from an IPA client on rhel 6.2 it doesn't work. I have put the allow_weak_crypto = yes in the libdefaults section of my krb5.conf on all machines in the domain. And I've tried changing my password after that. But it still doesn't work. I'm unsure what to expect but if I do a klist -e I don't see any des-cbc-crc key in my keytab as the user I logged in as. If I move the NFS server to a RHEL 6.2 the mount from the RHEL6.2 client works just fine but then I'm unable to mount the share from the RHEL5.7 client.
If I do a kinit user at MYREALM.BLA and check the klist -e I don't have any des-cbc keys. I only get the AES ones. I did find this thread about running rhel5/rhel6 clients but with an AD kerberos domain so it's not the same problem. but they do get some of the same symptoms. http://www.spinics.net/lists/linux-nfs/msg22188.html There they specify default_tgs_enctypes and default_tkt_enctypes to get it working. Anyone here know what's wrong or what I'm doing wrong? Regards Johnny From sigbjorn at nixtra.com Tue Feb 7 13:49:41 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 7 Feb 2012 14:49:41 +0100 (CET) Subject: [Freeipa-users] acroread: unknown user id In-Reply-To: <20120207113213.GA2234@localhost.localdomain> References: <20948.213.225.75.97.1328611747.squirrel@www.nixtra.com> <20120207113213.GA2234@localhost.localdomain> Message-ID: <20558.213.225.75.97.1328622581.squirrel@www.nixtra.com> On Tue, February 7, 2012 12:32, Sumit Bose wrote: > On Tue, Feb 07, 2012 at 11:49:07AM +0100, Sigbjorn Lie wrote: > >> Hi, >> >> >> This error occurs when starting Acrobat Reader. This occurred with version 8, and I just >> downloaded AdobeReader_enu-9.4.7-1 to see if that would make a difference. Same problem. >> >> >> This is a Red Hat 5 machine running sssd-1.5.1-44.el5. >> >> >> $ acroread >> >> >> (acroread:3349): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (12345) >> >> >> I'm logged on to the console of the machine, and typing "id" returns the username for my uid, >> all my groups, etc. I have not experienced this issue with any other applications yet. >> >> /etc/nsswitch.conf: >> passwd: files sss >> group: files sss >> shadow: files sss >> >> >> >> Anyone seen this before? >> > > yes, I would expect that you run a 32bit acroread on a 64bit system. You have to install the 32bit > sssd-client packages as well. > > HTH > > Ah, you are correct! Installing the i386 packages fixed the issue.
Perhaps the i386 rpm packages should be required by the x86_64 sssd rpm packages to avoid any such issues? Thanks! Regards, Siggi From sgallagh at redhat.com Tue Feb 7 14:04:58 2012 From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 07 Feb 2012 09:04:58 -0500 Subject: [Freeipa-users] acroread: unknown user id In-Reply-To: <20558.213.225.75.97.1328622581.squirrel@www.nixtra.com> References: <20948.213.225.75.97.1328611747.squirrel@www.nixtra.com> <20120207113213.GA2234@localhost.localdomain> <20558.213.225.75.97.1328622581.squirrel@www.nixtra.com> Message-ID: <1328623498.2673.13.camel@sgallagh520.sgallagh.bos.redhat.com> On Tue, 2012-02-07 at 14:49 +0100, Sigbjorn Lie wrote: > On Tue, February 7, 2012 12:32, Sumit Bose wrote: > > On Tue, Feb 07, 2012 at 11:49:07AM +0100, Sigbjorn Lie wrote: > > > >> Hi, > >> > >> > >> This error occurs when starting Acrobat Reader. This occurred with version 8, and I just > >> downloaded AdobeReader_enu-9.4.7-1 to see if that would make a difference. Same problem. > >> > >> > >> This is a Red Hat 5 machine running sssd-1.5.1-44.el5. > >> > >> > >> $ acroread > >> > >> > >> (acroread:3349): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (12345) > >> > >> > >> I'm logged on to the console of the machine, and typing "id" returns the username for my uid, > >> all my groups, etc. I have not experienced this issue with any other applications yet. > >> > >> /etc/nsswitch.conf: > >> passwd: files sss > >> group: files sss > >> shadow: files sss > >> > >> > >> > >> Anyone seen this before? > >> > > > > yes, I would expect that you run a 32bit acroread on a 64bit system. You have to install the 32bit > > sssd-client packages as well. > > > > HTH > > > > > > Ah, you are correct! Installing the i386 packages fixed the issue. > > Perhaps the i386 rpm packages should be required by the x86_64 sssd rpm packages to avoid any such > issues? There is a long-standing debate on how to handle this.
The problem is that requiring the i386 RPM packages means that the system has to pull in the 32-bit versions of all its dependencies, including glibc.i386. On systems that want to be purely 64-bit, we don't want to force them to have all these extra pieces. There are several bugs open in RPM and yum to try to figure out how to solve this correctly. Unfortunately I can't locate the BZs right now. From ondrejv at s3group.cz Tue Feb 7 14:33:11 2012 From: ondrejv at s3group.cz (Ondrej Valousek) Date: Tue, 07 Feb 2012 15:33:11 +0100 Subject: [Freeipa-users] IPA and NFS In-Reply-To: References: Message-ID: <4F313627.4080005@s3group.cz> Enable debugging on rpc.gssd and rpc.svcgssd daemons and paste the output. Ondrej On 02/07/2012 01:11 PM, Westerlund Johnny wrote: > Hey all. > > I've been trying to setup kerberized NFS with IPA running on RHEL6.2 and NFS running on RHEL5.7. > The documentation states that if you are using an older kernel (like the one in RHEL5) you need to use allow_weak_crypto = yes in your krb5.conf and make sure you specify -e des-cbc-crc > when exporting your keytab from the IPA server. However things are not working out. > > I do manage to export a des-cbc-crc key but when trying to mount the NFS share from an IPA client on rhel 6.2 it doesn't work. > I have put the allow_weak_crypto = yes in the libdefaults section of my krb5.conf on all machines in the domain. And I've tried changing my password after that. But it still doesn't work. > I'm unsure what to expect but if I do a klist -e I don't see any des-cbc-crc key in my keytab as the user I logged in as. > > If I move the NFS server to a RHEL 6.2 the mount from the RHEL6.2 client works just fine but then I'm unable to mount the share from the RHEL5.7 client.
> If I do a kinit user at MYREALM.BLA and check the klist -e I don't have any des-cbc keys. I only get the AES ones. > > I did find this thread about running rhel5/rhel6 clients but with an AD kerberos domain so it's not the same problem. but they do get some of the same symptoms. > http://www.spinics.net/lists/linux-nfs/msg22188.html > > There they specify default_tgs_enctypes and default_tkt_enctypes to get it working. > > Anyone here know what's wrong or what I'm doing wrong? > > Regards > Johnny > Proud winners of the prestigious Irish Software Exporter Award 2011 from Irish Exporters Association (IEA). Please, refer to our web site for more details regarding the award. -------- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications at s3group.com. Thank You. Silicon and Software Systems Limited. Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18
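The keytab check below is an added example from the editor, not code posted by anyone in this thread. It parses `klist -kte` output, which is the listing Johnny inspects in his next message, and applies the rule Simo gives further down the thread: the nfs/ service principal needs DES-only keys so the RHEL 5 client can use it, while host/ keys must not be downgraded to DES. The keytab path, host and realm names in the two constructed sample listings are placeholders, and the listings are fed in from strings so the script runs without a KDC.

```shell
#!/bin/sh
# Editor's added example (not code from the thread): audit the enctypes in a
# `klist -kte` listing for the kerberized-NFS case discussed here.
# Rule applied: an nfs/ service key must be DES-only (the RHEL 5 client can
# only use des-cbc-crc), and host/ keys must never be downgraded to DES.
# Host and realm names in the constructed samples are placeholders.

# Turn `klist -kte` output (stdin) into "principal enctype" pairs.
# Data rows look like:
#    2 02/07/12 10:15:32 host/nfs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
keytab_pairs() {
    awk '/\)$/ {
        enc = $NF
        gsub(/[()]/, "", enc)
        print $(NF - 1), enc
    }'
}

# One verdict line per principal, sorted so the output is stable.
audit_keytab_listing() {
    keytab_pairs | awk '
    {
        p = $1; enc = $2
        seen[p] = 1
        if (enc ~ /^des-cbc-/) has_des[p] = 1
        else                   has_strong[p] = 1
    }
    END {
        for (p in seen) {
            if (p ~ /^nfs\//) {
                if (!(p in has_des))
                    print "WARN " p " has no des-cbc key (old client cannot use it)"
                else if (p in has_strong)
                    print "WARN " p " mixes DES and non-DES keys (should be DES-only)"
                else
                    print "OK   " p " is DES-only"
            } else if (p ~ /^host\//) {
                if (p in has_des)
                    print "WARN " p " has a DES key (host key downgraded)"
                else
                    print "OK   " p " has no DES keys"
            } else {
                print "INFO " p " not checked"
            }
        }
    }' | sort
}

# Constructed sample: a RHEL 6 NFS server whose nfs/ key was fetched with
# `ipa-getkeytab -e des-cbc-crc` but still carries an AES key as well.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/07/12 10:15:32 host/nfs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/07/12 10:15:32 host/nfs1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 02/07/12 10:20:11 nfs/nfs1.example.com@EXAMPLE.COM (des-cbc-crc)
   1 02/07/12 10:20:11 nfs/nfs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Constructed sample of the mistake to avoid: host/ was rekeyed with DES.
DOWNGRADED_LISTING='KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/07/12 17:02:45 host/nfs1.example.com@EXAMPLE.COM (des-cbc-crc)
   1 02/07/12 10:20:11 nfs/nfs1.example.com@EXAMPLE.COM (des-cbc-crc)'

# Real use on a server: klist -kte /etc/krb5.keytab | audit_keytab_listing
printf '%s\n' "$SAMPLE_LISTING" | audit_keytab_listing
printf '%s\n' "$DOWNGRADED_LISTING" | audit_keytab_listing
```

On a real server, replace the constructed listing with `klist -kte /etc/krb5.keytab | audit_keytab_listing`. A WARN on the host/ principal means the host key itself was refetched with `-e des-cbc-crc`; that weakens the machine's own credential and is not what fixes the NFS mount.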
From yzhang at redhat.com Tue Feb 7 15:46:03 2012 From: yzhang at redhat.com (yi zhang) Date: Tue, 07 Feb 2012 07:46:03 -0800 Subject: [Freeipa-users] IPA and NFS In-Reply-To: <4F313627.4080005@s3group.cz> References: <4F313627.4080005@s3group.cz> Message-ID: <4F31473B.1020102@redhat.com> On 02/07/2012 06:33 AM, Ondrej Valousek wrote: > Enable debugging on rpc.gssd and rpc.svcgssd daemons and paste the output note from my previous troubleshooting 1. the configuration file for nfs mount is: /etc/sysconfig/nfs 2. make the following changes to /etc/sysconfig/nfs file (1) uncomment the line: SECURE_NFS="yes" (2) add debug flag for rpc gss : RPCGSSDARGS="vvv" in short: your file /etc/sysconfig/nfs should have the following block:

# Set to turn on Secure NFS mounts.
SECURE_NFS="yes"
# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
RPCGSSDARGS="vvv"
# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
RPCSVCGSSDARGS="vvv"

3. at end, if you are using rhel5.7 you should specify the nfs version when you do mount, mounting command should be something like:

mount -t nfs4 -o sec=krb5 ipaserver:/ /mylocalmount point

--- 2 things you might want to pay attention here -- (1) for -o sec=xxx : "xxx" here is depends on your nfs server configuration, specifically your /etc/export file, if you have krb5p, then you should use -o sec=krb5p (2) when krb5 protocol is used, regardless what directory you have in /etc/export file, you always (and only) use "/" , not your actual directory name Good luck! Yi Zhang > > Ondrej > > On 02/07/2012 01:11 PM, Westerlund Johnny wrote: >> Hey all. >> >> I've been trying to setup kerberized NFS with IPA running on RHEL6.2 and NFS running on RHEL5.7. >> The documentation states that if you are using an older kernel (like the one in RHEL5) you need to use allow_weak_crypto = yes in your krb5.conf and make sure you specify -e des-cbc-crc >> when exporting your keytab from the IPA server. However things are not working out.
>> >> I do manage to export a des-cbc-crc key but when trying to mount the NFS share from an IPA client on rhel 6.2 it doesn't work. >> I have put the allow_weak_crypto = yes in the libdefaults section of my krb5.conf on all machines in the domain. And I've tried changing my password after that. But it still doesn't work. >> I'm unsure what to expect but if I do a klist -e I don't see any des-cbc-crc key in my keytab as the user I logged in as. >> >> If I move the NFS server to a RHEL 6.2 the mount from the RHEL6.2 client works just fine but then I'm unable to mount the share from the RHEL5.7 client. >> If I do a kinit user at MYREALM.BLA and check the klist -e I don't have any des-cbc keys. I only get the AES ones. >> >> I did find this thread about running rhel5/rhel6 clients but with an AD kerberos domain so it's not the same problem. but they do get some of the same symptoms. >> http://www.spinics.net/lists/linux-nfs/msg22188.html >> >> There they specify default_tgs_enctypes and default_tkt_enctypes to get it working. >> >> Anyone here know what's wrong or what I'm doing wrong? >> >> Regards >> Johnny >> > > Ondrej > -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Yi Zhang | | QA @ Mountain View, California | | Cell: 408-509-6375 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From johnny.westerlund at atea.se Tue Feb 7 15:57:04 2012 From: johnny.westerlund at atea.se (Westerlund Johnny) Date: Tue, 7 Feb 2012 16:57:04 +0100 Subject: [Freeipa-users] IPA and NFS Message-ID: Hey all. Left for the day so I'll try and post debug output tomorrow. However I think I might have stumbled upon the issue. If I do a klist -kte as root, none of the RHEL6.2 machines have a des-cbc-crc key in the list, but the RHEL5.7 does. The NFS service which can only use des-cbc-crc can't speak with the KDC since that host does not have any keys that supports that encryption. So I guess I need to enable allow_weak_crypto in the krb5.conf and then update my principal on the hosts with ipa-getkeytab -s -p host/hostname.domain at DOMAIN /J From simo at redhat.com Tue Feb 7 16:06:36 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 07 Feb 2012 11:06:36 -0500 Subject: [Freeipa-users] IPA and NFS In-Reply-To: References: Message-ID: <1328630796.8485.28.camel@willson.li.ssimo.org> On Tue, 2012-02-07 at 16:57 +0100, Westerlund Johnny wrote: > Hey all. > > Left for the day so I'll try and post debug output tomorrow.
> However I
> think I might have stumbled upon the issue.
>
> If I do a klist -kte as root, none of the RHEL6.2 machines have a
> des-cbc-crc key in the list, but the RHEL5.7 does.
> The NFS service which can only use des-cbc-crc can't speak with the KDC
> since that host does not have any keys that support that encryption.
> So I guess I need to enable allow_weak_crypto in the krb5.conf and
> then update my principal on the hosts with ipa-getkeytab -s
> -p host/hostname.domain at DOMAIN

You may also have to enable des keys on the KDC itself, depending on the IPA version.
You certainly need *exclusively* DES keys for the nfs/fqdn at REALM key (due to your old client unfortunately).
All nfs keys must use only DES both on the client and unfortunately also on the server.

However *do not* change the host/ key. You do not need DES keys for that one, and you'd severely degrade your host security by using DES keys in your host/fqdn principal.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From johnny.westerlund at atea.se Tue Feb 7 16:10:51 2012
From: johnny.westerlund at atea.se (Westerlund Johnny)
Date: Tue, 7 Feb 2012 17:10:51 +0100
Subject: [Freeipa-users] IPA and NFS
In-Reply-To: <1328630796.8485.28.camel@willson.li.ssimo.org>
References: , <1328630796.8485.28.camel@willson.li.ssimo.org>
Message-ID: 

OK, so how do I enable des keys on my KDC? I'm running the IPA on RHEL6.2 so it's the one from the channel, is it 2.1.4? I don't have the machine in front of me so I can't check.
The documentation does not state that you need to enable des keys on the IPA while setting up this. It only states that you need to enable allow_weak_crypto in krb5.conf and make sure you export your NFS principal with -e des-cbc-crc.
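Added example (the editor's, not code from any message in this thread): a small Python audit of `klist -kte` output that applies the split Simo describes above, namely that the nfs/ service principal used by the RHEL 5 client may hold only single-DES keys, while host/ and every other principal must hold none. The keytab listing it runs on is constructed, with hostnames under example.test; the enctype names follow MIT krb5's short form (des-cbc-crc) and the older long form (DES cbc mode with CRC-32). Given a keytab path on the command line it runs klist itself and audits the real file.

```python
"""Audit a `klist -kte` listing for single-DES keys (editor-added example)."""
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample of `klist -kte` output; not taken from any message in
# this thread. Both the short enctype names printed by newer MIT krb5 and the
# long names printed by older releases (RHEL 5 era) are included.
SAMPLE_KLIST_KTE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/07/12 10:00:00 host/nfsclient.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 02/07/12 10:00:00 host/nfsclient.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 02/07/12 10:00:00 host/nfsclient.example.test@EXAMPLE.TEST (des-cbc-crc)
   1 02/07/12 10:05:00 nfs/nfsclient.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   1 02/07/12 10:05:00 nfs/nfsclient.example.test@EXAMPLE.TEST (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 02/07/12 10:10:00 host/other.example.test@EXAMPLE.TEST (Triple DES cbc mode with HMAC/sha1)
"""

# One keytab entry: KVNO, a two-token timestamp, the principal, then the
# enctype in parentheses (the long form contains spaces).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")

# Single DES only: matches "des-cbc-crc"/"des-cbc-md5" and "DES cbc mode ...",
# but not "des3-cbc-sha1" or "Triple DES cbc mode ...".
SINGLE_DES_RE = re.compile(r"^(des-cbc-|des cbc mode)", re.IGNORECASE)


def parse_klist_kte(text):
    """Return a list of (kvno, principal, enctype) tuples from klist -kte output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return entries


def is_single_des(enctype):
    return SINGLE_DES_RE.match(enctype) is not None


def audit_keytab(text, des_only_services=("nfs",)):
    """Return (principal, problem) pairs for entries that break the policy.

    Policy from the thread: principals of the services in des_only_services
    (nfs/, which the RHEL 5 client can only use with DES) must carry DES keys
    and nothing else; every other principal, host/ in particular, must not
    carry a single-DES key at all.
    """
    by_principal = defaultdict(list)
    for _kvno, principal, enctype in parse_klist_kte(text):
        by_principal[principal].append(enctype)

    findings = []
    for principal, enctypes in sorted(by_principal.items()):
        service = principal.split("/", 1)[0] if "/" in principal else ""
        des = [e for e in enctypes if is_single_des(e)]
        non_des = [e for e in enctypes if not is_single_des(e)]
        if service in des_only_services:
            if non_des:
                findings.append((principal, "non-DES keys present on DES-only service principal: " + ", ".join(non_des)))
            if not des:
                findings.append((principal, "no DES key present; the legacy client cannot use this principal"))
        elif des:
            findings.append((principal, "single-DES key present: " + ", ".join(des)))
    return findings


def audit_keytab_file(path="/etc/krb5.keytab"):
    """Run klist -kte on a real keytab (needs the krb5 client tools) and audit it."""
    out = subprocess.check_output(["klist", "-kte", path], universal_newlines=True)
    return audit_keytab(out)


if __name__ == "__main__":
    # With a path argument, audit that keytab; otherwise audit the sample.
    results = audit_keytab_file(sys.argv[1]) if len(sys.argv) > 1 else audit_keytab(SAMPLE_KLIST_KTE)
    for principal, problem in results:
        print("%s: %s" % (principal, problem))
    sys.exit(1 if results else 0)
```

An exit status of 1 means at least one principal breaks the policy. On the sample, the host/ principal is flagged for carrying a des-cbc-crc key alongside its AES keys, and the nfs/ principal is flagged for carrying an AES key next to its DES key; the 3DES key on the second host/ principal is not single DES and passes. Extend des_only_services if another legacy service is pinned to DES.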
________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: 7 February 2012 17:06
To: Westerlund Johnny
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA and NFS

On Tue, 2012-02-07 at 16:57 +0100, Westerlund Johnny wrote:
> Hey all.
>
> Left for the day so I'll try and post debug output tomorrow. However I
> think I might have stumbled upon the issue.
>
> If I do a klist -kte as root, none of the RHEL6.2 machines have a
> des-cbc-crc key in the list, but the RHEL5.7 does.
> The NFS service which can only use des-cbc-crc can't speak with the KDC
> since that host does not have any keys that support that encryption.
> So I guess I need to enable allow_weak_crypto in the krb5.conf and
> then update my principal on the hosts with ipa-getkeytab -s
> -p host/hostname.domain at DOMAIN

You may also have to enable des keys on the KDC itself, depending on the IPA version.
You certainly need *exclusively* DES keys for the nfs/fqdn at REALM key (due to your old client unfortunately).
All nfs keys must use only DES both on the client and unfortunately also on the server.

However *do not* change the host/ key. You do not need DES keys for that one, and you'd severely degrade your host security by using DES keys in your host/fqdn principal.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Tue Feb 7 16:35:40 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 07 Feb 2012 11:35:40 -0500
Subject: [Freeipa-users] IPA and NFS
In-Reply-To: 
References: ,<1328630796.8485.28.camel@willson.li.ssimo.org>
Message-ID: <1328632540.8485.30.camel@willson.li.ssimo.org>

On Tue, 2012-02-07 at 17:10 +0100, Westerlund Johnny wrote:
> OK, so how do I enable des keys on my KDC? I'm running the IPA on RHEL6.2 so it's the one from the channel, is it 2.1.4? I don't have the machine in front of me so I can't check.
> The documentation does not state that you need to enable des keys on the IPA while setting up this.
> It only states that you need to enable allow_weak_crypto in krb5.conf
> and make sure you export your NFS principal with -e des-cbc-crc.

2.1.x still did not disable DES keys by default, so you should be already all set since you changed the 'allow weak crypto' parameter in krb5.conf on the server.

Now all you need to do is to get a nfs/fqdn keytab that uses only DES keys for your NFS server as well as for the clients.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From johnny.westerlund at atea.se Tue Feb 7 17:01:44 2012
From: johnny.westerlund at atea.se (Westerlund Johnny)
Date: Tue, 7 Feb 2012 18:01:44 +0100
Subject: [Freeipa-users] IPA and NFS
In-Reply-To: <1328632540.8485.30.camel@willson.li.ssimo.org>
References: ,<1328630796.8485.28.camel@willson.li.ssimo.org> , <1328632540.8485.30.camel@willson.li.ssimo.org>
Message-ID: 

I'm pretty sure this doesn't work.
I've created the nfs/client.host.name and exported it via ipa-getkeytab -s -p nfs/client.host.name -e des-cbc-crc.
Enabled secure nfs in /etc/sysconfig/nfs
Then I did the same with the server. Create the nfs/server.host.name and export via ipa-getkeytab -s -p nfs/server.host.name -e des-cbc-crc.
And also enable secure nfs

I'll send an update when I have time to look at this again. But I'm pretty sure that it didn't work.

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: 7 February 2012 17:35
To: Westerlund Johnny
Cc: freeipa-users at redhat.com
Subject: Re: SV: [Freeipa-users] IPA and NFS

On Tue, 2012-02-07 at 17:10 +0100, Westerlund Johnny wrote:
> OK, so how do I enable des keys on my KDC? I'm running the IPA on RHEL6.2 so it's the one from the channel, is it 2.1.4? I don't have the machine in front of me so I can't check.
> The documentation does not state that you need to enable des keys on the IPA while setting up this. It only states that you need to enable allow_weak_crypto in krb5.conf
> and make sure you export your NFS principal with -e des-cbc-crc.
2.1.x still did not disable DES keys by default, so you should be already all set since you changed the 'allow weak crypto' parameter in krb5.conf on the server.

Now all you need to do is to get a nfs/fqdn keytab that uses only DES keys for your NFS server as well as for the clients.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Tue Feb 7 18:18:06 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 07 Feb 2012 13:18:06 -0500
Subject: [Freeipa-users] IPA and NFS
In-Reply-To: 
References: ,<1328630796.8485.28.camel@willson.li.ssimo.org> ,<1328632540.8485.30.camel@willson.li.ssimo.org>
Message-ID: <1328638686.8485.31.camel@willson.li.ssimo.org>

On Tue, 2012-02-07 at 18:01 +0100, Westerlund Johnny wrote:
> I'm pretty sure this doesn't work.
> I've created the nfs/client.host.name and exported it via
> ipa-getkeytab -s -p nfs/client.host.name -e des-cbc-crc.
> enabled secure nfs in /etc/sysconfig/nfs
> Then I did the same with the server. Create the nfs/server.host.name
> and export via ipa-getkeytab -s -p nfs/server.host.name -e
> des-cbc-crc.
> And also enable secure nfs
>
> I'll send an update when I have time to look at this again. But I'm
> pretty sure that it didn't work.

You need debug logs then, because this setup has been tested and is known to work.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ian at crystal.harvard.edu Tue Feb 7 19:50:26 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Tue, 7 Feb 2012 14:50:26 -0500
Subject: [Freeipa-users] Replicas in a state of confusion
Message-ID: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu>

Hello,

On our production IPA servers, we have been running in a multi-master state successfully for several weeks. Yesterday, while attempting to modify some permissions and roles using the web UI, we had an odd problem where the web UI became unresponsive. In an attempt to resolve the issue, I issued an `ipactl restart` and when that didn't fix the web UI, I rebooted the VM.
When IPA services came back up, the replica would try to sync and the primary would crash. I noticed that if IPA on the replica was off, the primary server was fine. So, after fighting with this for a few hours I decided to remove the replica and start the replication process again.

Replica reinstall didn't go so well:

[root at sbgrid-directory ~]# ipa-replica-manage disconnect sbgrid-directory-replica.in.hwlab
[root at sbgrid-directory ~]# ipa-replica-manage del sbgrid-directory-replica.in.hwlab
(this failed, unfortunately I didn't record the error)

[root at sbgrid-directory ~]# ipa-replica-manage del -f sbgrid-directory-replica.in.hwlab

[root at sbgrid-directory-replica ~]# ipa-server-install --uninstall
[root at sbgrid-directory-replica ~]# ipa-replica-install /root/replica-info-sbgrid-directory-replica.in.hwlab.gpg
(...all ok...)
Starting replication, please wait until this has completed.
[sbgrid-directory.in.hwlab] reports: Update failed! Status: [-2 - System error]
creation of replica failed: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

When I try to start the primary (sbgrid-directory) server, I see these errors:

/var/log/messages:

ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for requested realm)

/var/log/dirsrv/slapd-SBGRID-ORG/errors:

NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20

set_krb5_creds - Could not get initial credentials for principal [ldap/sbgrid-directory.in.hwlab at SBGRID.ORG] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)) slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) Yikes, what a mess -- thanks for any help. Ian From Steven.Jones at vuw.ac.nz Tue Feb 7 19:52:49 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 7 Feb 2012 19:52:49 +0000 Subject: [Freeipa-users] promoting a replica section 16.8 In-Reply-To: <4F309C40.20705@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CB84F67@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F309C40.20705@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CB85288@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Sorry I must have mis-read....so a Replica is a full read/write Master or read only copy? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Tuesday, 7 February 2012 4:36 p.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] promoting a replica section 16.8 Steven Jones wrote: > > Once these actions are carried out does that mean the webgui is active? is is there any other actions needed to make the promoted replica the new read/write master? Promoting a replica is only necessary if you installed with a selfsign CA and want to issue certs from that machine. With selfsign you really should pick one machine as the CA and stick with it otherwise you'll end up issuing different certs with duplicate serial numbers and sooner or later that will catch up with you. Promotion is documented in case that single point of failure, well, fails. Once a replica is installed it is a full IPA server. This means the UI, XML-RPC interface, KDC, LDAP backend, the works. The only optional components are the DNS and CA (dogtag). 
regards rob From rcritten at redhat.com Tue Feb 7 20:08:06 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Feb 2012 15:08:06 -0500 Subject: [Freeipa-users] promoting a replica section 16.8 In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CB85288@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CB84F67@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F309C40.20705@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CB85288@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4F3184A6.3000603@redhat.com> Steven Jones wrote: > Hi, > > Sorry I must have mis-read....so a Replica is a full read/write Master or read only copy? Full read/write. We do not provide a way to create read-only replicas (though 389-ds supports them). rob From rcritten at redhat.com Tue Feb 7 20:17:43 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Feb 2012 15:17:43 -0500 Subject: [Freeipa-users] Replicas in a state of confusion In-Reply-To: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> Message-ID: <4F3186E7.7080003@redhat.com> Ian Levesque wrote: > Hello, > > On our production IPA servers, we have been running in a multi-master state successfully for several weeks. Yesterday, while attempting to modify some permissions and roles using the web UI, we had an odd problem where the web UI became unresponsive. In an attempt to resolve the issue, I issued an `ipactl restart` and when that didn't fix the web UI, I rebooted the VM. When IPA services came back up, the replica would try to sync and the primary would crash. I noticed that if IPA on the replica was off, the primary server was fine. So, after fighting with this for a few hours I decided to remove the replica and start the replication process again. 
> > Replica reinstall didn't go so well: > > [root at sbgrid-directory ~]# ipa-replica-manage disconnect sbgrid-directory-replica.in.hwlab > [root at sbgrid-directory ~]# ipa-replica-manage del sbgrid-directory-replica.in.hwlab > (this failed, unfortunately I didn't record the error) > > [root at sbgrid-directory ~]# ipa-replica-manage del -f sbgrid-directory-replica.in.hwlab > > [root at sbgrid-directory-replica ~]# ipa-server-install --uninstall > [root at sbgrid-directory-replica ~]# ipa-replica-install /root/replica-info-sbgrid-directory-replica.in.hwlab.gpg > (...all ok...) > Starting replication, please wait until this has completed. > [sbgrid-directory.in.hwlab] reports: Update failed! Status: [-2 - System error] > creation of replica failed: Failed to start replication > > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > When I try to start the primary (sbgrid-directory) server, I see these errors: > > /var/log/messages: > > ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for requested realm) > > /var/log/dirsrv/slapd-SBGRID-ORG/errors: > > NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20 > > set_krb5_creds - Could not get initial credentials for principal [ldap/sbgrid-directory.in.hwlab at SBGRID.ORG] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) > > slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)) > > slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > > > Yikes, what a mess -- thanks for any help. > Ian Strange. 
Is your 389-ds instance running? If so can you run this query: ldapsearch -x -b 'cn=services,cn=accounts,dc=sbgrid,dc=org' '(krbprincipalname=*sbgrid-directory*)' I have the feeling that the principals for your IPA server have gone away. Note that when removing a replica it is often necessary to restart its replication partners because sometimes there are old tickets cached. I've never seen a case where principals were actually removed though. What version of IPA are you running, on what distro? rob From ian at crystal.harvard.edu Tue Feb 7 20:53:05 2012 From: ian at crystal.harvard.edu (Ian Levesque) Date: Tue, 7 Feb 2012 15:53:05 -0500 Subject: [Freeipa-users] Replicas in a state of confusion In-Reply-To: <4F318BEF.8080103@redhat.com> References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> Message-ID: On Feb 7, 2012, at 3:39 PM, Rob Crittenden wrote: >>> >>> Strange. Is your 389-ds instance running? If so can you run this query: >>> >>> ldapsearch -x -b 'cn=services,cn=accounts,dc=sbgrid,dc=org' '(krbprincipalname=*sbgrid-directory*)' >>> >>> I have the feeling that the principals for your IPA server have gone away. >> >> Rather than post all the output, I filtered on the krbPrincipalName attribute. 
Let me know if you want to see more: >> >> dn: krbprincipalname=dogtagldap/sbgrid-directory.in.hwlab at SBGRID.ORG,cn=servic >> es,cn=accounts,dc=sbgrid,dc=org >> krbPrincipalName: dogtagldap/sbgrid-directory.in.hwlab at SBGRID.ORG >> >> dn: krbprincipalname=ldap/sbgrid-directory.in.hwlab at SBGRID.ORG,cn=services,cn= >> accounts,dc=sbgrid,dc=org >> krbPrincipalName: ldap/sbgrid-directory.in.hwlab at SBGRID.ORG >> >> dn: krbprincipalname=HTTP/sbgrid-directory.in.hwlab at SBGRID.ORG,cn=services,cn= >> accounts,dc=sbgrid,dc=org >> krbPrincipalName: HTTP/sbgrid-directory.in.hwlab at SBGRID.ORG >> >> >> >>> Note that when removing a replica it is often necessary to restart its replication partners because sometimes there are old tickets cached. I've never seen a case where principals were actually removed though. >>> >>> What version of IPA are you running, on what distro? >> >> >> CentOS 6.2 >> ipa-server-2.1.3-9.el6.x86_64 >> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64 >> >> Thanks, >> Ian > > Ok, this looks good. Is the krb5kdc process running? 
It is indeed: [root at sbgrid-directory dirsrv]# kinit ian Password for ian at SBGRID.ORG: [root at sbgrid-directory dirsrv]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: ian at SBGRID.ORG Valid starting Expires Service principal 02/07/12 15:51:02 02/08/12 15:51:00 krbtgt/SBGRID.ORG at SBGRID.ORG ~irl From Steven.Jones at vuw.ac.nz Tue Feb 7 20:54:13 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 7 Feb 2012 20:54:13 +0000 Subject: [Freeipa-users] Roles and permissions In-Reply-To: <4F309B6A.9080506@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CB84EBA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F309B6A.9080506@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CB8529E@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, "Users in group A can manage the membership of group B Users in group A can manage this small set of attributes of members of group B" Yes, I can see that delegating is going to be very hard to do securely / properly.....at least with [my] limited knowledge....My problem is that I have a central IT department but many schools who want to be as autonomous as possible (totally if they can achieve it). I also have managers who only understand AD somewhat....and they think this can all be done without themselves understanding what is to be done, so they make/have requirements that might seem reasonable but really are not but I dont know enough to say so. So it could well be on a case by case basis I have to design such a delegation.....looks like I will need a good level of understanding which I obviously lack.....I mean I cant even get across to you what I mean!!! doh..... Having briefly chatted to an AD guy this problem isnt just faced by IPA... :( regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Tuesday, 7 February 2012 4:32 p.m. 
To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Roles and permissions Steven Jones wrote: > Hi, > > Trying to get my head around these....is it possible to create a group administrator say "engineering team administrator" and have that role only able to add specific users (how to specify?) to specific user groups (say) ie I want to be able to delegate responsibility for limited groups and users to others and limit their functioanilty...? Need a little more to go on. It is that "how to specify" question that really matters. How DO you distinguish between users? You can add extra attributes to break them into groups, or you can literally put them into extra groups and manage them that way (easiest). But you definitely need a way to distinguish them. Creating this type of permission would require a bit of LDAP knowledge, mostly just knowing which attributes to use. It all depends on what responsibility you are delegating. I'm not entirely sure what you're after so I don't want to guess and end up down a deep rabbit hole, but it is probably going to be easiest to break the permissions into smaller components like: Users in group A can manage the membership of group B Users in group A can manage this small set of attributes of members of group B Both of these are relatively straightforward. I can provide examples if you can give me some more guidance on what you're looking for. > I dont find that section of the manual very easy to understand....I'd like examples or more explanation.... > > Also if such a say (bad) "engineering team administrator" could add anyone say THE admin to a group that the (bad) admin had password changes in/on then this allows the bad admin to change that admin user password............the user then effectively owns the IPA system...? Yes, it would be a problem if you granted password change permission to a bad admin. That is true in any system. 
Given that we've got a ticket open to limit those who can change the password of those in the admins group to those in the admins group, so helpdesk can change user's passwords but not admins. That is currently possible. regards rob From Steven.Jones at vuw.ac.nz Tue Feb 7 20:59:25 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 7 Feb 2012 20:59:25 +0000 Subject: [Freeipa-users] promoting a replica section 16.8 In-Reply-To: <4F3184A6.3000603@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CB84F67@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F309C40.20705@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CB85288@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F3184A6.3000603@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CB852E2@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Yes....tested and it works....thanks. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Wednesday, 8 February 2012 9:08 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] promoting a replica section 16.8 Steven Jones wrote: > Hi, > > Sorry I must have mis-read....so a Replica is a full read/write Master or read only copy? Full read/write. We do not provide a way to create read-only replicas (though 389-ds supports them). rob From rcritten at redhat.com Tue Feb 7 21:56:55 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Feb 2012 16:56:55 -0500 Subject: [Freeipa-users] Replicas in a state of confusion In-Reply-To: References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> Message-ID: <4F319E27.4090707@redhat.com> Ian Levesque wrote: > > On Feb 7, 2012, at 3:39 PM, Rob Crittenden wrote: > >>>> >>>> Strange. Is your 389-ds instance running? 
If so can you run this query: >>>> >>>> ldapsearch -x -b 'cn=services,cn=accounts,dc=sbgrid,dc=org' '(krbprincipalname=*sbgrid-directory*)' >>>> >>>> I have the feeling that the principals for your IPA server have gone away. >>> >>> Rather than post all the output, I filtered on the krbPrincipalName attribute. Let me know if you want to see more: >>> >>> dn: krbprincipalname=dogtagldap/sbgrid-directory.in.hwlab at SBGRID.ORG,cn=servic >>> es,cn=accounts,dc=sbgrid,dc=org >>> krbPrincipalName: dogtagldap/sbgrid-directory.in.hwlab at SBGRID.ORG >>> >>> dn: krbprincipalname=ldap/sbgrid-directory.in.hwlab at SBGRID.ORG,cn=services,cn= >>> accounts,dc=sbgrid,dc=org >>> krbPrincipalName: ldap/sbgrid-directory.in.hwlab at SBGRID.ORG >>> >>> dn: krbprincipalname=HTTP/sbgrid-directory.in.hwlab at SBGRID.ORG,cn=services,cn= >>> accounts,dc=sbgrid,dc=org >>> krbPrincipalName: HTTP/sbgrid-directory.in.hwlab at SBGRID.ORG >>> >>> >>> >>>> Note that when removing a replica it is often necessary to restart its replication partners because sometimes there are old tickets cached. I've never seen a case where principals were actually removed though. >>>> >>>> What version of IPA are you running, on what distro? >>> >>> >>> CentOS 6.2 >>> ipa-server-2.1.3-9.el6.x86_64 >>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64 >>> >>> Thanks, >>> Ian >> >> Ok, this looks good. Is the krb5kdc process running? > > > It is indeed: > > [root at sbgrid-directory dirsrv]# kinit ian > Password for ian at SBGRID.ORG: > > [root at sbgrid-directory dirsrv]# klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: ian at SBGRID.ORG > > Valid starting Expires Service principal > 02/07/12 15:51:02 02/08/12 15:51:00 krbtgt/SBGRID.ORG at SBGRID.ORG > > ~irl Hmm, very strange. It seems like your server is actually up and running ok, am I reading this incorrectly? Does your command-line work: ipa user-show admin Perhaps those are just spurious errors in the errors log. You might try re-creating the replica again. 
You've done a restart since so it should have cleared the ticket cache. rob From ian at crystal.harvard.edu Wed Feb 8 04:19:36 2012 From: ian at crystal.harvard.edu (Ian Levesque) Date: Tue, 7 Feb 2012 23:19:36 -0500 Subject: [Freeipa-users] Replicas in a state of confusion In-Reply-To: <4F319E27.4090707@redhat.com> References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> Message-ID: <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> >>>>> >>>>> Strange. Is your 389-ds instance running? If so can you run this query: >>>>> >>>>> ldapsearch -x -b 'cn=services,cn=accounts,dc=sbgrid,dc=org' '(krbprincipalname=*sbgrid-directory*)' >>>>> >>>>> I have the feeling that the principals for your IPA server have gone away. >>>> >>>> Rather than post all the output, I filtered on the krbPrincipalName attribute. Let me know if you want to see more: >>>> >>>> dn: krbprincipalname=dogtagldap/sbgrid-directory.in.hwlab at SBGRID.ORG,cn=servic >>>> es,cn=accounts,dc=sbgrid,dc=org >>>> krbPrincipalName: dogtagldap/sbgrid-directory.in.hwlab at SBGRID.ORG >>>> >>>> dn: krbprincipalname=ldap/sbgrid-directory.in.hwlab at SBGRID.ORG,cn=services,cn= >>>> accounts,dc=sbgrid,dc=org >>>> krbPrincipalName: ldap/sbgrid-directory.in.hwlab at SBGRID.ORG >>>> >>>> dn: krbprincipalname=HTTP/sbgrid-directory.in.hwlab at SBGRID.ORG,cn=services,cn= >>>> accounts,dc=sbgrid,dc=org >>>> krbPrincipalName: HTTP/sbgrid-directory.in.hwlab at SBGRID.ORG >>>> >>>> >>>> >>>>> Note that when removing a replica it is often necessary to restart its replication partners because sometimes there are old tickets cached. I've never seen a case where principals were actually removed though. >>>>> >>>>> What version of IPA are you running, on what distro? 
>>>> >>>> >>>> CentOS 6.2 >>>> ipa-server-2.1.3-9.el6.x86_64 >>>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64 >>>> >>>> Thanks, >>>> Ian >>> >>> Ok, this looks good. Is the krb5kdc process running? >> >> >> It is indeed: >> >> [root at sbgrid-directory dirsrv]# kinit ian >> Password for ian at SBGRID.ORG: >> >> [root at sbgrid-directory dirsrv]# klist >> Ticket cache: FILE:/tmp/krb5cc_0 >> Default principal: ian at SBGRID.ORG >> >> Valid starting Expires Service principal >> 02/07/12 15:51:02 02/08/12 15:51:00 krbtgt/SBGRID.ORG at SBGRID.ORG >> >> ~irl > > Hmm, very strange. It seems like your server is actually up and running ok, am I reading this incorrectly? > > Does your command-line work: ipa user-show admin > > Perhaps those are just spurious errors in the errors log. Sorry if that wasn't clear - aside from the errors I'm seeing now (which I didn't see before the replication broke), LDAP, Kerberos and the cli/web UI seem to work on the primary server. The problems I'm having are: 1) The secondary replica is unable to sync and 2) the errors being logged are ominous and only started appearing after this disconnect. > You might try re-creating the replica again. You've done a restart since so it should have cleared the ticket cache. I've rebooted both, and continue to have the same issue. On the replica: [21/29]: setting up initial replication Starting replication, please wait until this has completed. [sbgrid-directory.in.hwlab] reports: Update failed! Status: [-2 - System error] creation of replica failed: Failed to start replication On the "primary": slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Cannot contact any KDC for requested realm))

slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)

`ipa-replica-manage list` on the primary still lists both...

sbgrid-directory.in.hwlab: master
sbgrid-directory-replica.in.hwlab: master

Thanks for your continued interest.

~irl

-- 
Ian Levesque
Research Systems Architect
Harvard Medical School Structural Biology Grid
http://cmcd.hms.harvard.edu
http://core.sbgrid.org

From freeipa at noboost.org Wed Feb 8 04:39:34 2012
From: freeipa at noboost.org (Craig T)
Date: Wed, 8 Feb 2012 15:39:34 +1100
Subject: [Freeipa-users] IPA Error on Server with Public IP?? "cannot use IP network address"
Message-ID: <20120208043934.GA2335@noboost.org>

Hi,

Is IPA somehow restricted from running on machines with a public IP address?

I'm attempting to install IPA for practice on my Linux VPS (CentOS 6.2 x86_64);
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64

Error:
----------------------------------------------------------------------------
Server host name [mx1.example.com]:

root        : DEBUG    will use host_name: mx1.example.com

The domain name has been calculated based on the host name.
Please confirm the domain name [example.com]:

root        : DEBUG    read domain_name: example.com

root        : DEBUG    args=/sbin/ip -family inet -oneline address show
root        : DEBUG    stdout=1: lo    inet 127.0.0.1/8 scope host lo
3: venet0    inet 127.0.0.1/32 scope host venet0
3: venet0    inet 100.111.111.1/32 brd 100.111.111.1 scope global venet0:0
3: venet0    inet 100.111.111.2/32 brd 100.111.111.2 scope global venet0:1

root        : DEBUG    stderr=
Unexpected error - see ipaserver-install.log for details:
cannot use IP network address
root        : DEBUG    cannot use IP network address
  File "/usr/sbin/ipa-server-install", line 1151, in <module>
    sys.exit(main())

  File "/usr/sbin/ipa-server-install", line 770, in main
    ip = CheckedIPAddress(hostaddr, match_local=True)

  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 145, in __init__
    raise ValueError("cannot use IP network address")
----------------------------------------------------------------------------

cya

Craig

From sbingram at gmail.com Wed Feb 8 06:25:48 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Tue, 7 Feb 2012 22:25:48 -0800
Subject: [Freeipa-users] IPA Error on Server with Public IP?? "cannot use IP network address"
In-Reply-To: <20120208043934.GA2335@noboost.org>
References: <20120208043934.GA2335@noboost.org>
Message-ID: 

On Tue, Feb 7, 2012 at 8:39 PM, Craig T wrote:
> Hi,
>
> Is IPA somehow restricted from running on machines with a public IP address?
>
> I'm attempting to install IPA for practice on my Linux VPS (CentOS 6.2 x86_64);
...snip...
>
> Error:
> ----------------------------------------------------------------------------
> Server host name [mx1.example.com]:
>
> root        : DEBUG    will use host_name: mx1.example.com
>
> The domain name has been calculated based on the host name.
>
> Please confirm the domain name [example.com]:
>
> root        : DEBUG    read domain_name: example.com
>
> root        : DEBUG    args=/sbin/ip -family inet -oneline address show
> root        : DEBUG    stdout=1: lo
?inet 127.0.0.1/8 scope host lo > 3: venet0 ? ?inet 127.0.0.1/32 scope host venet0 > 3: venet0 ? ?inet 100.111.111.1/32 brd 100.111.111.1 scope global venet0:0 > 3: venet0 ? ?inet 100.111.111.2/32 brd 100.111.111.2 scope global venet0:1 > > root ? ? ? ?: DEBUG ? ?stderr= > Unexpected error - see ipaserver-install.log for details: > cannot use IP network address > root ? ? ? ?: DEBUG ? ?cannot use IP network address > File "/usr/sbin/ipa-server-install", line 1151, in > sys.exit(main()) > > File "/usr/sbin/ipa-server-install", line 770, in main > ip = CheckedIPAddress(hostaddr, match_local=True) > > File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 145, in __init__ > raise ValueError("cannot use IP network address") > ---------------------------------------------------------------------------- I can see you are trying to install FreeIPA on an OpenVZ VM. The problem is the venet interfaces you are using which don't use a routed network configuration. I have successfully installed it, but using veth interfaces instead. FreeIPA will then be able to correctly determine the IP address and install without issue. Steve From freeipa at noboost.org Wed Feb 8 06:33:23 2012 From: freeipa at noboost.org (Craig T) Date: Wed, 8 Feb 2012 17:33:23 +1100 Subject: [Freeipa-users] IPA Error on Server with Public IP?? "cannot use IP network address" In-Reply-To: <20120208043934.GA2335@noboost.org> References: <20120208043934.GA2335@noboost.org> Message-ID: <20120208063323.GA2420@noboost.org> A friend of mine help me work this out. FreeIPA install script is checking to see if the IP is the same as the broadcast address. I've never hosted a VPS server so I'm not sure of the IP mask could have been better configured? 
----------------------------------------------------------------------------------------
venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:100.111.111.1  P-t-P:100.111.111.1  Bcast:100.111.111.1  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
----------------------------------------------------------------------------------------

The workaround: /usr/lib/python2.6/site-packages/ipapython/ipautil.py line 145 as below.. remark all 4 lines and it'll continue

"""
        if addr == net.network:
            raise ValueError("cannot use IP network address")
        if addr.version == 4 and addr == net.broadcast:
            raise ValueError("cannot use broadcast IP address")
"""

cya

Craig

On Wed, Feb 08, 2012 at 03:39:34PM +1100, Craig T wrote:
> Hi,
>
> Is IPA somehow restricted from running on machines with a public IP address?
>
> I'm attempting to install IPA for practice on my Linux VPS (Centos 6.2 x86_64);
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
>
> Error:
> ----------------------------------------------------------------------------
> Server host name [mx1.example.com]:
>
> root        : DEBUG    will use host_name: mx1.example.com
>
> The domain name has been calculated based on the host name.
>
> Please confirm the domain name [example.com]:
>
> root        : DEBUG    read domain_name: example.com
>
> root        : DEBUG    args=/sbin/ip -family inet -oneline address show
> root        : DEBUG    stdout=1: lo    inet 127.0.0.1/8 scope host lo
> 3: venet0    inet 127.0.0.1/32 scope host venet0
> 3: venet0    inet 100.111.111.1/32 brd 100.111.111.1 scope global venet0:0
> 3: venet0    inet 100.111.111.2/32 brd 100.111.111.2 scope global venet0:1
>
> root        : DEBUG    stderr=
> Unexpected error - see ipaserver-install.log for details:
> cannot use IP network address
> root        : DEBUG    cannot use IP network address
>   File "/usr/sbin/ipa-server-install", line 1151, in <module>
>     sys.exit(main())
>
>   File "/usr/sbin/ipa-server-install", line 770, in main
>     ip = CheckedIPAddress(hostaddr, match_local=True)
>
>   File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 145, in __init__
>     raise ValueError("cannot use IP network address")
> ----------------------------------------------------------------------------
>
> cya
>
> Craig
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From dale at themacartneyclan.com Wed Feb 8 11:13:36 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 08 Feb 2012 11:13:36 +0000
Subject: [Freeipa-users] ipa-getkeytab during %post
Message-ID: <4F3258E0.7060007@themacartneyclan.com>

morning all...

i'm dabbling with automated provisioning of ipa client servers, and i'm a little perplexed on how to add a keytab to a system during the %post section of a kickstart...

i've run ipa-client-install -U -p admin -w redhat123 which works perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't appear to be generated during the ipa-client-install.

any suggestions on doing this during a post?
Dale
From sigbjorn at nixtra.com Wed Feb 8 11:23:45 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 8 Feb 2012 12:23:45 +0100 (CET)
Subject: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD
In-Reply-To: <1328363894.2611.25.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <22124.213.225.75.97.1327935713.squirrel@www.nixtra.com>
 <1327936847.2240.25.camel@sgallagh520.sgallagh.bos.redhat.com>
 <1327943174.2240.38.camel@sgallagh520.sgallagh.bos.redhat.com>
 <33082.213.225.75.97.1328013343.squirrel@www.nixtra.com>
 <1328013646.2240.98.camel@sgallagh520.sgallagh.bos.redhat.com>
 <24621.213.225.75.97.1328090527.squirrel@www.nixtra.com>
 <1328099322.2240.212.camel@sgallagh520.sgallagh.bos.redhat.com>
 <1328105073.21059.23.camel@willson.li.ssimo.org>
 <25438.213.225.75.97.1328270009.squirrel@www.nixtra.com>
 <1328363894.2611.25.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <22281.213.225.75.97.1328700225.squirrel@www.nixtra.com>

On Sat, February 4, 2012 14:58, Stephen Gallagher wrote:
> On Fri, 2012-02-03 at 12:53 +0100, Sigbjorn Lie wrote:
>
>> On Wed, February 1, 2012 15:04, Simo Sorce wrote:
>>
>>> On Wed, 2012-02-01 at 07:28 -0500, Stephen Gallagher wrote:
>>>
>>>> On Wed, 2012-02-01 at 11:02 +0100, Sigbjorn Lie wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Is this more like the expected output? :)
>>>>>
>>>>
>>>> No, I'm afraid it's not. That's a log of a legitimate shutdown, not a
>>>> segmentation fault. (Receiving SIGTERM means that the monitor told the process to exit).
>>>>
>>>> Possibly this happened if the time between attaching to the process and
>>>> typing 'cont' was more than about 30 seconds. The monitor will assume the sssd_be process
>>>> isn't responding and will kill and restart it.
>>>>
>>>> You will know you got the correct results if you see
>>>>
>>>> "Program received signal SIGSEGV, Segmentation fault."
>>>>
>>>> and then you can immediately perform the 'bt full'
>>>
>>> For better results with gdb I suggest to kill SIGSTOP the monitor before
>>> attaching gdb to any of the responders or the providers, this way the monitor will be prevented
>>> from sending termination signals to the children. However, don't do this for long, only for
>>> short periods and kill SIGCONT back the monitor immediately after.
>>>
>>
>> Please see below. Does this help?
>>
>
> Yes, thank you it does.
>
>>
>> (gdb) bt full
>> #0  sysdb_attrs_get_el_int (attrs=0x6c616d726f6e2d72, name=0x43c75d "name",
>>     alloc=true, el=0x7fffe9e0dab8) at src/db/sysdb.c:254
>>         e = <value optimized out>
>>         i = <value optimized out>
>> #1  0x00000000004221d7 in sysdb_attrs_primary_name (sysdb=0xf725e00,
>>     attrs=0x6c616d726f6e2d72, ldap_attr=0xf741110 "cn",
>
> The memory address for "attrs" here is WAY out of range. That suggests
> that this is an uninitialized value.
>
>>     _primary=0x7fffe9e0db58) at src/db/sysdb.c:2441
>>         ret = <value optimized out>
>>         rdn_attr = 0x0
>>         rdn_val = 0x0
>>         sysdb_name_el = 0x61
>>         orig_dn_el = <value optimized out>
>>         i = <value optimized out>
>>         tmpctx = 0xf768ce0
>>         __FUNCTION__ = "sysdb_attrs_primary_name"
>> #2  0x000000000042290d in sysdb_attrs_primary_name_list (sysdb=0xf725e00,
>>     mem_ctx=<value optimized out>, attr_list=0xf772e20, attr_count=2, ldap_attr=0xf741110 "cn",
>>     name_list=0x7fffe9e0dc88) at src/db/sysdb.c:2606
>>         ret = 259427552
>>         i = 1
>
> i = 1, so it's the second entry in the attr_list being passed in. My spidey-sense is tingling
> here. Probably the array is one entry too long above.
>
>>         j = 1
>>         list = <value optimized out>
>>         name = 0xf769580 "ac_server-normal"
>>         __FUNCTION__ = "sysdb_attrs_primary_name_list"
>> #3  0x00002b20c9684456 in sdap_initgr_nested_get_membership_diff (
>>     state=0xf7726f0) at src/providers/ldap/sdap_async_accounts.c:3061
>>         __FUNCTION__ = "sdap_initgr_nested_get_membership_diff"
>>
>
> This is the function that is creating that array (well, actually it's
> sdap_initgr_nested_get_direct_parents()). So the bug must be occurring here. We're somehow creating
> an array of two entries but not populating the second one.
>
> That said, I'm not sure how that's possible. The code there is very
> short and seems pretty carefully-written to avoid this possibility.
>
> I don't have time today to dig into this any further, but I wanted to
> get my findings down in an email so that if anyone else wanted to jump on this before I get back to
> it, they don't have to start from scratch.

Hi,

Any progress on this?

Regards,
Siggi

From chorn at fluxcoil.net Wed Feb 8 09:28:03 2012
From: chorn at fluxcoil.net (Christian Horn)
Date: Wed, 8 Feb 2012 10:28:03 +0100
Subject: [Freeipa-users] ipa-getkeytab during %post
In-Reply-To: <4F3258E0.7060007@themacartneyclan.com>
References: <4F3258E0.7060007@themacartneyclan.com>
Message-ID: <20120208092803.GA23650@fluxcoil.net>

On Wed, Feb 08, 2012 at 11:13:36AM +0000, Dale Macartney wrote:
>
> i'm dabbling with automated provisioning of ipa client servers, and i'm
> a little perplexed on how to add a keytab to a system during the %post
> section of a kickstart...
>
> i've run ipa-client-install -U -p admin -w redhat123 which works
> perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't
> appear to be generated during the ipa-client-install.
>
> any suggestions on doing this during a post?

The password does not look nice here though..

echo 'redhat123' | kinit admin --

One might also be able to fetch the ticket as a file and deploy
it on the system for usage.
Christian

From dale at themacartneyclan.com Wed Feb 8 11:33:44 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 08 Feb 2012 11:33:44 +0000
Subject: [Freeipa-users] ipa-getkeytab during %post
In-Reply-To: <20120208092803.GA23650@fluxcoil.net>
References: <4F3258E0.7060007@themacartneyclan.com> <20120208092803.GA23650@fluxcoil.net>
Message-ID: <4F325D98.1000303@themacartneyclan.com>

Thanks Christian

I was thinking the same to be honest.. the issue with having a password in a kickstart is obviously that someone can read it in clear text. here I would see the need to use a specific role account with limited ability, but the issue remains the same... it's a clear text password and has the ability to read ipa data.

I was pondering the idea of fetching a keytab file, however as the system has not yet registered itself into ipa, there is no host data available to be exported to a key..

has anyone performed this kind of task in an environment of their own so far?

Dale

On 02/08/2012 09:28 AM, Christian Horn wrote:
> On Wed, Feb 08, 2012 at 11:13:36AM +0000, Dale Macartney wrote:
>>
>> i'm dabbling with automated provisioning of ipa client servers, and i'm
>> a little perplexed on how to add a keytab to a system during the %post
>> section of a kickstart...
>>
>> i've run ipa-client-install -U -p admin -w redhat123 which works
>> perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't
>> appear to be generated during the ipa-client-install.
>>
>> any suggestions on doing this during a post?
>
> The password does not look nice here though..
>
> echo 'redhat123' | kinit admin --
>
> One might also be able to fetch the ticket as a file and deploy
> it on the system for usage.
>
> Christian

From simo at redhat.com Wed Feb 8 13:49:50 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 08 Feb 2012 08:49:50 -0500
Subject: [Freeipa-users] ipa-getkeytab during %post
In-Reply-To: <4F3258E0.7060007@themacartneyclan.com>
References: <4F3258E0.7060007@themacartneyclan.com>
Message-ID: <1328708990.5829.0.camel@willson.li.ssimo.org>

On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
> morning all...
>
> i'm dabbling with automated provisioning of ipa client servers, and i'm
> a little perplexed on how to add a keytab to a system during the %post
> section of a kickstart...
>
> i've run ipa-client-install -U -p admin -w redhat123 which works
> perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't
> appear to be generated during the ipa-client-install.
>
> any suggestions on doing this during a post?

What version of ipa-client-install are you using?

Newer versions (2.x) should fetch a keytab for your system (needs credentials or OTP password).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dale at themacartneyclan.com Wed Feb 8 14:44:51 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 08 Feb 2012 14:44:51 +0000
Subject: [Freeipa-users] ipa-getkeytab during %post
In-Reply-To: <1328708990.5829.0.camel@willson.li.ssimo.org>
References: <4F3258E0.7060007@themacartneyclan.com> <1328708990.5829.0.camel@willson.li.ssimo.org>
Message-ID: <4F328A63.2020907@themacartneyclan.com>

Hi Simo

ipa-client-install is provided by the ipa-client rpm. Details below

Name    : ipa-client
Arch    : x86_64
Version : 2.1.3
Release : 9.el6
Size    : 222 k
Repo    : installed

What I am trying to achieve is these two commands in a post...

ipa service-add HTTP/$(hostname)
this definitely requires an authenticated user to add i'm sure

ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k /etc/squid/krb5.keytab
this one I suspect might be able to be retrieved using the host/ principal from the system after running ipa-client-install.

Does this help paint a picture?

Dale

On 02/08/2012 01:49 PM, Simo Sorce wrote:
> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
>> morning all...
>>
>> i'm dabbling with automated provisioning of ipa client servers, and i'm
>> a little perplexed on how to add a keytab to a system during the %post
>> section of a kickstart...
>>
>> i've run ipa-client-install -U -p admin -w redhat123 which works
>> perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't
>> appear to be generated during the ipa-client-install.
>>
>> any suggestions on doing this during a post?
>
> What version of ipa-client-install are you using?
>
> Newer versions (2.x) should fetch a keytab for your system (needs
> credentials or OTP password).
>
> Simo.
>
From JR.Aquino at citrix.com Wed Feb 8 15:33:36 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 8 Feb 2012 15:33:36 +0000
Subject: [Freeipa-users] ipa-getkeytab during %post
In-Reply-To: <4F328A63.2020907@themacartneyclan.com>
References: <4F3258E0.7060007@themacartneyclan.com> <1328708990.5829.0.camel@willson.li.ssimo.org> <4F328A63.2020907@themacartneyclan.com>
Message-ID: <1B994461-2DCB-4466-8D3D-AD22DDDF4CD5@citrixonline.com>

If you are really trying to go the route of using the password, the best way to accomplish that is to procedurally ADD the host ahead of time with the -random flag to generate a one-time-pass. Then insert that 1 time password dynamically into the kickstart script.

If you want to approach the problem from a technical side and not procedural... I don't suppose you have Puppet?

You can utilize puppet to deploy a 'host provisioning' keytab that you then kinit -kt before issuing the other commands that require authentication. When it is finished, delete the keytab.

The problem with authentication and complete hands off automation is that you always have to whittle it down to an area of acceptable risk with lots of compensating controls and logging.

On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:

> Hi Simo
>
> ipa-client-install is provided by the ipa-client rpm. Details below
>
> Name    : ipa-client
> Arch    : x86_64
> Version : 2.1.3
> Release : 9.el6
> Size    : 222 k
> Repo    : installed
>
>
> What I am trying to achieve is these two commands in a post...
>
> ipa service-add HTTP/$(hostname)
> this definitely requires an authenticated user to add i'm sure
>
>
> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
> /etc/squid/krb5.keytab
> this one I suspect might be able to be retrieved using the host/
> principal from the system after running ipa-client-install.
>
>
> Does this help paint a picture?
>
>
> Dale
>
>
> On 02/08/2012 01:49 PM, Simo Sorce wrote:
>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
>>> morning all...
>>>
>>> i'm dabbling with automated provisioning of ipa client servers, and i'm
>>> a little perplexed on how to add a keytab to a system during the %post
>>> section of a kickstart...
>>>
>>> i've run ipa-client-install -U -p admin -w redhat123 which works
>>> perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't
>>> appear to be generated during the ipa-client-install.
>>>
>>> any suggestions on doing this during a post?
>>
>> What version of ipa-client-install are you using?
>>
>> Newer versions (2.x) should fetch a keytab for your system (needs
>> credentials or OTP password).
>>
>> Simo.
>>

From dale at themacartneyclan.com Wed Feb 8 15:49:17 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 08 Feb 2012 15:49:17 +0000
Subject: [Freeipa-users] ipa-getkeytab during %post
In-Reply-To: <1B994461-2DCB-4466-8D3D-AD22DDDF4CD5@citrixonline.com>
References: <4F3258E0.7060007@themacartneyclan.com> <1328708990.5829.0.camel@willson.li.ssimo.org> <4F328A63.2020907@themacartneyclan.com> <1B994461-2DCB-4466-8D3D-AD22DDDF4CD5@citrixonline.com>
Message-ID: <4F32997D.50102@themacartneyclan.com>

Hi JR

I agree with your statement of acceptable risk.. this is my main reason for questioning..

The ideal situation would be to run this as a satellite kickstart snippet for provisioning with kickstart profiles... That way I can utilize the existing provisioning platform for everything.

At the moment everything is in dev using scripted kickstarts for testing.

Dale

On 02/08/2012 03:33 PM, JR Aquino wrote:
> If you are really trying to go the route of using the password, the best way to accomplish that is to procedurally ADD the host ahead of time with the -random flag to generate a one-time-pass. Then insert that 1 time password dynamically into the kickstart script.
>
> If you want to approach the problem from a technical side and not procedural... I don't suppose you have Puppet?
>
> You can utilize puppet to deploy a 'host provisioning' keytab that you then kinit -kt before issuing the other commands that require authentication. When it is finished, delete the keytab.
>
> The problem with authentication and complete hands off automation is that you always have to whittle it down to an area of acceptable risk with lots of compensating controls and logging.
>
>
> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
>
>> Hi Simo
>>
>> ipa-client-install is provided by the ipa-client rpm. Details below
>>
>> Name    : ipa-client
>> Arch    : x86_64
>> Version : 2.1.3
>> Release : 9.el6
>> Size    : 222 k
>> Repo    : installed
>>
>>
>> What I am trying to achieve is these two commands in a post...
>>
>> ipa service-add HTTP/$(hostname)
>> this definitely requires an authenticated user to add i'm sure
>>
>>
>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
>> /etc/squid/krb5.keytab
>> this one I suspect might be able to be retrieved using the host/
>> principal from the system after running ipa-client-install.
>>
>>
>> Does this help paint a picture?
>>
>>
>> Dale
>>
>>
>> On 02/08/2012 01:49 PM, Simo Sorce wrote:
>>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
>>>> morning all...
>>>>
>>>> i'm dabbling with automated provisioning of ipa client servers, and i'm
>>>> a little perplexed on how to add a keytab to a system during the %post
>>>> section of a kickstart...
>>>>
>>>> i've run ipa-client-install -U -p admin -w redhat123 which works
>>>> perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't
>>>> appear to be generated during the ipa-client-install.
>>>>
>>>> any suggestions on doing this during a post?
>>>
>>> What version of ipa-client-install are you using?
>>>
>>> Newer versions (2.x) should fetch a keytab for your system (needs
>>> credentials or OTP password).
>>>
>>> Simo.
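JR's 'host provisioning' keytab approach quoted above, as an added example that is not from the thread or from FreeIPA: a POSIX sh helper for a kickstart %post section that obtains a ticket from the keytab into a private credential cache, runs the IPA commands under it, and then destroys the cache and deletes the keytab whether or not the commands succeeded. It assumes MIT Kerberos kinit/kdestroy; the keytab path, principal and IPA commands in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: run provisioning commands under a
# short-lived "host provisioning" keytab and remove it afterwards, as JR
# suggests above. Assumes MIT Kerberos (kinit -k -t, kdestroy -c). Keytab
# path and principal are placeholders supplied by the caller.

# _provision_cleanup CCACHE KEYTAB: destroy the ticket cache, then remove
# the keytab (overwritten first where shred is available).
_provision_cleanup() {
    kdestroy -c "FILE:$1" 2>/dev/null
    rm -f "$1"
    if command -v shred >/dev/null 2>&1; then
        shred -u "$2" 2>/dev/null || rm -f "$2"
    else
        rm -f "$2"
    fi
}

# with_provisioning_keytab KEYTAB PRINCIPAL CMD [ARG...]
# Runs CMD with a TGT for PRINCIPAL obtained from KEYTAB. The credentials
# live in a private cache that is destroyed, and the keytab deleted, when
# CMD finishes for any reason. Exit status: CMD's, or 2 if setup failed.
# The body is a subshell so the EXIT trap and KRB5CCNAME stay scoped to it.
with_provisioning_keytab() (
    keytab=$1; principal=$2; shift 2
    [ -r "$keytab" ] || { echo "keytab not readable: $keytab" >&2; exit 2; }
    ccache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_provision.XXXXXX") || exit 2
    # Fires on normal exit, on CMD failure and on termination of the subshell.
    trap '_provision_cleanup "$ccache" "$keytab"' EXIT
    KRB5CCNAME="FILE:$ccache"; export KRB5CCNAME
    kinit -k -t "$keytab" "$principal" || { echo "kinit failed for $principal" >&2; exit 2; }
    "$@"
)

# Typical %post use (placeholder realm, server and paths): both IPA commands
# run under the provisioning ticket, and the keytab is gone afterwards.
#   with_provisioning_keytab /root/provision.keytab provision@EXAMPLE.COM sh -c '
#       ipa service-add "HTTP/$(hostname -f)" &&
#       ipa-getkeytab -s ds01.example.com -p "HTTP/$(hostname -f)" -k /etc/squid/krb5.keytab'
```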
From rcritten at redhat.com Wed Feb 8 16:00:59 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Feb 2012 11:00:59 -0500
Subject: [Freeipa-users] ipa-getkeytab during %post
In-Reply-To: <4F32997D.50102@themacartneyclan.com>
References: <4F3258E0.7060007@themacartneyclan.com> <1328708990.5829.0.camel@willson.li.ssimo.org> <4F328A63.2020907@themacartneyclan.com> <1B994461-2DCB-4466-8D3D-AD22DDDF4CD5@citrixonline.com> <4F32997D.50102@themacartneyclan.com>
Message-ID: <4F329C3B.2090501@redhat.com>

Dale Macartney wrote:
> Hi JR
>
> I agree with your statement of acceptable risk.. this is my main reason
> for questioning..
>
> The ideal situation would be to run this as a satellite kickstart
> snippet for provisioning with kickstart profiles... That way I can
> utilize the existing provisioning platform for everything.
>
> At the moment everything is in dev using scripted kickstarts for testing.

A host should be able to get keytabs for its own services so you should be able to kinit to the host service principal in /etc/keytab and use ipa-getkeytab.

rob

>
> Dale
>
>
> On 02/08/2012 03:33 PM, JR Aquino wrote:
>> If you are really trying to go the route of using the password, the
>> best way to accomplish that is to procedurally ADD the host ahead of
>> time with the -random flag to generate a one-time-pass. Then insert that
>> 1 time password dynamically into the kickstart script.
>>
>> If you want to approach the problem from a technical side and not
>> procedural... I don't suppose you have Puppet?
>>
>> You can utilize puppet to deploy a 'host provisioning' keytab that you
>> then kinit -kt before issuing the other commands that require
>> authentication. When it is finished, delete the keytab.
>>
>> The problem with authentication and complete hands off automation is
>> that you always have to whittle it down to an area of acceptable risk
>> with lots of compensating controls and logging.
>>
>>
>> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
>>
>>> Hi Simo
>>>
>>> ipa-client-install is provided by the ipa-client rpm. Details below
>>>
>>> Name    : ipa-client
>>> Arch    : x86_64
>>> Version : 2.1.3
>>> Release : 9.el6
>>> Size    : 222 k
>>> Repo    : installed
>>>
>>>
>>> What I am trying to achieve is these two commands in a post...
>>>
>>> ipa service-add HTTP/$(hostname)
>>> this definitely requires an authenticated user to add i'm sure
>>>
>>>
>>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
>>> /etc/squid/krb5.keytab
>>> this one I suspect might be able to be retrieved using the host/
>>> principal from the system after running ipa-client-install.
>>>
>>>
>>> Does this help paint a picture?
>>>
>>>
>>> Dale
>>>
>>>
>>> On 02/08/2012 01:49 PM, Simo Sorce wrote:
>>>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
>>>>> morning all...
>>>>>
>>>>> i'm dabbling with automated provisioning of ipa client servers,
>>>>> and i'm a little perplexed on how to add a keytab to a system during
>>>>> the %post section of a kickstart...
>>>>>
>>>>> i've run ipa-client-install -U -p admin -w redhat123 which works
>>>>> perfect, but in order to run ipa-getkeytab i need a tgt, which
>>>>> doesn't appear to be generated during the ipa-client-install.
>>>>>
>>>>> any suggestions on doing this during a post?
>>>>
>>>> What version of ipa-client-install are you using?
>>>>
>>>> Newer versions (2.x) should fetch a keytab for your system (needs
>>>> credentials or OTP password).
>>>>
>>>> Simo.
>> >>> >> > >> > > <0xB5B41FAA.asc><0xB5B41FAA.asc.sig>_______________________________________________ >> > Freeipa-users mailing list >> > Freeipa-users at redhat.com >> > https://www.redhat.com/mailman/listinfo/freeipa-users >> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iQIcBAEBAgAGBQJPMplpAAoJEAJsWS61tB+q294QAJZELZhAD4Xsq8z+q4xbeMdy > R9g2XT6WuY0Bi42mTi4EJbcupIiWm3q1etU7mhsXJ7zVRHrzHfCZGz3m5ksYxBdm > FTT4Q2zssc2Q1kIH6wp9XobBrXSA+RsZn7huBa+klShLBRGkZTABAJ/DkR7j1yRw > Fch1CU9cytXMHXRdJiUaIm8lj38u4mwIZxzU2R7gE3aXUX1p+K9A2uXswPvr4Ouc > oHx46bfu4GMGQt9Sek8GeV1YcAGPrH5QT0ChejBalsREuKYx+GbAz6lMW/YA+rdL > sfqFS5fkWLlzffw0M5HqGg4JNt2l/KsJsqKLnkwShMCNFy2j0M2dt+gujUCkSBAD > wAohFnNerTyC6jypo0oSgvDbBSVo+oZUENeIacQEi8m2EkrgRE1/S3eTAS7SKxOc > wbyPZp4JXzqyOQVw2rAKEpRd56qdQV3lCElJB9SMUK73sCL3TSTHJ7NP7pEMeaJs > JEfJQCjMgJwI/Ok9v5pskkX8uDF0FYptwcwVze2w+ap/hNahaU8uHQOGnVzTTPU2 > eA6d0T6opV7YpNbUczOYsEvTJYDUHqX1sf5lN0DfvSP9l9dncr3jRArkdG6X5kuj > 9Yrc+d8cEG5Ol4xD3g3ZvtLhL7VuKEhecLP4xsFgQI8NukcFAfpGrPLBklcFzJ1I > wSWQZseFSumVD9glWtMz > =NzzG > -----END PGP SIGNATURE----- > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From dale at themacartneyclan.com Wed Feb 8 16:06:25 2012 From: dale at themacartneyclan.com (Dale Macartney) Date: Wed, 08 Feb 2012 16:06:25 +0000 Subject: [Freeipa-users] ipa-getkeytab during %post In-Reply-To: <4F329C3B.2090501@redhat.com> References: <4F3258E0.7060007@themacartneyclan.com> <1328708990.5829.0.camel@willson.li.ssimo.org> <4F328A63.2020907@themacartneyclan.com> <1B994461-2DCB-4466-8D3D-AD22DDDF4CD5@citrixonline.com> <4F32997D.50102@themacartneyclan.com> <4F329C3B.2090501@redhat.com> Message-ID: <4F329D81.2070008@themacartneyclan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 thanks for the confirmation earlier Rob, that does make a 
lot of sense. Am I right in assuming that to run the following would not work with a host principal? Presumably I'd need admin privileges to create a service principal for a host. ipa service-add HTTP/$(hostname) I will be giving this a go for testing's sake tonight. Dale On 02/08/2012 04:00 PM, Rob Crittenden wrote: > Dale Macartney wrote: >> > Hi JR > > I agree with your statement of acceptable risk.. this is my main reason > for questioning.. > > The ideal situation would be to run this as a satellite kickstart > snippet for provisioning with kickstart profiles... That way I can > utilize the existing provisioning platform for everything. > > At the moment everything is in dev using scripted kickstarts for testing. > > > A host should be able to get keytabs for its own services so you should be able to kinit to the host service principal in /etc/keytab and use ipa-getkeytab. > > > rob > > > Dale > > > > On 02/08/2012 03:33 PM, JR Aquino wrote: > >>> If you are really trying to go the route of using the password, the > best way to accomplish that is to procedurally ADD the host ahead of > time with the -random flag to generate a one-time-pass. Then insert that > 1 time password dynamically into the kickstart script. > >>> > >>> If you want to approach the problem from a technical side and not > procedural... I don't suppose you have Puppet ? > >>> > >>> You can utilize puppet to deploy a 'host provisioning' keytab that you > then kinit -kt before issuing the other commands that require > authentication. When it is finished, delete the keytab. > >>> > >>> The problem with authentication and complete hands off automation is > that you always have to whittle it down to an area of acceptable risk > with lots of compensating controls and logging. > >>> > >>> > >>> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote: > >>> > >>> > > >>> Hi Simo > >>> > >>> ipa-client-install is provided by the ipa-client rpm.
Details below > >>> > >>> Name : ipa-client > >>> Arch : x86_64 > >>> Version : 2.1.3 > >>> Release : 9.el6 > >>> Size : 222 k > >>> Repo : installed > >>> > >>> > >>> What I am trying to achieve is these two commands in a post... > >>> > >>> ipa service-add HTTP/$(hostname) > >>> this definitely requires an authenticated user to add, I'm sure > >>> > >>> > >>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k > >>> /etc/squid/krb5.keytab > >>> this one I suspect might be able to be retrieved using the host/ > >>> principal from the system after running ipa-client-install. > >>> > >>> > >>> Does this help paint a picture? > >>> > >>> > >>> Dale > >>> > >>> > >>> On 02/08/2012 01:49 PM, Simo Sorce wrote: > >>> >>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote: > >>> >>>> -----BEGIN PGP SIGNED MESSAGE----- > >>> >>>> Hash: SHA1 > >>> >>>> > >>> >>>> morning all... > >>> >>>> > >>> >>>> I'm dabbling with automated provisioning of ipa client servers, > and I'm > >>> >>>> a little perplexed on how to add a keytab to a system during the > %post > >>> >>>> section of a kickstart... > >>> >>>> > >>> >>>> I've run ipa-client-install -U -p admin -w redhat123 which works > >>> >>>> perfectly, but in order to run ipa-getkeytab I need a TGT, which > doesn't > >>> >>>> appear to be generated during the ipa-client-install. > >>> >>>> > >>> >>>> any suggestions on doing this during a post? > >>> >>> > >>> >>> What version of ipa-client-install are you using? > >>> >>> > >>> >>> Newer versions (2.x) should fetch a keytab for your system (needs > >>> >>> credentials or OTP password). > >>> >>> > >>> >>> Simo.
> >>> >>> > >>> > > >>> > > <0xB5B41FAA.asc><0xB5B41FAA.asc.sig>_______________________________________________ > >>> > Freeipa-users mailing list > >>> > Freeipa-users at redhat.com > >>> > https://www.redhat.com/mailman/listinfo/freeipa-users > >>> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >
From johnny.westerlund at atea.se Thu Feb 9 09:25:05 2012 From: johnny.westerlund at atea.se (Westerlund Johnny) Date: Thu, 9 Feb 2012 10:25:05 +0100 Subject: [Freeipa-users] IPA and NFS In-Reply-To: <1328638686.8485.31.camel@willson.li.ssimo.org> References: ,<1328630796.8485.28.camel@willson.li.ssimo.org> ,<1328632540.8485.30.camel@willson.li.ssimo.org> , <1328638686.8485.31.camel@willson.li.ssimo.org> Message-ID: I came in to work early yesterday and, well, I can't explain what I did wrong earlier because it just worked. In fact it worked perfectly! I'm very impressed so far by freeipa, so kudos to all involved! Regards Johnny ________________________________________ From: Simo Sorce [simo at redhat.com] Sent: 7 February 2012 19:18 To: Westerlund Johnny Cc: freeipa-users at redhat.com Subject: Re: SV: SV: [Freeipa-users] IPA and NFS On Tue, 2012-02-07 at 18:01 +0100, Westerlund Johnny wrote: > I'm pretty sure this doesn't work. > I've created the nfs/client.host.name and exported it via > ipa-getkeytab -s -p nfs/client.host.name -e des-cbc-crc. > enabled secure nfs in /etc/sysconfig/nfs > Then I did the same with the server. Create the nfs/server.host.name > and export via ipa-getkeytab -s -p nfs/server.host.name -e > des-cbc-crc. > And also enable secure nfs > > I'll send an update when I have time to look at this again. But I'm > pretty sure that it didn't work. You need debug logs then, because this setup has been tested and is known to work. Simo.
-- Simo Sorce * Red Hat, Inc * New York From dale at themacartneyclan.com Thu Feb 9 10:51:55 2012 From: dale at themacartneyclan.com (Dale Macartney) Date: Thu, 09 Feb 2012 10:51:55 +0000 Subject: [Freeipa-users] Jabber services for IPA Message-ID: <4F33A54B.7050403@themacartneyclan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Morning all I have a working setup of ejabberd authenticated to pam on an IPA client which works great.. However, unlike my other projects to provide details of integration with IPA, I am struggling with the SSO aspect of it, simply because of a lack of knowledge of jabber packages. (Currently I have used ejabberd and pidgin for testing, and from an end user view point, there doesn't appear to be an option to select kerberos to authenticate with). My goal, like other services is to tap *a* jabber service (can be anything) into ipa for single sign on. What is the general feeling in the community around jabber in the enterprise? (Useful or not? Best practices?) What is your preferred jabber software (server and client would be handy to know for testing) and why? Does it support GSSAPI? 
Many thanks Dale From nsollars at gmail.com Thu Feb 9 13:25:05 2012 From: nsollars at gmail.com (Nigel Sollars) Date: Thu, 9 Feb 2012 08:25:05 -0500 Subject: [Freeipa-users] Windows Clients In-Reply-To: References: <4F300CBA.1010400@redhat.com> Message-ID: Hi, Could you point me to the document please :). Thanks in advance.
On Mon, Feb 6, 2012 at 1:34 PM, Jimmy wrote: > I am not making the windows systems part of an AD. I only need to > replicate users from an AD group to FreeIPA and I've had issues making that > work. I was working on that with a couple guys here on the list a couple > weeks ago but have been traveling so it's been hard to make time to work on > that. > > I submitted the doc to configure Win7 a while back but will look for it > and re-submit. > > Jimmy > > On Mon, Feb 6, 2012 at 12:24 PM, Dmitri Pal wrote: > >> ** >> On 02/06/2012 11:31 AM, Jimmy wrote: >> >> I don't think you have to put it anywhere, the ipa.getkeytab mainly sets >> the workstation password in freeipa. I keep the client keytabs in /etc >> (krb5.keytab.[clientname].) >> >> I have many Win7 and WinXP workstations authenticating but I'm still >> working on getting user/password sync working. >> >> Jimmy >> >> >> Jimmy, >> >> Are you using Windows systems directly with IPA or you make them a part >> of the AD domain and use winsync to sync data from AD to IPA? >> If you managed to setup Win7 directly with IPA please share how you have >> done this. >> >> Thanks >> Dmitri >> >> >> >> On Mon, Feb 6, 2012 at 10:39 AM, Nigel Sollars wrote: >> >>> Hi all, >>> >>> Quick question, >>> >>> I want to setup a Windows system to use my realm, I've followed the >>> prep list and created a simple arcfour-hmac krb5.keytab. The guide does >>> not mention where I place this keytab. I thought I would check before >>> running any of the ksetup commands. >>> >>> Also just for reference has anyone gotten Windows 7 / server 2008 >>> authenticated? ( I guess that should also include server 2003 ). >>> >>> Thanks in advance >>> >>> Nigel Sollars >>> >>> >>> -- >>> “Science is a differential equation. Religion is a boundary condition.”
>>> >>> Alan Turing >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IPA project, >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? www.redhat.com/carveoutcosts/ >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -- “Science is a differential equation. Religion is a boundary condition.” Alan Turing From g17jimmy at gmail.com Thu Feb 9 14:51:48 2012 From: g17jimmy at gmail.com (Jimmy) Date: Thu, 9 Feb 2012 09:51:48 -0500 Subject: [Freeipa-users] Windows Clients In-Reply-To: References: <4F300CBA.1010400@redhat.com> Message-ID: Yes, I'll find that and post it. I've been traveling for work the past few weeks and haven't had it with me. On Thu, Feb 9, 2012 at 8:25 AM, Nigel Sollars wrote: > Hi, > > Could you point me to the document please :). > > Thanks in advance. > > > On Mon, Feb 6, 2012 at 1:34 PM, Jimmy wrote: > >> I am not making the windows systems part of an AD. I only need to >> replicate users from an AD group to FreeIPA and I've had issues making that >> work. I was working on that with a couple guys here on the list a couple >> weeks ago but have been traveling so it's been hard to make time to work on >> that.
>> >> I submitted the doc to configure Win7 a while back but will look for it >> and re-submit. >> >> Jimmy >> >> On Mon, Feb 6, 2012 at 12:24 PM, Dmitri Pal wrote: >> >>> ** >>> On 02/06/2012 11:31 AM, Jimmy wrote: >>> >>> I don't think you have to put it anywhere, the ipa.getkeytab mainly sets >>> the workstation password in freeipa. I keep the client keytabs in /etc >>> (krb5.keytab.[clientname].) >>> >>> I have many Win7 and WinXP workstations authenticating but I'm still >>> working on getting user/password sync working. >>> >>> Jimmy >>> >>> >>> Jimmy, >>> >>> Are you using Windows systems directly with IPA or you make them a part >>> of the AD domain and use winsync to sync data from AD to IPA? >>> If you managed to setup Win7 directly with IPA please share how you have >>> done this. >>> >>> Thanks >>> Dmitri >>> >>> >>> >>> On Mon, Feb 6, 2012 at 10:39 AM, Nigel Sollars wrote: >>> >>>> Hi all, >>>> >>>> Quick question, >>>> >>>> I want to setup a Windows system to use my realm, I've followed the >>>> prep list and created a simple arcfour-hmac krb5.keytab. The guide does >>>> not mention where I place this keytab. I thought I would check before >>>> running any of the ksetup commands. >>>> >>>> Also just for reference has anyone gotten Windows 7 / server 2008 >>>> authenticated? ( I guess that should also include server 2003 ). >>>> >>>> Thanks in advance >>>> >>>> Nigel Sollars >>>> >>>> >>>> -- >>>> “Science is a differential equation. Religion is a boundary condition.” >>>> >>>> Alan Turing >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> Sr.
Engineering Manager IPA project, >>> Red Hat Inc. >>> >>> >>> ------------------------------- >>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/ >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > > > -- > “Science is a differential equation. Religion is a boundary condition.” > > Alan Turing > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > From sgallagh at redhat.com Thu Feb 9 15:29:04 2012 From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 09 Feb 2012 10:29:04 -0500 Subject: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD In-Reply-To: <22281.213.225.75.97.1328700225.squirrel@www.nixtra.com> References: <22124.213.225.75.97.1327935713.squirrel@www.nixtra.com> <1327936847.2240.25.camel@sgallagh520.sgallagh.bos.redhat.com> <1327943174.2240.38.camel@sgallagh520.sgallagh.bos.redhat.com> <33082.213.225.75.97.1328013343.squirrel@www.nixtra.com> <1328013646.2240.98.camel@sgallagh520.sgallagh.bos.redhat.com> <24621.213.225.75.97.1328090527.squirrel@www.nixtra.com> <1328099322.2240.212.camel@sgallagh520.sgallagh.bos.redhat.com> <1328105073.21059.23.camel@willson.li.ssimo.org> <25438.213.225.75.97.1328270009.squirrel@www.nixtra.com> <1328363894.2611.25.camel@sgallagh520.sgallagh.bos.redhat.com> <22281.213.225.75.97.1328700225.squirrel@www.nixtra.com> Message-ID: <1328801344.2533.1.camel@sgallagh520.sgallagh.bos.redhat.com> On Wed, 2012-02-08 at 12:23 +0100, Sigbjorn Lie wrote: > On Sat, February 4, 2012 14:58, Stephen Gallagher wrote:
> > On Fri, 2012-02-03 at 12:53 +0100, Sigbjorn Lie wrote: > > > >> On Wed, February 1, 2012 15:04, Simo Sorce wrote: > >> > >>> On Wed, 2012-02-01 at 07:28 -0500, Stephen Gallagher wrote: > >>> > >>> > >>>> On Wed, 2012-02-01 at 11:02 +0100, Sigbjorn Lie wrote: > >>>> > >>>> > >>>>> Hi, > >>>>> > >>>>> > >>>>> > >>>>> Is this more like the expected output? :) > >>>>> > >>>>> > >>>>> > >>>> > >>>> No, I'm afraid it's not. That's a log of a legitimate shutdown, not a > >>>> segmentation fault. (Receiving SIGTERM means that the monitor told the process to exit). > >>>> > >>>> Possibly this happened if the time between attaching to the process and > >>>> typing 'cont' was more than about 30 seconds. The monitor will assume the sssd_be process > >>>> isn't responding and will kill and restart it. > >>>> > >>>> You will know you got the correct results if you see > >>>> > >>>> > >>>> > >>>> "Program received signal SIGSEGV, Segmentation fault." > >>>> > >>>> > >>>> > >>>> and then you can immediately perform the 'bt full' > >>> > >>> For better results with gdb I suggest to kill SIGSTOP the monitor before > >>> attaching gdb to any of the responders or the providers, this way the monitor will be prevented > >>> from sending termination signals to the children. However, don't do this for long, only for > >>> short periods and kill SIGCONT back the monitor immediately after. > >>> > >>> > >> > >> Please see below. Does this help? > >> > > > > Yes, thank you it does. > > > > > >> > >> > >> (gdb) bt full > >> #0 sysdb_attrs_get_el_int (attrs=0x6c616d726f6e2d72, name=0x43c75d "name", > >> alloc=true, el=0x7fffe9e0dab8) at src/db/sysdb.c:254 e = i = >> optimized out> #1 0x00000000004221d7 in sysdb_attrs_primary_name (sysdb=0xf725e00, > >> attrs=0x6c616d726f6e2d72, ldap_attr=0xf741110 "cn", > > > > The memory address for "attrs" here is WAY out of range. That suggests > > that this is an uninitialized value.
> > > >> _primary=0x7fffe9e0db58) at src/db/sysdb.c:2441 > >> ret = rdn_attr = 0x0 rdn_val = 0x0 sysdb_name_el = 0x61 orig_dn_el = >> optimized out> i = tmpctx = 0xf768ce0 __FUNCTION__ = > >> "sysdb_attrs_primary_name" > >> #2 0x000000000042290d in sysdb_attrs_primary_name_list (sysdb=0xf725e00, > >> mem_ctx=, attr_list=0xf772e20, attr_count=2, ldap_attr=0xf741110 "cn", > >> name_list=0x7fffe9e0dc88) at src/db/sysdb.c:2606 ret = 259427552 i = 1 > > > > i = 1, so it's the second entry in the attr_list being passed in. My spidey-sense is tingling > > here. Probably the array is one entry too long above. > > > >> j = 1 list = name = 0xf769580 "ac_server-normal" __FUNCTION__ = > >> "sysdb_attrs_primary_name_list" > >> #3 0x00002b20c9684456 in sdap_initgr_nested_get_membership_diff ( > >> state=0xf7726f0) at src/providers/ldap/sdap_async_accounts.c:3061 __FUNCTION__ = > >> "sdap_initgr_nested_get_membership_diff" > >> > > > > > > This is the function that is creating that array (well, actually it's > > sdap_initgr_nested_get_direct_parents()). So the bug must be occurring here. We're somehow creating > > an array of two entries but not populating the second one. > > > > That said, I'm not sure how that's possible. The code there is very > > short and seems pretty carefully-written to avoid this possibility. > > > > I don't have time today to dig into this any further, but I wanted to > > get my findings down in an email so that if anyone else wanted to jump on this before I get back to > > it, they don't have to start from scratch. > > > Hi, > > Any progress on this? We haven't forgotten about you, but we've been tied up dealing with the 1.8 beta. We're starting to look at the backlog of bugs now.
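Stephen's point that attrs=0x6c616d726f6e2d72 is far outside any valid address can be taken one step further: reinterpreted as raw bytes in x86_64 little-endian order, that value spells "r-normal", the tail of the string "ac_server-normal" that gdb printed in frame #2, so the array slot holds string data rather than a pointer. The Python below is an added example, not code from the thread or from SSSD; the backtrace excerpt is constructed from the frames quoted above and the helper names are the editor's own.

```python
"""Sanity-check pointer values pulled from a gdb backtrace.

Added example (not from the thread or from SSSD). It reinterprets the
attrs=0x6c616d726f6e2d72 value from the quoted backtrace as raw bytes and
looks for that text among the strings gdb printed in nearby frames.
"""
import re
import struct
from typing import Optional

# Constructed excerpt of the backtrace quoted in the thread (one frame per line).
BACKTRACE = """
#0 sysdb_attrs_get_el_int (attrs=0x6c616d726f6e2d72, name=0x43c75d "name", alloc=true, el=0x7fffe9e0dab8) at src/db/sysdb.c:254
#1 0x00000000004221d7 in sysdb_attrs_primary_name (sysdb=0xf725e00, attrs=0x6c616d726f6e2d72, ldap_attr=0xf741110 "cn", _primary=0x7fffe9e0db58) at src/db/sysdb.c:2441
#2 0x000000000042290d in sysdb_attrs_primary_name_list (sysdb=0xf725e00, attr_list=0xf772e20, attr_count=2, ldap_attr=0xf741110 "cn", name_list=0x7fffe9e0dc88) at src/db/sysdb.c:2606 ret = 259427552 i = 1 j = 1 name = 0xf769580 "ac_server-normal"
#3 0x00002b20c9684456 in sdap_initgr_nested_get_membership_diff (state=0xf7726f0) at src/providers/ldap/sdap_async_accounts.c:3061
"""

# Highest canonical user-space address on x86_64 Linux (47-bit address space).
USER_SPACE_MAX = 0x00007FFFFFFFFFFF


def is_plausible_pointer(value: int) -> bool:
    """A heap or stack pointer in a user process must be non-null and canonical."""
    return 0 < value <= USER_SPACE_MAX


def pointer_as_text(value: int) -> Optional[str]:
    """Reinterpret the 8 pointer bytes in little-endian memory order.

    Returns the text if every byte is printable ASCII, else None.
    """
    raw = struct.pack("<Q", value)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def argument_values(bt: str, arg: str) -> list:
    """Hex values gdb printed for a given argument name, across all frames."""
    pattern = rf"\b{re.escape(arg)}=0x([0-9a-fA-F]+)"
    return [int(h, 16) for h in re.findall(pattern, bt)]


def quoted_strings(bt: str) -> list:
    """String literals gdb printed next to char* values (e.g. "cn")."""
    return re.findall(r'"([^"]*)"', bt)


def analyse(bt: str, arg: str) -> dict:
    """Flag an implausible pointer and try to explain where its bytes came from."""
    values = argument_values(bt, arg)
    if not values:
        raise ValueError(f"no {arg}=0x... in backtrace")
    value = values[0]
    text = pointer_as_text(value)
    # Strings elsewhere in the trace that contain the decoded bytes: the
    # slot was most likely overwritten by (or overlaps) that string.
    matches = [s for s in quoted_strings(bt) if text and text in s]
    return {
        "arg": arg,
        "value": value,
        "plausible": is_plausible_pointer(value),
        "text": text,
        "matches": matches,
    }


if __name__ == "__main__":
    for arg in ("attrs", "attr_list", "sysdb"):
        r = analyse(BACKTRACE, arg)
        print(f"{arg}=0x{r['value']:016x} plausible={r['plausible']} "
              f"text={r['text']!r} matches={r['matches']}")
```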
From dale at themacartneyclan.com Thu Feb 9 15:48:14 2012 From: dale at themacartneyclan.com (Dale Macartney) Date: Thu, 09 Feb 2012 15:48:14 +0000 Subject: [Freeipa-users] Jabber services for IPA In-Reply-To: <4F33A54B.7050403@themacartneyclan.com> References: <4F33A54B.7050403@themacartneyclan.com> Message-ID: <4F33EABE.8050209@themacartneyclan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Morning all I have a working setup of ejabberd authenticated to pam on an IPA client which works great.. However, unlike my other projects to provide details of integration with IPA, I am struggling with the SSO aspect of it, simply because of a lack of knowledge of jabber packages. (Currently I have used ejabberd and pidgin for testing, and from an end user view point, there doesn't appear to be an option to select kerberos to authenticate with). My goal, like other services is to tap *a* jabber service (can be anything) into ipa for single sign on. What is the general feeling in the community around jabber in the enterprise? (Useful or not? Best practices?) What is your preferred jabber software (server and client would be handy to know for testing) and why? Does it support GSSAPI?
Many thanks Dale From erinn.looneytriggs at gmail.com Thu Feb 9 16:01:36 2012 From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs) Date: Thu, 09 Feb 2012 07:01:36 -0900 Subject: [Freeipa-users] Jabber services for IPA In-Reply-To: <4F33EABE.8050209@themacartneyclan.com> References: <4F33A54B.7050403@themacartneyclan.com> <4F33EABE.8050209@themacartneyclan.com> Message-ID: <4F33EDE0.9000608@gmail.com> On 02/09/2012 06:48 AM, Dale Macartney wrote: > > Morning all > > I have a working setup of ejabberd authenticated to pam on an IPA client > which works great.. However, unlike my other projects to provide > details of integration with IPA, I am struggling with the SSO aspect of > it, simply because of a lack of knowledge of jabber packages.
(Currently > I have used ejabberd and pidgin for testing, and from an end user view > point, there doesn't appear to be an option to select kerberos to > authenticate with). > > My goal, like other services is to tap *a* jabber service (can be > anything) into ipa for single sign on. > > What is the general feeling in the community around jabber in the > enterprise? (Useful or not? Best practices?) > What is your preferred jabber software (server and client would be handy > to know for testing) and why? > Does it support GSSAPI? > > Many thanks > > Dale > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users Dale, I built a setup using openfire (the IM server) that utilized kerberos. It is slightly tricky unfortunately, kerberos has been the realm of universities and big business for a long time so a lot of things are not straight forward. Pidgin does natively support kerberos so you can use that easily, the way to use kerberos in pidgin is simply not to provide it with any password info, it will try kerberos in the process. This works both on windows (using kfw) and linux systems, probably macs too, but I have never tested it on macs. I will see if I can dig up some notes from configuring openfire. -Erinn
From dale at themacartneyclan.com Thu Feb 9 16:24:16 2012 From: dale at themacartneyclan.com (Dale Macartney) Date: Thu, 09 Feb 2012 16:24:16 +0000 Subject: [Freeipa-users] Jabber services for IPA In-Reply-To: <4F33EDE0.9000608@gmail.com> References: <4F33A54B.7050403@themacartneyclan.com> <4F33EABE.8050209@themacartneyclan.com> <4F33EDE0.9000608@gmail.com> Message-ID: <4F33F330.4040605@themacartneyclan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey Erinn that would be fantastic, thanks very much. I have to admit, I had a bit of a chuckle re: your comment of kerberos acting in the event of no password. I would have *never* thought of that haha. Dale On 02/09/2012 04:01 PM, Erinn Looney-Triggs wrote: > On 02/09/2012 06:48 AM, Dale Macartney wrote: >> >> Morning all >> >> I have a working setup of ejabberd authenticated to pam on an IPA client >> which works great.. However, unlike my other projects to provide >> details of integration with IPA, I am struggling with the SSO aspect of >> it, simply because of a lack of knowledge of jabber packages. (Currently >> I have used ejabberd and pidgin for testing, and from an end user view >> point, there doesn't appear to be an option to select kerberos to >> authenticate with). >> >> My goal, like other services is to tap *a* jabber service (can be >> anything) into ipa for single sign on. >> >> What is the general feeling in the community around jabber in the >> enterprise? (Useful or not? Best practices?) >> What is your preferred jabber software (server and client would be handy >> to know for testing) and why? >> Does it support GSSAPI?
>> >> Many thanks >> >> Dale >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > Dale, > I built a setup using openfire (the IM server) that utilized kerberos. > It is slightly tricky unfortunately, kerberos has been the realm of > universities and big business for a long time so a lot of things are not > straight forward. > > Pidgin does natively support kerberos so you can use that easily, the > way to use kerberos in pidgin is simply not to provide it with any > password info, it will try kerberos in the process. This works both on > windows (using kfw) and linux systems, probably macs too, but I have > never tested it on macs. > > I will see if I can dig up some notes from configuring openfire. > > -Erinn >
From erinn.looneytriggs at gmail.com Thu Feb 9 16:50:59 2012 From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs) Date: Thu, 09 Feb 2012 07:50:59 -0900 Subject: [Freeipa-users] Jabber services for IPA In-Reply-To: <4F33F330.4040605@themacartneyclan.com> References: <4F33A54B.7050403@themacartneyclan.com> <4F33EABE.8050209@themacartneyclan.com> <4F33EDE0.9000608@gmail.com> <4F33F330.4040605@themacartneyclan.com> Message-ID: <4F33F973.1070008@gmail.com> On 02/09/2012 07:24 AM, Dale Macartney wrote: > > Hey Erinn > > that would be fantastic, thanks very much. > > I have to admit, I had a bit of a chuckle re: your comment of kerberos > acting in the event of no password. I would have *never* thought of that > haha. > > Dale > > > > On 02/09/2012 04:01 PM, Erinn Looney-Triggs wrote: >> On 02/09/2012 06:48 AM, Dale Macartney wrote: >>> >>> Morning all >>> >>> I have a working setup of ejabberd authenticated to pam on an IPA client >>> which works great.. However, unlike my other projects to provide >>> details of integration with IPA, I am struggling with the SSO aspect of >>> it, simply because of a lack of knowledge of jabber packages. (Currently >>> I have used ejabberd and pidgin for testing, and from an end user view >>> point, there doesn't appear to be an option to select kerberos to >>> authenticate with). >>> >>> My goal, like other services is to tap *a* jabber service (can be >>> anything) into ipa for single sign on. >>> >>> What is the general feeling in the community around jabber in the >>> enterprise? (Useful or not? Best practices?) >>> What is your preferred jabber software (server and client would be handy >>> to know for testing) and why? >>> Does it support GSSAPI?
>>> >>> Many thanks >>> >>> Dale >>> >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users > >> Dale, >> I built a setup using openfire (the IM server) that utilized kerberos. >> It is slightly tricky unfortunately, kerberos has been the realm of >> universities and big business for a long time so a lot of things are not >> straight forward. > >> Pidgin does natively support kerberos so you can use that easily, the >> way to use kerberos in pidgin is simply not to provide it with any >> password info, it will try kerberos in the process. This works both on >> windows (using kfw) and linux systems, probably macs too, but I have >> never tested it on macs. > >> I will see if I can dig up some notes from configuring openfire. > >> -Erinn > > Basically the best notes that I have come from here: http://itlab.stanford.edu/blog/archives/2009/test-services/openfire-and-kerberos-implementation-notes The instructions are terse and it is a bit of a slog. Pay particular attention to the custom jar file that comes from MIT, you need to edit this to set your realm in there. -Erinn
From simo at redhat.com Thu Feb 9 18:57:47 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 09 Feb 2012 13:57:47 -0500
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu>
Message-ID: <1328813867.5829.90.camel@willson.li.ssimo.org>

On Tue, 2012-02-07 at 23:19 -0500, Ian Levesque wrote:
> On the replica:
>
> [21/29]: setting up initial replication
> Starting replication, please wait until this has completed.
> [sbgrid-directory.in.hwlab] reports: Update failed! Status: [-2 -
> System error]
> creation of replica failed: Failed to start replication
>
> On the "primary":
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Cannot contact any KDC for
> requested realm))
>
> slapi_ldap_bind - Error: could not perform interactive bind for id []
> mech [GSSAPI]: error -2 (Local error)
>
> `ipa-replica-manage list` on the primary still lists both...
>
> sbgrid-directory.in.hwlab: master
> sbgrid-directory-replica.in.hwlab: master
>
> Thanks for your continued interest.

I think you failed to properly clean up before reinstalling the replica.

On the replica make sure you run:
ipa-server-install --uninstall

On the primary:
ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab

You will have to force because you already removed the replica.

Once you do that you can generate a new replica file for the replica and
retry to set up replication.

Let me know if you encounter any other error once you have done that.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From loris at lgs.com.ve Thu Feb 9 19:17:14 2012
From: loris at lgs.com.ve (Loris Santamaria)
Date: Thu, 09 Feb 2012 14:47:14 -0430
Subject: [Freeipa-users] Jabber services for IPA
In-Reply-To: <4F33A54B.7050403@themacartneyclan.com>
References: <4F33A54B.7050403@themacartneyclan.com>
Message-ID: <1328815034.10409.28.camel@arepa.pzo.lgs.com.ve>

On Thu, 09-02-2012 at 10:51 +0000, Dale Macartney wrote:
> Morning all
>
> I have a working setup of ejabberd authenticated to pam on an IPA client
> which works great.. However, unlike my other projects to provide
> details of integration with IPA, I am struggling with the SSO aspect of
> it, simply because of a lack of knowledge of jabber packages. (Currently
> I have used ejabberd and pidgin for testing, and from an end user view
> point, there doesn't appear to be an option to select kerberos to
> authenticate with).
>
> My goal, like other services is to tap *a* jabber service (can be
> anything) into ipa for single sign on.
>
> What is the general feeling in the community around jabber in the
> enterprise? (Useful or not? Best practices?)
> What is your preferred jabber software (server and client would be handy
> to know for testing) and why?
> Does it support GSSAPI?

Of course it is useful, thanks to kerberos users don't have to type their password every time, or worse save it in a text file in their home directory.

Pidgin does support GSSAPI auth, Empathy sadly doesn't.

On the server side I have successfully configured jabberd2 and Openfire.

The first steps are the same for both jabberd and openfire:

1) Set up your DNS, creating the proper _xmpp-client._tcp and _xmpp-server entries. For example

   ipa dnsrecord-add mydomain.com _xmpp-client._tcp --srv-rec="10 100 5222 jabberserver.mydomain.com."
2) Create and export the keytab for the server. Preferably your jabber server should join the ipa domain so you don't have to set up kerberos and ntp manually, the proper fqdn hostname, etc.

   on-ipa-server# ipa service-add xmpp/jabberserver.mydomain.com
   on-jabberserver# ipa-getkeytab -s ipa-server -p xmpp/jabberserver.mydomain.com -k /etc/krb5-xmpp.keytab

Next for jabberd2:

1) Edit /etc/jabberd/c2s.xml and enable the sasl methods in the section

2) Edit /etc/sasl2/xmpp.conf (or /usr/lib/sasl2/xmpp.conf depending on your installed OS)

   mech_list: GSSAPI PLAIN
   keytab: /etc/krb5-xmpp.keytab

3) chown /etc/krb5-xmpp.keytab so your jabberd service can access it.

For Openfire:

1) Edit /opt/openfire/conf/gss.conf

   com.sun.security.jgss.accept {
       com.sun.security.auth.module.Krb5LoginModule required
       principal="xmpp/jabberserver.mydomain.com@MYDOMAIN.COM"
       keyTab="/etc/krb5-xmpp.keytab"
       doNotPrompt=true
       storeKey=true
       useKeyTab=true
       debug=true;
   };

2) Edit the and sections on /opt/openfire/conf/openfire.xml

   krbPrincipalName

3) In the openfire web setup you should set up the ldap connection making sure the app can see all of your ipa users and groups. After this you should enter into the web administration and add some system properties:

   sasl.gssapi.config = /opt/openfire/conf/gss.conf
   sasl.mechs = GSSAPI PLAIN
   sasl.gssapi.useSubjectCredsOnly = false
   xmpp.domain = mydomain.com
   xmpp.fqdn = jabberserver.mydomain.com

4) chown /etc/krb5-xmpp.keytab so your openfire service can access it.

Hope this helps!

-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.
http://www.lgs.com.ve
Tel: 0286 952.06.87   Cel: 0414 095.00.10   sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster horse" - Henry Ford

From dpal at redhat.com Thu Feb 9 20:40:50 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 09 Feb 2012 15:40:50 -0500
Subject: [Freeipa-users] ipa-getkeytab during %post
In-Reply-To: <4F329D81.2070008@themacartneyclan.com>
References: <4F3258E0.7060007@themacartneyclan.com> <1328708990.5829.0.camel@willson.li.ssimo.org> <4F328A63.2020907@themacartneyclan.com> <1B994461-2DCB-4466-8D3D-AD22DDDF4CD5@citrixonline.com> <4F32997D.50102@themacartneyclan.com> <4F329C3B.2090501@redhat.com> <4F329D81.2070008@themacartneyclan.com>
Message-ID: <4F342F52.9080704@redhat.com>

On 02/08/2012 11:06 AM, Dale Macartney wrote:
>
> thanks for the confirmation earlier Rob, that does make a lot of sense.
>
> am I right in assuming that to run the following, would not work with
> a host principle? Presumably I'd need admin priviledges to create a
> service principle for a host.

Someone has to have privilege. You can make the host capable to provision keytabs for services that run on the same host. AFAIR this is allowed by default. I am not sure you can allow host principal to create new services out of the box. I think you would have to play with permission to allow it.

Rob, am I correct?

>
> ipa service-add HTTP/$(hostname)
>
> I will be giving this a go for testing sake tonight.
>
> Dale
>
>
>
>
> On 02/08/2012 04:00 PM, Rob Crittenden wrote:
> > Dale Macartney wrote:
> > >>
> > > Hi JR
> > >
> > > I agree with your statement of acceptable risk.. this is my main reason
> > > for questioning..
> > >
> > > The ideal situation would be to run this as a satellite kickstart
> > > snippet for provisioning with kickstart profiles... That way I can
> > > utilize the existing provisioning platform for everything.
> > >
> > > At the moment everything is in dev using scripted kickstarts for testing.
> > >
> >
> > A host should be able to get keytabs for its own services so you should be able to kinit to the host service principal in /etc/keytab and use ipa-getkeytab.
> >
> > rob
> >
> > >
> > > Dale
> > >
> > >
> > > On 02/08/2012 03:33 PM, JR Aquino wrote:
> > > >>> If you are really trying to go the route of using the password, the
> > > >>> best way to accomplish that is to procedurally ADD the host ahead of
> > > >>> time with the -random flag to generate a one-time-pass. Then insert that
> > > >>> 1 time password dynamically into the kickstart script.
> > > >>>
> > > >>> If you want to approach the problem from a technical side and not
> > > >>> procedural... I don't suppose you have Puppet ?
> > > >>>
> > > >>> You can utilize puppet to deploy a 'host provisioning' keytab that you
> > > >>> then kinit -kt before issuing the other commands that require
> > > >>> authentication. When it is finished, delete the keytab.
> > > >>>
> > > >>> The problem with authentication and complete hands off automation is
> > > >>> that you always have to whittle it down to an area of acceptable risk
> > > >>> with lots of compensating controls and logging.
> > > >>>
> > > >>>
> > > >>> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
> > > >>>
> > > >>>
> > > > >>> Hi Simo
> > > >>>
> > > >>> ipa-client-install is provided by the ipa-client rpm. Details below
> > > >>>
> > > >>> Name    : ipa-client
> > > >>> Arch    : x86_64
> > > >>> Version : 2.1.3
> > > >>> Release : 9.el6
> > > >>> Size    : 222 k
> > > >>> Repo    : installed
> > > >>>
> > > >>>
> > > >>> What I am trying to achieve is these two commands in a post...
> > > >>>
> > > >>> ipa service-add HTTP/$(hostname)
> > > >>> this definitely requires an authenticated user to add i'm sure
> > > >>>
> > > >>>
> > > >>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k /etc/squid/krb5.keytab
> > > >>> this one I suspect might be able to be retrieved using the host/
> > > >>> principle from the system after running ipa-client-install.
> > > >>>
> > > >>>
> > > >>> Does this help paint a picture?
> > > >>>
> > > >>>
> > > >>> Dale
> > > >>>
> > > >>>
> > > >>> On 02/08/2012 01:49 PM, Simo Sorce wrote:
> > > >>> >>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
> > > >>> >>>> -----BEGIN PGP SIGNED MESSAGE-----
> > > >>> >>>> Hash: SHA1
> > > >>> >>>>
> > > >>> >>>> morning all...
> > > >>> >>>>
> > > >>> >>>> i'm dabbling with automated provisioning of ipa client servers, and i'm
> > > >>> >>>> a little perplexed on how to add a keytab to a system during the %post
> > > >>> >>>> section of a kickstart...
> > > >>> >>>>
> > > >>> >>>> i've run ipa-client-install -U -p admin -w redhat123 which works
> > > >>> >>>> perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't
> > > >>> >>>> appear to be generated during the ipa-client-install.
> > > >>> >>>>
> > > >>> >>>> any suggestions on doing this during a post?
> > > >>> >>>
> > > >>> >>> What version of ipa-client-install are you using ?
> > > >>> >>>
> > > >>> >>> Newer versions (2.x) should fetch a keytab for your system (needs
> > > >>> >>> credentials or OTP password.
> > > >>> >>>
> > > >>> >>> Simo.
> > > >>> >>>
> > > >>>
> > > >
> > >
> >

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ian at crystal.harvard.edu Thu Feb 9 21:25:03 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Thu, 9 Feb 2012 16:25:03 -0500
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <1328813867.5829.90.camel@willson.li.ssimo.org>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org>
Message-ID: <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu>

On Feb 9, 2012, at 1:57 PM, Simo Sorce wrote:
> On Tue, 2012-02-07 at 23:19 -0500, Ian Levesque wrote:
>
>> On the replica:
>>
>> [21/29]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [sbgrid-directory.in.hwlab] reports: Update failed!
>> Status: [-2 -
>> System error]
>> creation of replica failed: Failed to start replication
>>
>> On the "primary":
>>
>> slapd_ldap_sasl_interactive_bind - Error: could not perform
>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>> Minor code may provide more information (Cannot contact any KDC for
>> requested realm))
>>
>> slapi_ldap_bind - Error: could not perform interactive bind for id []
>> mech [GSSAPI]: error -2 (Local error)
>>
>> `ipa-replica-manage list` on the primary still lists both...
>>
>> sbgrid-directory.in.hwlab: master
>> sbgrid-directory-replica.in.hwlab: master
>>
>> Thanks for your continued interest.
>
> I think you failed to properly clean up before reinstalling the replica.
>
> On the replica make sure you run:
> ipa-server-install --uninstall
>
> On the primary:
> ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab
>
> You will have to force because you already removed the replica.
>
> Once you do that you can generate a new replica file for the replica and
> retry to set up replication.
>
> Let me know if you encounter any other error once you have done that.

I tried what you suggested and today, the replication did complete.

That said, there were a bunch of errors on the initial master, including:

id2entry - str2entry returned NULL for id 12, string="rdn"
_entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct to RDN
(snip - continues for each automountmapname cn entry)

NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20
(repeated several times)

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
(repeated several times)

NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab" (sbgrid-directory-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)

And ~ every 5 minutes, I see the familiar-by-now:

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)

The replica reports both masters when I run `ipa-replica-manage list`, but the primary master only lists itself.

Things /appear/ to be working correctly, but none of this is making me feel very confident...

Thanks,
Ian

From simo at redhat.com Thu Feb 9 21:32:03 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 09 Feb 2012 16:32:03 -0500
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu>
Message-ID: <1328823123.5829.96.camel@willson.li.ssimo.org>

On Thu, 2012-02-09 at 16:25 -0500, Ian Levesque wrote:
> On Feb 9, 2012, at 1:57 PM, Simo Sorce wrote:
>
> > On Tue, 2012-02-07 at 23:19 -0500, Ian Levesque wrote:
> >
> >> On the replica:
> >>
> >> [21/29]: setting up initial replication
> >> Starting replication, please wait until this has completed.
> >> [sbgrid-directory.in.hwlab] reports: Update failed! Status: [-2 -
> >> System error]
> >> creation of replica failed: Failed to start replication
> >>
> >> On the "primary":
> >>
> >> slapd_ldap_sasl_interactive_bind - Error: could not perform
> >> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> >> Minor code may provide more information (Cannot contact any KDC for
> >> requested realm))
> >>
> >> slapi_ldap_bind - Error: could not perform interactive bind for id []
> >> mech [GSSAPI]: error -2 (Local error)
> >>
> >> `ipa-replica-manage list` on the primary still lists both...
> >>
> >> sbgrid-directory.in.hwlab: master
> >> sbgrid-directory-replica.in.hwlab: master
> >>
> >> Thanks for your continued interest.
> >
> > I think you failed to properly clean up before reinstalling the replica.
> >
> > On the replica make sure you run:
> > ipa-server-install --uninstall
> >
> > On the primary:
> > ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab
> >
> > You will have to force because you already removed the replica.
> >
> > Once you do that you can generate a new replica file for the replica and
> > retry to set up replication.
> >
> > Let me know if you encounter any other error once you have done that.
>
> I tried what you suggested and today, the replication did complete.
>
> That said, there were a bunch of errors on the initial master, including:
>
> id2entry - str2entry returned NULL for id 12, string="rdn"
> _entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct to RDN
> (snip - continues for each automountmapname cn entry)
>
> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20
> (repeated several times)
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> (repeated several times)
>
> NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab" (sbgrid-directory-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
>
> And ~ every 5 minutes, I see the familiar-by-now:
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>
> The replica reports both masters when I run `ipa-replica-manage list`, but the primary master only lists itself.
>
> Things /appear/ to be working correctly, but none of this is making me feel very confident...

They are not running correctly. Your first master seems to keep having issues connecting to the replica.

Did you restart the master ?

Because you replaced the replica with another of identical name, the master may have cached a previously valid ticket that is not correct anymore since you rebuilt replica credentials and therefore all old tickets are invalid.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rmeggins at redhat.com Thu Feb 9 21:59:13 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Feb 2012 14:59:13 -0700
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu>
Message-ID: <4F3441B1.3010103@redhat.com>

On 02/09/2012 02:25 PM, Ian Levesque wrote:
> On Feb 9, 2012, at 1:57 PM, Simo Sorce wrote:
>
>> On Tue, 2012-02-07 at 23:19 -0500, Ian Levesque wrote:
>>
>>> On the replica:
>>>
>>> [21/29]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> [sbgrid-directory.in.hwlab] reports: Update failed! Status: [-2 -
>>> System error]
>>> creation of replica failed: Failed to start replication
>>>
>>> On the "primary":
>>>
>>> slapd_ldap_sasl_interactive_bind - Error: could not perform
>>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>>> Minor code may provide more information (Cannot contact any KDC for
>>> requested realm))
>>>
>>> slapi_ldap_bind - Error: could not perform interactive bind for id []
>>> mech [GSSAPI]: error -2 (Local error)
>>>
>>> `ipa-replica-manage list` on the primary still lists both...
>>>
>>> sbgrid-directory.in.hwlab: master
>>> sbgrid-directory-replica.in.hwlab: master
>>>
>>> Thanks for your continued interest.
>> I think you failed to properly clean up before reinstalling the replica.
>>
>> On the replica make sure you run:
>> ipa-server-install --uninstall
>>
>> On the primary:
>> ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab
>>
>> You will have to force because you already removed the replica.
>>
>> Once you do that you can generate a new replica file for the replica and
>> retry to set up replication.
>>
>> Let me know if you encounter any other error once you have done that.
> I tried what you suggested and today, the replication did complete.
>
> That said, there were a bunch of errors on the initial master, including:
>
> id2entry - str2entry returned NULL for id 12, string="rdn"
> _entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct to RDN
> (snip - continues for each automountmapname cn entry)

What version of 389-ds-base are you running? rpm -qi 389-ds-base

> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20
> (repeated several times)

We believe this is benign.

> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> (repeated several times)
>
> NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab" (sbgrid-directory-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)

err=49 either means the kerberos credentials are incorrect, or the sasl mapping of the principal to the DN of the entry failed

> And ~ every 5 minutes, I see the familiar-by-now:
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>
> The replica reports both masters when I run `ipa-replica-manage list`, but the primary master only lists itself.
>
> Things /appear/ to be working correctly, but none of this is making me feel very confident...
>
> Thanks,
> Ian
>

From ian at crystal.harvard.edu Thu Feb 9 22:21:03 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Thu, 9 Feb 2012 17:21:03 -0500
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <4F3441B1.3010103@redhat.com>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu> <4F3441B1.3010103@redhat.com>
Message-ID: <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu>

On Feb 9, 2012, at 4:59 PM, Rich Megginson wrote:
>>> I think you failed to properly clean up before reinstalling the replica.
>>>
>>> On the replica make sure you run:
>>> ipa-server-install --uninstall
>>>
>>> On the primary:
>>> ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab
>>>
>>> You will have to force because you already removed the replica.
>>>
>>> Once you do that you can generate a new replica file for the replica and
>>> retry to set up replication.
>>>
>>> Let me know if you encounter any other error once you have done that.
>> I tried what you suggested and today, the replication did complete.
>>
>> That said, there were a bunch of errors on the initial master, including:
>>
>> id2entry - str2entry returned NULL for id 12, string="rdn"
>> _entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct to RDN
>> (snip - continues for each automountmapname cn entry)
>
> What version of 389-ds-base are you running?
> rpm -qi 389-ds-base

[root@sbgrid-directory ~]# rpm -qa | grep -e 389 -e ipa | sort
389-ds-base-1.2.9.14-1.el6_2.2.x86_64
389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64

[root@sbgrid-directory-replica ~]$ rpm -qa | grep -e 389 -e ipa | sort
389-ds-base-1.2.9.14-1.el6_2.2.x86_64
389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64

>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20
>> (repeated several times)
> We believe this is benign.
>
>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
>> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>> (repeated several times)
>>
>> NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab" (sbgrid-directory-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> err=49 either means the kerberos credentials are incorrect, or the sasl mapping of the principal to the DN of the entry failed

OK, that's good to know. So, assuming the problem is that there was an invalid cached credential getting in the way, here's what I did to attempt a reconfiguration of the replica:

replica: ipa-server-install --uninstall && reboot
primary: ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab && reboot
primary: ipa-replica-prepare sbgrid-directory-replica.in.hwlab & rsync ...
replica: ipa-replica-install ./replica-info-sbgrid-directory-replica.in.hwlab.gpg

The outcome was the same.
Error logs from primary: http://pastebin.com/raw.php?i=jKnjZgwQ

[root@sbgrid-directory ~]# ipa-replica-manage list
sbgrid-directory.in.hwlab: master

[root@sbgrid-directory-replica ~]$ ipa-replica-manage list
sbgrid-directory.in.hwlab: master
sbgrid-directory-replica.in.hwlab: master

Thanks,
Ian

From simo at redhat.com Thu Feb 9 22:45:02 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 09 Feb 2012 17:45:02 -0500
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu> <4F3441B1.3010103@redhat.com> <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu>
Message-ID: <1328827502.5829.99.camel@willson.li.ssimo.org>

On Thu, 2012-02-09 at 17:21 -0500, Ian Levesque wrote:
> On Feb 9, 2012, at 4:59 PM, Rich Megginson wrote:
>
> >>> I think you failed to properly clean up before reinstalling the replica.
> >>>
> >>> On the replica make sure you run:
> >>> ipa-server-install --uninstall
> >>>
> >>> On the primary:
> >>> ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab
> >>>
> >>> You will have to force because you already removed the replica.
> >>>
> >>> Once you do that you can generate a new replica file for the replica and
> >>> retry to set up replication.
> >>>
> >>> Let me know if you encounter any other error once you have done that.
> >> I tried what you suggested and today, the replication did complete.
> >>
> >> That said, there were a bunch of errors on the initial master, including:
> >>
> >> id2entry - str2entry returned NULL for id 12, string="rdn"
> >> _entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct to RDN
> >> (snip - continues for each automountmapname cn entry)
> >
> > What version of 389-ds-base are you running? rpm -qi 389-ds-base
>
> [root@sbgrid-directory ~]# rpm -qa | grep -e 389 -e ipa | sort
> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
> 389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
>
> [root@sbgrid-directory-replica ~]$ rpm -qa | grep -e 389 -e ipa | sort
> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
> 389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
>
>
> >> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20
> >> (repeated several times)
> > We believe this is benign.
> >
> >> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> >> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> >> (repeated several times)
> >>
> >> NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab" (sbgrid-directory-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> > err=49 either means the kerberos credentials are incorrect, or the sasl mapping of the principal to the DN of the entry failed
>
> OK, that's good to know. So, assuming the problem is that there was an invalid cached credential getting in the way, here's what I did to attempt a reconfiguration of the replica:
>
> replica: ipa-server-install --uninstall && reboot
> primary: ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab && reboot
> primary: ipa-replica-prepare sbgrid-directory-replica.in.hwlab & rsync ...
> replica: ipa-replica-install ./replica-info-sbgrid-directory-replica.in.hwlab.gpg
>
> The outcome was the same.
> Error logs from primary: http://pastebin.com/raw.php?i=jKnjZgwQ
>
> [root@sbgrid-directory ~]# ipa-replica-manage list
> sbgrid-directory.in.hwlab: master
>
> [root@sbgrid-directory-replica ~]$ ipa-replica-manage list
> sbgrid-directory.in.hwlab: master
> sbgrid-directory-replica.in.hwlab: master

Please restart the primary and see if it keeps returning that error (it shouldn't).

Simo.
--
Simo Sorce * Red Hat, Inc * New York


From ian at crystal.harvard.edu Thu Feb 9 22:53:21 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Thu, 9 Feb 2012 17:53:21 -0500
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <1328827502.5829.99.camel@willson.li.ssimo.org>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu> <4F3441B1.3010103@redhat.com> <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu> <1328827502.5829.99.camel@willson.li.ssimo.org>
Message-ID: <81EDEF5D-431D-4CEA-AAA8-0C814D9C4D50@crystal.harvard.edu>

>> OK, that's good to know. So, assuming the problem is that there was an invalid cached credential getting in the way, here's what I did to attempt a reconfiguration of the replica:
>>
>> replica: ipa-server-install --uninstall && reboot
>> primary: ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab && reboot
>> primary: ipa-replica-prepare sbgrid-directory-replica.in.hwlab & rsync ...
>> replica: ipa-replica-install ./replica-info-sbgrid-directory-replica.in.hwlab.gpg
>>
>> The outcome was the same.
>> Error logs from primary: http://pastebin.com/raw.php?i=jKnjZgwQ
>>
>> [root@sbgrid-directory ~]# ipa-replica-manage list
>> sbgrid-directory.in.hwlab: master
>>
>> [root@sbgrid-directory-replica ~]$ ipa-replica-manage list
>> sbgrid-directory.in.hwlab: master
>> sbgrid-directory-replica.in.hwlab: master
>
> Please restart the primary and see if it keeps returning that error (it
> shouldn't).

I did twice, and continue to see only one master listed on sbgrid-directory.

~irl


From simo at redhat.com Thu Feb 9 23:04:47 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 09 Feb 2012 18:04:47 -0500
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <81EDEF5D-431D-4CEA-AAA8-0C814D9C4D50@crystal.harvard.edu>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu> <4F3441B1.3010103@redhat.com> <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu> <1328827502.5829.99.camel@willson.li.ssimo.org> <81EDEF5D-431D-4CEA-AAA8-0C814D9C4D50@crystal.harvard.edu>
Message-ID: <1328828687.5829.118.camel@willson.li.ssimo.org>

On Thu, 2012-02-09 at 17:53 -0500, Ian Levesque wrote:
> >> OK, that's good to know. So, assuming the problem is that there was an invalid cached credential getting in the way, here's what I did to attempt a reconfiguration of the replica:
> >>
> >> replica: ipa-server-install --uninstall && reboot
> >> primary: ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab && reboot
> >> primary: ipa-replica-prepare sbgrid-directory-replica.in.hwlab & rsync ...
> >> replica: ipa-replica-install ./replica-info-sbgrid-directory-replica.in.hwlab.gpg
> >>
> >> The outcome was the same.
> >> Error logs from primary: http://pastebin.com/raw.php?i=jKnjZgwQ
> >>
> >> [root@sbgrid-directory ~]# ipa-replica-manage list
> >> sbgrid-directory.in.hwlab: master
> >>
> >> [root@sbgrid-directory-replica ~]$ ipa-replica-manage list
> >> sbgrid-directory.in.hwlab: master
> >> sbgrid-directory-replica.in.hwlab: master
> >
> > Please restart the primary and see if it keeps returning that error (it
> > shouldn't).
>
> I did twice, and continue to see only one master listed on sbgrid-directory.

It seems like the replica is not synchronizing with the primary.

Uhm, wait, in the paste you have it says you have incompatible IPA versions.
Can you post the version of the freeipa package on both servers?

Simo.

--
Simo Sorce * Red Hat, Inc * New York


From rmeggins at redhat.com Fri Feb 10 00:01:33 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Feb 2012 17:01:33 -0700
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu> <4F3441B1.3010103@redhat.com> <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu>
Message-ID: <4F345E5D.7040404@redhat.com>

On 02/09/2012 03:21 PM, Ian Levesque wrote:
> On Feb 9, 2012, at 4:59 PM, Rich Megginson wrote:
>
>>>> I think you failed to properly clean up before reinstalling the replica.
>>>>
>>>> On the replica make sure you run:
>>>> ipa-server-install --uninstall
>>>>
>>>> On the primary:
>>>> ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab
>>>>
>>>> You will have to force because you already removed the replica.
>>>>
>>>> Once you do that you can generate a new replica file for the replica and
>>>> retry to set up replication.
>>>>
>>>> Let me know if you encounter any other error once you have done that.
>>> I tried what you suggested and today, the replication did complete.
>>>
>>> That said, there were a bunch of errors on the initial master, including:
>>>
>>> id2entry - str2entry returned NULL for id 12, string="rdn"
>>> _entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct to RDN
>>> (snip - continues for each automountmapname cn entry)
>> What version of 389-ds-base are you running? rpm -qi 389-ds-base
> [root@sbgrid-directory ~]# rpm -qa | grep -e 389 -e ipa | sort
> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
> 389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
>
> [root@sbgrid-directory-replica ~]$ rpm -qa | grep -e 389 -e ipa | sort
> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
> 389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64

This may be related to https://fedorahosted.org/389/ticket/273 and
https://fedorahosted.org/389/ticket/274 which have been fixed in 1.2.10

>
>>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=sbgrid,dc=org: 20
>>> (repeated several times)
>> We believe this is benign.
>>
>>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
>>> slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>>> (repeated several times)
>>>
>>> NSMMReplicationPlugin - agmt="cn=meTosbgrid-directory-replica.in.hwlab" (sbgrid-directory-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
>> err=49 either means the kerberos credentials are incorrect, or the sasl mapping of the principal to the DN of the entry failed
> OK, that's good to know. So, assuming the problem is that there was an invalid cached credential getting in the way, here's what I did to attempt a reconfiguration of the replica:
>
> replica: ipa-server-install --uninstall && reboot
> primary: ipa-replica-manage --force del sbgrid-directory-replica.in.hwlab && reboot
> primary: ipa-replica-prepare sbgrid-directory-replica.in.hwlab & rsync ...
> replica: ipa-replica-install ./replica-info-sbgrid-directory-replica.in.hwlab.gpg
>
> The outcome was the same.
> Error logs from primary: http://pastebin.com/raw.php?i=jKnjZgwQ
>
> [root@sbgrid-directory ~]# ipa-replica-manage list
> sbgrid-directory.in.hwlab: master
>
> [root@sbgrid-directory-replica ~]$ ipa-replica-manage list
> sbgrid-directory.in.hwlab: master
> sbgrid-directory-replica.in.hwlab: master
>
> Thanks,
> Ian


From marco.pizzoli at gmail.com Fri Feb 10 09:50:54 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 10 Feb 2012 10:50:54 +0100
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To: <4F26BD89.1010401@redhat.com>
References: <4F26BD89.1010401@redhat.com>
Message-ID:

Hi,

On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal wrote:
> On 01/30/2012 09:47 AM, Marco Pizzoli wrote:
>
> Hi guys,
> Next days I'm going to start a test deployment of FreeIPA 2.1 but the
> following days I'm planning to have a look at the new features FreeIPA 2.2
> brings.
>
> Are you going to release an alpha/beta package anytime in the future?
>
> Thanks in advance
> Marco
>
> --
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> Yes alpha is planned for next couple weeks.
>

Sorry for asking again, but I'm really interested in this.
Any news on the expected release date? I'm available to test it and give feedback, once released.

Thanks
Marco


From djuran at redhat.com Fri Feb 10 11:01:47 2012
From: djuran at redhat.com (David Juran)
Date: Fri, 10 Feb 2012 12:01:47 +0100
Subject: [Freeipa-users] syncing users more not limited to a subtree
Message-ID: <1328871707.3458.103.camel@localhost.localdomain>

Hello

I wonder if it's somehow possible to sync AD users more selectively than just by sub-tree. In my case, I'm dealing with a very large organisation where the users that are to be synced to IPA aren't grouped by a subtree in AD but rather spread out. Can this be handled somehow?

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801
From marco.pizzoli at gmail.com Fri Feb 10 12:30:41 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 10 Feb 2012 13:30:41 +0100
Subject: [Freeipa-users] SELinux error during ipa-server-install
Message-ID:

Hi guys,
I'm working on Fedora 16 and FreeIPA 2.1.4.
I executed the command ipa-server-install, and digging in the logs during the setup I can find this error, related to SELinux.
I'm running in Permissive mode, so nothing prevented me from successfully completing my setup.

Is this an error in the policy?

Thanks in advance
Marco

[root@freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from name_connect access on the None .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that java should be allowed name_connect access on the  by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:pki_ca_t:s0
Target Context                system_u:object_r:ephemeral_port_t:s0
Target Objects                [ None ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
Port                          59940
Host                          freeipa01.unix.mydomain.it
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-61.1.10.4.fc16.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     freeipa01.unix.mydomain.it
Platform                      Linux freeipa01.unix.mydomain.it 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 10 Feb 2012 01:16:43 PM CET
Last Seen                     Fri 10 Feb 2012 01:17:29 PM CET
Local ID                      885f3218-de29-4254-b095-0439320b3a50

Raw Audit Messages
type=AVC msg=audit(1328876249.581:170): avc: denied { name_connect } for pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

node=freeipa01.unix.mydomain.it type=SYSCALL msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0 a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410 items=0 ppid=1 pid=2663 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)

Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect

audit2allow

audit2allow -R
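The AVC record and the SYSCALL record in the sealert output above share one audit serial (1328876249.581:170), and the SYSCALL line's success=yes means the connect() went through despite the denial, which is exactly the permissive-mode behaviour Marco describes. The following Python, an added example and not code from the thread or from any of the tools it mentions, pairs AVC denials with their SYSCALL records so you can tell a logged-only denial from an enforced one, and prints the allow rule that audit2allow -M would put into the local module so its breadth can be judged before loading it. The sample records are constructed from the fields quoted above; the second pair (serial 171) is invented to show the enforced case.

```python
"""Correlate SELinux AVC denials with their SYSCALL records by audit serial.

Added example, not from the mailing-list thread. The audit records below
are constructed: serial 170 mirrors the pair quoted in the thread
(permissive mode, so the connect() still succeeded); serial 171 is an
invented pair showing the same denial when SELinux is enforcing.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1328876249.581:170): avc:  denied  { name_connect } for  pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0 pid=2663 uid=993 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1328876301.000:171): avc:  denied  { name_connect } for  pid=2700 comm="java" dest=59941 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1328876301.000:171): arch=c000003e syscall=42 success=no exit=-13 pid=2700 uid=993 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)
"""

# "type=<RECORD> msg=audit(<seconds>.<ms>:<serial>): <rest>"
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<serial>[\d.]+:\d+)\): (?P<rest>.*)$")
# "avc:  denied  { perm1 perm2 } for  k=v k=v ..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
# Generic key=value tokens; values may be double-quoted (comm="java").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    serial: str
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    # None until the matching SYSCALL record is seen; True if the kernel
    # actually failed the call, False if it was only logged (permissive).
    enforced: Optional[bool] = None


def parse_fields(text: str) -> Dict[str, str]:
    """Turn 'k=v k="quoted v" ...' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context: str) -> str:
    """user:role:type[:level] -> type, e.g. pki_ca_t."""
    return context.split(":")[2]


def correlate(log_text: str) -> List[AvcDenial]:
    """Pair each AVC denial with the SYSCALL record sharing its audit serial."""
    denials: Dict[str, AvcDenial] = {}
    syscalls: Dict[str, Dict[str, str]] = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, serial, rest = m.group("type", "serial", "rest")
        if rtype == "AVC":
            a = AVC_RE.search(rest)
            if not a or a.group("verdict") != "denied":
                continue
            f = parse_fields(a.group("fields"))
            denials[serial] = AvcDenial(serial, a.group("perms").split(),
                                        f["scontext"], f["tcontext"],
                                        f["tclass"], f.get("comm", "?"))
        elif rtype == "SYSCALL":
            syscalls[serial] = parse_fields(rest)
    for serial, d in denials.items():
        sc = syscalls.get(serial)
        if sc is not None:
            # success=no means the kernel really refused the call.
            d.enforced = sc.get("success") == "no"
    return list(denials.values())


def allow_rule(d: AvcDenial) -> str:
    """The TE rule audit2allow would emit for this denial (one perm unbraced)."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {type_of(d.scontext)} {type_of(d.tcontext)}:{d.tclass} {perms};"


def report(log_text: str) -> List[str]:
    """One human-readable line per denial: mode seen, and the rule it implies."""
    lines = []
    for d in correlate(log_text):
        if d.enforced is None:
            mode = "no SYSCALL record, cannot tell"
        elif d.enforced:
            mode = "ENFORCED (call failed)"
        else:
            mode = "permissive only (call succeeded)"
        lines.append(f"{d.serial} {d.comm}: {mode}; would need: {allow_rule(d)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_AUDIT_LOG):
        print(line)
```

The rule printed for the thread's record, allow pki_ca_t ephemeral_port_t:tcp_socket name_connect;, grants the CA's Java process a connect to any ephemeral port, which is what Alexander's reply says the policy maintainers had not yet decided to allow.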
From dale at themacartneyclan.com Fri Feb 10 12:50:05 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Fri, 10 Feb 2012 12:50:05 +0000
Subject: [Freeipa-users] SELinux error during ipa-server-install
In-Reply-To:
References:
Message-ID: <4F35127D.50300@themacartneyclan.com>

Hi Marco

I had a very similar issue trying to do the same thing a while back on the day RHEL 6.2 went GA..

My situation was

SELinux enforcing, then run ipa-server-install.. it gets halfway through the process and it fails

then I tried

SELinux permissive, to get the exact same issue

I then completely disabled SELinux in /etc/sysconfig/selinux, rebooted and ran the setup again, and I was able to install successfully.

In my situation, it was related to the selinux pki policy. When this was loaded, it caused the ipa setup to fail... an update was made available in rhel which allowed me to move forward with selinux in enforcing mode.

Have you patched Fedora 16 with the latest updates? My situation was quite a while ago so I would have imagined that there would be an update to that issue with Fedora as well if this is actually the same issue I encountered. ..

Do you get the same issue with selinux disabled at all?

Dale

On 02/10/2012 12:30 PM, Marco Pizzoli wrote:
> Hi guys,
> I'm working on Fedora 16 and FreeIPA 2.1.4.
> I executed the command ipa-server-install, and digging in the logs during the setup I can find this error, related to SELinux.
> I'm running in Permissive mode, so nothing prevented me from successfully completing my setup.
>
> Is this an error in the policy?
>
> Thanks in advance
> Marco
>
> [root@freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
> SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from name_connect access on the None .
>
> *****  Plugin catchall (100. confidence) suggests  ***************************
>
> If you believe that java should be allowed name_connect access on the  by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep java /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:pki_ca_t:s0
> Target Context                system_u:object_r:ephemeral_port_t:s0
> Target Objects                [ None ]
> Source                        java
> Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
> Port                          59940
> Host                          freeipa01.unix.mydomain.it
> Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-61.1.10.4.fc16.x86_64
> Target RPM Packages
> Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Host Name                     freeipa01.unix.mydomain.it
> Platform                      Linux freeipa01.unix.mydomain.it 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64
> Alert Count                   2
> First Seen                    Fri 10 Feb 2012 01:16:43 PM CET
> Last Seen                     Fri 10 Feb 2012 01:17:29 PM CET
> Local ID                      885f3218-de29-4254-b095-0439320b3a50
>
> Raw Audit Messages
> type=AVC msg=audit(1328876249.581:170): avc: denied { name_connect } for pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
>
> node=freeipa01.unix.mydomain.it type=SYSCALL msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0 a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410 items=0 ppid=1 pid=2663 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)
>
> Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect
>
> audit2allow
>
> audit2allow -R
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
From marco.pizzoli at gmail.com Fri Feb 10 13:09:54 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 10 Feb 2012 14:09:54 +0100
Subject: [Freeipa-users] SELinux error during ipa-server-install
In-Reply-To: <4F35127D.50300@themacartneyclan.com>
References: <4F35127D.50300@themacartneyclan.com>
Message-ID:

Hi Dale,

On Fri, Feb 10, 2012 at 1:50 PM, Dale Macartney wrote:
>
> Hi Marco
>
> I had a very similar issue trying to do the same thing a while back on the
> day RHEL 6.2 went GA..
>
> My situation was
>
> SELinux enforcing, then run ipa-server-install.. it gets halfway through
> the process and it fails
>
> then I tried
>
> SELinux permissive, to get the exact same issue
>
> I then completely disabled SELinux in /etc/sysconfig/selinux, rebooted and
> ran the setup again, and I was able to install successfully.
>
> In my situation, it was related to the selinux pki policy. When this was
> loaded, it caused the ipa setup to fail... an update was made available in
> rhel which allowed me to move forward with selinux in enforcing mode.
>
> Have you patched Fedora 16 with the latest updates? My situation was quite
> a while ago so I would have imagined that there would be an update to that
> issue with Fedora as well if this is actually the same issue I encountered.
> ..
>

I updated my system a few days ago and I'm currently not seeing further updates available.
These are my packages:

[root@freeipa01 ~]# rpm -qa|grep -i selinux
selinux-policy-3.10.0-75.fc16.noarch
libselinux-2.1.6-5.fc16.x86_64
libselinux-python-2.1.6-5.fc16.x86_64
pki-selinux-9.0.17-1.fc16.noarch
libselinux-utils-2.1.6-5.fc16.x86_64
selinux-policy-targeted-3.10.0-75.fc16.noarch
freeipa-server-selinux-2.1.4-4.fc16.x86_64

> Do you get the same issue with selinux disabled at all?
>

Actually I haven't tried, but I'm sure I would not encounter this problem in that case.
As I wrote, I'm running in permissive mode, so I only get warnings about what would have been blocked by SELinux, not an effective block on the execution.
My setup (apparently) completed correctly. I still have to check it on the job :-)

Thanks
Marco


From abokovoy at redhat.com Fri Feb 10 13:47:16 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Feb 2012 15:47:16 +0200
Subject: [Freeipa-users] SELinux error during ipa-server-install
In-Reply-To:
References:
Message-ID: <20120210134716.GC3452@redhat.com>

On Fri, 10 Feb 2012, Marco Pizzoli wrote:
> Hi guys,
> I'm working on Fedora 16 and FreeIPA 2.1.4.
> I executed the command ipa-server-install, and digging in the logs during
> the setup I can find this error, related to SELinux.
> I'm running in Permissive mode, so nothing prevented me from successfully
> completing my setup.
>
> Is this an error in the policy?
https://bugzilla.redhat.com/show_bug.cgi?id=739708

Allowing connecting to an ephemeral port is something that Ade has still not decided on yet.

--
/ Alexander Bokovoy


From marco.pizzoli at gmail.com Fri Feb 10 13:50:12 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 10 Feb 2012 14:50:12 +0100
Subject: [Freeipa-users] SELinux error during ipa-server-install
In-Reply-To: <20120210134716.GC3452@redhat.com>
References: <20120210134716.GC3452@redhat.com>
Message-ID:

Hi Alexander,

On Fri, Feb 10, 2012 at 2:47 PM, Alexander Bokovoy wrote:
> On Fri, 10 Feb 2012, Marco Pizzoli wrote:
>
> > Hi guys,
> > I'm working on Fedora 16 and FreeIPA 2.1.4.
> > I executed the command ipa-server-install, and digging in the logs during
> > the setup I can find this error, related to SELinux.
> > I'm running in Permissive mode, so nothing prevented me from successfully
> > completing my setup.
> >
> > Is this an error in the policy?
> https://bugzilla.redhat.com/show_bug.cgi?id=739708
>
> Allowing connecting to an ephemeral port is something that Ade has still not
> decided on yet.
>

Thanks for the info.
Marco


From simo at redhat.com Fri Feb 10 14:15:30 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 10 Feb 2012 09:15:30 -0500
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <4F345E5D.7040404@redhat.com>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu> <4F3441B1.3010103@redhat.com> <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu> <4F345E5D.7040404@redhat.com>
Message-ID: <1328883331.5829.128.camel@willson.li.ssimo.org>

On Thu, 2012-02-09 at 17:01 -0700, Rich Megginson wrote:
> This may be related to https://fedorahosted.org/389/ticket/273 and
> https://fedorahosted.org/389/ticket/274 which have been fixed in
> 1.2.10

In this case Ian please open a bugzilla, it looks like we need to address this in RHEL6.

Simo.

--
Simo Sorce * Red Hat, Inc * New York


From dale at themacartneyclan.com Fri Feb 10 14:20:40 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Fri, 10 Feb 2012 14:20:40 +0000
Subject: [Freeipa-users] Dovecot SSO Authentication HowTo is now available on Wiki
Message-ID: <4F3527B8.2030608@themacartneyclan.com>

Hi All

I have added a walkthrough on configuring Dovecot to use IMAPS with SSO support to the Wiki.
http://freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On

Feedback is more than welcome

Dale


From sgallagh at redhat.com Fri Feb 10 14:24:01 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 10 Feb 2012 09:24:01 -0500
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To:
References: <4F26BD89.1010401@redhat.com>
Message-ID: <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com>

On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote:
> Hi,
>
> On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal wrote:
>         On 01/30/2012 09:47 AM, Marco Pizzoli wrote:
> > Hi guys,
> > Next days I'm going to start a test deployment of FreeIPA
> > 2.1 but the following days I'm planning to have a look at
> > the new features FreeIPA 2.2 brings.
> >
> > Are you going to release an alpha/beta package anytime in the
> > future?
> >
> > Thanks in advance
> > Marco
> >
> > --
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
>         Yes alpha is planned for next couple weeks.
>
>
> Sorry for asking again, but I'm really interested in this.
> Any news on the expected release date? I'm available to test it and
> give feedback, once released.

If you're interested in testing the nightly builds, you can install one of the below repository files into /etc/yum.repos.d

Fedora 15-17: http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
RHEL 6: http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo

Then you can 'yum update' to the latest nightlies.
From dale at themacartneyclan.com Fri Feb 10 14:26:49 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Fri, 10 Feb 2012 14:26:49 +0000
Subject: [Freeipa-users] Dovecot SSO Authentication HowTo is now available on Wiki
In-Reply-To: <4F3527B8.2030608@themacartneyclan.com>
References: <4F3527B8.2030608@themacartneyclan.com>
Message-ID: <4F352929.2050804@themacartneyclan.com>

Hi All

I have added a walkthrough on configuring Dovecot to use IMAPS with SSO support to the Wiki.

http://freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On

Feedback is more than welcome

Dale


From danieljamesscott at gmail.com Fri Feb 10 14:27:07 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 10 Feb 2012 09:27:07 -0500
Subject: [Freeipa-users] SELinux error during ipa-server-install
In-Reply-To: <4F35127D.50300@themacartneyclan.com>
References: <4F35127D.50300@themacartneyclan.com>
Message-ID:

Hi,

On Fri, Feb 10, 2012 at 07:50, Dale Macartney wrote:
>
> Hi Marco
>
> I had a very similar issue trying to do the same thing a while back on the
> day RHEL 6.2 went GA..
>
> My situation was
>
> SELinux enforcing, then run ipa-server-install.. it gets halfway through
> the process and it fails
>
> then I tried
>
> SELinux permissive, to get the exact same issue
>
> I then completely disabled SELinux in /etc/sysconfig/selinux, rebooted and
> ran the setup again, and I was able to install successfully.
>
> In my situation, it was related to the selinux pki policy. When this was
> loaded, it caused the ipa setup to fail... an update was made available in
> rhel which allowed me to move forward with selinux in enforcing mode.
>
> Have you patched Fedora 16 with the latest updates? My situation was quite a
> while ago so I would have imagined that there would be an update to that
> issue with Fedora as well if this is actually the same issue I encountered.
> ..
>
> Do you get the same issue with selinux disabled at all?
>
> Dale

I've also had big problems with FreeIPA replication on Fedora 15 and 16. A few issues were related to Fedora 15-16 upgrades and others were related to SELinux. Disabling SELinux has considerably reduced the problems that I've been seeing.

Thanks,

Dan

> On 02/10/2012 12:30 PM, Marco Pizzoli wrote:
>> Hi guys,
>> I'm working on Fedora 16 and FreeIPA 2.1.4.
>> I executed the command ipa-server-install, and digging in the logs during
>> the setup I can find this error, related to SELinux.
>> I'm running in Permissive mode, so nothing prevented me from successfully
>> completing my setup.
>>
>> Is this an error in the policy?
>>
>> Thanks in advance
>> Marco
>>
>> [root@freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
>> SELinux is preventing
>> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from
>> name_connect access on the None .
>>
>> *****  Plugin catchall (100. confidence) suggests
>> ***************************
>>
>> If you believe that java should be allowed name_connect access on the
>> by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # grep java /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>>
>> Additional Information:
>> Source Context                system_u:system_r:pki_ca_t:s0
>> Target Context                system_u:object_r:ephemeral_port_t:s0
>> Target Objects                [ None ]
>> Source                        java
>> Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
>> Port                          59940
>> Host                          freeipa01.unix.mydomain.it
>> Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-61.1.10.4.fc16.x86_64
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Permissive
>> Host Name                     freeipa01.unix.mydomain.it
>> Platform                      Linux freeipa01.unix.mydomain.it 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64
>> Alert Count                   2
>> First Seen                    Fri 10 Feb 2012 01:16:43 PM CET
>> Last Seen                     Fri 10 Feb 2012 01:17:29 PM CET
>> Local ID                      885f3218-de29-4254-b095-0439320b3a50
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1328876249.581:170): avc: denied { name_connect } for
>> pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0
>> tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
>>
>> node=freeipa01.unix.mydomain.it type=SYSCALL
>> msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0
>> a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410 items=0 ppid=1 pid=2663
>> auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990
>> sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="java"
>> exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java"
>> subj=system_u:system_r:pki_ca_t:s0 key=(null)
>>
>> Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect
>>
>> audit2allow
>>
>> audit2allow -R
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


From marco.pizzoli at gmail.com Fri Feb 10 14:30:09 2012
From: marco.pizzoli at gmail.com
(Marco Pizzoli)
Date: Fri, 10 Feb 2012 15:30:09 +0100
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To: <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID:

On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher wrote:

> On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote:
> > Hi,
> >
> > On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal wrote:
> > On 01/30/2012 09:47 AM, Marco Pizzoli wrote:
> > > Hi guys,
> > > Next days I'm going to start a test deployment of FreeIPA
> > > 2.1 but the following days I'm planning to have a look on
> > > the new features FreeIPA 2.2 brings.
> > >
> > > Are you going to release a alpha/beta package anytime in the
> > > future?
> > >
> > > Thanks in advance
> > > Marco
> > >
> > > --
> > >
> > >
> > >
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > Freeipa-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > Yes alpha is planned for next couple weeks.
> >
> >
> >
> > Sorry for asking again, but I'm really interested in this.
> > Any news on the expected release date? I'm available to test it and
> > give feedbacks, once released.
>
> If you're interested in testing the nightly builds, you can install one
> of the below repository files into /etc/yum.repos.d
>
> Fedora 15-17:
> http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
>
> RHEL 6:
> http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo
>
>
> Then you can 'yum update' to the latest nightlies.
>

Good to know! Thanks a lot.

Testing nightly builds will involve me reporting problems and/or errors.
Which mailing list should I use? -users or -devel ?

Marco
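Stepping back to the SELinux denial in the ipa-server-install thread above (Marco Pizzoli's sealert output and Dan Scott's reply): sealert's catchall plugin suggests either reporting a policy bug or loading a local module built with audit2allow, and the useful question for an administrator is which of the two applies. The following is an added example, not code from this thread or from the FreeIPA or SELinux projects. It parses raw AVC records in the form Marco pasted, joins each AVC with its SYSCALL record by audit serial, reports whether the kernel actually blocked the call (in permissive mode the SYSCALL record shows success=yes, which is why Marco's install completed), shows the allow rule audit2allow would generate so its breadth can be judged before a local module is loaded, and flags target types where a denial should be investigated rather than allowed. The first record pair is modelled on Marco's; the second pair (httpd reading shadow_t in enforcing mode) and the small SENSITIVE_TYPES list are constructed for the demonstration.

```python
"""Triage SELinux AVC denials from audit.log.

Added example for this thread; not code from the FreeIPA or SELinux projects.
Joins each AVC record with its SYSCALL record (same audit serial), reports
whether the kernel actually blocked the call, shows the allow rule that
audit2allow would generate, and flags target types that should be
investigated rather than allowed.
"""
import re

# Constructed sample: the first AVC/SYSCALL pair is modelled on the one posted
# in the thread, the second (httpd reading shadow_t, enforcing) is invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1328876249.581:170): avc:  denied  { name_connect } for  pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0 a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410 items=0 ppid=1 pid=2663 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1328876300.100:171): avc:  denied  { read } for  pid=2700 comm="httpd" name="shadow" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1328876300.100:171): arch=c000003e syscall=2 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2700 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)"
    r"\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types where a denial is a signal to investigate the source process,
# never a policy gap to paper over. Illustrative list, not exhaustive.
SENSITIVE_TYPES = {"shadow_t", "security_t", "sshd_key_t"}


def _fields(s):
    """Split 'k=v k2="v 2"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(s)}


def selinux_type(context):
    """Type field of a user:role:type:level context."""
    return context.split(":")[2]


def parse_audit(text):
    """Return one dict per AVC record, joined with its SYSCALL record."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            f = _fields(m.group("rest"))
            avcs.append({
                "serial": int(m.group("serial")),
                "result": m.group("result"),
                "perms": m.group("perms").split(),
                "comm": f.get("comm"),
                "scontext": f.get("scontext"),
                "tcontext": f.get("tcontext"),
                "tclass": f.get("tclass"),
            })
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[int(m.group("serial"))] = _fields(m.group("rest"))
    for rec in avcs:
        sc = syscalls.get(rec["serial"], {})
        rec["success"] = sc.get("success")  # "yes" means permissive mode let it through
        rec["exe"] = sc.get("exe")
    return avcs


def enforced(rec):
    """True if the kernel blocked the operation rather than only logging it."""
    return rec["result"] == "denied" and rec["success"] != "yes"


def allow_rule(rec):
    """The TE allow rule audit2allow would emit for this record."""
    perms = " ".join(rec["perms"])
    if len(rec["perms"]) > 1:
        perms = "{ %s }" % perms
    return "allow %s %s:%s %s;" % (
        selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"], perms)


def summarize(text):
    """Per-denial triage: was it enforced, what audit2allow would grant, is the target sensitive."""
    out = []
    for rec in parse_audit(text):
        out.append({
            "serial": rec["serial"],
            "comm": rec["comm"],
            "exe": rec["exe"],
            "enforced": enforced(rec),
            "rule": allow_rule(rec),
            "sensitive": selinux_type(rec["tcontext"]) in SENSITIVE_TYPES,
        })
    return out


if __name__ == "__main__":
    for s in summarize(SAMPLE_AUDIT_LOG):
        mode = "BLOCKED" if s["enforced"] else "logged only (permissive)"
        flag = "  <-- investigate, do not allow" if s["sensitive"] else ""
        print("%d %-6s %s: %s%s" % (s["serial"], s["comm"], mode, s["rule"], flag))
```

Run it against a real file with `summarize(open("/var/log/audit/audit.log").read())`. For Marco's record the output rule is `allow pki_ca_t ephemeral_port_t:tcp_socket name_connect;`, which lets the CA domain connect to any ephemeral port on any host; seeing that breadth spelled out is the argument for filing it as the policy bug sealert mentions (which is how Dale's RHEL case was resolved) instead of shipping the catchall module.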
URL: From simo at redhat.com Fri Feb 10 14:36:35 2012 From: simo at redhat.com (Simo Sorce) Date: Fri, 10 Feb 2012 09:36:35 -0500 Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere? In-Reply-To: References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> Message-ID: <1328884595.5829.129.camel@willson.li.ssimo.org> On Fri, 2012-02-10 at 15:30 +0100, Marco Pizzoli wrote: > > > On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher > wrote: > On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote: > > Hi, > > > > On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal > wrote: > > On 01/30/2012 09:47 AM, Marco Pizzoli wrote: > > > Hi guys, > > > Next days I'm going to start a test deployment of > FreeIPA > > > 2.1 but the following days I'm planning to have a > look on > > > the new features FreeIPA 2.2 brings. > > > > > > Are you going to release a alpha/beta package > anytime in the > > > future? > > > > > > Thanks in advance > > > Marco > > > > > > -- > > > > > > > > > > > > _______________________________________________ > > > Freeipa-users mailing list > > > Freeipa-users at redhat.com > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > Yes alpha is planned for next couple weeks. > > > > > > > > Sorry for asking again, but I'm really interested in this. > > Any news on the expected release date? I'm available to test > it and > > give feedbacks, once released. > > > If you're interested in testing the nightly builds, you can > install one > of the below repository files into /etc/yum.repos.d > > Fedora 15-17: > http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo > > RHEL 6: > http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo > > > Then you can 'yum update' to the latest nightlies. > > Good to know! Thanks a lot. > > Testing nightly build will involves me reporting problems and/or > errors. > Which mailing list should I have to use? -users or -devel ? 
For -devel version I think freeipa-devel is better. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Feb 10 14:56:15 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Feb 2012 09:56:15 -0500 Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere? In-Reply-To: <1328884595.5829.129.camel@willson.li.ssimo.org> References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> <1328884595.5829.129.camel@willson.li.ssimo.org> Message-ID: <4F35300F.7060204@redhat.com> Simo Sorce wrote: > On Fri, 2012-02-10 at 15:30 +0100, Marco Pizzoli wrote: >> >> >> On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher >> wrote: >> On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote: >> > Hi, >> > >> > On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal >> wrote: >> > On 01/30/2012 09:47 AM, Marco Pizzoli wrote: >> > > Hi guys, >> > > Next days I'm going to start a test deployment of >> FreeIPA >> > > 2.1 but the following days I'm planning to have a >> look on >> > > the new features FreeIPA 2.2 brings. >> > > >> > > Are you going to release a alpha/beta package >> anytime in the >> > > future? >> > > >> > > Thanks in advance >> > > Marco >> > > >> > > -- >> > > >> > > >> > > >> > > _______________________________________________ >> > > Freeipa-users mailing list >> > > Freeipa-users at redhat.com >> > > >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > >> > Yes alpha is planned for next couple weeks. >> > >> > >> > >> > Sorry for asking again, but I'm really interested in this. >> > Any news on the expected release date? I'm available to test >> it and >> > give feedbacks, once released. 
>> >> >> If you're interested in testing the nightly builds, you can >> install one >> of the below repository files into /etc/yum.repos.d >> >> Fedora 15-17: >> http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo >> >> RHEL 6: >> http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo >> >> >> Then you can 'yum update' to the latest nightlies. >> >> Good to know! Thanks a lot. >> >> Testing nightly build will involves me reporting problems and/or >> errors. >> Which mailing list should I have to use? -users or -devel ? > > For -devel version I think freeipa-devel is better. > > Simo. > Just to add that this version has known upgrade problems so I wouldn't recommend upgrading an existing installation at this time. rob From rmeggins at redhat.com Fri Feb 10 15:28:52 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 10 Feb 2012 08:28:52 -0700 Subject: [Freeipa-users] syncing users more not limited to a subtree In-Reply-To: <1328871707.3458.103.camel@localhost.localdomain> References: <1328871707.3458.103.camel@localhost.localdomain> Message-ID: <4F3537B4.3030205@redhat.com> On 02/10/2012 04:01 AM, David Juran wrote: > Hello > > I wonder if it's somehow possible to sync AD-users more selectively then > just by sub-tree. In my case, I'm dealing with a very large organisation > where the users that are to be synced to IPA aren't grouped by a subtree > in AD but rather spread out. Can this be handled somehow? > I don't think so, but can you provide some examples? From marco.pizzoli at gmail.com Fri Feb 10 15:32:49 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Fri, 10 Feb 2012 16:32:49 +0100 Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere? 
In-Reply-To: <4F35300F.7060204@redhat.com> References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> <1328884595.5829.129.camel@willson.li.ssimo.org> <4F35300F.7060204@redhat.com> Message-ID: On Fri, Feb 10, 2012 at 3:56 PM, Rob Crittenden wrote: > Simo Sorce wrote: > >> On Fri, 2012-02-10 at 15:30 +0100, Marco Pizzoli wrote: >> >>> >>> >>> On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher >>> wrote: >>> On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote: >>> > Hi, >>> > >>> > On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal >>> wrote: >>> > On 01/30/2012 09:47 AM, Marco Pizzoli wrote: >>> > > Hi guys, >>> > > Next days I'm going to start a test deployment of >>> FreeIPA >>> > > 2.1 but the following days I'm planning to have a >>> look on >>> > > the new features FreeIPA 2.2 brings. >>> > > >>> > > Are you going to release a alpha/beta package >>> anytime in the >>> > > future? >>> > > >>> > > Thanks in advance >>> > > Marco >>> > > >>> > > -- >>> > > >>> > > >>> > > >>> > > ______________________________**_________________ >>> > > Freeipa-users mailing list >>> > > Freeipa-users at redhat.com >>> > > >>> https://www.redhat.com/**mailman/listinfo/freeipa-users >>> > >>> > Yes alpha is planned for next couple weeks. >>> > >>> > >>> > >>> > Sorry for asking again, but I'm really interested in this. >>> > Any news on the expected release date? I'm available to test >>> it and >>> > give feedbacks, once released. >>> >>> >>> If you're interested in testing the nightly builds, you can >>> install one >>> of the below repository files into /etc/yum.repos.d >>> >>> Fedora 15-17: >>> http://jdennis.fedorapeople.**org/ipa-devel/ipa-devel-** >>> fedora.repo >>> >>> RHEL 6: >>> http://jdennis.fedorapeople.**org/ipa-devel/ipa-devel-rhel.** >>> repo >>> >>> >>> Then you can 'yum update' to the latest nightlies. >>> >>> Good to know! Thanks a lot. >>> >>> Testing nightly build will involves me reporting problems and/or >>> errors. 
>>> Which mailing list should I have to use? -users or -devel ? >>> >> >> For -devel version I think freeipa-devel is better. >> >> Simo. >> >> > Just to add that this version has known upgrade problems so I wouldn't > recommend upgrading an existing installation at this time. > Hi Rob, Is there a ticket on which I can put me in Cc to track it? Thanks Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri Feb 10 15:39:25 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Feb 2012 10:39:25 -0500 Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere? In-Reply-To: References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> <1328884595.5829.129.camel@willson.li.ssimo.org> <4F35300F.7060204@redhat.com> Message-ID: <4F353A2D.2020304@redhat.com> Marco Pizzoli wrote: > > On Fri, Feb 10, 2012 at 3:56 PM, Rob Crittenden > wrote: > > Simo Sorce wrote: > > On Fri, 2012-02-10 at 15:30 +0100, Marco Pizzoli wrote: > > > > On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher > > wrote: > On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote: > > Hi, > > > > On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal > > wrote: > > On 01/30/2012 09:47 AM, Marco Pizzoli wrote: > > > Hi guys, > > > Next days I'm going to start a test deployment of > FreeIPA > > > 2.1 but the following days I'm planning to have a > look on > > > the new features FreeIPA 2.2 brings. > > > > > > Are you going to release a alpha/beta package > anytime in the > > > future? > > > > > > Thanks in advance > > > Marco > > > > > > -- > > > > > > > > > > > > _________________________________________________ > > > Freeipa-users mailing list > > > Freeipa-users at redhat.com > > > > https://www.redhat.com/__mailman/listinfo/freeipa-users > > > > > Yes alpha is planned for next couple weeks. > > > > > > > > Sorry for asking again, but I'm really interested in this. 
> > Any news on the expected release date? I'm available to test > it and > > give feedbacks, once released. > > > If you're interested in testing the nightly builds, > you can > install one > of the below repository files into /etc/yum.repos.d > > Fedora 15-17: > http://jdennis.fedorapeople.__org/ipa-devel/ipa-devel-__fedora.repo > > > RHEL 6: > http://jdennis.fedorapeople.__org/ipa-devel/ipa-devel-rhel.__repo > > > > Then you can 'yum update' to the latest nightlies. > > Good to know! Thanks a lot. > > Testing nightly build will involves me reporting problems and/or > errors. > Which mailing list should I have to use? -users or -devel ? > > > For -devel version I think freeipa-devel is better. > > Simo. > > > Just to add that this version has known upgrade problems so I > wouldn't recommend upgrading an existing installation at this time. > > > Hi Rob, > Is there a ticket on which I can put me in Cc to track it? > There are a number of them: https://fedorahosted.org/freeipa/ticket/2147 https://fedorahosted.org/freeipa/ticket/2341 https://fedorahosted.org/freeipa/ticket/2344 rob From marco.pizzoli at gmail.com Fri Feb 10 15:42:20 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Fri, 10 Feb 2012 16:42:20 +0100 Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere? 
In-Reply-To: <4F353A2D.2020304@redhat.com> References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> <1328884595.5829.129.camel@willson.li.ssimo.org> <4F35300F.7060204@redhat.com> <4F353A2D.2020304@redhat.com> Message-ID: On Fri, Feb 10, 2012 at 4:39 PM, Rob Crittenden wrote: > Marco Pizzoli wrote: > >> >> On Fri, Feb 10, 2012 at 3:56 PM, Rob Crittenden > > wrote: >> >> Simo Sorce wrote: >> >> On Fri, 2012-02-10 at 15:30 +0100, Marco Pizzoli wrote: >> >> >> >> On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher >> > wrote: >> >> On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli >> wrote: >> > Hi, >> > >> > On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal >> > wrote: >> >> > On 01/30/2012 09:47 AM, Marco Pizzoli wrote: >> > > Hi guys, >> > > Next days I'm going to start a test deployment of >> FreeIPA >> > > 2.1 but the following days I'm planning to have a >> look on >> > > the new features FreeIPA 2.2 brings. >> > > >> > > Are you going to release a alpha/beta package >> anytime in the >> > > future? >> > > >> > > Thanks in advance >> > > Marco >> > > >> > > -- >> > > >> > > >> > > >> > > ______________________________**___________________ >> > > Freeipa-users mailing list >> > > Freeipa-users at redhat.com > com > >> > > >> https://www.redhat.com/__**mailman/listinfo/freeipa-users >> >> >> **> >> > >> > Yes alpha is planned for next couple weeks. >> > >> > >> > >> > Sorry for asking again, but I'm really interested in this. >> > Any news on the expected release date? I'm available to >> test >> it and >> > give feedbacks, once released. 
>> >> >> If you're interested in testing the nightly builds, >> you can >> install one >> of the below repository files into /etc/yum.repos.d >> >> Fedora 15-17: >> http://jdennis.fedorapeople.__**org/ipa-devel/ipa-devel-__** >> fedora.repo >> > fedora.repo >> > >> >> RHEL 6: >> http://jdennis.fedorapeople.__**org/ipa-devel/ipa-devel-rhel._ >> **_repo >> >> > repo > >> >> >> Then you can 'yum update' to the latest nightlies. >> >> Good to know! Thanks a lot. >> >> Testing nightly build will involves me reporting problems >> and/or >> errors. >> Which mailing list should I have to use? -users or -devel ? >> >> >> For -devel version I think freeipa-devel is better. >> >> Simo. >> >> >> Just to add that this version has known upgrade problems so I >> wouldn't recommend upgrading an existing installation at this time. >> >> >> Hi Rob, >> Is there a ticket on which I can put me in Cc to track it? >> >> > > There are a number of them: > > https://fedorahosted.org/**freeipa/ticket/2147 > https://fedorahosted.org/**freeipa/ticket/2341 > https://fedorahosted.org/**freeipa/ticket/2344 > Cc'ed to all. Thanks again -------------- next part -------------- An HTML attachment was scrubbed... 
URL:

From ian at crystal.harvard.edu Fri Feb 10 18:32:07 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Fri, 10 Feb 2012 13:32:07 -0500
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <1328883331.5829.128.camel@willson.li.ssimo.org>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu> <4F3441B1.3010103@redhat.com> <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu> <4F345E5D.7040404@redhat.com> <1328883331.5829.128.camel@willson.li.ssimo.org>
Message-ID: <011DBA78-6550-4C89-A2F2-B5D718C637F4@crystal.harvard.edu>

On Feb 10, 2012, at 9:15 AM, Simo Sorce wrote:

> On Thu, 2012-02-09 at 17:01 -0700, Rich Megginson wrote:
>> This may be related to https://fedorahosted.org/389/ticket/273 and
>> https://fedorahosted.org/389/ticket/274 which have been fixed in
>> 1.2.10
>
> In this case Ian please open a bugzilla, it looks like we need to
> address this in RHEL6.

I'll confess that I don't fully understand what tombstone is... Regardless, I'm not sure that either of those tickets applies to the issue at hand. As I understand it, Ticket 273 outlines an issue with searching for tombstone entries after successfully setting up a replica (which as far as I'm hearing, we haven't done). And ticket 274 concerns indexing the tombstone entries. I am able to search for tombstone entries (http://pastebin.com/raw.php?i=a4ytYZvt) and don't see the errors specified in ticket 274.

That said, perhaps there's some bug with tombstone re: the automountmap entries in my LDAP instance. Do you think that would be sufficient to cause the replication issues I'm seeing?

Best,
Ian

From rmeggins at redhat.com Fri Feb 10 18:36:48 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 10 Feb 2012 11:36:48 -0700
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <011DBA78-6550-4C89-A2F2-B5D718C637F4@crystal.harvard.edu>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu> <4F3441B1.3010103@redhat.com> <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu> <4F345E5D.7040404@redhat.com> <1328883331.5829.128.camel@willson.li.ssimo.org> <011DBA78-6550-4C89-A2F2-B5D718C637F4@crystal.harvard.edu>
Message-ID: <4F3563C0.6060702@redhat.com>

On 02/10/2012 11:32 AM, Ian Levesque wrote:
> On Feb 10, 2012, at 9:15 AM, Simo Sorce wrote:
>
>> On Thu, 2012-02-09 at 17:01 -0700, Rich Megginson wrote:
>>> This may be related to https://fedorahosted.org/389/ticket/273 and
>>> https://fedorahosted.org/389/ticket/274 which have been fixed in
>>> 1.2.10
>> In this case Ian please open a bugzilla, it looks like we need to
>> address this in RHEL6.
>
> I'll confess that I don't fully understand what tombstone is... Regardless, I'm not sure that either of those tickets applies to the issue at hand. As I understand it, Ticket 273 outlines an issue with searching for tombstone entries after successfully setting up a replica (which as far as I'm hearing, we haven't done). And ticket 274 concerns indexing the tombstone entries. I am able to search for tombstone entries (http://pastebin.com/raw.php?i=a4ytYZvt) and don't see the errors specified in ticket 274.

In 1.2.9.9 the ruv tombstone entry was indexed correctly, so that's why you see it.

For ticket 274, you would only see those errors if you actually attempt to reindex the entryrdn index.

> That said, perhaps there's some bug with tombstone re: the automountmap entries in my LDAP instance. Do you think that would be sufficient to cause the replication issues I'm seeing?

It could be. Taken together, both of those tickets resolve problems with tombstone indexes. At any rate, I would like to know if you can reproduce your issues with 1.2.10.rc1

To confirm, the first step would be to examine your entryrdn index to see what the problematic entries look like, e.g.

dbscan -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4 | grep -C 2 automountmapname=auto.direct

> Best,
> Ian

From dpal at redhat.com Fri Feb 10 18:41:23 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Feb 2012 13:41:23 -0500
Subject: [Freeipa-users] syncing users more not limited to a subtree
In-Reply-To: <4F3537B4.3030205@redhat.com>
References: <1328871707.3458.103.camel@localhost.localdomain> <4F3537B4.3030205@redhat.com>
Message-ID: <4F3564D3.50400@redhat.com>

On 02/10/2012 10:28 AM, Rich Megginson wrote:
> On 02/10/2012 04:01 AM, David Juran wrote:
>> Hello
>>
>> I wonder if it's somehow possible to sync AD-users more selectively than
>> just by sub-tree. In my case, I'm dealing with a very large organisation
>> where the users that are to be synced to IPA aren't grouped by a subtree
>> in AD but rather spread out. Can this be handled somehow?
>>
> I don't think so, but can you provide some examples?
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Rich, can one create two different winsync agreements that use different sub trees on the AD side? Is there anything that would prevent it from working? Maybe it should be done from 2 IPA replicas?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project, Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri Feb 10 18:44:43 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Feb 2012 13:44:43 -0500
Subject: [Freeipa-users] Dovecot SSO Authentication HowTo is now available on Wiki
In-Reply-To: <4F352929.2050804@themacartneyclan.com>
References: <4F3527B8.2030608@themacartneyclan.com> <4F352929.2050804@themacartneyclan.com>
Message-ID: <4F35659B.5030800@redhat.com>

On 02/10/2012 09:26 AM, Dale Macartney wrote:
>
> Hi All
>
> I have added a walk through on configuring Dovecot to use IMAPS with SSO
> support to the Wiki.
>
> http://freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On
>
> Feedback is more than welcome
>
> Dale
>

Thank you for the contribution!

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project, Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmeggins at redhat.com Fri Feb 10 18:46:21 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 10 Feb 2012 11:46:21 -0700
Subject: [Freeipa-users] syncing users more not limited to a subtree
In-Reply-To: <4F3564D3.50400@redhat.com>
References: <1328871707.3458.103.camel@localhost.localdomain> <4F3537B4.3030205@redhat.com> <4F3564D3.50400@redhat.com>
Message-ID: <4F3565FD.6010609@redhat.com>

On 02/10/2012 11:41 AM, Dmitri Pal wrote:
> On 02/10/2012 10:28 AM, Rich Megginson wrote:
>> On 02/10/2012 04:01 AM, David Juran wrote:
>>> Hello
>>>
>>> I wonder if it's somehow possible to sync AD-users more selectively than
>>> just by sub-tree. In my case, I'm dealing with a very large organisation
>>> where the users that are to be synced to IPA aren't grouped by a subtree
>>> in AD but rather spread out. Can this be handled somehow?
>>>
>> I don't think so, but can you provide some examples?
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Rich, can one create two different winsync agreements that use different
> sub trees on the AD side?

Yes, if they also use two different sub trees on the IPA side. Otherwise, you have two different winsync agreements covering the same ipa subtree - I have no idea what would happen.

> Is there anything that would prevent it from
> working? Maybe it should be done from 2 IPA replicas?

You might still have problems with that scenario, just delayed. That is, the ipa subtree is the same on both replicas, so you still have the same problem, just delayed by the speed of replication.

The only way to know for sure would be to get some concrete examples, then try it out.

From dpal at redhat.com Fri Feb 10 19:18:44 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Feb 2012 14:18:44 -0500
Subject: [Freeipa-users] syncing users more not limited to a subtree
In-Reply-To: <4F3565FD.6010609@redhat.com>
References: <1328871707.3458.103.camel@localhost.localdomain> <4F3537B4.3030205@redhat.com> <4F3564D3.50400@redhat.com> <4F3565FD.6010609@redhat.com>
Message-ID: <4F356D94.8060507@redhat.com>

On 02/10/2012 01:46 PM, Rich Megginson wrote:
> On 02/10/2012 11:41 AM, Dmitri Pal wrote:
>> On 02/10/2012 10:28 AM, Rich Megginson wrote:
>>> On 02/10/2012 04:01 AM, David Juran wrote:
>>>> Hello
>>>>
>>>> I wonder if it's somehow possible to sync AD-users more selectively
>>>> than just by sub-tree. In my case, I'm dealing with a very large
>>>> organisation where the users that are to be synced to IPA aren't
>>>> grouped by a subtree in AD but rather spread out. Can this be handled
>>>> somehow?
>>>>
>>> I don't think so, but can you provide some examples?
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Rich, can one create two different winsync agreements that use different
>> sub trees on the AD side?
> Yes, if they also use two different sub trees on the IPA side.
> Otherwise, you have two different winsync agreements covering the same
> ipa subtree - I have no idea what would happen.

If the users are different then there should be no collision. Are you concerned about two winsyncs stepping on each other in terms of keeping the view (persistent search or something like it) of IPA data consistent?

>> Is there anything that would prevent it from
>> working? Maybe it should be done from 2 IPA replicas?
> You might still have problems with that scenario, just delayed. That
> is, the ipa subtree is the same on both replicas, so you still have
> the same problem, just delayed by the speed of replication.
>
> The only way to know for sure would be to get some concrete examples,
> then try it out.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project, Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From marco.pizzoli at gmail.com Fri Feb 10 19:22:53 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 10 Feb 2012 20:22:53 +0100
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To: <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID:

On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher wrote:

> On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote:
> > Hi,
> >
> > On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal wrote:
> > On 01/30/2012 09:47 AM, Marco Pizzoli wrote:
> > > Hi guys,
> > > Next days I'm going to start a test deployment of FreeIPA
> > > 2.1 but the following days I'm planning to have a look on
> > > the new features FreeIPA 2.2 brings.
> > >
> > > Are you going to release a alpha/beta package anytime in the
> > > future?
> > >
> > > Thanks in advance
> > > Marco
> > >
> > > --
> > >
> > >
> > >
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > Freeipa-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > Yes alpha is planned for next couple weeks.
> >
> >
> >
> > Sorry for asking again, but I'm really interested in this.
> > Any news on the expected release date? I'm available to test it and
> > give feedbacks, once released.
>
> If you're interested in testing the nightly builds, you can install one
> of the below repository files into /etc/yum.repos.d
>
> Fedora 15-17:
> http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
>
> RHEL 6:
> http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo
>
>
> Then you can 'yum update' to the latest nightlies.
>

I wget-ed the repo file on a 64-bit Fedora 16 system but I'm failing to see the package for 64-bit systems.
Please, could you tell me what my error is?

[root at freeipa02 yum.repos.d]# yum info freeipa-server
Loaded plugins: langpacks, presto, refresh-packagekit
Available Packages
Name        : freeipa-server
*Arch        : i686*
Version     : 2.1.4
*Release     : 1.20120209T0216Zgit11c25a4.fc16*
Size        : 957 k
*Repo        : ipa-devel*
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
License     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).

Name        : freeipa-server
*Arch        : x86_64*
Version     : 2.1.4
*Release     : 4.fc16*
Size        : 958 k
*Repo        : updates*
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
License     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).

[root at freeipa02 yum.repos.d]# uname -a
Linux freeipa02.unix.domain.it 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

-------------- next part --------------
An HTML attachment was scrubbed...
URL: From rmeggins at redhat.com Fri Feb 10 19:25:32 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 10 Feb 2012 12:25:32 -0700 Subject: [Freeipa-users] syncing users more not limited to a subtree In-Reply-To: <4F356D94.8060507@redhat.com> References: <1328871707.3458.103.camel@localhost.localdomain> <4F3537B4.3030205@redhat.com> <4F3564D3.50400@redhat.com> <4F3565FD.6010609@redhat.com> <4F356D94.8060507@redhat.com> Message-ID: <4F356F2C.6000108@redhat.com> On 02/10/2012 12:18 PM, Dmitri Pal wrote: > On 02/10/2012 01:46 PM, Rich Megginson wrote: >> On 02/10/2012 11:41 AM, Dmitri Pal wrote: >>> On 02/10/2012 10:28 AM, Rich Megginson wrote: >>>> On 02/10/2012 04:01 AM, David Juran wrote: >>>>> Hello >>>>> >>>>> I wonder if it's somehow possible to sync AD-users more selectively >>>>> then >>>>> just by sub-tree. In my case, I'm dealing with a very large >>>>> organisation >>>>> where the users that are to be synced to IPA aren't grouped by a >>>>> subtree >>>>> in AD but rather spread out. Can this be handled somehow? >>>>> >>>> I don't think so, but can you provide some examples? >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Rich, can one create two different winsync agreements that use different >>> sub trees on the AD side? >> Yes, if they also use two different sub trees on the IPA side. >> Otherwise, you have two different winsync agreements covering the same >> ipa subtree - I have no idea what would happen. > If the users are different then there should be no collision. Are you > concerned about two winsyncs stepping on each other in terms of keeping > the view (persistent search or something like) at IPA data consistent? Yes. >>> If there anything that would prevent it to >>> work? May be it should be done from 2 IPA replicas? >> You might still have problems with that scenario, just delayed. 
>> That is, the ipa subtree is the same on both replicas, so you still
>> have the same problem, just delayed by the speed of replication.
>>
>> The only way to know for sure would be to get some concrete examples,
>> then try it out.
>

From jdennis at redhat.com Fri Feb 10 19:28:02 2012
From: jdennis at redhat.com (John Dennis)
Date: Fri, 10 Feb 2012 14:28:02 -0500
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To:
References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <4F356FC2.40202@redhat.com>

On 02/10/2012 02:22 PM, Marco Pizzoli wrote:
> I wget-ed the repo file on a 64bit fedora16 system but I'm failing in
> seeing the package for 64-bit systems.
> Please, could you tell me what my error is?

We just finished rebuilding the repo. Please try again. We don't have a mechanism to lock the repo while it's being populated, so on occasion you may see some odd failures if you happen to hit it while it's updating.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From marco.pizzoli at gmail.com Fri Feb 10 19:35:35 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 10 Feb 2012 20:35:35 +0100
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To: <4F356FC2.40202@redhat.com>
References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> <4F356FC2.40202@redhat.com>
Message-ID:

On Fri, Feb 10, 2012 at 8:28 PM, John Dennis wrote:
> On 02/10/2012 02:22 PM, Marco Pizzoli wrote:
>
>> I wget-ed the repo file on a 64bit fedora16 system but I'm failing in
>> seeing the package for 64-bit systems.
>> Please, could you tell me what my error is?
>>
>
> We just finished rebuilding the repo. Please try again.
>

No, same as before.
Is "yum makecache" sufficient to renew my metadata?
> We don't have a mechanism to lock the repo while it's being populated so
> on occasion you may see some odd failures if you happen to hit it while
> it's updating.

I understand. Thanks for explaining.

From jdennis at redhat.com Fri Feb 10 19:50:50 2012
From: jdennis at redhat.com (John Dennis)
Date: Fri, 10 Feb 2012 14:50:50 -0500
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To:
References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> <4F356FC2.40202@redhat.com>
Message-ID: <4F35751A.8030508@redhat.com>

On 02/10/2012 02:35 PM, Marco Pizzoli wrote:
> No, same as before.
> Is "yum makecache" sufficient to renew my metadata?

Sounds like it should work. I'm not in the habit of using makecache; I tend to use the big hammer 'yum clean --all'.

I just checked the repo, the files are there, so I assume yum is somehow confused.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ian at crystal.harvard.edu Fri Feb 10 20:00:18 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Fri, 10 Feb 2012 15:00:18 -0500
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <4F3563C0.6060702@redhat.com>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu> <4F3441B1.3010103@redhat.com> <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu> <4F345E5D.7040404@redhat.com> <1328883331.5829.128.camel@willson.li.ssimo.org> <011DBA78-6550-4C89-A2F2-B5D718C637F4@crystal.harvard.edu> <4F3563C0.6060702@redhat.com>
Message-ID: <53332B17-8BEB-49B4-A248-6D95D22B1C93@crystal.harvard.edu>

On Feb 10, 2012, at 1:36 PM, Rich Megginson wrote:

>>>> This may be related to https://fedorahosted.org/389/ticket/273 and
>>>> https://fedorahosted.org/389/ticket/274 which have been fixed in
>>>> 1.2.10
>>> In this case Ian please open a bugzilla, it looks like we need to
>>> address this in RHEL6.
>>
>> I'll confess that I don't fully understand what tombstone is... Regardless, I'm not sure that either of those tickets apply to the issue at hand. As I understand it, Ticket 273 outlines an issue with searching for tombstone entries after successfully setting up a replica (which as far as I'm hearing, we haven't done). And ticket 274 concerns indexing the tombstone entries. I am able to search for tombstone entries (http://pastebin.com/raw.php?i=a4ytYZvt) and don't see the errors specified in ticket 274.
>
> in 1.2.9.9 the ruv tombstone entry was indexed correctly, so that's why you see it.
>
> For ticket 274, you would only see those errors if you actually attempt to reindex the entryrdn index.
>
>> That said, perhaps there's some bug with tombstone re: the automountmap entries in my LDAP instance. Do you think that would be sufficient to cause the replication issues I'm seeing?
>
> It could be. Taken together, both of those tickets resolve problems with tombstone indexes. At any rate, I would like to know if you can reproduce your issues with 1.2.10.rc1
>
> To confirm, the first step would be to examine your entryrdn index to see what the problematic entries look like e.g.
>
> dbscan -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4 | grep -C 2 automountmapname=auto.direct

Here's the output from the primary:

139:cn=global_policy
    ID: 139; RDN: "cn=global_policy"; NRDN: "cn=global_policy"
13:nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
    ID: 13; RDN: "nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct"; NRDN: "nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct"
141:krbprincipalname=ldap/sbgrid-directory.in.hwlab at sbgrid.org
    ID: 141; RDN: "krbprincipalname=ldap/sbgrid-directory.in.hwlab at SBGRID.ORG"; NRDN: "krbprincipalname=ldap/sbgrid-directory.in.hwlab at sbgrid.org"
--
450:nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master
    ID: 450; RDN: "nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master"; NRDN: "nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master"
451:nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
    ID: 451; RDN: "nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct"; NRDN: "nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct"
452:nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- auto.direct
    ID: 452; RDN: "nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- auto.direct"; NRDN: "nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- auto.direct"
--
466:automountmapname=auto.master
    ID: 466; RDN: "automountmapname=auto.master"; NRDN: "automountmapname=auto.master"
467:automountmapname=auto.direct
    ID: 467; RDN: "automountmapname=auto.direct"; NRDN: "automountmapname=auto.direct"
468:description=/- auto.direct
    ID: 468; RDN: "description=/- auto.direct"; NRDN: "description=/- auto.direct"
--
    ID: 12; RDN: "nsuniqueid=3c37a106-eadf11e0-b9798103-f403dc04,automountmapname=auto.master"; NRDN: "nsuniqueid=3c37a106-eadf11e0-b9798103-f403dc04,automountmapname=auto.master"
C11:cn=default
    ID: 13; RDN: "nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct"; NRDN: "nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct"
C11:cn=default
    ID: 261; RDN: "nsuniqueid=ee37db01-ee0511e0-b8f78103-f403dc04,automountMapName=auto_master"; NRDN: "nsuniqueid=ee37db01-ee0511e0-b8f78103-f403dc04,automountmapname=auto_master"
--
    ID: 450; RDN: "nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master"; NRDN: "nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master"
C449:cn=test
    ID: 451; RDN: "nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct"; NRDN: "nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct"
C449:cn=test
    ID: 456; RDN: "nsuniqueid=7bdfdb01-371311e1-80c28103-f403dc04,automountmapname=auto_nfs"; NRDN: "nsuniqueid=7bdfdb01-371311e1-80c28103-f403dc04,automountmapname=auto_nfs"
--
    ID: 464; RDN: "nsuniqueid=bdbd5105-371411e1-80c28103-f403dc04,description=home"; NRDN: "nsuniqueid=bdbd5105-371411e1-80c28103-f403dc04,description=home"
C465:cn=default
    ID: 467; RDN: "automountmapname=auto.direct"; NRDN: "automountmapname=auto.direct"
C465:cn=default
    ID: 466; RDN: "automountmapname=auto.master"; NRDN: "automountmapname=auto.master"
--
P139:cn=global_policy
    ID: 132; RDN: "cn=SBGRID.ORG"; NRDN: "cn=sbgrid.org"
P13:nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
    ID: 11; RDN: "cn=default"; NRDN: "cn=default"
P141:krbprincipalname=ldap/sbgrid-directory.in.hwlab at sbgrid.org
--
P450:nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master
    ID: 449; RDN: "cn=test"; NRDN: "cn=test"
P451:nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
    ID: 449; RDN: "cn=test"; NRDN: "cn=test"
P452:nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- auto.direct
--
P466:automountmapname=auto.master
    ID: 465; RDN: "cn=default"; NRDN: "cn=default"
P467:automountmapname=auto.direct
    ID: 465; RDN: "cn=default"; NRDN: "cn=default"
P468:description=/- auto.direct

The secondary replica doesn't have the same entries:

253:automountmapname=auto.master
    ID: 253; RDN: "automountmapname=auto.master"; NRDN: "automountmapname=auto.master"
254:automountmapname=auto.direct
    ID: 254; RDN: "automountmapname=auto.direct"; NRDN: "automountmapname=auto.direct"
255:description=/- auto.direct
    ID: 255; RDN: "description=/- auto.direct"; NRDN: "description=/- auto.direct"
--
    ID: 25; RDN: "cn=posix-ids"; NRDN: "cn=posix-ids"
C252:cn=default
    ID: 254; RDN: "automountmapname=auto.direct"; NRDN: "automountmapname=auto.direct"
C252:cn=default
    ID: 253; RDN: "automountmapname=auto.master"; NRDN: "automountmapname=auto.master"
--
P253:automountmapname=auto.master
    ID: 252; RDN: "cn=default"; NRDN: "cn=default"
P254:automountmapname=auto.direct
    ID: 252; RDN: "cn=default"; NRDN: "cn=default"
P255:description=/- auto.direct

From rcritten at redhat.com Fri Feb 10 20:10:29 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 10 Feb 2012 15:10:29 -0500
Subject: [Freeipa-users] syncing users more not limited to a subtree
In-Reply-To: <4F3565FD.6010609@redhat.com>
References: <1328871707.3458.103.camel@localhost.localdomain> <4F3537B4.3030205@redhat.com> <4F3564D3.50400@redhat.com> <4F3565FD.6010609@redhat.com>
Message-ID: <4F3579B5.3000705@redhat.com>

Rich Megginson wrote:
> On 02/10/2012 11:41 AM, Dmitri Pal wrote:
>> On 02/10/2012 10:28 AM, Rich Megginson wrote:
>>> On 02/10/2012 04:01 AM, David Juran wrote:
>>>> Hello
>>>>
>>>> I wonder if it's somehow possible to sync AD-users more selectively
>>>> than just by sub-tree. In my case, I'm dealing with a very large
>>>> organisation where the users that are to be synced to IPA aren't
>>>> grouped by a subtree in AD but rather spread out. Can this be
>>>> handled somehow?
>>>>
>>> I don't think so, but can you provide some examples?
>>>
>> Rich, can one create two different winsync agreements that use different
>> sub trees on the AD side?
> Yes, if they also use two different sub trees on the IPA side.
> Otherwise, you have two different winsync agreements covering the same
> ipa subtree - I have no idea what would happen.
>> Is there anything that would prevent it from working? Maybe it should
>> be done from 2 IPA replicas?
> You might still have problems with that scenario, just delayed. That is,
> the ipa subtree is the same on both replicas, so you still have the same
> problem, just delayed by the speed of replication.
>
> The only way to know for sure would be to get some concrete examples,
> then try it out.

I'll just add that we don't currently support multiple winsync agreements against the same AD server. I opened a ticket on this yesterday.

rob

From marco.pizzoli at gmail.com Fri Feb 10 20:49:26 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 10 Feb 2012 21:49:26 +0100
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To: <4F35751A.8030508@redhat.com>
References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> <4F356FC2.40202@redhat.com> <4F35751A.8030508@redhat.com>
Message-ID:

On Fri, Feb 10, 2012 at 8:50 PM, John Dennis wrote:
> On 02/10/2012 02:35 PM, Marco Pizzoli wrote:
>
>> No, same as before.
>> Is "yum makecache" sufficient to renew my metadata?
>>
>
> Sounds like it should work, I'm not in the habit of using makecache, I
> tend to use the big hammer 'yum clean --all'
>
> I just checked the repo the files are there, so I assume yum is somehow
> confused.

This is what I just did:

[root at freeipa02 ~]# yum clean all
Loaded plugins: langpacks, presto, refresh-packagekit
Cleaning repos: fedora ipa-devel updates
Cleaning up Everything
No delta-package files removed by presto
[root at freeipa02 ~]# yum update
Loaded plugins: langpacks, presto, refresh-packagekit
fedora/metalink        |  29 kB  00:00
fedora                 | 4.2 kB  00:00
fedora/primary_db      |  14 MB  00:36
fedora/group_gz        | 431 kB  00:00
ipa-devel              | 2.5 kB  00:00
ipa-devel/primary_db   | 146 kB  00:00
updates/metalink       |  25 kB  00:00
updates                | 4.7 kB  00:00
updates/primary_db     | 4.7 MB  00:11
updates/group_gz       | 431 kB  00:01
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-libs.x86_64 0:1.9.2-4.fc16 will be updated
---> Package krb5-libs.x86_64 0:1.9.2-6.fc16 will be an update
---> Package krb5-workstation.x86_64 0:1.9.2-4.fc16 will be updated
---> Package krb5-workstation.x86_64 0:1.9.2-6.fc16 will be an update
---> Package libipa_hbac.x86_64 0:1.6.4-1.fc16 will be updated
---> Package libipa_hbac.x86_64 0:1.8.90-0.20120207T1718Zgit14b0185.fc16 will be an update
---> Package libldb.x86_64 0:1.1.0-1.fc16 will be updated
--> Processing Dependency: libldb = 1.1.0 for package: sssd-1.6.4-1.fc16.x86_64
---> Package libldb.x86_64 0:1.1.4-1.fc16.1 will be an update
---> Package libtalloc.x86_64 0:2.0.6-1.fc16 will be updated
---> Package libtalloc.x86_64 0:2.0.7-3.fc16 will be an update
---> Package libtdb.x86_64 0:1.2.9-10.fc16 will be updated
---> Package libtdb.x86_64 0:1.2.9-13.fc16 will be an update
---> Package libtevent.x86_64 0:0.9.13-1.fc16 will be updated
---> Package libtevent.x86_64 0:0.9.14-5.fc16 will be an update
--> Running transaction check
---> Package libldb.i686 0:1.1.0-1.fc16 will be installed
--> Processing Dependency: libdl.so.2(GLIBC_2.1) for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libcrypt.so.1 for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libdl.so.2 for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libtdb.so.1(TDB_1.2.1) for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libtalloc.so.2(TALLOC_2.0.2) for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: librt.so.1 for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libtevent.so.0 for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libdl.so.2(GLIBC_2.0) for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libtdb.so.1 for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libtevent.so.0(TEVENT_0.9.9) for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libtalloc.so.2 for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libc.so.6(GLIBC_2.8) for package: libldb-1.1.0-1.fc16.i686
---> Package libldb.x86_64 0:1.1.0-1.fc16 will be updated
--> Running transaction check
---> Package glibc.i686 0:2.14.90-24.fc16.4 will be installed
--> Processing Dependency: libfreebl3.so(NSSRAWHASH_3.12.3) for package: glibc-2.14.90-24.fc16.4.i686
--> Processing Dependency: libfreebl3.so for package: glibc-2.14.90-24.fc16.4.i686
---> Package libtalloc.i686 0:2.0.7-3.fc16 will be installed
---> Package libtdb.i686 0:1.2.9-13.fc16 will be installed
---> Package libtevent.i686 0:0.9.14-5.fc16 will be installed
--> Running transaction check
---> Package nss-softokn-freebl.i686 0:3.13.1-15.fc16 will be installed
--> Finished Dependency Resolution
*Error: Protected multilib versions: libldb-1.1.0-1.fc16.i686 != libldb-1.1.4-1.fc16.1.x86_64*
[root at freeipa02 ~]# yum makecache
Loaded plugins: langpacks, presto, refresh-packagekit
fedora/metalink          |  29 kB  00:00
fedora/filelists_db      |  22 MB  01:21
fedora/prestodelta       | 791 kB  00:02
fedora/other_db          | 8.8 MB  00:28
ipa-devel                | 2.5 kB  00:00
ipa-devel/filelists_db   |  60 kB  00:00
ipa-devel/other_db       |  39 kB  00:00
updates/metalink         |  25 kB  00:00
updates/filelists_db     | 8.0 MB  00:25
updates/prestodelta      | 829 kB  00:03
updates/other_db         | 2.5 MB  00:10
updates/updateinfo       | 470 kB  00:01
Metadata Cache Created
[root at freeipa02 ~]# yum info freeipa-server
Loaded plugins: langpacks, presto, refresh-packagekit
Available Packages
Name        : freeipa-server
Arch        : i686
Version     : 2.1.4
Release     : 1.20120209T0216Zgit11c25a4.fc16
Size        : 957 k
Repo        : ipa-devel
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
License     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).

Name        : freeipa-server
Arch        : x86_64
Version     : 2.1.4
Release     : 4.fc16
Size        : 958 k
Repo        : updates
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
License     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).

Could it be due to the lib error I'm obtaining? Any hint on how to get rid of it?

Thanks again

From marco.pizzoli at gmail.com Fri Feb 10 21:16:49 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 10 Feb 2012 22:16:49 +0100
Subject: [Freeipa-users] FreeIPA support for AIX as a client?
Message-ID:

Hi guys,
I see in the (Fedora 15) FreeIPA documentation that IBM AIX as a client is supported for version 5.3.
What about versions 6.1 and 7.1? Are they really not supported or simply not yet verified to work?

Thanks
Marco

From jdennis at redhat.com Fri Feb 10 21:18:52 2012
From: jdennis at redhat.com (John Dennis)
Date: Fri, 10 Feb 2012 16:18:52 -0500
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To:
References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> <4F356FC2.40202@redhat.com> <4F35751A.8030508@redhat.com>
Message-ID: <4F3589BC.9000204@redhat.com>

On 02/10/2012 03:49 PM, Marco Pizzoli wrote:
> --> Finished Dependency Resolution
> *Error: Protected multilib versions: libldb-1.1.0-1.fc16.i686 !=
> libldb-1.1.4-1.fc16.1.x86_64*

This error is because you've got both a 32-bit and 64-bit version of libldb installed; note how the 32-bit version is 1.1.0 and the 64-bit version is 1.1.4, they're not the same.

However, the ipa-devel repo does have both the 32-bit and 64-bit version of 1.1.4 available in the x86-64 repo:

ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.i686.rpm
ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.x86_64.rpm

So the repo looks good. Not sure what yum is complaining about; it should see both 32-bit and 64-bit are available for version 1.1.4 and install both, unless of course you've got a dependency on the 1.1.0 32-bit version, but yum should tell you that.

That's about as much help as I can give you at the moment.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Fri Feb 10 21:23:32 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 10 Feb 2012 16:23:32 -0500
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To: <4F3589BC.9000204@redhat.com>
References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> <4F356FC2.40202@redhat.com> <4F35751A.8030508@redhat.com> <4F3589BC.9000204@redhat.com>
Message-ID: <1328909012.3637.2.camel@sgallagh520.sgallagh.bos.redhat.com>

On Fri, 2012-02-10 at 16:18 -0500, John Dennis wrote:
> On 02/10/2012 03:49 PM, Marco Pizzoli wrote:
> > --> Finished Dependency Resolution
> > *Error: Protected multilib versions: libldb-1.1.0-1.fc16.i686 !=
> > libldb-1.1.4-1.fc16.1.x86_64*
>
> This error is because you've got both a 32-bit and 64-bit version of
> libldb installed, note how the 32-bit version is 1.1.0 and the 64-bit
> version is 1.1.4, they're not the same.
>
> However the ipa-devel repo does have both the 32-bit and 64-bit version
> of 1.1.4 available in the x86-64 repo
>
> ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.i686.rpm
> ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.x86_64.rpm
>
> So the repo looks good, not sure what yum is complaining about, it
> should see both 32-bit and 64-bit is available for version 1.1.4 and
> install both, unless of course you've got a dependency on the 1.1.0
> 32-bit version, but yum should tell you that.

SSSD has to be built against a specific version of LDB. It's not compatible with mixed versions in your install.

Also, yum SHOULD have prevented installing different versions of libldb in multilib. I'm not sure why it didn't.

So with all that said, the easiest thing to do would be to 'yum remove libldb.i686' and then try updating again.

From marco.pizzoli at gmail.com Fri Feb 10 21:30:24 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 10 Feb 2012 22:30:24 +0100
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To: <4F3589BC.9000204@redhat.com>
References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> <4F356FC2.40202@redhat.com> <4F35751A.8030508@redhat.com> <4F3589BC.9000204@redhat.com>
Message-ID:

On Fri, Feb 10, 2012 at 10:18 PM, John Dennis wrote:
> On 02/10/2012 03:49 PM, Marco Pizzoli wrote:
>
>> --> Finished Dependency Resolution
>> *Error: Protected multilib versions: libldb-1.1.0-1.fc16.i686 !=
>> libldb-1.1.4-1.fc16.1.x86_64*
>>
>
> This error is because you've got both a 32-bit and 64-bit version of
> libldb installed, note how the 32-bit version is 1.1.0 and the 64-bit
> version is 1.1.4, they're not the same.
>

Actually I think the situation is a little bit different.

To explain myself better I start by posting this output:

[root at freeipa02 ~]# rpm -qa|grep libldb
libldb-1.1.0-1.fc16.x86_64

Look for a second at the output I posted before. As you can see:

[cut]
--> Running transaction check
---> Package libldb.i686 0:1.1.0-1.fc16 will be installed
[cut]

The 32-bit libldb package is being submitted to yum as a candidate from a dependency on a package situated in your ipa-devel repository.

I'm not a yum expert, can you confirm what I notice?

> However the ipa-devel repo does have both the 32-bit and 64-bit version of
> 1.1.4 available in the x86-64 repo
>
> ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.i686.rpm
> ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.x86_64.rpm
>
> So the repo looks good, not sure what yum is complaining about, it should
> see both 32-bit and 64-bit is available for version 1.1.4 and install both,
> unless of course you've got a dependency on the 1.1.0 32-bit version, but
> yum should tell you that.
>
> That's about as much help as I can give you at the moment.
>
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

--
_________________________________________
The strong one is not he who never falls, but he who, having fallen, has the strength to get back up.
Jim Morrison

From sgallagh at redhat.com Fri Feb 10 21:35:47 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 10 Feb 2012 16:35:47 -0500
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To:
References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> <4F356FC2.40202@redhat.com> <4F35751A.8030508@redhat.com> <4F3589BC.9000204@redhat.com>
Message-ID: <1328909747.3637.4.camel@sgallagh520.sgallagh.bos.redhat.com>

On Fri, 2012-02-10 at 22:30 +0100, Marco Pizzoli wrote:
>
>
> On Fri, Feb 10, 2012 at 10:18 PM, John Dennis wrote:
> > On 02/10/2012 03:49 PM, Marco Pizzoli wrote:
> > > --> Finished Dependency Resolution
> > > *Error: Protected multilib versions:
> > > libldb-1.1.0-1.fc16.i686 !=
> > > libldb-1.1.4-1.fc16.1.x86_64*
> >
> > This error is because you've got both a 32-bit and 64-bit
> > version of libldb installed, note how the 32-bit version is
> > 1.1.0 and the 64-bit version is 1.1.4, they're not the same.
>
> Actually I think the situation is a little bit different.
>
> To explain myself better I start by posting this output:
>
> [root at freeipa02 ~]# rpm -qa|grep libldb
> libldb-1.1.0-1.fc16.x86_64
>
> Look for a second at the output i posted before. As you can see
>
> [cut]
> --> Running transaction check
> ---> Package libldb.i686 0:1.1.0-1.fc16 will be installed
> [cut]
>
> The package libldb-32bit is being submitted to yum as a candidate from
> a dependence on a package situated in your ipa-devel repository.
>
> I'm not a yum expert, can you confirm what I notice?
>
> > However the ipa-devel repo does have both the 32-bit and
> > 64-bit version of 1.1.4 available in the x86-64 repo
> >
> > ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.i686.rpm
> > ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.x86_64.rpm
> >
> > So the repo looks good, not sure what yum is complaining
> > about, it should see both 32-bit and 64-bit is available for
> > version 1.1.4 and install both, unless of course you've got a
> > dependency on the 1.1.0 32-bit version, but yum should tell
> > you that.
> >
> > That's about as much help as I can give you at the moment.

You're right. I see what's happening. SSSD is built with an explicit LDB dependency. So because it's keeping SSSD at 1.6.4 for you, it's trying to hang on to libldb 1.1.0 from the regular repos (which is inappropriate).

The real question here is why it's not pulling in the latest SSSD bits. And the answer to that is because we're currently having issues where not all of the SSSD subpackages are ending up in the repo. So yum is trying its best with what it has (which doesn't line up).

We're working on this. We'll have it fixed by sometime on Monday, I'm sure.

From marco.pizzoli at gmail.com Fri Feb 10 21:41:21 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 10 Feb 2012 22:41:21 +0100
Subject: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
In-Reply-To: <1328909747.3637.4.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <4F26BD89.1010401@redhat.com> <1328883841.2613.8.camel@sgallagh520.sgallagh.bos.redhat.com> <4F356FC2.40202@redhat.com> <4F35751A.8030508@redhat.com> <4F3589BC.9000204@redhat.com> <1328909747.3637.4.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID:

On Fri, Feb 10, 2012 at 10:35 PM, Stephen Gallagher wrote:
> On Fri, 2012-02-10 at 22:30 +0100, Marco Pizzoli wrote:
> >
> >
> > On Fri, Feb 10, 2012 at 10:18 PM, John Dennis wrote:
> > > On 02/10/2012 03:49 PM, Marco Pizzoli wrote:
> > > > --> Finished Dependency Resolution
> > > > *Error: Protected multilib versions:
> > > > libldb-1.1.0-1.fc16.i686 !=
> > > > libldb-1.1.4-1.fc16.1.x86_64*
> > >
> > > This error is because you've got both a 32-bit and 64-bit
> > > version of libldb installed, note how the 32-bit version is
> > > 1.1.0 and the 64-bit version is 1.1.4, they're not the same.
> >
> > Actually I think the situation is a little bit different.
> >
> > To explain myself better I start by posting this output:
> >
> > [root at freeipa02 ~]# rpm -qa|grep libldb
> > libldb-1.1.0-1.fc16.x86_64
> >
> > Look for a second at the output i posted before. As you can see
> >
> > [cut]
> > --> Running transaction check
> > ---> Package libldb.i686 0:1.1.0-1.fc16 will be installed
> > [cut]
> >
> > The package libldb-32bit is being submitted to yum as a candidate from
> > a dependence on a package situated in your ipa-devel repository.
> >
> > I'm not a yum expert, can you confirm what I notice?
> >
> > > However the ipa-devel repo does have both the 32-bit and
> > > 64-bit version of 1.1.4 available in the x86-64 repo
> > >
> > > ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.i686.rpm
> > > ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.x86_64.rpm
> > >
> > > So the repo looks good, not sure what yum is complaining
> > > about, it should see both 32-bit and 64-bit is available for
> > > version 1.1.4 and install both, unless of course you've got a
> > > dependency on the 1.1.0 32-bit version, but yum should tell
> > > you that.
> > >
> > > That's about as much help as I can give you at the moment.
>
> You're right. I see what's happening. SSSD is built with an explicit LDB
> dependency. So because it's keeping SSSD at 1.6.4 for you, it's trying
> to hang on to libldb 1.1.0 from the regular repos (which is
> inappropriate).
>
> The real question here is why it's not pulling in the latest SSSD bits.
> And the answer to that is because we're currently having issues where
> not all of the SSSD subpackages are ending up in the repo. So yum is
> trying its best with what it has (which doesn't line up).
>
> We're working on this. We'll have it fixed by sometime on Monday, I'm
> sure.
>

I'm happy we've found the cause.
No problem, I'm in no hurry... there are still a lot of documents to read out there :-)

Thanks

From dpal at redhat.com Fri Feb 10 22:56:20 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Feb 2012 17:56:20 -0500
Subject: [Freeipa-users] FreeIPA support for AIX as a client?
In-Reply-To:
References:
Message-ID: <4F35A094.6060108@redhat.com>

On 02/10/2012 04:16 PM, Marco Pizzoli wrote:
> Hi guys,
> I see in the (Fedora 15) FreeIPA documentation that IBM AIX as a
> client is supported for version 5.3.
> What about versions 6.1 and 7.1? Are they really not supported or
> simply not been verified they can work?
>

You are definitely welcome to try and provide step by step instructions. It should work; we just never had this as a priority. This is a real help that you can provide while we are fixing the SSSD build. :-)
If the instructions are testable and repeatable we will post them on the IPA wiki. I would grant you access to create pages if you want to go this route.

Thanks
Dmitri

> Thanks
> Marco
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Sat Feb 11 03:26:54 2012
From: ayoung at redhat.com (Adam Young)
Date: Fri, 10 Feb 2012 22:26:54 -0500
Subject: [Freeipa-users] Roles and permissions
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CB8529E@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CB84EBA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F309B6A.9080506@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CB8529E@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4F35DFFE.40902@redhat.com>

On 02/07/2012 03:54 PM, Steven Jones wrote:
> Hi,
>
> "Users in group A can manage the membership of group B
> Users in group A can manage this small set of attributes of members of
> group B"
>
> Yes, I can see that delegating is going to be very hard to do securely / properly.....at least with [my] limited knowledge....My problem is that I have a central IT department but many schools who want to be as autonomous as possible (totally if they can achieve it).
I also have managers who only understand AD somewhat....and they think this can all be done without themselves understanding what is to be done, so they make/have requirements that might seem reasonable but really are not but I dont know enough to say so. So it could well be on a case by case basis I have to design such a delegation.....looks like I will need a good level of understanding which I obviously lack.....I mean I cant even get across to you what I mean!!! doh..... > > Having briefly chatted to an AD guy this problem isnt just faced by IPA... > > :( > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Tuesday, 7 February 2012 4:32 p.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Roles and permissions > > Steven Jones wrote: >> Hi, >> >> Trying to get my head around these....is it possible to create a group administrator say "engineering team administrator" and have that role only able to add specific users (how to specify?) to specific user groups (say) ie I want to be able to delegate responsibility for limited groups and users to others and limit their functioanilty...? > Need a little more to go on. It is that "how to specify" question that > really matters. How DO you distinguish between users? You can add extra > attributes to break them into groups, or you can literally put them into > extra groups and manage them that way (easiest). But you definitely need > a way to distinguish them. > > Creating this type of permission would require a bit of LDAP knowledge, > mostly just knowing which attributes to use. It all depends on what > responsibility you are delegating. 
> > I'm not entirely sure what you're after so I don't want to guess and end > up down a deep rabbit hole, but it is probably going to be easiest to > break the permissions into smaller components like: > > Users in group A can manage the membership of group B > Users in group A can manage this small set of attributes of members of > group B > > Both of these are relatively straightforward. I can provide examples if > you can give me some more guidance on what you're looking for. > >> I dont find that section of the manual very easy to understand....I'd like examples or more explanation.... >> >> Also if such a say (bad) "engineering team administrator" could add anyone say THE admin to a group that the (bad) admin had password changes in/on then this allows the bad admin to change that admin user password............the user then effectively owns the IPA system...? > Yes, it would be a problem if you granted password change permission to > a bad admin. That is true in any system. > > Given that we've got a ticket open to limit those who can change the > password of those in the admins group to those in the admins group, so > helpdesk can change user's passwords but not admins. That is currently > possible. > > regards > > rob > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users Does this answer your question: http://adam.younglogic.com/2012/02/group-managers-in-freeipa/ From marco.pizzoli at gmail.com Sat Feb 11 09:55:35 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Sat, 11 Feb 2012 10:55:35 +0100 Subject: [Freeipa-users] FreeIPA support for AIX as a client? 
In-Reply-To: <4F35A094.6060108@redhat.com> References: <4F35A094.6060108@redhat.com> Message-ID: On Fri, Feb 10, 2012 at 11:56 PM, Dmitri Pal wrote: > ** > On 02/10/2012 04:16 PM, Marco Pizzoli wrote: > > Hi guys, > I see in the (Fedora 15) FreeIPA documentation that IBM AIX as a client is > supported for version 5.3. > What about versions 6.1 and 7.1? Are they really not supported or simply > not been verified they can work? > > You are definitely welcome to try and provide step by step instructions. > It should work we just never had this as a priority. > This is a real help that you can provide while we are fixing the SSSD > build. :-) > I would be happy to do it, but it will be not so easy for me finding a system for testing purposes... :-( > If the instructions are testable and repeatable we will post them on the > IPA wiki. I would grant you access to create pages if you want to go this > route. > Good to know. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: From marco.pizzoli at gmail.com Sat Feb 11 11:25:48 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Sat, 11 Feb 2012 12:25:48 +0100 Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause Message-ID: Hi, Today I booted my FreeIPA 2.1.4 system on Fedora16 and now I'm failing in having it started. [root at freeipa01 ~]# systemctl | grep ipa ipa.service loaded failed failed Identity, Policy, Audit /var/log/messages [cut] Feb 11 12:15:13 freeipa01 systemd[1]: PID file /run/sendmail.pid not readable (yet?) after start. Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: 0.fedora.pool.ntp.org Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: 1.fedora.pool.ntp.org Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: 2.fedora.pool.ntp.org Feb 11 12:15:14 freeipa01 systemd[1]: PID file /run/sm-client.pid not readable (yet?) after start. 
Feb 11 12:15:29 freeipa01 ipactl[998]: Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused Feb 11 12:15:29 freeipa01 ipactl[998]: Shutting down Feb 11 12:15:29 freeipa01 ipactl[998]: Starting Directory Service Feb 11 12:15:29 freeipa01 systemd[1]: ipa.service: main process exited, code=exited, status=1 Feb 11 12:15:29 freeipa01 systemd[1]: Unit ipa.service entered failed state. Feb 11 12:15:29 freeipa01 systemd[1]: Startup finished in 2s 327ms 887us (kernel) + 4s 398ms 198us (initrd) + 40s 949ms 673us (userspace) = 47s 675ms 758us. [cut] /var/log/dirsrv/slapd-/errors [cut] [11/Feb/2012:12:15:27 +0100] - 389-Directory/1.2.10.a6 B2011.353.1631 starting up [11/Feb/2012:12:15:27 +0100] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. /var/log/dirsrv/slapd-/errors [cut] [11/Feb/2012:12:15:27 +0100] - 389-Directory/1.2.10.a6 B2011.353.1631 starting up [11/Feb/2012:12:15:27 +0100] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. dmesg output [cut] [ 17.440200] systemd-tmpfiles[743]: Successfully loaded SELinux database in 14ms 981us, size on heap is 485K. [ 17.593118] systemd-tmpfiles[743]: Two or more conflicting lines for /var/run/dirsrv configured, ignoring. [ 17.593225] systemd-tmpfiles[743]: Two or more conflicting lines for /var/lock/dirsrv configured, ignoring. [cut] Any help? Thanks Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: From dale at themacartneyclan.com Sat Feb 11 18:47:27 2012 From: dale at themacartneyclan.com (Dale Macartney) Date: Sat, 11 Feb 2012 18:47:27 +0000 Subject: [Freeipa-users] Child Domains in IPA? Message-ID: <4F36B7BF.6090203@themacartneyclan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Evening all Does IPA currently accommodate for child domains? As in the equivalent of Active Directory child domains? 
I can't seem to find any documentation mentioning this.. Dale -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPNrewAAoJEAJsWS61tB+qqYcQAIIPM77RaxIIrSH7CQFxPtpn gVTdBuzTQM91yLzUood0clOP82ePUr/WMI/BOn+kgaPbFBk91u/rMArILipYIDZs AEdlyigP7BsO1bCqkqAivMemiUnXPzjSnDNwNFRt+3vGgYeh9c2FzC7euh0+6QDP PZg+LxWfppRpGRiXO9rJj6xLbs3Lp0Nb0noPgIIEF1P32bmmoTccKeKDcXON+y/r WLD0U5Gf4W9882y9A+fbhiE18XhnPMB73HF8fc/s4vlNWDiSrbBdk8tq23MS2PkD V03IpB0hlJpo/ACgpVYnDwxCjUq+OxF/dZZR8a25Ukp9+8s7WrOWde56K+ouLbBy XVo6I6z3Ow7ufw1ZbQ9r8/vRT2SIr4zZtZyVNHfl/TZjvzWFCDD7xj59+n/+f4Q7 9SJ/Oai/86n3tp3oN2RKFHYU6a969hnJ1YlOBhfhW9eOwkr7Av/9aqQIES+ckOgn euSHHi5YlvV3/LlTlfOpwtvZ+W9H1dUEhdaL2Dy560bthuCetXZZW+sarpSCdtny 3ZMcnwaPWq8LA50bhgZG1A/ye8q6HiV9iZLRemsWtu3FYogehaCK3tStbb7zHjuE Xa2Z6brbtl3bCs7vN5d0V33OPMPyfEsns6w6dwALfUbXDTigvIbtuB0zPZ0Vhdcr 2Q02DEqMTsanlGR4J70g =UNc/ -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xB5B41FAA.asc Type: application/pgp-keys Size: 5790 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xB5B41FAA.asc.sig Type: application/pgp-signature Size: 543 bytes Desc: not available URL: From abokovoy at redhat.com Sat Feb 11 22:54:37 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Sun, 12 Feb 2012 00:54:37 +0200 Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause In-Reply-To: References: Message-ID: <20120211225436.GF3452@redhat.com> On Sat, 11 Feb 2012, Marco Pizzoli wrote: > Hi, > Today I booted my FreeIPA 2.1.4 system on Fedora16 and now I'm failing in > having it started. > > [root at freeipa01 ~]# systemctl | grep ipa > ipa.service loaded failed failed Identity, Policy, > Audit > > /var/log/messages > [cut] > Feb 11 12:15:13 freeipa01 systemd[1]: PID file /run/sendmail.pid not > readable (yet?) after start. 
> Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: > 0.fedora.pool.ntp.org > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: > 1.fedora.pool.ntp.org > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: > 2.fedora.pool.ntp.org > Feb 11 12:15:14 freeipa01 systemd[1]: PID file /run/sm-client.pid not > readable (yet?) after start. > Feb 11 12:15:29 freeipa01 ipactl[998]: Failed to read data from Directory > Service: Unknown error when retrieving list of services from LDAP: [Errno > 111] Connection refused > Feb 11 12:15:29 freeipa01 ipactl[998]: Shutting down > Feb 11 12:15:29 freeipa01 ipactl[998]: Starting Directory Service > Feb 11 12:15:29 freeipa01 systemd[1]: ipa.service: main process exited, > code=exited, status=1 > Feb 11 12:15:29 freeipa01 systemd[1]: Unit ipa.service entered failed state. > Feb 11 12:15:29 freeipa01 systemd[1]: Startup finished in 2s 327ms 887us > (kernel) + 4s 398ms 198us (initrd) + 40s 949ms 673us (userspace) = 47s > 675ms 758us. > [cut] > > /var/log/dirsrv/slapd-/errors > [cut] > [11/Feb/2012:12:15:27 +0100] - 389-Directory/1.2.10.a6 B2011.353.1631 > starting up > [11/Feb/2012:12:15:27 +0100] - Detected Disorderly Shutdown last time > Directory Server was running, recovering database. > > /var/log/dirsrv/slapd-/errors > [cut] > [11/Feb/2012:12:15:27 +0100] - 389-Directory/1.2.10.a6 B2011.353.1631 > starting up > [11/Feb/2012:12:15:27 +0100] - Detected Disorderly Shutdown last time > Directory Server was running, recovering database. > > dmesg output > [cut] > [ 17.440200] systemd-tmpfiles[743]: Successfully loaded SELinux database > in 14ms 981us, size on heap is 485K. > [ 17.593118] systemd-tmpfiles[743]: Two or more conflicting lines for > /var/run/dirsrv configured, ignoring. > [ 17.593225] systemd-tmpfiles[743]: Two or more conflicting lines for > /var/lock/dirsrv configured, ignoring. > [cut] > > Any help? Did you try 'ipactl start' afterwards? 
I'm not sure what has caused 389-ds database issue but from the log
excerpts it looks like 389-ds was able to fix those.

Fedora 16 stable updates got freeipa 2.1.4-5 and 389-ds 1.2.10-rc1
tonight.

--
/ Alexander Bokovoy

From simo at redhat.com Sun Feb 12 04:07:31 2012
From: simo at redhat.com (Simo Sorce)
Date: Sat, 11 Feb 2012 23:07:31 -0500
Subject: [Freeipa-users] Child Domains in IPA?
In-Reply-To: <4F36B7BF.6090203@themacartneyclan.com>
References: <4F36B7BF.6090203@themacartneyclan.com>
Message-ID: <1329019651.5829.138.camel@willson.li.ssimo.org>

On Sat, 2012-02-11 at 18:47 +0000, Dale Macartney wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Evening all
>
> Does IPA currently accommodate for child domains? As in the equivalent
> of Active Directory child domains?

No, within FreeIPA there is nothing resembling what AD calls forests.
We will soon add AD cross forest trust relationships and later cross
realm trusts between freeIPA domains, but we haven't planned on "child
domains".

I would be interested in understanding what you find them useful for,
what kind of interaction between parent-child you expect ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From marco.pizzoli at gmail.com Sun Feb 12 13:15:07 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Sun, 12 Feb 2012 14:15:07 +0100
Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause
In-Reply-To: <20120211225436.GF3452@redhat.com>
References: <20120211225436.GF3452@redhat.com>
Message-ID:

Hi Alexander,

On Sat, Feb 11, 2012 at 11:54 PM, Alexander Bokovoy wrote:
> On Sat, 11 Feb 2012, Marco Pizzoli wrote:
> > Hi,
> > Today I booted my FreeIPA 2.1.4 system on Fedora16 and now I'm failing in
> > having it started.
> >
> > [root at freeipa01 ~]# systemctl | grep ipa
> > ipa.service loaded failed failed Identity, Policy,
> > Audit
> >
> > /var/log/messages
> > [cut]
> > Feb 11 12:15:13 freeipa01 systemd[1]: PID file /run/sendmail.pid not
> > readable (yet?) after start.
> > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: > > 0.fedora.pool.ntp.org > > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: > > 1.fedora.pool.ntp.org > > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: > > 2.fedora.pool.ntp.org > > Feb 11 12:15:14 freeipa01 systemd[1]: PID file /run/sm-client.pid not > > readable (yet?) after start. > > Feb 11 12:15:29 freeipa01 ipactl[998]: Failed to read data from Directory > > Service: Unknown error when retrieving list of services from LDAP: [Errno > > 111] Connection refused > > Feb 11 12:15:29 freeipa01 ipactl[998]: Shutting down > > Feb 11 12:15:29 freeipa01 ipactl[998]: Starting Directory Service > > Feb 11 12:15:29 freeipa01 systemd[1]: ipa.service: main process exited, > > code=exited, status=1 > > Feb 11 12:15:29 freeipa01 systemd[1]: Unit ipa.service entered failed > state. > > Feb 11 12:15:29 freeipa01 systemd[1]: Startup finished in 2s 327ms 887us > > (kernel) + 4s 398ms 198us (initrd) + 40s 949ms 673us (userspace) = 47s > > 675ms 758us. > > [cut] > > > > /var/log/dirsrv/slapd-/errors > > [cut] > > [11/Feb/2012:12:15:27 +0100] - 389-Directory/1.2.10.a6 B2011.353.1631 > > starting up > > [11/Feb/2012:12:15:27 +0100] - Detected Disorderly Shutdown last time > > Directory Server was running, recovering database. > > > > /var/log/dirsrv/slapd-/errors > > [cut] > > [11/Feb/2012:12:15:27 +0100] - 389-Directory/1.2.10.a6 B2011.353.1631 > > starting up > > [11/Feb/2012:12:15:27 +0100] - Detected Disorderly Shutdown last time > > Directory Server was running, recovering database. > > > > dmesg output > > [cut] > > [ 17.440200] systemd-tmpfiles[743]: Successfully loaded SELinux > database > > in 14ms 981us, size on heap is 485K. > > [ 17.593118] systemd-tmpfiles[743]: Two or more conflicting lines for > > /var/run/dirsrv configured, ignoring. > > [ 17.593225] systemd-tmpfiles[743]: Two or more conflicting lines for > > /var/lock/dirsrv configured, ignoring. 
> > [cut] > > > > Any help? > Did you try 'ipactl start' afterwards? > Yes, same as before. > I'm not sure what has caused 389-ds database issue but from the log > excerpts it looks like 389-ds was able to fix those. > > Fedora 16 stable updates got freeipa 2.1.4-5 and 389-ds 1.2.10-rc1 > tonight. > Now, I did a full upgrade of the system but I'm encountering quite the same problem. The interesting thing is that the 389-ds upgrade produced a log full of interesting info about what the problem is. Please find my log here: http://pastebin.com/ueH87Q05 I'm running a system with less than 1GB RAM [root at freeipa01 ~]# free -m total used free shared buffers cached Mem: 869 758 110 0 42 561 -/+ buffers/cache: 154 714 Swap: 2015 0 2015 I'm curious to know if is an opportunity to recover the system. If no, I have no problems in erase and recreate. Thanks again Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: From marco.pizzoli at gmail.com Sun Feb 12 15:24:53 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Sun, 12 Feb 2012 16:24:53 +0100 Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause In-Reply-To: References: <20120211225436.GF3452@redhat.com> Message-ID: On Sun, Feb 12, 2012 at 2:15 PM, Marco Pizzoli wrote: > Hi Alexander, > > On Sat, Feb 11, 2012 at 11:54 PM, Alexander Bokovoy wrote: > >> On Sat, 11 Feb 2012, Marco Pizzoli wrote: >> > Hi, >> > Today I booted my FreeIPA 2.1.4 system on Fedora16 and now I'm failing >> in >> > having it started. >> > >> > [root at freeipa01 ~]# systemctl | grep ipa >> > ipa.service loaded failed failed Identity, Policy, >> > Audit >> > >> > /var/log/messages >> > [cut] >> > Feb 11 12:15:13 freeipa01 systemd[1]: PID file /run/sendmail.pid not >> > readable (yet?) after start. 
>> > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: >> > 0.fedora.pool.ntp.org >> > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: >> > 1.fedora.pool.ntp.org >> > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: >> > 2.fedora.pool.ntp.org >> > Feb 11 12:15:14 freeipa01 systemd[1]: PID file /run/sm-client.pid not >> > readable (yet?) after start. >> > Feb 11 12:15:29 freeipa01 ipactl[998]: Failed to read data from >> Directory >> > Service: Unknown error when retrieving list of services from LDAP: >> [Errno >> > 111] Connection refused >> > Feb 11 12:15:29 freeipa01 ipactl[998]: Shutting down >> > Feb 11 12:15:29 freeipa01 ipactl[998]: Starting Directory Service >> > Feb 11 12:15:29 freeipa01 systemd[1]: ipa.service: main process exited, >> > code=exited, status=1 >> > Feb 11 12:15:29 freeipa01 systemd[1]: Unit ipa.service entered failed >> state. >> > Feb 11 12:15:29 freeipa01 systemd[1]: Startup finished in 2s 327ms 887us >> > (kernel) + 4s 398ms 198us (initrd) + 40s 949ms 673us (userspace) = 47s >> > 675ms 758us. >> > [cut] >> > >> > /var/log/dirsrv/slapd-/errors >> > [cut] >> > [11/Feb/2012:12:15:27 +0100] - 389-Directory/1.2.10.a6 B2011.353.1631 >> > starting up >> > [11/Feb/2012:12:15:27 +0100] - Detected Disorderly Shutdown last time >> > Directory Server was running, recovering database. >> > >> > /var/log/dirsrv/slapd-/errors >> > [cut] >> > [11/Feb/2012:12:15:27 +0100] - 389-Directory/1.2.10.a6 B2011.353.1631 >> > starting up >> > [11/Feb/2012:12:15:27 +0100] - Detected Disorderly Shutdown last time >> > Directory Server was running, recovering database. >> > >> > dmesg output >> > [cut] >> > [ 17.440200] systemd-tmpfiles[743]: Successfully loaded SELinux >> database >> > in 14ms 981us, size on heap is 485K. >> > [ 17.593118] systemd-tmpfiles[743]: Two or more conflicting lines for >> > /var/run/dirsrv configured, ignoring. 
>> > [ 17.593225] systemd-tmpfiles[743]: Two or more conflicting lines for >> > /var/lock/dirsrv configured, ignoring. >> > [cut] >> > >> > Any help? >> Did you try 'ipactl start' afterwards? >> > > Yes, same as before. > > >> I'm not sure what has caused 389-ds database issue but from the log >> excerpts it looks like 389-ds was able to fix those. >> >> Fedora 16 stable updates got freeipa 2.1.4-5 and 389-ds 1.2.10-rc1 >> tonight. >> > > Now, I did a full upgrade of the system but I'm encountering quite the > same problem. > The interesting thing is that the 389-ds upgrade produced a log full of > interesting info about what the problem is. > > Please find my log here: http://pastebin.com/ueH87Q05 > > I'm running a system with less than 1GB RAM > > [root at freeipa01 ~]# free -m > total used free shared buffers cached > Mem: 869 758 110 0 42 561 > -/+ buffers/cache: 154 714 > Swap: 2015 0 2015 > > > I'm curious to know if is an opportunity to recover the system. If no, I > have no problems in erase and recreate. > > Thanks again > Marco > I'm having the same issue with another freeipa setup which was installed directly from the updates-testing repository. He was working correctly once installed but then, after the first power-on after the installation, no working from the 389-ds side. [12/Feb/2012:16:19:44 +0100] - 389-Directory/1.2.10.rc1 B2012.035.328 starting up [12/Feb/2012:16:19:44 +0100] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [12/Feb/2012:16:19:44 +0100] - libdb: unable to join the environment -------------- next part -------------- An HTML attachment was scrubbed... URL: From marco.pizzoli at gmail.com Sun Feb 12 16:32:40 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Sun, 12 Feb 2012 17:32:40 +0100 Subject: [Freeipa-users] Report for FreeIPA 2.2 advances? 
Message-ID:

Hi guys,
please, could you create a view/report similar to this:

{22} All 2.1.x Tickets By Milestone (Including closed) -
https://fedorahosted.org/freeipa/report/22

for the version 2.2.x ?

Thanks in advance
Marco

From abokovoy at redhat.com Sun Feb 12 16:41:04 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 12 Feb 2012 18:41:04 +0200
Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause
In-Reply-To:
References: <20120211225436.GF3452@redhat.com>
Message-ID: <20120212164104.GG3452@redhat.com>

On Sun, 12 Feb 2012, Marco Pizzoli wrote:
> I'm having the same issue with another freeipa setup which was installed
> directly from the updates-testing repository.
> He was working correctly once installed but then, after the first power-on
> after the installation, no working from the 389-ds side.
>
> [12/Feb/2012:16:19:44 +0100] - 389-Directory/1.2.10.rc1 B2012.035.328
> starting up
> [12/Feb/2012:16:19:44 +0100] - Detected Disorderly Shutdown last time
> Directory Server was running, recovering database.
> [12/Feb/2012:16:19:44 +0100] - libdb: unable to join the environment

So there is something fishy with 389-ds shutdown on reboots? Am I
correct in assuming that you had FreeIPA working after install, then
power cycled the VM and after restart it didn't come back online?

Was there anything specific about shutdown? Anything similar to
https://fedorahosted.org/freeipa/ticket/2302 ?

--
/ Alexander Bokovoy

From marco.pizzoli at gmail.com Sun Feb 12 16:50:58 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Sun, 12 Feb 2012 17:50:58 +0100
Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause
In-Reply-To: <20120212164104.GG3452@redhat.com>
References: <20120211225436.GF3452@redhat.com> <20120212164104.GG3452@redhat.com>
Message-ID:

On Sun, Feb 12, 2012 at 5:41 PM, Alexander Bokovoy wrote:
> On Sun, 12 Feb 2012, Marco Pizzoli wrote:
> > I'm having the same issue with another freeipa setup which was installed
> > directly from the updates-testing repository.
> > He was working correctly once installed but then, after the first
> > power-on
> > after the installation, no working from the 389-ds side.
> >
> > [12/Feb/2012:16:19:44 +0100] - 389-Directory/1.2.10.rc1 B2012.035.328
> > starting up
> > [12/Feb/2012:16:19:44 +0100] - Detected Disorderly Shutdown last time
> > Directory Server was running, recovering database.
> > [12/Feb/2012:16:19:44 +0100] - libdb: unable to join the environment
> So there is something fishy with 389-ds shutdown on reboots? Am I
> correct in assuming that you had FreeIPA working after install, then
> power cycled the VM and after restart it didn't come back online?

Well, just to be clear, each time I talked about reboot actually I intended
"shutdown -h now" and powering on the day after.

> Was there anything specific about shutdown? Anything similar to
> https://fedorahosted.org/freeipa/ticket/2302 ?

I don't get hangs or other type of similar evidences. My system just
complete (correctly, it seems) a shutdown sequence.
I am not yet an expert about systemd, so I don't know if it's just going to
kill the service if it doesn't respond in a specific time to a request to
shut down.
I'm working with more than one virtual machine active on my not-so-new
laptop, so the promptness of response is very low...

If you want me to do any kind of test, just let me know.
Thanks Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Sun Feb 12 17:00:53 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Sun, 12 Feb 2012 19:00:53 +0200 Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause In-Reply-To: References: <20120211225436.GF3452@redhat.com> <20120212164104.GG3452@redhat.com> Message-ID: <20120212170053.GH3452@redhat.com> On Sun, 12 Feb 2012, Marco Pizzoli wrote: > On Sun, Feb 12, 2012 at 5:41 PM, Alexander Bokovoy wrote: > > > On Sun, 12 Feb 2012, Marco Pizzoli wrote: > > > I'm having the same issue with another freeipa setup which was installed > > > directly from the updates-testing repository. > > > He was working correctly once installed but then, after the first > > power-on > > > after the installation, no working from the 389-ds side. > > > > > > [12/Feb/2012:16:19:44 +0100] - 389-Directory/1.2.10.rc1 B2012.035.328 > > > starting up > > > [12/Feb/2012:16:19:44 +0100] - Detected Disorderly Shutdown last time > > > Directory Server was running, recovering database. > > > [12/Feb/2012:16:19:44 +0100] - libdb: unable to join the environment > > So there is something fishy with 389-ds shutdown on reboots? Am I > > correct in assuming that you had FreeIPA working after install, then > > power cycled the VM and after restart it didn't come back online? > > > > Well, just to be clear, each time I talked about reboot actually I intended > "shutdown -h now" and powering on the day after. > > Was there anything specific about shutdown? Anything similar to > > https://fedorahosted.org/freeipa/ticket/2302 ? > > > > > I don't get hangs or other type of similar evidences. My system just > complete (correctly, it seems) a shutdown sequence. > I am not yet an expert about systemd, so I don't know if it's just going to > kill the service if it doesn't respond in a specific time to a request to > shut down. 
> I'm working with more than one virtual machine active on my not-so-new > laptop, so the promptness of response is very low... > > If you want me to do any kind of test, just let me know. If you could reproduce similar results with new VM, it would be good to get access to the 389-ds database in question and exact steps to reproduce the failure. -- / Alexander Bokovoy From marco.pizzoli at gmail.com Sun Feb 12 17:03:40 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Sun, 12 Feb 2012 18:03:40 +0100 Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause In-Reply-To: <20120212170053.GH3452@redhat.com> References: <20120211225436.GF3452@redhat.com> <20120212164104.GG3452@redhat.com> <20120212170053.GH3452@redhat.com> Message-ID: On Sun, Feb 12, 2012 at 6:00 PM, Alexander Bokovoy wrote: > On Sun, 12 Feb 2012, Marco Pizzoli wrote: > > On Sun, Feb 12, 2012 at 5:41 PM, Alexander Bokovoy >wrote: > > > > > On Sun, 12 Feb 2012, Marco Pizzoli wrote: > > > > I'm having the same issue with another freeipa setup which was > installed > > > > directly from the updates-testing repository. > > > > He was working correctly once installed but then, after the first > > > power-on > > > > after the installation, no working from the 389-ds side. > > > > > > > > [12/Feb/2012:16:19:44 +0100] - 389-Directory/1.2.10.rc1 B2012.035.328 > > > > starting up > > > > [12/Feb/2012:16:19:44 +0100] - Detected Disorderly Shutdown last time > > > > Directory Server was running, recovering database. > > > > [12/Feb/2012:16:19:44 +0100] - libdb: unable to join the environment > > > So there is something fishy with 389-ds shutdown on reboots? Am I > > > correct in assuming that you had FreeIPA working after install, then > > > power cycled the VM and after restart it didn't come back online? > > > > > > > Well, just to be clear, each time I talked about reboot actually I > intended > > "shutdown -h now" and powering on the day after. 
> > > > Was there anything specific about shutdown? Anything similar to > > > https://fedorahosted.org/freeipa/ticket/2302 ? > > > > > > > > > I don't get hangs or other type of similar evidences. My system just > > complete (correctly, it seems) a shutdown sequence. > > I am not yet an expert about systemd, so I don't know if it's just going > to > > kill the service if it doesn't respond in a specific time to a request to > > shut down. > > I'm working with more than one virtual machine active on my not-so-new > > laptop, so the promptness of response is very low... > > > > If you want me to do any kind of test, just let me know. > If you could reproduce similar results with new VM, it would be good > to get access to the 389-ds database in question and exact steps to > reproduce the failure. > I can start the VM setup right now, but please explain more in detail what I do need to do for this trial. -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Sun Feb 12 17:24:47 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Sun, 12 Feb 2012 19:24:47 +0200 Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause In-Reply-To: References: <20120211225436.GF3452@redhat.com> <20120212164104.GG3452@redhat.com> <20120212170053.GH3452@redhat.com> Message-ID: <20120212172447.GI3452@redhat.com> On Sun, 12 Feb 2012, Marco Pizzoli wrote: > > > I don't get hangs or other type of similar evidences. My system just > > > complete (correctly, it seems) a shutdown sequence. > > > I am not yet an expert about systemd, so I don't know if it's just going > > to > > > kill the service if it doesn't respond in a specific time to a request to > > > shut down. > > > I'm working with more than one virtual machine active on my not-so-new > > > laptop, so the promptness of response is very low... > > > > > > If you want me to do any kind of test, just let me know. 
> > If you could reproduce similar results with new VM, it would be good
> > to get access to the 389-ds database in question and exact steps to
> > reproduce the failure.
>
> I can start the VM setup right now, but please explain more in detail what
> I do need to do for this trial.

Ideally, install Fedora 16 and apply all updates. Then connect over
ssh with something like this:

$ ssh root at freeipa-test-vm | tee -a ~/freeipa-test-vm-session.log

and perform FreeIPA packages install, ipa-server-install, and all
operations that caused the data corruption.

You can logout and enter over ssh multiple times, every time using the
command above to ensure that log is appended.

This log will show what has happened on the console as you performed
install and configuration. In addition to it /var/log will contain
number of files (ipaserver-*.log, ipaclient-*.log, pki*.log, pki-ca/*,
dirsrv/*, etc) with logs relevant to FreeIPA operations. Then
/etc/dirsrv/ would contain 389-ds instances' data stores.

Thanks in advance.

--
/ Alexander Bokovoy

From simo at redhat.com Sun Feb 12 18:27:44 2012
From: simo at redhat.com (Simo Sorce)
Date: Sun, 12 Feb 2012 13:27:44 -0500
Subject: [Freeipa-users] Report for FreeIPA 2.2 advances?
In-Reply-To:
References:
Message-ID: <1329071264.5829.146.camel@willson.li.ssimo.org>

On Sun, 2012-02-12 at 17:32 +0100, Marco Pizzoli wrote:
> Hi guys,
> please, could you create a view/report similar to this:
>
> {22} All 2.1.x Tickets By Milestone (Including closed) -
> https://fedorahosted.org/freeipa/report/22
>
> for the version 2.2.x ?

Done.

Simo.
-- Simo Sorce * Red Hat, Inc * New York From marco.pizzoli at gmail.com Sun Feb 12 20:40:49 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Sun, 12 Feb 2012 21:40:49 +0100 Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause In-Reply-To: <20120212172447.GI3452@redhat.com> References: <20120211225436.GF3452@redhat.com> <20120212164104.GG3452@redhat.com> <20120212170053.GH3452@redhat.com> <20120212172447.GI3452@redhat.com> Message-ID: On Sun, Feb 12, 2012 at 6:24 PM, Alexander Bokovoy wrote: > On Sun, 12 Feb 2012, Marco Pizzoli wrote: > > > > I don't get hangs or other type of similar evidences. My system just > > > > complete (correctly, it seems) a shutdown sequence. > > > > I am not yet an expert about systemd, so I don't know if it's just > going > > > to > > > > kill the service if it doesn't respond in a specific time to a > request to > > > > shut down. > > > > I'm working with more than one virtual machine active on my > not-so-new > > > > laptop, so the promptness of response is very low... > > > > > > > > If you want me to do any kind of test, just let me know. > > > If you could reproduce similar results with new VM, it would be good > > > to get access to the 389-ds database in question and exact steps to > > > reproduce the failure. > > > > > > > I can start the VM setup right now, but please explain more in detail > what > > I do need to do for this trial. > Ideally, install Fedora 16 and apply all updates. Then connect over > ssh with something like this: > > $ ssh root at freeipa-test-vm | tee -a ~/freeipa-test-vm-session.log > > and perform FreeIPA packages install, ipa-server-install, and all > operations that caused the data corruption. > > You can logout and enter over ssh multiple times, every time using the > command above to ensure that log is appended. > > This log will show what has happened on the console as you performed > install and configuration. 
In addition to it /var/log will contain > number of files (ipaserver-*.log, ipaclient-*.log, pki*.log, pki-ca/*, > dirsrv/*, etc) with logs relevant to FreeIPA operations. Then > /etc/dirsrv/ would contain 389-ds instances' data stores. > > Thanks in advance. > For the record: logs have been sent off-list to Alexander Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: From marco.pizzoli at gmail.com Sun Feb 12 20:49:56 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Sun, 12 Feb 2012 21:49:56 +0100 Subject: [Freeipa-users] Questions about AD Synchronization Message-ID: Hi guys, a couple of questions about AD synchronization. I read in the guide these points: - A synchronization operation runs every five minutes. --> I read that it can be triggered on demand, but is it possible to change the value of this frequency? - Synchronization can only be configured with one Active Directory domain. Multiple domains are not supported. --> Will they be in a future version? - While modifications are bi-directional (going both from Active Directory to FreeIPA and from FreeIPA to Active Directory), new accounts are only uni-directional. New accounts created in Active Directory are synchronized over to FreeIPA. However, user accounts created in FreeIPA must also be added in Active Directory before they will be synchronized. ---> What is the origin of this restriction? I mean, why can't a user be created in AD by FreeIPA? And another question, not related to the synchronization: - In the FreeIPA 389-ds I see the "DUA Config Profile" objectClass used. To learn what it is I already read RFC#4876. Now I would like to have a look at a document/draft/etc. about its use within FreeIPA. Is it available anywhere? If not, could someone give some explanation? Thanks a lot as usual! Marco -------------- next part -------------- An HTML attachment was scrubbed...
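Added example, not from the thread and not FreeIPA's own code: a small Python parser and lint for a DUAConfigProfile entry of the kind asked about above, using the serviceSearchDescriptor and objectclassMap syntaxes from RFC 4876. The sample LDIF is constructed to match the shape of the profile FreeIPA publishes under ou=profile (Rob posts the real one later in the thread); the server name ipa.example.com and the "?one" scope on the group descriptor are assumptions added to exercise the parser.

```python
"""Parse and sanity-check a DUAConfigProfile entry (RFC 4876).

Added example, not FreeIPA's code.  SAMPLE_PROFILE is constructed;
the server name and the '?one' scope are assumptions.
"""

SAMPLE_PROFILE = """\
dn: cn=default,ou=profile,dc=example,dc=com
defaultServerList: ipa.example.com
defaultSearchBase: dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com?one
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default
"""

VALID_SCOPES = ("base", "one", "sub")


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry.

    Joins RFC 2849 continuation lines (leading space) and lowercases
    attribute names, since LDAP attribute types are case-insensitive.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def parse_search_descriptor(value):
    """Split 'service:base?scope?filter;base2?scope?filter' (RFC 4876).

    Returns (service, [{"base", "scope", "filter"}, ...]); scope falls
    back to 'sub' and filter to None when a descriptor omits them.
    """
    service, _, rest = value.partition(":")
    descriptors = []
    for part in rest.split(";"):
        fields = [f.strip() for f in part.split("?")]
        descriptors.append({
            "base": fields[0],
            "scope": fields[1] if len(fields) > 1 and fields[1] else "sub",
            "filter": fields[2] if len(fields) > 2 and fields[2] else None,
        })
    return service.strip(), descriptors


def parse_objectclass_map(value):
    """Split 'service:origClass=newClass' into (service, orig, new)."""
    service, _, mapping = value.partition(":")
    orig, _, new = mapping.partition("=")
    return service.strip(), orig.strip(), new.strip()


def lint_profile(entry):
    """Findings a reviewer would raise before pointing clients at the profile."""
    findings = []
    classes = [oc.lower() for oc in entry.get("objectclass", [])]
    if "duaconfigprofile" not in classes:
        findings.append("missing DUAConfigProfile objectClass")
    if not entry.get("defaultserverlist"):
        findings.append("no defaultServerList: clients have no server to contact")
    if entry.get("authenticationmethod", [""])[0].lower() == "none":
        findings.append("authenticationMethod is none: clients bind anonymously, "
                        "so every mapped subtree must be readable without credentials")
    for value in entry.get("servicesearchdescriptor", []):
        service, descriptors = parse_search_descriptor(value)
        for d in descriptors:
            if d["scope"] not in VALID_SCOPES:
                findings.append("%s: unknown scope %r" % (service, d["scope"]))
    for value in entry.get("objectclassmap", []):
        service, orig, new = parse_objectclass_map(value)
        if not (orig and new):
            findings.append("%s: malformed objectclassMap %r" % (service, value))
    return findings


if __name__ == "__main__":
    for finding in lint_profile(parse_ldif_entry(SAMPLE_PROFILE)):
        print("finding:", finding)
```

Run against the sample it reports only the anonymous-bind finding, which is the point to check before publishing such a profile: with authenticationMethod none, every subtree named in a serviceSearchDescriptor has to be readable without credentials, or client lookups silently return nothing.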
URL: From marco.pizzoli at gmail.com Sun Feb 12 21:00:29 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Sun, 12 Feb 2012 22:00:29 +0100 Subject: [Freeipa-users] FreeIPA DogTag PKI as a regular Certification Authority? Message-ID: Hi, I see DogTag PKI used as a certificate server for the enrollment of hosts and services. What about the enrollment of normal X509v3 certificates? I have not seen, correct me if I'm wrong, any reference to the possibility to use it as a regular CA for user certificates. Not within FreeIPA, of course. Is there any drawback in using it as the primary CA for the company? Thanks a lot again! Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: From marco.pizzoli at gmail.com Sun Feb 12 21:11:24 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Sun, 12 Feb 2012 22:11:24 +0100 Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause In-Reply-To: <20120212205641.GJ3452@redhat.com> References: <20120211225436.GF3452@redhat.com> <20120212164104.GG3452@redhat.com> <20120212170053.GH3452@redhat.com> <20120212172447.GI3452@redhat.com> <20120212205641.GJ3452@redhat.com> Message-ID: > > Here they are. > > I think that it is not worth sending an attachment of over 1.2MB to the > > entire list, even if I don't have any personal data in them. > Thanks. Could you please edit /usr/sbin/ipactl and change timeout > parameter at lines 125 and 128 to something greater than 6? Maybe 10 > or even 15... The parameter is seconds to time out: > .. > wait_for_open_socket(lurl.hostport, timeout=6) > .. > wait_for_open_ports(host, [int(port)], timeout=6) > .. > > Looks like your VM is so slow that ipactl simply times out to wait for > the directory server to respond. We've seen this before with some > other VMs. > Good catch! I tried with 25, but same result :-( I tried with 45 and now it is up! 
Please, could you confirm that the following "exited" is not a bad thing:
[root at freeipa04 ~]# systemctl|grep ipa
ipa.service loaded active *exited* Identity, Policy, Audit
ipa_kpasswd.service loaded active running IPA Kerberos password service
Thanks a lot! Marco -- _________________________________________ Strong is not he who never falls, but he who, having fallen, has the strength to rise again. Jim Morrison -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Sun Feb 12 21:26:48 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Sun, 12 Feb 2012 23:26:48 +0200 Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause In-Reply-To: References: <20120212164104.GG3452@redhat.com> <20120212170053.GH3452@redhat.com> <20120212172447.GI3452@redhat.com> <20120212205641.GJ3452@redhat.com> Message-ID: <20120212212648.GK3452@redhat.com> On Sun, 12 Feb 2012, Marco Pizzoli wrote: > > > Here they are. > > > I think that it is not worth sending an attachment of over 1.2MB to the > > > entire list, even if I don't have any personal data in them. > > Thanks. Could you please edit /usr/sbin/ipactl and change timeout > > parameter at lines 125 and 128 to something greater than 6? Maybe 10 > > or even 15... The parameter is seconds to time out: > > .. > > wait_for_open_socket(lurl.hostport, timeout=6) > > .. > > wait_for_open_ports(host, [int(port)], timeout=6) > > .. > > > > Looks like your VM is so slow that ipactl simply times out to wait for > > the directory server to respond. We've seen this before with some > > other VMs. > > > > Good catch! > I tried with 25, but same result :-( > I tried with 45 and now it is up!
> > Please, could you confirm that the following "exited" is not a bad thing: > > [root at freeipa04 ~]# systemctl|grep ipa > ipa.service loaded active *exited* Identity, Policy, > Audit > ipa_kpasswd.service loaded active running IPA Kerberos password > service *exited* is fine: it is /usr/sbin/ipactl, which exited after running the startup sequence. Would you mind filing a ticket against FreeIPA to make this timeout configurable in /etc/ipa/default.conf? This is something that we can't predict in all cases, so this would be a per-system setting. -- / Alexander Bokovoy From dpal at redhat.com Sun Feb 12 21:45:15 2012 From: dpal at redhat.com (Dmitri Pal) Date: Sun, 12 Feb 2012 16:45:15 -0500 Subject: [Freeipa-users] Questions about AD Synchronization In-Reply-To: References: Message-ID: <4F3832EB.9070607@redhat.com> On 02/12/2012 03:49 PM, Marco Pizzoli wrote: > Hi guys, > a couple of questions about AD synchronization. > > I read in the guide these points: > - A synchronization operation runs every five minutes. --> I read > that it can be triggered on demand, but is it possible to change the > value of this frequency? I think it is configurable. You might want to check the port389 wiki for more details. > - Synchronization can only be configured with one Active Directory > domain. Multiple domains are not supported. --> Will they be in a > future version? No plans, as we are working on trusts and trusts would make synchronization not needed. > - While modifications are bi-directional (going both from Active > Directory to FreeIPA and from FreeIPA to Active Directory), new > accounts are only uni-directional. New accounts created in Active > Directory are synchronized over to FreeIPA. However, user accounts > created in FreeIPA must also be added in Active Directory before they > will be synchronized. > ---> What is the origin of this restriction? I mean, why can't > a user be created in AD by FreeIPA?
> Time and materials mostly - the support cost is the origin of this restriction. It could potentially be done, and DS does this, but the use case for IPA is different and dominated by AD, so it does not make sense to build a solution when in 95 percent of cases the sync would go from AD to IPA, as people already have users there. > > And another question, not related to the synchronization: > - In the FreeIPA 389-ds I see the "DUA Config Profile" > objectClass used. To learn what it is I already read RFC#4876. Now I would > like to have a look at a document/draft/etc. about its use within > FreeIPA. Is it available anywhere? If not, could someone give some > explanation? > There is no use, but we contemplated using it some time in the future. So far we have not seen any real demand for this functionality, and it is a pretty complex feature to build. > Thanks a lot as usual! > Marco > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Sun Feb 12 23:01:45 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Sun, 12 Feb 2012 18:01:45 -0500 Subject: [Freeipa-users] Questions about AD Synchronization In-Reply-To: <4F3832EB.9070607@redhat.com> References: <4F3832EB.9070607@redhat.com> Message-ID: <4F3844D9.6070106@redhat.com> Dmitri Pal wrote: > On 02/12/2012 03:49 PM, Marco Pizzoli wrote: >> Hi guys, >> a couple of questions about AD synchronization. >> >> I read in the guide these points: >> - A synchronization operation runs every five minutes. --> I read that >> it can be triggered on demand, but is it possible to change the value >> of this frequency? > > I think it is configurable.
You might want to check the port389 wiki for > more details. I seem to recall it is hardcoded and an RFE was opened on it, but I can't find it. winsync uses a pull model, so the only immediate mode may be from IPA to AD. >> - Synchronization can only be configured with one Active Directory >> domain. Multiple domains are not supported. --> Will they be in a >> future version? > > No plans, as we are working on trusts and trusts would make > synchronization not needed. Currently only one winsync agreement is allowed on one IPA server to an AD server at a time (there is a ticket to allow multiples: https://fedorahosted.org/freeipa/ticket/2358). It would probably work to have two AD agreements on two separate IPA instances, though. We don't care what realm the remote AD servers are in. >> - While modifications are bi-directional (going both from Active >> Directory to FreeIPA and from FreeIPA to Active Directory), new >> accounts are only uni-directional. New accounts created in Active >> Directory are synchronized over to FreeIPA. However, user accounts >> created in FreeIPA must also be added in Active Directory before they >> will be synchronized. >> ---> What is the origin of this restriction? I mean, why can't >> a user be created in AD by FreeIPA? >> > > Time and materials mostly - the support cost is the origin of this > restriction. It could potentially be done, and DS does this, but the > use case for IPA is different and dominated by AD, so it does not make > sense to build a solution when in 95 percent of cases the sync would go from AD > to IPA, as people already have users there. > >> >> And another question, not related to the synchronization: >> - In the FreeIPA 389-ds I see the "DUA Config Profile" >> objectClass used. To learn what it is I already read RFC#4876. Now I would >> like to have a look at a document/draft/etc. about its use within >> FreeIPA. Is it available anywhere? If not, could someone give some >> explanation?
>> A DUA profile is created and is currently used by Solaris clients that can join using the ldapinit tool. I believe that HP/ux can also use this profile. This entry looks like:
dn: cn=default,ou=profile,dc=example,dc=com
defaultServerList: rawhide.example.com
defaultSearchBase: dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default
rob From freeipa at noboost.org Sun Feb 12 23:39:23 2012 From: freeipa at noboost.org (Craig T) Date: Mon, 13 Feb 2012 10:39:23 +1100 Subject: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials Message-ID: <20120212233923.GA12242@noboost.org> Hi, Server: RHEL6.2 Spec:
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64
libipa_hbac-1.5.1-66.el6_2.3.x86_64
libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
Error: I had this working on Friday night, came in Monday and then this error appeared?
kinit -V craig
Using default cache: /tmp/krb5cc_0
Using principal: craig@EXAMPLE.COM
kinit: Generic error (see e-text) while getting initial credentials
Server Side Error: (File: /var/log/krb5kdc.log)
Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: craig@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
Usual Questions: Should I simply reset the password? Is it a bug? Anyone else seen this error?
Regards, Craig From marco.pizzoli at gmail.com Mon Feb 13 07:45:10 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Mon, 13 Feb 2012 08:45:10 +0100 Subject: [Freeipa-users] FreeIPA not starting - probably 389ds cause In-Reply-To: <20120212212648.GK3452@redhat.com> References: <20120212164104.GG3452@redhat.com> <20120212170053.GH3452@redhat.com> <20120212172447.GI3452@redhat.com> <20120212205641.GJ3452@redhat.com> <20120212212648.GK3452@redhat.com> Message-ID: On Sun, Feb 12, 2012 at 10:26 PM, Alexander Bokovoy wrote: > On Sun, 12 Feb 2012, Marco Pizzoli wrote: > > > > Here they are. > > > > I think that it is not worth sending an attachment of over 1.2MB to > the > > > > entire list, even if I don't have any personal data in them. > > > Thanks. Could you please edit /usr/sbin/ipactl and change timeout > > > parameter at lines 125 and 128 to something greater than 6? Maybe 10 > > > or even 15... The parameter is seconds to time out: > > > .. > > > wait_for_open_socket(lurl.hostport, timeout=6) > > > .. > > > wait_for_open_ports(host, [int(port)], timeout=6) > > > .. > > > > > > Looks like your VM is so slow that ipactl simply times out to wait for > > > the directory server to respond. We've seen this before with some > > > other VMs. > > > > > > > Good catch! > > I tried with 25, but same result :-( > > I tried with 45 and now it is up! > > > > Please, could you confirm that the following "exited" is not bad thing: > > > > [root at freeipa04 ~]# systemctl|grep ipa > > ipa.service loaded active *exited* Identity, Policy, > > Audit > > ipa_kpasswd.service loaded active running IPA Kerberos > password > > service > *exited* is fine, it is /usr/sbin/ipactl exited after running the > startup sequence. > Ok, thanks. > Would you mind to file a ticket against FreeIPA to make this time out > configurable in /etc/ipa/default.conf? This is something that we can't > predict in all cases so this would be per-system setting. > Done. 
https://fedorahosted.org/freeipa/ticket/2375 For the record, in creating a new ticket I noticed that I can only specify versions "2.0" and "alpha3" as the affected version. Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: From marco.pizzoli at gmail.com Mon Feb 13 14:14:36 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Mon, 13 Feb 2012 15:14:36 +0100 Subject: [Freeipa-users] Future audit feature Message-ID: Hi guys, I'm interested to know what features I should expect from the Audit part of IPA. I had a look at this: http://www.freeipa.org/page/Audit_Design_Overview I see that watchers on directories are mentioned for alerting on file alterations. What is the final high-level purpose? I suppose not only anti-tampering... Thanks a lot as usual! Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Mon Feb 13 15:40:54 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 13 Feb 2012 08:40:54 -0700 Subject: [Freeipa-users] Questions about AD Synchronization In-Reply-To: <4F3844D9.6070106@redhat.com> References: <4F3832EB.9070607@redhat.com> <4F3844D9.6070106@redhat.com> Message-ID: <4F392F06.2030303@redhat.com> On 02/12/2012 04:01 PM, Rob Crittenden wrote: > Dmitri Pal wrote: >> On 02/12/2012 03:49 PM, Marco Pizzoli wrote: >>> Hi guys, >>> a couple of questions about AD synchronization. >>> >>> I read in the guide these points: >>> - A synchronization operation runs every five minutes. --> I read that >>> it can be triggered on demand, but is it possible to change the value >>> of this frequency? >> >> I think it is configurable. You might want to check the port389 wiki for >> more details. > > I seem to recall it is hardcoded and an RFE was opened on it, but I > can't find it. > > winsync uses a pull model, so the only immediate mode may be from IPA > to AD.
The attribute is called "winSyncInterval" - by default the value is 300 seconds. See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Modifying_the_Sync_Agreement.html#syncagmt-cmd > >>> - Synchronization can only be configured with one Active Directory >>> domain. Multiple domains are not supported. --> Do they will in a >>> future version? >> >> No plans as we are working on trusts and trusts would make >> synchronization not needed. > > Currently only one winsync agreement is allowed on one IPA server to > an AD server at a time (there is a ticket to allow multiples > https://fedorahosted.org/freeipa/ticket/2358) > > It would probably work to have two AD agreements on two separate IPA > instances though. We don't care what realm the remote AD server are. > >>> - While modifications are bi-directional (going both from Active >>> Directory to FreeIPA and from FreeIPA to Active Directory), new >>> accounts are only uni-directional. New accounts created in Active >>> Directory are synchronized over to FreeIPA. However, user accounts >>> created in FreeIPA must also be added in Active Directory before they >>> will be synchronized. >>> ---> What is the origin of this restriction? I mean, why cannot be >>> created a user in AD by FreeIPA? >>> >> >> Time and materials mostly - the support cost is origin of this >> restriction. It is potentially could be done and DS does this but the >> use case for IPA is different and dominated by AD so it does not make >> sense to build a solution when in 95 persent the sync would go from AD >> to IPA as people already have users there. >> >>> >>> And another question, not related to the synchronization: >>> - In the FreeIPA 389-ds I see used the "DUA Config Profile" >>> objectClass. To learn what it is I already read RFC#4876. Now I would >>> like to have a look at a document/draft/etc.. about his using within >>> FreeIPA. Is it available anywhere? 
If not, could someone give some >>> explanation? >>> > > A DUA profile is created and is currently used by Solaris clients that > can join using the ldapinit tool. I believe that HP/ux can also use > this profile. This entry looks like: > > dn: cn=default,ou=profile,dc=example,dc=com > defaultServerList: rawhide.example.com > defaultSearchBase: dc=example,dc=com > objectClass: top > objectClass: DUAConfigProfile > serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com > serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com > searchTimeLimit: 15 > followReferrals: TRUE > objectclassMap: shadow:shadowAccount=posixAccount > bindTimeLimit: 5 > authenticationMethod: none > cn: default > > rob > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From jdennis at redhat.com Mon Feb 13 16:23:29 2012 From: jdennis at redhat.com (John Dennis) Date: Mon, 13 Feb 2012 11:23:29 -0500 Subject: [Freeipa-users] Future audit feature In-Reply-To: References: Message-ID: <4F393901.6070701@redhat.com> On 02/13/2012 09:14 AM, Marco Pizzoli wrote: > Hi guys, > I'm interested to know what features I should > expect from the Audit part of IPA. > > I had a look at this: http://www.freeipa.org/page/Audit_Design_Overview > I see that watchers on directories are mentioned for alerting on file > alterations. > What is the final high-level purpose? I suppose not only anti-tampering... The audit portion of IPA has been put on hold while we focus on the core identity and policy components. A significant part of the audit component was collecting log information from all services on a host and aggregating them on a central server for analysis and archiving. The directory watching you saw on the aforementioned page is exactly for the purposes of watching log file manipulation.
There has been a *lot* of recent discussion on how to perform logging in the larger community, as well as on capturing auditable system events. As yet there hasn't been a consensus. Until such time as a consensus forms around the methods, tools, and libraries in this domain we won't proceed further with the A part of IPA. However, we are actively participating in these discussions. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From marco.pizzoli at gmail.com Mon Feb 13 16:28:52 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Mon, 13 Feb 2012 17:28:52 +0100 Subject: [Freeipa-users] Future audit feature In-Reply-To: <4F393901.6070701@redhat.com> References: <4F393901.6070701@redhat.com> Message-ID: Hi John, On Mon, Feb 13, 2012 at 5:23 PM, John Dennis wrote: > On 02/13/2012 09:14 AM, Marco Pizzoli wrote: > >> Hi guys, >> I'm interested to know what features I should >> expect from the Audit part of IPA. >> >> I had a look at this: http://www.freeipa.org/page/Audit_Design_Overview >> I see that watchers on directories are mentioned for alerting on file >> alterations. >> What is the final high-level purpose? I suppose not only anti-tampering... >> > > The audit portion of IPA has been put on hold while we focus on the > core identity and policy components. > Yes, I'm aware of this. > A significant part of the audit component was collecting log information > from all services on a host and aggregating them on a central server for > analysis and archiving. The directory watching you saw on the > aforementioned page is exactly for the purposes of watching log file > manipulation. > Good. > There has been a *lot* of recent discussion on how to perform logging in > the larger community, as well as on capturing auditable system events. As yet > there hasn't been a consensus.
Until such time as a consensus forms around > the methods, tools, and libraries in this domain we won't proceed further > with the A part of IPA. However, we are actively participating in these > discussions. > I'm very interested in this topic. Please, could you tell me where I can read these discussions? Thanks! Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Mon Feb 13 16:58:58 2012 From: ayoung at redhat.com (Adam Young) Date: Mon, 13 Feb 2012 11:58:58 -0500 Subject: [Freeipa-users] FreeIPA DogTag PKI as a regular Certification Authority? In-Reply-To: References: Message-ID: <4F394152.7060608@redhat.com> On 02/12/2012 04:00 PM, Marco Pizzoli wrote: > Hi, > I see DogTag PKI used as a certificate server for the enrollment of > hosts and services. > What about the enrollment of normal X509v3 certificates? I have not > seen, correct me if I'm wrong, any reference to the possibility to use > it as a regular CA for user certificates. Not within FreeIPA, of course. > > Is there any drawback in using it as the primary CA for the company? It is a full CA. You can use it as such. Dogtag is a vibrant project in its own right, and you can find developers in #dogtag-pki on Freenode. The install is done via pkisilent, and you might want to make sure that you understand the parameters used to call it. One major drawback is that IPA has disabled nonces in the Dogtag backend. These are there to defend against a CSRF attack. What this means is that you should not expose the Dogtag WebUI through the IPA server, either on its Dogtag port or via HTTP proxy. It should be explicitly stated that IPA implements nonces for its web UI, and does not allow session-based calls through to the Dogtag back end, so its configuration is secure. The problem is only exposed if you expose additional web URLs to the Dogtag backend beyond those specified in the PKI Proxy. Enabling nonces will break IPA.
I've installed and used the standard Java tools for Dogtag and used them to talk to the PKI backend installed by IPA. They work fine. Currently, IPA acts as a single Agent in Dogtag. This should be fine. For other certificate usage, you should probably use a different agent. IPA does not currently support user certificates. However, there are standard LDAP object classes and attributes that you could conceivably use to record them if you wanted to keep them in a single DirSrv. Obviously, you do not want to put the private keys on the IPA server, so plan accordingly. Red Hat does not support using the Certificate Server (PKI) backend with its Identity Management install for purposes other than support for the IdM (IPA) front end, so beware that you have no "up sell" if you desire to get paid support for IPA. > > Thanks a lot again! > Marco > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Mon Feb 13 17:27:30 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 13 Feb 2012 12:27:30 -0500 Subject: [Freeipa-users] Future audit feature In-Reply-To: References: <4F393901.6070701@redhat.com> Message-ID: <4F394802.90104@redhat.com> On 02/13/2012 11:28 AM, Marco Pizzoli wrote: > Hi John, > > On Mon, Feb 13, 2012 at 5:23 PM, John Dennis > wrote: > > On 02/13/2012 09:14 AM, Marco Pizzoli wrote: > > Hi guys, > I'm interested to know what features I should > expect from the Audit part of IPA. > > I had a look at this: > http://www.freeipa.org/page/Audit_Design_Overview > I see that watchers on directories are mentioned for alerting > on file > alterations. > What is the final high-level purpose? I suppose not only anti- > tampering...
> > > The audit portion of IPA has been put on hold while we focus on > the core identity and policy components. > > > Yes, I'm aware of this. > > > A significant part of the audit component was collecting log > information from all services on a host and aggregating them on a > central server for analysis and archiving. The directory watching > you saw on the aforementioned page is exactly for the purposes of > watching log file manipulation. > > > Good. > > > There has been a *lot* of recent discussion on how to perform > logging in the larger community, as well as on capturing auditable > system events. As yet there hasn't been a consensus. Until such > time as a consensus forms around the methods, tools, and libraries > in this domain we won't proceed further with the A part of IPA. > However, we are actively participating in these discussions. > > > I'm very interested in this topic. Please, could you tell me where I can > read these discussions? Some of them are internal to Red Hat, just because we want to understand the use cases before we wrap our heads around audit on the OS level and reach out to different communities looking for ideas. There will be some discussions at the developer conference in Brno later this week. I will keep you updated as soon as I have something to share. > > Thanks! > Marco > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed...
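Added example, not from the thread and not FreeIPA's ipactl: going back to the startup timeout discussed earlier in this digest (the hard-coded wait_for_open_ports(..., timeout=6) that Marco had to raise to 45 on a slow VM, and the ticket to make it configurable), this Python block shows a port wait whose deadline is read from an ini-style file such as /etc/ipa/default.conf and is bounded even against a host that black-holes the connection. The [global] section and the option name startup_timeout are assumptions; the sample config text is constructed, and the listener helper exists only so the wait can be demonstrated against a real loopback socket.

```python
"""Wait for a service port with a configurable startup timeout.

Added example, not FreeIPA's ipactl.  The [global] section and the
startup_timeout option are assumed names; ipactl as discussed in the
thread hard-codes timeout=6.
"""
import configparser
import socket
import time

DEFAULT_TIMEOUT = 6  # seconds, the value the thread says ipactl hard-codes


def read_startup_timeout(config_text, default=DEFAULT_TIMEOUT):
    """Return [global] startup_timeout from ini text, else the default.

    A missing, non-numeric or non-positive value falls back to the
    default so a typo in the config cannot turn the wait off entirely.
    """
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    try:
        value = parser.getint("global", "startup_timeout")
    except (configparser.Error, ValueError):
        return default
    return value if value > 0 else default


def wait_for_open_port(host, port, timeout=DEFAULT_TIMEOUT, interval=0.1):
    """Poll until a TCP connect to host:port succeeds or the deadline passes.

    Returns True on the first accepted connection, False once the
    timeout has elapsed.  Each connect attempt is capped at the time
    remaining, so a host that drops SYNs cannot stall past the deadline
    (a plain connect would otherwise block for the kernel's SYN retries).
    """
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        try:
            with socket.create_connection((host, port), timeout=remaining):
                return True
        except OSError:
            # refused, unreachable or timed out: back off briefly and retry
            time.sleep(min(interval, max(remaining, 0)))


def open_test_listener():
    """Bind a listening socket on a free loopback port (demonstration only)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    sample_conf = "[global]\nstartup_timeout = 45\n"  # constructed sample
    timeout = read_startup_timeout(sample_conf)
    listener, port = open_test_listener()
    print("listening port reachable:", wait_for_open_port("127.0.0.1", port, timeout))
    listener.close()
    print("closed port reachable:", wait_for_open_port("127.0.0.1", port, 0.5))
```

The second print returns False after roughly half a second rather than hanging, which is the behaviour you want from a startup check: a slow directory server gets the full configured wait, but a dead one is reported promptly.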
URL: From marco.pizzoli at gmail.com Mon Feb 13 17:33:09 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Mon, 13 Feb 2012 18:33:09 +0100 Subject: [Freeipa-users] Future audit feature In-Reply-To: <4F394802.90104@redhat.com> References: <4F393901.6070701@redhat.com> <4F394802.90104@redhat.com> Message-ID: On Mon, Feb 13, 2012 at 6:27 PM, Dmitri Pal wrote: > On 02/13/2012 11:28 AM, Marco Pizzoli wrote: > > Hi John, > > On Mon, Feb 13, 2012 at 5:23 PM, John Dennis wrote: > >> On 02/13/2012 09:14 AM, Marco Pizzoli wrote: >> >>> Hi guys, >>> I'm interested to know what features I should >>> expect from the Audit part of IPA. >>> >>> I had a look at this: http://www.freeipa.org/page/Audit_Design_Overview >>> I see that watchers on directories are mentioned for alerting on file >>> alterations. >>> What is the final high-level purpose? I suppose not only anti- >>> tampering... >>> >> >> The audit portion of IPA has been put on hold while we focus on the >> core identity and policy components. >> > > Yes, I'm aware of this. > > >> A significant part of the audit component was collecting log information >> from all services on a host and aggregating them on a central server for >> analysis and archiving. The directory watching you saw on the >> aforementioned page is exactly for the purposes of watching log file >> manipulation. >> > > Good. > > >> There has been a *lot* of recent discussion on how to perform logging in >> the larger community, as well as on capturing auditable system events. As yet >> there hasn't been a consensus. Until such time as a consensus forms around >> the methods, tools, and libraries in this domain we won't proceed further >> with the A part of IPA. However, we are actively participating in these >> discussions. >> > > I'm very interested in this topic. Please, could you tell me where I can > read these discussions?
> > > Some of them are internal to Red Hat just because we want to understand > the use cases before we wrap our head around the audit on OS level and > reach out to different communities looking for ideas. > Ok, I understand. > There will be some discussions on the developer conference in Brno later > this week. > I will keep you updated as soon as I have something to share. > Thank you very much indeed. -------------- next part -------------- An HTML attachment was scrubbed... URL: From marco.pizzoli at gmail.com Mon Feb 13 17:43:39 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Mon, 13 Feb 2012 18:43:39 +0100 Subject: [Freeipa-users] FreeIPA DogTag PKI as a regular Certification Authority? In-Reply-To: <4F394152.7060608@redhat.com> References: <4F394152.7060608@redhat.com> Message-ID: Hi Adam, On Mon, Feb 13, 2012 at 5:58 PM, Adam Young wrote: > On 02/12/2012 04:00 PM, Marco Pizzoli wrote: > > Hi, > I see DogTag PKI used as a certificate server for the enrollment of hosts > and services. > What about the enrollment of normal X509v3 certificates? I have not seen, > correct me if I'm wrong, any reference to the possibility to use it as a > regular CA for user certificates. Not within FreeIPA, of course. > > Is there any drawback in using it as the primary CA for the company? > > > It is a full CA. You can use it as such. Dogtag is a vibrant project in > its own right, and you can find developers on #dogtag-pki in Freenode. > The install is done via pkisilent, and you might want to make sure that > you understand the parameters used to call it. > I will. Thanks for the pointer. > One major drawback is that IPA has disabled Nonces in the Dogtag backend. > These are there to defend against a CSRF attack. What this means is that > you should not expose the Dogtag WebUI through the IPA server, either on > its Dogtag port or via HTTP proxy. 
It should be explicitly stated that IPA > implements Nonces for its web UI, and does not allow session based calls > through to the Dogtag back end, so its configuration is secure. The > problem is only exposed if you expose additional web URLs to the Dogtag > backend beyond those specified in the PKI Proxy. > > Enabling nonces will break IPA. > You told me something I wasn't aware of. I will dig into this during next weeks. > I've installed and used the standard Java tools for Dogtag and used them > to talk to the PKI backend installed by IPA. They work fine. > Ok, this is what I hoped to read! :-) Currently, IPA acts as a single Agent in Dogtag. This should be fine. > For other certificate usage, you should probably use a different agent. > Please be patient with me, I don't understand yet the concept of "agent". Even a reference to the documentation would be helpful to me. > IPA does not currently support user certificates. However, there are > standard LDAP object classes and attributes that you could conceivably use > to record them if you wanted to keep them in a single DirSrv. Obviosuly, > you do not want to put the private keys on the IPA server, so plan > accordingly. > I will, I promise :-) > Red Hat does not support using the Certificate Server (PKI) backend with > its Identity management install for purposes other than support for the IdM > (IPA) front end, so beware that you have no "up sell" if you desire to get > paid support for IPA. > I understand. I link a question I'm curious of: if I remember correctly, on the PKI-user mailing list I read a user complaining about RH not selling RHCS standalone anymore. Is it true? You've been very helpful! Your blog too.. :-) Thanks a lot! Marco -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From sigbjorn at nixtra.com Mon Feb 13 18:41:05 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 13 Feb 2012 19:41:05 +0100 Subject: [Freeipa-users] Replacing the primary IPA server Message-ID: <4F395941.60408@nixtra.com> Hi, What precautions need to be taken when replacing the primary/first IPA server? Is it enough to reinstall the server and run a ipa-replica-install from one of the other replicas? Regards, Siggi From rcritten at redhat.com Mon Feb 13 19:16:23 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Feb 2012 14:16:23 -0500 Subject: [Freeipa-users] Replacing the primary IPA server In-Reply-To: <4F395941.60408@nixtra.com> References: <4F395941.60408@nixtra.com> Message-ID: <4F396187.1040109@redhat.com> Sigbjorn Lie wrote: > Hi, > > What precautions need to be taken when replacing the primary/first IPA > server? > > Is it enough to reinstall the server and run a ipa-replica-install from > one of the other replicas? It depends on what type of CA installation you have. Did you install with dogtag or with a selfsign CA? rob From sigbjorn at nixtra.com Mon Feb 13 19:43:10 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 13 Feb 2012 20:43:10 +0100 Subject: [Freeipa-users] Replacing the primary IPA server In-Reply-To: <4F396187.1040109@redhat.com> References: <4F395941.60408@nixtra.com> <4F396187.1040109@redhat.com> Message-ID: <4F3967CE.6060104@nixtra.com> On 02/13/2012 08:16 PM, Rob Crittenden wrote: > Sigbjorn Lie wrote: >> Hi, >> >> What precautions need to be taken when replacing the primary/first IPA >> server? >> >> Is it enough to reinstall the server and run a ipa-replica-install from >> one of the other replicas? > > It depends on what type of CA installation you have. Did you install > with dogtag or with a selfsign CA? 
> > rob > Dogtag From simo at redhat.com Mon Feb 13 19:55:21 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 13 Feb 2012 14:55:21 -0500 Subject: [Freeipa-users] Replacing the primary IPA server In-Reply-To: <4F3967CE.6060104@nixtra.com> References: <4F395941.60408@nixtra.com> <4F396187.1040109@redhat.com> <4F3967CE.6060104@nixtra.com> Message-ID: <1329162921.5829.160.camel@willson.li.ssimo.org> On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote: > On 02/13/2012 08:16 PM, Rob Crittenden wrote: > > Sigbjorn Lie wrote: > >> Hi, > >> > >> What precautions need to be taken when replacing the primary/first IPA > >> server? > >> > >> Is it enough to reinstall the server and run a ipa-replica-install from > >> one of the other replicas? > > > > It depends on what type of CA installation you have. Did you install > > with dogtag or with a selfsign CA? > > > > rob > > > Dogtag If you installed the CA on more than one replica, then you can remove the first master, all the info is replicated on the other replicas that have a clone of the CA. Note that the CA is not replicated by default see the --setup-ca option or ipa-ca-install Simo. -- Simo Sorce * Red Hat, Inc * New York From sigbjorn at nixtra.com Mon Feb 13 20:37:34 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 13 Feb 2012 21:37:34 +0100 Subject: [Freeipa-users] Replacing the primary IPA server In-Reply-To: <1329162921.5829.160.camel@willson.li.ssimo.org> References: <4F395941.60408@nixtra.com> <4F396187.1040109@redhat.com> <4F3967CE.6060104@nixtra.com> <1329162921.5829.160.camel@willson.li.ssimo.org> Message-ID: <4F39748E.2070004@nixtra.com> On 02/13/2012 08:55 PM, Simo Sorce wrote: > On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote: >> On 02/13/2012 08:16 PM, Rob Crittenden wrote: >>> Sigbjorn Lie wrote: >>>> Hi, >>>> >>>> What precautions need to be taken when replacing the primary/first IPA >>>> server? 
>>>> >>>> Is it enough to reinstall the server and run a ipa-replica-install from >>>> one of the other replicas? >>> It depends on what type of CA installation you have. Did you install >>> with dogtag or with a selfsign CA? >>> >>> rob >>> >> Dogtag > If you installed the CA on more than one replica, then you can remove > the first master, all the info is replicated on the other replicas that > have a clone of the CA. Note that the CA is not replicated by default > see the --setup-ca option or ipa-ca-install Excellent. Yes, I've used --setup-ca when I created the replicas. :) What if I have 3 IPA servers. 2 being replicated off the first master. The master is re-installed and re-setup using ipa-replica-install from one of the 2 other IPA servers. Will not the 3rd server be left without a sync agreement? Does the 3rd server need to be manually added back in with a sync agreement? Rgds, Siggi From simo at redhat.com Mon Feb 13 20:43:19 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 13 Feb 2012 15:43:19 -0500 Subject: [Freeipa-users] Replacing the primary IPA server In-Reply-To: <4F39748E.2070004@nixtra.com> References: <4F395941.60408@nixtra.com> <4F396187.1040109@redhat.com> <4F3967CE.6060104@nixtra.com> <1329162921.5829.160.camel@willson.li.ssimo.org> <4F39748E.2070004@nixtra.com> Message-ID: <1329165799.5829.162.camel@willson.li.ssimo.org> On Mon, 2012-02-13 at 21:37 +0100, Sigbjorn Lie wrote: > On 02/13/2012 08:55 PM, Simo Sorce wrote: > > On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote: > >> On 02/13/2012 08:16 PM, Rob Crittenden wrote: > >>> Sigbjorn Lie wrote: > >>>> Hi, > >>>> > >>>> What precautions need to be taken when replacing the primary/first IPA > >>>> server? > >>>> > >>>> Is it enough to reinstall the server and run a ipa-replica-install from > >>>> one of the other replicas? > >>> It depends on what type of CA installation you have. Did you install > >>> with dogtag or with a selfsign CA? 
> >>> > >>> rob > >>> > >> Dogtag > > If you installed the CA on more than one replica, then you can remove > > the first master, all the info is replicated on the other replicas that > > have a clone of the CA. Note that the CA is not replicated by default > > see the --setup-ca option or ipa-ca-install > > Excellent. Yes, I've used --setup-ca when I created the replicas. :) > > What if I have 3 IPA servers. 2 being replicated off the first master. > The master is re-installed and re-setup using ipa-replica-install from > one of the 2 other IPA servers. > > Will not the 3rd server be left without a sync agreement? Does the 3rd > server need to be manually added back in with a sync agreement? Before removing any server you should make sure it will not break the topology. You can use ipa-replica-manage and ipa-ca-replica-manage to create links between the 2 other servers before you retire the hub. You have to use both the commands as CA replication agreements are distinct from IPA replication agreements. Simo. -- Simo Sorce * Red Hat, Inc * New York From sigbjorn at nixtra.com Mon Feb 13 23:14:18 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 14 Feb 2012 00:14:18 +0100 Subject: [Freeipa-users] Replacing the primary IPA server In-Reply-To: <1329165799.5829.162.camel@willson.li.ssimo.org> References: <4F395941.60408@nixtra.com> <4F396187.1040109@redhat.com> <4F3967CE.6060104@nixtra.com> <1329162921.5829.160.camel@willson.li.ssimo.org> <4F39748E.2070004@nixtra.com> <1329165799.5829.162.camel@willson.li.ssimo.org> Message-ID: <4F39994A.8090804@nixtra.com> On 02/13/2012 09:43 PM, Simo Sorce wrote: > On Mon, 2012-02-13 at 21:37 +0100, Sigbjorn Lie wrote: >> On 02/13/2012 08:55 PM, Simo Sorce wrote: >>> On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote: >>>> On 02/13/2012 08:16 PM, Rob Crittenden wrote: >>>>> Sigbjorn Lie wrote: >>>>>> Hi, >>>>>> >>>>>> What precautions need to be taken when replacing the primary/first IPA >>>>>> server? 
>>>>>> >>>>>> Is it enough to reinstall the server and run a ipa-replica-install from >>>>>> one of the other replicas? >>>>> It depends on what type of CA installation you have. Did you install >>>>> with dogtag or with a selfsign CA? >>>>> >>>>> rob >>>>> >>>> Dogtag >>> If you installed the CA on more than one replica, then you can remove >>> the first master, all the info is replicated on the other replicas that >>> have a clone of the CA. Note that the CA is not replicated by default >>> see the --setup-ca option or ipa-ca-install >> Excellent. Yes, I've used --setup-ca when I created the replicas. :) >> >> What if I have 3 IPA servers. 2 being replicated off the first master. >> The master is re-installed and re-setup using ipa-replica-install from >> one of the 2 other IPA servers. >> >> Will not the 3rd server be left without a sync agreement? Does the 3rd >> server need to be manually added back in with a sync agreement? > Before removing any server you should make sure it will not break the > topology. > > You can use ipa-replica-manage and ipa-ca-replica-manage to create links > between the 2 other servers before you retire the hub. > > You have to use both the commands as CA replication agreements are > distinct from IPA replication agreements. > > 1. Let's say the server has crashed. Unrecoverable. Can new replication agreements still be set up between the remaining hosts? 2. I do not see a way for displaying relationships between the IPA hosts when viewing the replicas with ipa-replica-manage list. I see the same output on all the IPA hosts. So if I was not the one who set up IPA, and did not have the documentation handy available, is there a command provided with IPA where I can figure out how the existing replication agreements are set up between the hosts? ...except of looking in the LDAP tree under cn=replicaname,cn=replica,cn=domain,cn=mapping tree,cn=config? 3. 
Perhaps this was discussed earlier: Can there be configured a ring of replicas with IPA? Regards, Siggi From simo at redhat.com Mon Feb 13 23:31:33 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 13 Feb 2012 18:31:33 -0500 Subject: [Freeipa-users] Replacing the primary IPA server In-Reply-To: <4F39994A.8090804@nixtra.com> References: <4F395941.60408@nixtra.com> <4F396187.1040109@redhat.com> <4F3967CE.6060104@nixtra.com> <1329162921.5829.160.camel@willson.li.ssimo.org> <4F39748E.2070004@nixtra.com> <1329165799.5829.162.camel@willson.li.ssimo.org> <4F39994A.8090804@nixtra.com> Message-ID: <1329175893.5829.172.camel@willson.li.ssimo.org> On Tue, 2012-02-14 at 00:14 +0100, Sigbjorn Lie wrote: > On 02/13/2012 09:43 PM, Simo Sorce wrote: > > On Mon, 2012-02-13 at 21:37 +0100, Sigbjorn Lie wrote: > >> On 02/13/2012 08:55 PM, Simo Sorce wrote: > >>> On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote: > >>>> On 02/13/2012 08:16 PM, Rob Crittenden wrote: > >>>>> Sigbjorn Lie wrote: > >>>>>> Hi, > >>>>>> > >>>>>> What precautions need to be taken when replacing the primary/first IPA > >>>>>> server? > >>>>>> > >>>>>> Is it enough to reinstall the server and run a ipa-replica-install from > >>>>>> one of the other replicas? > >>>>> It depends on what type of CA installation you have. Did you install > >>>>> with dogtag or with a selfsign CA? > >>>>> > >>>>> rob > >>>>> > >>>> Dogtag > >>> If you installed the CA on more than one replica, then you can remove > >>> the first master, all the info is replicated on the other replicas that > >>> have a clone of the CA. Note that the CA is not replicated by default > >>> see the --setup-ca option or ipa-ca-install > >> Excellent. Yes, I've used --setup-ca when I created the replicas. :) > >> > >> What if I have 3 IPA servers. 2 being replicated off the first master. > >> The master is re-installed and re-setup using ipa-replica-install from > >> one of the 2 other IPA servers. 
> >>
> >> Will not the 3rd server be left without a sync agreement? Does the 3rd
> >> server need to be manually added back in with a sync agreement?
> > Before removing any server you should make sure it will not break the
> > topology.
> >
> > You can use ipa-replica-manage and ipa-ca-replica-manage to create links
> > between the 2 other servers before you retire the hub.
> >
> > You have to use both the commands as CA replication agreements are
> > distinct from IPA replication agreements.
> >
> >
> 1. Let's say the server has crashed. Unrecoverable. Can new replication
> agreements still be set up between the remaining hosts?

Yes, you should be able to change the agreements, as all the principals already exist so there is no need to replicate through the old hub just to set them up.

> 2. I do not see a way for displaying relationships between the IPA hosts
> when viewing the replicas with ipa-replica-manage list. I see the same
> output on all the IPA hosts.

ipa-replica-manage list
shows all servers

ipa-replica-manage list servername
shows the replication agreements that server uses

If they all look the same it means you have a full mesh :)

> So if I was not the one who set up IPA, and did not have the
> documentation handy available, is there a command provided with IPA
> where I can figure out how the existing replication agreements are set
> up between the hosts?
>
> ...except of looking in the LDAP tree under
> cn=replicaname,cn=replica,cn=domain,cn=mapping tree,cn=config?

See above.

> 3. Perhaps this was discussed earlier: Can there be configured a ring of
> replicas with IPA?

If by ring you mean A <-> B <-> C <-> A then yes.
In general we recommend to not have more than 4 replication agreements per server, but that's more of a rule of thumb than a hard limit.

Simo.
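The pre-retirement check Simo describes (make sure removing the hub does not break the topology, then create the missing links with both ipa-replica-manage and ipa-ca-replica-manage), written out as an added example. This is not FreeIPA's own code and not something posted in the thread: it parses constructed "ipa-replica-manage list <server>" output (the "partner: status" line format and the example.test host names are assumptions), builds the agreement graph, reports whether the remaining servers stay connected without the hub, and prints the connect commands that would close the gap. Run the same function over ipa-ca-replica-manage output separately, since the CA agreements form their own topology.

```python
from collections import deque

# Constructed sample, not captured from a real deployment: the text that
# `ipa-replica-manage list <server>` is assumed to print on each of three
# servers (partner host followed by ':' and a status word). ipa1 is the hub;
# ipa2 and ipa3 only have agreements with it, the situation in the thread.
SAMPLE_LISTINGS = {
    "ipa1.example.test": "ipa2.example.test: replica\nipa3.example.test: replica\n",
    "ipa2.example.test": "ipa1.example.test: replica\n",
    "ipa3.example.test": "ipa1.example.test: replica\n",
}


def parse_agreements(listings):
    """Build an undirected agreement graph: server -> set of partners.

    Agreements are multi-master, so one agreement is recorded from both
    sides. The 'host: status' line format is an assumption about the tool.
    """
    graph = {name: set() for name in listings}
    for server, text in listings.items():
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            partner = line.split(":", 1)[0].strip()
            graph.setdefault(partner, set()).add(server)
            graph[server].add(partner)
    return graph


def components(graph, removed=frozenset()):
    """Connected components (sorted lists) after taking `removed` out."""
    remaining = {n for n in graph if n not in removed}
    seen, comps = set(), []
    for start in sorted(remaining):
        if start in seen:
            continue
        comp, queue = [], deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.append(node)
            for peer in graph[node]:
                if peer in remaining and peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
        comps.append(sorted(comp))
    return comps


def survives_removal(graph, server):
    """True if replication still reaches every remaining server without `server`."""
    return len(components(graph, {server})) <= 1


def links_to_add(graph, server):
    """Minimal agreements to create before retiring `server`.

    Chains one member of each surviving component to the next; for the
    thread's hub-and-two-spokes case that is a single ipa2<->ipa3 link.
    """
    comps = components(graph, {server})
    return [(comps[i][0], comps[i + 1][0]) for i in range(len(comps) - 1)]


def over_limit(graph, limit=4):
    """Servers above the rule-of-thumb agreement count mentioned in the thread."""
    return sorted(name for name, peers in graph.items() if len(peers) > limit)


if __name__ == "__main__":
    graph = parse_agreements(SAMPLE_LISTINGS)
    hub = "ipa1.example.test"
    print("topology survives losing", hub, ":", survives_removal(graph, hub))
    for a, b in links_to_add(graph, hub):
        # Both the domain and the CA agreements need the link (distinct topologies).
        print(f"ipa-replica-manage connect {a} {b}")
        print(f"ipa-ca-replica-manage connect {a} {b}")
    print("servers over 4 agreements:", over_limit(graph))
```

For the sample, survives_removal is False and one ipa2 to ipa3 link is proposed; a ring A-B-C-A passes the check with no links needed, and a star with five spokes trips the four-agreement rule of thumb.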
-- 
Simo Sorce * Red Hat, Inc * New York

From dlackey at redhat.com Tue Feb 14 00:55:24 2012
From: dlackey at redhat.com (E Deon Lackey)
Date: Mon, 13 Feb 2012 18:55:24 -0600
Subject: [Freeipa-users] Aix client configuration
In-Reply-To: <4F215D0A.2010803@redhat.com>
References: <4F204A32.4070602@redhat.com> <4F215D0A.2010803@redhat.com>
Message-ID: <4F39B0FC.5090008@redhat.com>

On 1/26/2012 8:02 AM, Rob Crittenden wrote:
>
> Use ldapmodify to create this entry:
>
> # ldapmodify -D "cn=directory manager" -w secret -p 389 -h ipaserver.example.com -x -a
>
> dn: uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com
> objectClass: account
> objectClass: simplesecurityobject
> objectClass: top
> uid: nss
> userPassword: secretpassword
>
> This is documented at
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
>
> rob

Hey, Sylvain. Were these instructions enough to get FreeIPA configured on AIX 6.1?

Thanks!
Deon

From marco.pizzoli at gmail.com Tue Feb 14 09:20:25 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Tue, 14 Feb 2012 10:20:25 +0100
Subject: [Freeipa-users] Problem in ipa-server-install -> uninstall -> install
Message-ID: 

Hi guys,
I'm running freeipa-server-2.1.4-5.fc16.x86_64.

Following the documentation I can see that to uninstall and reinstall a freeipa system it is sufficient to:

> ipa-server-install
> ipa-server-install --uninstall
> ipa-server-install

Well, when re-installing the system, I get this error on the console:

[cut]
done configuring named.
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain unix.mydomain.it --server freeipa01.unix.mydomain.it --realm UNIX.MYDOMAIN.IT --hostname freeipa01.unix.mydomain.it' returned non-zero exit status 1

I had a look at /var/log/ipaclient-install.log and I saw these lines:

[cut]
2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
2012-02-14 09:53:39,435 DEBUG stdout=
2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39--  http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
Resolving freeipa01.unix.mydomain.it... 192.168.146.131
Connecting to freeipa01.unix.mydomain.it|192.168.146.131|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1325 (1.3K) [application/x-x509-ca-cert]
Saving to: “/etc/ipa/ca.crt”

     0K .                                                     100%  270M=0s

2012-02-14 09:53:39 (270 MB/s) - “/etc/ipa/ca.crt” saved [1325/1325]

2012-02-14 09:53:39,436 DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2012-02-14 09:53:39,463 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it is already configured in existing SSSD config, creating a new one.
2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2012-02-14 09:53:39,643 DEBUG stdout=
2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

So I tried a new "ipa-server-install --uninstall" and checked the file /etc/ipa/ca.crt. And it remained there.
What is the problem?

Thanks
Marco
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From simo at redhat.com Tue Feb 14 13:23:06 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 14 Feb 2012 08:23:06 -0500
Subject: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials
In-Reply-To: <20120212233923.GA12242@noboost.org>
References: <20120212233923.GA12242@noboost.org>
Message-ID: <1329225786.5829.195.camel@willson.li.ssimo.org>

On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
> Hi,
>
> Server:
> RHEL6.2
>
> Spec:
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
> libipa_hbac-1.5.1-66.el6_2.3.x86_64
> libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
>
> Error:
> I had this working on Friday night, came in Monday and then this error appeared?
>
> kinit -V craig
> Using default cache: /tmp/krb5cc_0
> Using principal: craig at EXAMPLE.COM
> kinit: Generic error (see e-text) while getting initial credentials
>
> Server Side Error: (File: /var/log/krb5kdc.log)
> Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: craig at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
>
> Usual Questions:
> Should I simply reset the password? It seems like the only option to quickly recover access to your user.
> Is it a bug?

It may be.
Did you do anything special with this user? Did this happen immediately after a password change? Or immediately after a FreeIPA or krb5kdc upgrade?
Can you give a little more context around this?

Also could you ldapsearch this user entry before you change your password using 'cn=Directory Manager' as user in order to retrieve the key attribute and send the ldif to me in private?
I want to see if the key blob at least looks normal (do not worry about your password, the key material is itself encrypted).

> Anyone else seen this error?

Haven't seen any report, and it hasn't ever occurred in my testing.

Simo,
-- 
Simo Sorce * Red Hat, Inc * New York

From djuran at redhat.com Tue Feb 14 14:18:09 2012
From: djuran at redhat.com (David Juran)
Date: Tue, 14 Feb 2012 15:18:09 +0100
Subject: [Freeipa-users] syncing users more not limited to a subtree
In-Reply-To: <4F3537B4.3030205@redhat.com>
References: <1328871707.3458.103.camel@localhost.localdomain> <4F3537B4.3030205@redhat.com>
Message-ID: <1329229089.3280.45.camel@localhost.localdomain>

Hello!

On fre, 2012-02-10 at 08:28 -0700, Rich Megginson wrote:
> On 02/10/2012 04:01 AM, David Juran wrote:
> > I wonder if it's somehow possible to sync AD-users more selectively than
> > just by sub-tree. In my case, I'm dealing with a very large organisation
> > where the users that are to be synced to IPA aren't grouped by a subtree
> > in AD but rather spread out. Can this be handled somehow?
> >
> I don't think so, but can you provide some examples?

If I understand the customer's use case correctly (and this is quite a disclaimer) they have _most_ of their users in one sub-tree in AD but also some users spread out all over the AD.
So I gather that I really should sync the entire AD. Or that I _possibly_ could specify multiple sub-trees to sync, but still only on a subtree level and not individual users to sync. Or that I really should wait for the trust-to-AD feature to be ready... Is that correct?

-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From rcritten at redhat.com Tue Feb 14 14:24:40 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Feb 2012 09:24:40 -0500 Subject: [Freeipa-users] Problem in ipa-server-install -> uninstall -> install In-Reply-To: References: Message-ID: <4F3A6EA8.4030700@redhat.com> Marco Pizzoli wrote: > Hi guys, > I'm running freeipa-server-2.1.4-5.fc16.x86_64. > > Following the documentation I can see that to uninstall and reinstall a > freeipa system it is sufficient to: > > > ipa-server-install > > ipa-server-install --uninstall > > ipa-server-install > > Well, when re-installing the system, I get this error on the console: > [cut] > done configuring named. > Configuration of client side components failed! > ipa-client-install returned: Command '/usr/sbin/ipa-client-install > --on-master --unattended --domain unix.mydomain.it > --server freeipa01.unix.mydomain.it > --realm UNIX.MYDOMAIN.IT > --hostname freeipa01.unix.mydomain.it > ' returned non-zero exit status 1 > > I had a look to /var/log/ipaclient-install.log and I saw these lines > > [cut] > 2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt > http://freeipa01.unix.mydomain.it/ipa/config/ca.crt > 2012-02-14 09:53:39,435 DEBUG stdout= > 2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39-- > http://freeipa01.unix.mydomain.it/ipa/config/ca.crt > Resolving freeipa01.unix.mydomain.it... 192.168.146.131 > Connecting to freeipa01.unix.mydomain.it > |192.168.146.131|:80... connected. > HTTP request sent, awaiting response... 200 OK > Length: 1325 (1.3K) [application/x-x509-ca-cert] > Saving to: <80><9C>/etc/ipa/ca.crt<80><9D> > > 0K . 
100% 270M=0s > > 2012-02-14 09:53:39 (270 MB/s) - <80><9C>/etc/ipa/ca.crt<80><9D> > saved [1325/1325] > > > 2012-02-14 09:53:39,436 DEBUG Backing up system configuration file > '/etc/sssd/sssd.conf' > 2012-02-14 09:53:39,463 DEBUG Saving Index File to > '/var/lib/ipa-client/sysrestore/sysrestore.index' > 2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it > is already configured in existing SSSD config, > creating a new one. > 2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d > /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt > 2012-02-14 09:53:39,643 DEBUG stdout= > 2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain > certificate from file: You are attempting to import a cert with the same > issuer/serial as an existing cert, but that is not the same cert. > > > So I tried a new "ipa-server-install --uninstall" and checked the file > /etc/ipa/ca.crt. And it remained there. > What is the problem? The problem isn't the existence of the file, it is the existence of the cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d /etc/pki/nsdb Re-install should succeed then. rob From marco.pizzoli at gmail.com Tue Feb 14 14:58:42 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Tue, 14 Feb 2012 15:58:42 +0100 Subject: [Freeipa-users] Problem in ipa-server-install -> uninstall -> install In-Reply-To: <4F3A6EA8.4030700@redhat.com> References: <4F3A6EA8.4030700@redhat.com> Message-ID: On Tue, Feb 14, 2012 at 3:24 PM, Rob Crittenden wrote: > Marco Pizzoli wrote: > >> Hi guys, >> I'm running freeipa-server-2.1.4-5.fc16.**x86_64. >> >> Following the documentation I can see that to uninstall and reinstall a >> freeipa system it is sufficient to: >> >> > ipa-server-install >> > ipa-server-install --uninstall >> > ipa-server-install >> >> Well, when re-installing the system, I get this error on the console: >> [cut] >> done configuring named. >> Configuration of client side components failed! 
>> ipa-client-install returned: Command '/usr/sbin/ipa-client-install >> --on-master --unattended --domain unix.mydomain.it >> --server freeipa01.unix.mydomain.it >> > >> --realm UNIX.MYDOMAIN.IT >> --hostname freeipa01.unix.mydomain.it >> >' >> returned non-zero exit status 1 >> >> >> I had a look to /var/log/ipaclient-install.log and I saw these lines >> >> [cut] >> 2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt >> http://freeipa01.unix.**mydomain.it/ipa/config/ca.crt >> 2012-02-14 09:53:39,435 DEBUG stdout= >> 2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39-- >> http://freeipa01.unix.**mydomain.it/ipa/config/ca.crt >> Resolving freeipa01.unix.mydomain.it... 192.168.146.131 >> Connecting to freeipa01.unix.mydomain.it >> >> >|192.168.146.131|:**80... connected. >> >> HTTP request sent, awaiting response... 200 OK >> Length: 1325 (1.3K) [application/x-x509-ca-cert] >> Saving to: <80><9C>/etc/ipa/ca.crt<**E2><80><9D> >> >> 0K . 100% >> 270M=0s >> >> 2012-02-14 09:53:39 (270 MB/s) - <80><9C>/etc/ipa/ca.crt<** >> E2><80><9D> >> saved [1325/1325] >> >> >> 2012-02-14 09:53:39,436 DEBUG Backing up system configuration file >> '/etc/sssd/sssd.conf' >> 2012-02-14 09:53:39,463 DEBUG Saving Index File to >> '/var/lib/ipa-client/**sysrestore/sysrestore.index' >> 2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it >> is already configured in existing SSSD config, >> >> creating a new one. >> 2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d >> /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt >> 2012-02-14 09:53:39,643 DEBUG stdout= >> 2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain >> certificate from file: You are attempting to import a cert with the same >> issuer/serial as an existing cert, but that is not the same cert. >> >> >> So I tried a new "ipa-server-install --uninstall" and checked the file >> /etc/ipa/ca.crt. And it remained there. >> What is the problem? 
>>
>
> The problem isn't the existence of the file, it is the existence of the
> cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d
> /etc/pki/nsdb
>

[root at freeipa01 ~]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb/
certutil: could not find certificate named "IPA CA": security library: bad database.

Thanks again
Marco

> Re-install should succeed then.
>
> rob
>

From rmeggins at redhat.com Tue Feb 14 15:14:35 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 14 Feb 2012 08:14:35 -0700
Subject: [Freeipa-users] syncing users more not limited to a subtree
In-Reply-To: <1329229089.3280.45.camel@localhost.localdomain>
References: <1328871707.3458.103.camel@localhost.localdomain> <4F3537B4.3030205@redhat.com> <1329229089.3280.45.camel@localhost.localdomain>
Message-ID: <4F3A7A5B.6080904@redhat.com>

On 02/14/2012 07:18 AM, David Juran wrote:
> Hello!
>
> On fre, 2012-02-10 at 08:28 -0700, Rich Megginson wrote:
>> On 02/10/2012 04:01 AM, David Juran wrote:
>>> I wonder if it's somehow possible to sync AD-users more selectively than
>>> just by sub-tree. In my case, I'm dealing with a very large organisation
>>> where the users that are to be synced to IPA aren't grouped by a subtree
>>> in AD but rather spread out. Can this be handled somehow?
>>>
>> I don't think so, but can you provide some examples?
> If I understand the customers use-case correctly (and this is quite a
> disclaimer) they have _most_ of their users in one sub-tree in AD but
> also some users spread out all over the AD.
> So I gather that I really should sync the entire AD. Or that I
> _possibly_ could specify multiple sub-trees to sync, but still only on a
> subtree level and not individual users to sync. Or that I really should
> wait for the trust-to-AD feature to be ready... Is that correct?

You could try syncing several subtrees from AD to IPA.
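An added illustration of the certutil failure in the ipa-server-install reinstall thread above (Marco's "same issuer/serial as an existing cert, but that is not the same cert" and Rob's remedy of deleting the stale "IPA CA" nickname). This is not NSS, certutil or FreeIPA code, nor anything posted in the thread: it is a small model of the uniqueness rule an NSS certificate database applies, keyed on (issuer, serial). A reinstall mints a brand-new CA under the old issuer name, so the new certificate collides with the stale entry until that entry is removed by nickname. The issuer DN, the serial number 1 and the "key material" seeds are constructed; so is the second symptom, a delete of a nickname that is not in the database.

```python
import hashlib
from dataclasses import dataclass


class CertConflict(Exception):
    """Raised for the condition certutil reported in the thread."""


@dataclass(frozen=True)
class Cert:
    nickname: str
    issuer: str
    serial: int
    der: bytes            # constructed stand-in for the real DER encoding
    trust: str = "CT,C,C"


class CertDb:
    """Toy model of the uniqueness rule an NSS cert database enforces."""

    def __init__(self):
        self._by_key = {}    # (issuer, serial) -> Cert
        self._by_nick = {}   # nickname -> Cert

    def add(self, cert):
        """Like certutil -A: refuse a different cert that reuses a known issuer/serial."""
        key = (cert.issuer, cert.serial)
        existing = self._by_key.get(key)
        if existing is not None and existing.der != cert.der:
            raise CertConflict(
                "You are attempting to import a cert with the same issuer/serial "
                "as an existing cert, but that is not the same cert.")
        self._by_key[key] = cert
        self._by_nick[cert.nickname] = cert

    def delete(self, nickname):
        """Like certutil -D: remove by nickname; an unknown nickname is an error."""
        cert = self._by_nick.pop(nickname, None)
        if cert is None:
            raise KeyError(f'could not find certificate named "{nickname}"')
        del self._by_key[(cert.issuer, cert.serial)]

    def nicknames(self):
        return sorted(self._by_nick)


def make_ca(nickname, issuer, serial, seed):
    """Constructed certificate bytes; `seed` stands in for the CA's key material."""
    der = hashlib.sha256(f"{issuer}|{serial}|{seed}".encode()).digest()
    return Cert(nickname, issuer, serial, der)


def reinstall_sequence():
    """Replay the thread: stale CA present, reinstalled CA rejected, fixed by delete.

    Returns (first_import_failed, nicknames_after_fix).
    """
    db = CertDb()
    issuer = "CN=Certificate Authority,O=UNIX.MYDOMAIN.IT"   # constructed DN
    old_ca = make_ca("IPA CA", issuer, 1, seed="install-1")  # left by the first install
    new_ca = make_ca("IPA CA", issuer, 1, seed="install-2")  # minted by the reinstall
    db.add(old_ca)
    try:
        db.add(new_ca)
        failed = False
    except CertConflict:
        failed = True
    # Rob's remedy: drop the stale entry by nickname, then the import goes through.
    db.delete("IPA CA")
    db.add(new_ca)
    return failed, db.nicknames()


if __name__ == "__main__":
    print(reinstall_sequence())   # (True, ['IPA CA'])
```

Re-importing the identical certificate is accepted (same bytes, same key), which is why a plain "already present" check is not what the error is about; only a different certificate under a known issuer/serial is refused.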
From rcritten at redhat.com Tue Feb 14 19:25:45 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Feb 2012 14:25:45 -0500 Subject: [Freeipa-users] Problem in ipa-server-install -> uninstall -> install In-Reply-To: References: <4F3A6EA8.4030700@redhat.com> Message-ID: <4F3AB539.1030503@redhat.com> Marco Pizzoli wrote: > > > On Tue, Feb 14, 2012 at 3:24 PM, Rob Crittenden > wrote: > > Marco Pizzoli wrote: > > Hi guys, > I'm running freeipa-server-2.1.4-5.fc16.__x86_64. > > Following the documentation I can see that to uninstall and > reinstall a > freeipa system it is sufficient to: > > > ipa-server-install > > ipa-server-install --uninstall > > ipa-server-install > > Well, when re-installing the system, I get this error on the > console: > [cut] > done configuring named. > Configuration of client side components failed! > ipa-client-install returned: Command '/usr/sbin/ipa-client-install > --on-master --unattended --domain unix.mydomain.it > > --server freeipa01.unix.mydomain.it > > > --realm UNIX.MYDOMAIN.IT > > --hostname freeipa01.unix.mydomain.it > > >' returned non-zero exit > status 1 > > > I had a look to /var/log/ipaclient-install.log and I saw these lines > > [cut] > 2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt > http://freeipa01.unix.__mydomain.it/ipa/config/ca.crt > > 2012-02-14 09:53:39,435 DEBUG stdout= > 2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39-- > http://freeipa01.unix.__mydomain.it/ipa/config/ca.crt > > Resolving freeipa01.unix.mydomain.it... 192.168.146.131 > Connecting to freeipa01.unix.mydomain.it > > >|192.168.146.131|:__80... > connected. > > HTTP request sent, awaiting response... 200 OK > Length: 1325 (1.3K) [application/x-x509-ca-cert] > Saving to: <80><9C>/etc/ipa/ca.crt<__E2><80><9D> > > 0K . 
> 100% 270M=0s > > 2012-02-14 09:53:39 (270 MB/s) - > <80><9C>/etc/ipa/ca.crt<__E2><80><9D> > saved [1325/1325] > > > 2012-02-14 09:53:39,436 DEBUG Backing up system configuration file > '/etc/sssd/sssd.conf' > 2012-02-14 09:53:39,463 DEBUG Saving Index File to > '/var/lib/ipa-client/__sysrestore/sysrestore.index' > 2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it > > is already configured in existing SSSD > config, > > creating a new one. > 2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d > /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt > 2012-02-14 09:53:39,643 DEBUG stdout= > 2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain > certificate from file: You are attempting to import a cert with > the same > issuer/serial as an existing cert, but that is not the same cert. > > > So I tried a new "ipa-server-install --uninstall" and checked > the file > /etc/ipa/ca.crt. And it remained there. > What is the problem? > > > The problem isn't the existence of the file, it is the existence of > the cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d > /etc/pki/nsdb > > > [root at freeipa01 ~]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb/ > certutil: could not find certificate named "IPA CA": security library: > bad database. Well that's strange. Can you run: certutil -L -d /etc/pki/nssdb ? rob From dpal at redhat.com Tue Feb 14 19:43:56 2012 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 14 Feb 2012 14:43:56 -0500 Subject: [Freeipa-users] FreeIPA DogTag PKI as a regular Certification Authority? In-Reply-To: <4F3AB94C.7060908@redhat.com> References: <4F394152.7060608@redhat.com> <4F3AB94C.7060908@redhat.com> Message-ID: <4F3AB97C.1050505@redhat.com> I hit reply instead of reply all again. Sorry. Adding the list back. 
On 02/14/2012 02:43 PM, Dmitri Pal wrote: > On 02/13/2012 12:43 PM, Marco Pizzoli wrote: >> Hi Adam, >> >> On Mon, Feb 13, 2012 at 5:58 PM, Adam Young > > wrote: >> >> On 02/12/2012 04:00 PM, Marco Pizzoli wrote: >>> Hi, >>> I see DogTag PKI used as a certificate server for the enrollment >>> of hosts and services. >>> What about the enrollment of normal X509v3 certificates? I have >>> not seen, correct me if I'm wrong, any reference to the >>> possibility to use it as a regular CA for user certificates. Not >>> within FreeIPA, of course. >>> >>> Is there any drawback in using it as the primary CA for the company? >> >> It is a full CA. You can use it as such. Dogtag is a vibrant >> project in its own right, and you can find developers on >> #dogtag-pki in Freenode. The install is done via pkisilent, and >> you might want to make sure that you understand the parameters >> used to call it. >> >> >> I will. Thanks for the pointer. >> >> >> One major drawback is that IPA has disabled Nonces in the Dogtag >> backend. These are there to defend against a CSRF attack. What >> this means is that you should not expose the Dogtag WebUI through >> the IPA server, either on its Dogtag port or via HTTP proxy. It >> should be explicitly stated that IPA implements Nonces for its >> web UI, and does not allow session based calls through to the >> Dogtag back end, so its configuration is secure. The problem is >> only exposed if you expose additional web URLs to the Dogtag >> backend beyond those specified in the PKI Proxy. >> >> Enabling nonces will break IPA. >> >> >> You told me something I wasn't aware of. I will dig into this during >> next weeks. >> >> >> I've installed and used the standard Java tools for Dogtag and >> used them to talk to the PKI backend installed by IPA. They work >> fine. >> >> >> Ok, this is what I hoped to read! :-) >> >> Currently, IPA acts as a single Agent in Dogtag. This should >> be fine. 
For other certificate usage, you should probably use >> a different agent. >> >> >> Please be patient with me, I don't understand yet the concept of >> "agent". Even a reference to the documentation would be helpful to me. >> > > > "Agent" is client side software that can connect to CA, authenticate > and has a role to perform specific operations against CA. > >> IPA does not currently support user certificates. However, >> there are standard LDAP object classes and attributes that you >> could conceivably use to record them if you wanted to keep them >> in a single DirSrv. Obviosuly, you do not want to put the >> private keys on the IPA server, so plan accordingly. >> >> >> I will, I promise :-) >> >> >> Red Hat does not support using the Certificate Server (PKI) >> backend with its Identity management install for purposes other >> than support for the IdM (IPA) front end, so beware that you have >> no "up sell" if you desire to get paid support for IPA. >> >> >> I understand. >> I link a question I'm curious of: if I remember correctly, on the >> PKI-user mailing list I read a user complaining about RH not selling >> RHCS standalone anymore. Is it true? > > It is true to some extent. > It is sold under special conditions. For more info on RHCS sales > conditions you need to go via official RH channels. > >> >> You've been very helpful! Your blog too.. :-) >> Thanks a lot! >> Marco >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/
From sigbjorn at nixtra.com Tue Feb 14 21:28:45 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 14 Feb 2012 22:28:45 +0100 Subject: [Freeipa-users] Replacing the primary IPA server In-Reply-To: <1329175893.5829.172.camel@willson.li.ssimo.org> References: <4F395941.60408@nixtra.com> <4F396187.1040109@redhat.com> <4F3967CE.6060104@nixtra.com> <1329162921.5829.160.camel@willson.li.ssimo.org> <4F39748E.2070004@nixtra.com> <1329165799.5829.162.camel@willson.li.ssimo.org> <4F39994A.8090804@nixtra.com> <1329175893.5829.172.camel@willson.li.ssimo.org> Message-ID: <4F3AD20D.8090002@nixtra.com> On 02/14/2012 12:31 AM, Simo Sorce wrote: > On Tue, 2012-02-14 at 00:14 +0100, Sigbjorn Lie wrote: >> On 02/13/2012 09:43 PM, Simo Sorce wrote: >>> On Mon, 2012-02-13 at 21:37 +0100, Sigbjorn Lie wrote: >>>> On 02/13/2012 08:55 PM, Simo Sorce wrote: >>>>> On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote: >>>>>> On 02/13/2012 08:16 PM, Rob Crittenden wrote: >>>>>>> Sigbjorn Lie wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> What precautions need to be taken when replacing the primary/first IPA >>>>>>>> server? >>>>>>>> >>>>>>>> Is it enough to reinstall the server and run a ipa-replica-install from >>>>>>>> one of the other replicas? >>>>>>> It depends on what type of CA installation you have. Did you install >>>>>>> with dogtag or with a selfsign CA? >>>>>>> >>>>>>> rob >>>>>>> >>>>>> Dogtag >>>>> If you installed the CA on more than one replica, then you can remove >>>>> the first master, all the info is replicated on the other replicas that >>>>> have a clone of the CA. Note that the CA is not replicated by default >>>>> see the --setup-ca option or ipa-ca-install >>>> Excellent. Yes, I've used --setup-ca when I created the replicas. :) >>>> >>>> What if I have 3 IPA servers. 2 being replicated off the first master.
>>>> The master is re-installed and re-setup using ipa-replica-install from >>>> one of the 2 other IPA servers. >>>> >>>> Will not the 3rd server be left without a sync agreement? Does the 3rd >>>> server need to be manually added back in with a sync agreement? >>> Before removing any server you should make sure it will not break the >>> topology. >>> >>> You can use ipa-replica-manage and ipa-ca-replica-manage to create links >>> between the 2 other servers before you retire the hub. >>> >>> You have to use both the commands as CA replication agreements are >>> distinct from IPA replication agreements. >>> >>> >> 1. Let's say the server has crashed. Unrecoverable. Can new replication >> agreements still be set up between the remaining hosts? > Yes, you should be able to change the agreements, as all the principals > already exist so there is no need to replicate through the old hub just > to set them up. > >> 2. I do not see a way for displaying relationships between the IPA hosts >> when viewing the replicas with ipa-replica-manage list. I see the same >> output on all the IPA hosts. > ipa-replica-manage list shows all servers > ipa-replica-manage list servername shows the replication agreements that > server uses > > If they all look the same it means you have a full mesh :) > >> 3. Perhaps this was discussed earlier: Can there be configured a ring of >> replicas with IPA? > If by ring you mean A<-> B<-> C<-> A then yes. In general we > recommend to not have more than 4 replication agreements per server, but > that's more of a rule of thumb than a hard limit. > Thank you. :) For anyone else reading this thread and looking for more information, see the link below. I see some of my questions were already documented there.
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html From rcritten at redhat.com Tue Feb 14 21:54:51 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Feb 2012 16:54:51 -0500 Subject: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials In-Reply-To: <1329225786.5829.195.camel@willson.li.ssimo.org> References: <20120212233923.GA12242@noboost.org> <1329225786.5829.195.camel@willson.li.ssimo.org> Message-ID: <4F3AD82B.9050806@redhat.com> Simo Sorce wrote: > On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote: >> Hi, >> >> Server: >> RHEL6.2 >> >> >> Spec: >> ipa-admintools-2.1.3-9.el6.x86_64 >> ipa-client-2.1.3-9.el6.x86_64 >> ipa-pki-ca-theme-9.0.3-7.el6.noarch >> ipa-pki-common-theme-9.0.3-7.el6.noarch >> ipa-python-2.1.3-9.el6.x86_64 >> ipa-server-2.1.3-9.el6.x86_64 >> ipa-server-selinux-2.1.3-9.el6.x86_64 >> libipa_hbac-1.5.1-66.el6_2.3.x86_64 >> libipa_hbac-python-1.5.1-66.el6_2.3.x86_64 >> python-iniparse-0.3.1-2.1.el6.noarch >> >> >> Error: >> I had this working on Friday night, came in Monday and then this error appeared? >> >> kinit -V craig >> Using default cache: /tmp/krb5cc_0 >> Using principal: craig at EXAMPLE.COM >> kinit: Generic error (see e-text) while getting initial credentials >> >> Server Side Error: (File: /var/log/krb5kdc.log) >> Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: craig at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly) >> >> >> Usual Questions: >> Should I simply reset the password? > > It seem like the only option to quickly recover access to your user. > >> Is it a bug? > > It may be. Did you do anything special with this user ? Did this happen > immediately after a password change ? Or immediately after a FreeIPA or > krb5kdc upgrade ? 
> Can you give a little more context around this ? > > Also could you ldapsearch this user entry before you change your > password using 'cn=Directory Manager' as user in order to retrieve the > key attribute and send the ldif to me in private ? I want to see if the > key blob at least looks normal (do not worry about your password, the > key material is itself encrypted). It might also be handy to see who last updated this entry before you reset the password (if it isn't too late): modifyTimestamp lastModifiedBy > >> Anyone else seen this error? > > Haven't seen any report, and haven't ever occurred in my testing. > > Simo, > From rcritten at redhat.com Tue Feb 14 22:50:06 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Feb 2012 17:50:06 -0500 Subject: [Freeipa-users] syncing users more not limited to a subtree In-Reply-To: <1329229089.3280.45.camel@localhost.localdomain> References: <1328871707.3458.103.camel@localhost.localdomain> <4F3537B4.3030205@redhat.com> <1329229089.3280.45.camel@localhost.localdomain> Message-ID: <4F3AE51E.6010704@redhat.com> David Juran wrote: > Hello! > > On fre, 2012-02-10 at 08:28 -0700, Rich Megginson wrote: >> On 02/10/2012 04:01 AM, David Juran wrote: > >>> I wonder if it's somehow possible to sync AD-users more selectively then >>> just by sub-tree. In my case, I'm dealing with a very large organisation >>> where the users that are to be synced to IPA aren't grouped by a subtree >>> in AD but rather spread out. Can this be handled somehow? >>> >> I don't think so, but can you provide some examples? > > If I understand the customers use-case correctly (and this is quite a > disclaimer) they have _most_ of their users in one sub-tree in AD but > also some users spread out all over the AD. > So I gather that I really should sync the entire AD. Or that I > _possibly_ could specify multiple sub-trees to sync, but still only on a > subtree level and not individual users to sync. 
Or that I really should > wait for the trust-to-AD feature to be ready... Is that correct? How would they identify which users they would want sync'd? Is this something we'd be able to build a filter on (not that we actually provide a configurable filter right now)? rob From topping at codehaus.org Wed Feb 15 04:24:24 2012 From: topping at codehaus.org (Brian Topping) Date: Tue, 14 Feb 2012 23:24:24 -0500 Subject: [Freeipa-users] FreeIPA deployment questions (Open Directory) Message-ID: I'm new to FreeIPA and have some questions. I've searched the archives for similar articles and found https://www.redhat.com/archives/freeipa-users/2011-May/msg00040.html, but with some differences. Please excuse my lack of knowledge, but hope that answers to these questions might help others through the archives. *** I saw the announcement that 2.1.4 from the updates-testing repo is "strongly advised". In the previous message, I saw that deploying a production server on Fedora was a bad idea. 2.1.3 is the last version available on the CentOS repos. Is that one reasonable to use? Are there any gotchas that I should know about like disabling selinux? Is 2.1.3 usable while waiting for 2.1.4 to hit the CentOS repos? *** AD synchronization is under active development, but I'm wanting to work with Open Directory. The last references I've seen to it on the user list was with 1.x. I've seen the opaque objects in the OD schema, realize the OD schema is rather fluid and understand that maintaining an integration like that may not be productive for such a small audience. On the other hand, are there configurations with limited replication or referrals that might provide basic interoperability? I haven't been too successful with getting Apache Directory Studio connected to FreeIPA so I can browse around, but does anyone have some insights they could share on this? Anyone have FreeIPA working at any level with OpenDirectory that they could share insights about? 
Thank you kindly for any insights that you might be able to share! Brian From rcritten at redhat.com Wed Feb 15 05:16:44 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 15 Feb 2012 00:16:44 -0500 Subject: [Freeipa-users] FreeIPA deployment questions (Open Directory) In-Reply-To: References: Message-ID: <4F3B3FBC.3000601@redhat.com> Brian Topping wrote: > I'm new to FreeIPA and have some questions. I've searched the archives for similar articles and found https://www.redhat.com/archives/freeipa-users/2011-May/msg00040.html, but with some differences. Please excuse my lack of knowledge, but hope that answers to these questions might help others through the archives. > > *** I saw the announcement that 2.1.4 from the updates-testing repo is "strongly advised". In the previous message, I saw that deploying a production server on Fedora was a bad idea. 2.1.3 is the last version available on the CentOS repos. Is that one reasonable to use? Are there any gotchas that I should know about like disabling selinux? Is 2.1.3 usable while waiting for 2.1.4 to hit the CentOS repos? RHEL (and therefore CentOS) versioning can be misleading because it tends to not move much over time despite patches being added. ipa 2.1.3-9 is more or less equivalent to FreeIPA 2.1.4 (a number of features are disabled, perhaps a patch or two not backported). The advisory is to pick up the CSRF fix which can be found in both versions. Deploying in production in Fedora can be fine you just have to accept that the window of support for any given release is relatively short (~13 months). > *** AD synchronization is under active development, but I'm wanting to work with Open Directory. The last references I've seen to it on the user list was with 1.x. I've seen the opaque objects in the OD schema, realize the OD schema is rather fluid and understand that maintaining an integration like that may not be productive for such a small audience. 
On the other hand, are there configurations with limited replication or referrals that might provide basic interoperability? I haven't been too successful with getting Apache Directory Studio connected to FreeIPA so I can browse around, but does anyone have some insights they could share on this? Anyone have FreeIPA working at any level with OpenDirectory that they could share insights about? 389-ds is our LDAP server so we generally support what it can do. AFAIK it does not do replication with OD. What is it you want to replicate, what direction, etc? I've never used the Apache studio but others have reported success. It is probably just a matter of getting your basedn right (e.g. dc=example,dc=com) and perhaps providing a bind user (cn=Directory Manager). Are you getting specific error messages, that might help troubleshoot things. regards rob From djuran at redhat.com Wed Feb 15 07:39:17 2012 From: djuran at redhat.com (David Juran) Date: Wed, 15 Feb 2012 08:39:17 +0100 Subject: [Freeipa-users] syncing users more not limited to a subtree In-Reply-To: <4F3AE51E.6010704@redhat.com> References: <1328871707.3458.103.camel@localhost.localdomain> <4F3537B4.3030205@redhat.com> <1329229089.3280.45.camel@localhost.localdomain> <4F3AE51E.6010704@redhat.com> Message-ID: <1329291557.3280.88.camel@localhost.localdomain> On tis, 2012-02-14 at 17:50 -0500, Rob Crittenden wrote: > >>> > >> I don't think so, but can you provide some examples? > > > > If I understand the customers use-case correctly (and this is quite a > > disclaimer) they have _most_ of their users in one sub-tree in AD but > > also some users spread out all over the AD. > > So I gather that I really should sync the entire AD. Or that I > > _possibly_ could specify multiple sub-trees to sync, but still only on a > > subtree level and not individual users to sync. Or that I really should > > wait for the trust-to-AD feature to be ready... Is that correct? 
> > How would they identify which users they would want sync'd? Is this > something we'd be able to build a filter on (not that we actually > provide a configurable filter right now)? I'll check that, but won't all of this become moot once we can trust an AD domain? If this filtering would become a show-stopper I'll get back to you, but if schedule permits, I'd rather wait for the trust feature rather than develop a new feature for this. -- David Juran Sr. Consultant Red Hat +46-725-345801
From dpal at redhat.com Wed Feb 15 08:20:20 2012 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 15 Feb 2012 03:20:20 -0500 Subject: [Freeipa-users] syncing users more not limited to a subtree In-Reply-To: <1329291557.3280.88.camel@localhost.localdomain> References: <1328871707.3458.103.camel@localhost.localdomain> <4F3537B4.3030205@redhat.com> <1329229089.3280.45.camel@localhost.localdomain> <4F3AE51E.6010704@redhat.com> <1329291557.3280.88.camel@localhost.localdomain> Message-ID: <4F3B6AC4.3010704@redhat.com> On 02/15/2012 02:39 AM, David Juran wrote: > On tis, 2012-02-14 at 17:50 -0500, Rob Crittenden wrote: > >>>> I don't think so, but can you provide some examples? >>> If I understand the customer's use-case correctly (and this is quite a >>> disclaimer) they have _most_ of their users in one sub-tree in AD but >>> also some users spread out all over the AD. >>> So I gather that I really should sync the entire AD. Or that I >>> _possibly_ could specify multiple sub-trees to sync, but still only on a >>> subtree level and not individual users to sync. Or that I really should >>> wait for the trust-to-AD feature to be ready... Is that correct? >> How would they identify which users they would want sync'd?
Is this >> something we'd be able to build a filter on (not that we actually >> provide a configurable filter right now)? > I'll check that, but won't all of this become moot once we can trust an > AD domain? > If this filtering would become a show-stopper I'll get back to you, but > if schedule permits, I'd rather wait for the trust feature rather than > develop a new feature for this. > If you are seriously considering trust solution - great. The only advice I want to give is to think about how the final solution based on trusts would look like. Then look at what you have and try to develop procedures that would bring you from where you are to where you want to be. There might be some "aha" moments there as trust solution would work with latest SSSD and IPA but the older versions of Fedora/RHEL or other platforms would not be able to participate so you need to think how to deal with that scenario. Also if you come across some problems and/or ideas please do not hesitate to share. Maybe there is something we can do to make the migration smoother but we need to understand the issues first. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
URL: From marco.pizzoli at gmail.com Wed Feb 15 17:42:03 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Wed, 15 Feb 2012 18:42:03 +0100 Subject: [Freeipa-users] Problem in ipa-server-install -> uninstall -> install In-Reply-To: <4F3AB539.1030503@redhat.com> References: <4F3A6EA8.4030700@redhat.com> <4F3AB539.1030503@redhat.com> Message-ID: On Tue, Feb 14, 2012 at 8:25 PM, Rob Crittenden wrote: > Marco Pizzoli wrote: > >> >> >> On Tue, Feb 14, 2012 at 3:24 PM, Rob Crittenden > > wrote: >> >> Marco Pizzoli wrote: >> >> Hi guys, >> I'm running freeipa-server-2.1.4-5.fc16.__**x86_64. >> >> >> Following the documentation I can see that to uninstall and >> reinstall a >> freeipa system it is sufficient to: >> >> > ipa-server-install >> > ipa-server-install --uninstall >> > ipa-server-install >> >> Well, when re-installing the system, I get this error on the >> console: >> [cut] >> done configuring named. >> Configuration of client side components failed! >> ipa-client-install returned: Command '/usr/sbin/ipa-client-install >> --on-master --unattended --domain unix.mydomain.it >> >> --server freeipa01.unix.mydomain.it >> >> > >> >> >> >> >> --realm UNIX.MYDOMAIN.IT >> >> --hostname freeipa01.unix.mydomain.it >> >> > >> >> >> >>' >> returned non-zero exit >> status 1 >> >> >> I had a look to /var/log/ipaclient-install.log and I saw these >> lines >> >> [cut] >> 2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt >> http://freeipa01.unix.__mydoma**in.it/ipa/config/ca.crt >> >> >> > >> 2012-02-14 09:53:39,435 DEBUG stdout= >> 2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39-- >> http://freeipa01.unix.__mydoma**in.it/ipa/config/ca.crt >> >> >> > >> Resolving freeipa01.unix.mydomain.it... 192.168.146.131 >> Connecting to freeipa01.unix.mydomain.it >> >> > >> >> >> >>|192.168.146.131|**:__80... >> >> connected. >> >> HTTP request sent, awaiting response... 
200 OK >> Length: 1325 (1.3K) [application/x-x509-ca-cert] >> Saving to: “/etc/ipa/ca.crt” >> >> >> 0K . >> 100% 270M=0s >> >> 2012-02-14 09:53:39 (270 MB/s) - >> “/etc/ipa/ca.crt” >> >> saved [1325/1325] >> >> >> 2012-02-14 09:53:39,436 DEBUG Backing up system configuration file >> '/etc/sssd/sssd.conf' >> 2012-02-14 09:53:39,463 DEBUG Saving Index File to >> '/var/lib/ipa-client/sysrestore/sysrestore.index' >> >> 2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it >> >> is already configured in existing SSSD >> config, >> >> creating a new one. >> 2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d >> /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt >> 2012-02-14 09:53:39,643 DEBUG stdout= >> 2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain >> certificate from file: You are attempting to import a cert with >> the same >> issuer/serial as an existing cert, but that is not the same cert. >> >> >> So I tried a new "ipa-server-install --uninstall" and checked >> the file >> /etc/ipa/ca.crt. And it remained there. >> What is the problem? >> >> >> The problem isn't the existence of the file, it is the existence of >> the cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d >> /etc/pki/nsdb >> >> >> [root at freeipa01 ~]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb/ >> certutil: could not find certificate named "IPA CA": security library: >> bad database. >> > > Well that's strange. Can you run: certutil -L -d /etc/pki/nssdb ? > More strange... I re-did a freeipa-install and it worked... Thanks anyway
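The certutil failure in the thread above (an "IPA CA" entry left in /etc/pki/nssdb by the previous install, with the same issuer/serial as the newly downloaded /etc/ipa/ca.crt but different bytes) can be caught before ipa-client-install runs. The following pre-flight check is an added example, not FreeIPA project code: it parses `certutil -L` output, compares the stored CA with the new ca.crt by SHA-256 fingerprint of the DER, and names the cleanup Rob suggested. The function names, the sample listing and the constructed PEM bodies are assumptions made for the example.

```python
"""Pre-flight check before re-running ipa-client-install on a re-installed
master.  Added example, not FreeIPA project code.

Models the failure from the thread: `certutil -A` refuses to import
/etc/ipa/ca.crt when /etc/pki/nssdb already holds a different cert with
the same issuer/serial under the nickname "IPA CA".  The check parses
`certutil -L -d /etc/pki/nssdb`, exports the stored cert with
`certutil -L -n 'IPA CA' -a` and compares it with the new ca.crt.
"""
import base64
import hashlib
import re
import subprocess
from typing import Dict, List, Optional

NSSDB = "/etc/pki/nssdb"
NICK = "IPA CA"


def parse_certutil_list(listing: str) -> Dict[str, str]:
    """Map nickname -> trust flags from `certutil -L` output.

    certutil prints a two-line header, a blank line, then one cert per
    line with the trust flags (e.g. CT,C,C) right-aligned at the end."""
    certs: Dict[str, str] = {}
    for line in listing.splitlines():
        m = re.match(r"^(.*\S)\s{2,}([pPcCTuw,]*)$", line)
        if m:  # header lines never match: their last column is prose
            certs[m.group(1)] = m.group(2)
    return certs


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the body to DER."""
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes: identical certs give identical digests."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def plan_reinstall(listing: str, stored_pem: Optional[str],
                   new_pem: str, nick: str = NICK) -> str:
    """Decide how ipa-client-install's `certutil -A` would behave."""
    if nick not in parse_certutil_list(listing):
        return "import"              # no old entry, the import succeeds
    if stored_pem is not None and fingerprint(stored_pem) == fingerprint(new_pem):
        return "already-present"     # same cert, re-import is harmless
    return "delete-then-import"      # stale CA from the old install: the
                                     # issuer/serial conflict in the log


def delete_cmd(nick: str = NICK, nssdb: str = NSSDB) -> List[str]:
    """The cleanup suggested in the thread, as an argv list (no shell quoting)."""
    return ["certutil", "-D", "-n", nick, "-d", nssdb]


def _certutil(args: List[str]) -> str:
    """Run the real certutil; only used by main(), never by the sample run."""
    return subprocess.run(["certutil", *args], check=True,
                          capture_output=True, text=True).stdout


# --- constructed sample data (not real certificates) -----------------------
def _fake_pem(payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


OLD_CA_PEM = _fake_pem(b"constructed: CA from the previous install")
NEW_CA_PEM = _fake_pem(b"constructed: CA downloaded by the new install")
SAMPLE_LISTING = (
    "Certificate Nickname                                         Trust Attributes\n"
    "                                                             SSL,S/MIME,JAR/XPI\n"
    "\n"
    "IPA CA                                                       CT,C,C\n"
)


def main() -> None:
    """Live check against the local NSS DB and /etc/ipa/ca.crt."""
    listing = _certutil(["-L", "-d", NSSDB])
    stored = None
    if NICK in parse_certutil_list(listing):
        stored = _certutil(["-L", "-d", NSSDB, "-n", NICK, "-a"])
    with open("/etc/ipa/ca.crt") as f:
        new = f.read()
    action = plan_reinstall(listing, stored, new)
    print(action)
    if action == "delete-then-import":
        print("run:", " ".join(delete_cmd()))


if __name__ == "__main__":
    main()
```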
From sigbjorn at nixtra.com Wed Feb 15 19:49:11 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 15 Feb 2012 20:49:11 +0100 Subject: [Freeipa-users] Solaris kerberos - fail Message-ID: <4F3C0C37.1040008@nixtra.com> Hi, I see that the documentation for configuring kerberos on Solaris has changed since the last time I looked. http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10 kclient fails if I pre-create the account in IPA, and attempt to kclient configure the client. If I don't, it successfully retrieves a keytab for the host, but I'm unable to add the host as a host in IPA as the kerberos principal is already used. I suppose there is an LDAP ACL preventing me from doing this? Can I work around this somehow, having the host account in IPA and using kclient to configure Solaris hosts at the same time? I have edited /var/kerberos/krb5kdc/kadm5.acl : ------------------------------------------------------------------------------------------ */admin at IX.TEST.COM * ------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------ # kclient Starting client setup --------------------------------------------------- Do you want to use DNS for kerberos lookups ? [y/n]: n No action performed. Enter the Kerberos realm: IX.TEST.COM Specify the KDC hostname for the above realm: ipa01.ix.test.com ipa01.ix.test.com Note, this system and the KDC's time must be within 5 minutes of each other for Kerberos to function. Both systems should run some form of time synchronization system like Network Time Protocol (NTP). Setting up /etc/krb5/krb5.conf. Enter the krb5 administrative principal to be used: soladmin Obtaining TGT for soladmin/admin ...
Password for soladmin/admin at IX.TEST.COM: Do you have multiple DNS domains spanning the Kerberos realm IX.NIXTRA.COM ? [y/n]: n No action performed. Do you plan on doing Kerberized nfs ? [y/n]: n No action performed. host/server2.ix.nixtra.com entry already exists in KDC database. Authenticating as principal soladmin/admin at IX.NIXTRA.COM with existing credentials. kadmin: Insufficient access to perform requested operation while changing host/server2.ix.nixtra.com's key Administration credentials NOT DESTROYED. kadmin: ktadd of host/server2.ix.test.com failed, exiting. --------------------------------------------------- Setup FAILED. ------------------------------------------------------------------------------------------ From /var/log/kadmind.log: ------------------------------------------------------------------------------------------ Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_init, soladmin/admin at IX.TEST.COM, success, client=soladmin/admin at IX.TEST.COM, service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238, vers=2, flavor=6 Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.ix.test.com at IX.TEST.COM, User modification failed: Insufficient access, client=soladmin/admin at IX.TEST.COM, service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238 ------------------------------------------------------------------------------------------ From rcritten at redhat.com Wed Feb 15 20:06:09 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 15 Feb 2012 15:06:09 -0500 Subject: [Freeipa-users] Solaris kerberos - fail In-Reply-To: <4F3C0C37.1040008@nixtra.com> References: <4F3C0C37.1040008@nixtra.com> Message-ID: <4F3C1031.10708@redhat.com> Sigbjorn Lie wrote: > Hi, > > I see that the documentation for configuring kerberos on Solaris has > changed since the last time I looked. 
> > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10 > > > kclient fails if I pre-create the account in IPA, and attempt to kclient > configure the client. If I don't, it successfully retreives a keytab for > the host, but I'm unable to add the host as a host in IPA as the > kerberos principal is already used. > > I suppose there is a LDAP ACL preventing me from doing this? > > Can I work around this somehow, having the host account in IPA and using > kclient to configure Solaris hosts at the same time? > > > > > I have edited /var/kerberos/krb5kdc/kadm5.acl : > ------------------------------------------------------------------------------------------ > > */admin at IX.TEST.COM * > ------------------------------------------------------------------------------------------ > > > > > ------------------------------------------------------------------------------------------ > > # kclient > > Starting client setup > > --------------------------------------------------- > Do you want to use DNS for kerberos lookups ? [y/n]: n > No action performed. > Enter the Kerberos realm: IX.TEST.COM > Specify the KDC hostname for the above realm: ipa01.ix.test.com > ipa01.ix.test.com > > Note, this system and the KDC's time must be within 5 minutes of each > other for Kerberos to function. Both systems should run some form of > time synchronization system like Network Time Protocol (NTP). > > Setting up /etc/krb5/krb5.conf. > > Enter the krb5 administrative principal to be used: soladmin > Obtaining TGT for soladmin/admin ... > Password for soladmin/admin at IX.TEST.COM: > > Do you have multiple DNS domains spanning the Kerberos realm > IX.NIXTRA.COM ? [y/n]: n > No action performed. > > Do you plan on doing Kerberized nfs ? [y/n]: n > No action performed. > > host/server2.ix.nixtra.com entry already exists in KDC database. 
> Authenticating as principal soladmin/admin at IX.NIXTRA.COM with existing > credentials. > kadmin: Insufficient access to perform requested operation while > changing host/server2.ix.nixtra.com's key > > Administration credentials NOT DESTROYED. > > kadmin: ktadd of host/server2.ix.test.com failed, exiting. > --------------------------------------------------- > Setup FAILED. > ------------------------------------------------------------------------------------------ > > > > From /var/log/kadmind.log: > ------------------------------------------------------------------------------------------ > > Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: > kadm5_init, soladmin/admin at IX.TEST.COM, success, > client=soladmin/admin at IX.TEST.COM, > service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238, > vers=2, flavor=6 > Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: > kadm5_randkey_principal, host/server2.ix.test.com at IX.TEST.COM, User > modification failed: Insufficient access, > client=soladmin/admin at IX.TEST.COM, > service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238 These have been the Solaris directions for quite a long time. What version of freeIPA does this work against? You might try adding soladmin to the Host Administrators role and see if it works then. If it does you'll probably want to create a new role with more limited permissions. I would imagine that a host added this way would not appear as an IPA-managed host (though adding the host first and using this to just add the key should be ok). 
rob From sigbjorn at nixtra.com Wed Feb 15 20:23:48 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 15 Feb 2012 21:23:48 +0100 Subject: [Freeipa-users] Solaris kerberos - fail In-Reply-To: <4F3C1031.10708@redhat.com> References: <4F3C0C37.1040008@nixtra.com> <4F3C1031.10708@redhat.com> Message-ID: <4F3C1454.1000105@nixtra.com> On 02/15/2012 09:06 PM, Rob Crittenden wrote: > Sigbjorn Lie wrote: >> Hi, >> >> I see that the documentation for configuring kerberos on Solaris has >> changed since the last time I looked. >> >> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10 >> >> >> >> kclient fails if I pre-create the account in IPA, and attempt to kclient >> configure the client. If I don't, it successfully retreives a keytab for >> the host, but I'm unable to add the host as a host in IPA as the >> kerberos principal is already used. >> >> I suppose there is a LDAP ACL preventing me from doing this? >> >> Can I work around this somehow, having the host account in IPA and using >> kclient to configure Solaris hosts at the same time? >> >> >> >> >> I have edited /var/kerberos/krb5kdc/kadm5.acl : >> ------------------------------------------------------------------------------------------ >> >> >> */admin at IX.TEST.COM * >> ------------------------------------------------------------------------------------------ >> >> >> >> >> >> ------------------------------------------------------------------------------------------ >> >> >> # kclient >> >> Starting client setup >> >> --------------------------------------------------- >> Do you want to use DNS for kerberos lookups ? [y/n]: n >> No action performed. 
>> Enter the Kerberos realm: IX.TEST.COM
>> Specify the KDC hostname for the above realm: ipa01.ix.test.com
>> ipa01.ix.test.com
>>
>> Note, this system and the KDC's time must be within 5 minutes of each
>> other for Kerberos to function. Both systems should run some form of
>> time synchronization system like Network Time Protocol (NTP).
>>
>> Setting up /etc/krb5/krb5.conf.
>>
>> Enter the krb5 administrative principal to be used: soladmin
>> Obtaining TGT for soladmin/admin ...
>> Password for soladmin/admin at IX.TEST.COM:
>>
>> Do you have multiple DNS domains spanning the Kerberos realm
>> IX.NIXTRA.COM ? [y/n]: n
>> No action performed.
>>
>> Do you plan on doing Kerberized nfs ? [y/n]: n
>> No action performed.
>>
>> host/server2.ix.nixtra.com entry already exists in KDC database.
>> Authenticating as principal soladmin/admin at IX.NIXTRA.COM with existing
>> credentials.
>> kadmin: Insufficient access to perform requested operation while
>> changing host/server2.ix.nixtra.com's key
>>
>> Administration credentials NOT DESTROYED.
>>
>> kadmin: ktadd of host/server2.ix.test.com failed, exiting.
>> ---------------------------------------------------
>> Setup FAILED.
>> ------------------------------------------------------------------------------------------
>>
>> From /var/log/kadmind.log:
>> ------------------------------------------------------------------------------------------
>>
>> Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request:
>> kadm5_init, soladmin/admin at IX.TEST.COM, success,
>> client=soladmin/admin at IX.TEST.COM,
>> service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238,
>> vers=2, flavor=6
>> Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request:
>> kadm5_randkey_principal, host/server2.ix.test.com at IX.TEST.COM, User
>> modification failed: Insufficient access,
>> client=soladmin/admin at IX.TEST.COM,
>> service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238
>
> These have been the Solaris directions for quite a long time.
>
> What version of freeIPA does this work against?
>
> You might try adding soladmin to the Host Administrators role and see
> if it works then. If it does you'll probably want to create a new role
> with more limited permissions.
>
> I would imagine that a host added this way would not appear as an
> IPA-managed host (though adding the host first and using this to just
> add the key should be ok).
>
> rob

The version is: freeipa-server-2.1.3-2.fc15.x86_64

The kclient script only accepts a parameter "-a adminuser", which it translates into "adminuser/admin". How can I add this to an IPA role?

If I attempt to work around that by using kadmin directly instead of the wrapper kclient script on the Solaris host, and specifying the IPA default "admin" account, the same message occurs:

# kadmin -p admin -q "ktadd -k /etc/krb5/krb5.keytab host/server2.ix.test.com at IX.TEST.COM"
Authenticating as principal admin with password.
Password for admin at IX.TEST.COM:
kadmin: Insufficient access to perform requested operation while changing host/server2.ix.test.com at IX.TEST.COM's key

/var/kerberos/krb5kdc/kadm5.acl:
admin at IX.TEST.COM *

/var/log/kadmind.log:
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_init, admin at IX.TEST.COM, success, client=admin at IX.TEST.COM, service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238, vers=2, flavor=6
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.ix.test.com at IX.TEST.COM, User modification failed: Insufficient access, client=admin at IX.TEST.COM, service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238

Rgds,
Siggi

From simo at redhat.com Wed Feb 15 20:32:42 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 15 Feb 2012 15:32:42 -0500
Subject: [Freeipa-users] Solaris kerberos - fail
In-Reply-To: <4F3C0C37.1040008@nixtra.com>
References: <4F3C0C37.1040008@nixtra.com>
Message-ID: <1329337962.2859.100.camel@willson.li.ssimo.org>

On Wed, 2012-02-15 at 20:49 +0100, Sigbjorn Lie wrote:
> Hi,
>
> I see that the documentation for configuring kerberos on Solaris has
> changed since the last time I looked.
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>
> kclient fails if I pre-create the account in IPA, and attempt to kclient
> configure the client. If I don't, it successfully retrieves a keytab for
> the host, but I'm unable to add the host as a host in IPA as the
> kerberos principal is already used.
>
> I suppose there is an LDAP ACL preventing me from doing this?
>
> Can I work around this somehow, having the host account in IPA and using
> kclient to configure Solaris hosts at the same time?
Sigbjorn,
running kadmind in FreeIPA < 2.2 is completely unsupported and there are ACLs that explicitly prevent it from changing data in LDAP.

I will investigate about those instructions and correct them as necessary, they appear incorrect.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Feb 15 20:34:29 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Feb 2012 15:34:29 -0500
Subject: [Freeipa-users] Solaris kerberos - fail
In-Reply-To: <4F3C1454.1000105@nixtra.com>
References: <4F3C0C37.1040008@nixtra.com> <4F3C1031.10708@redhat.com> <4F3C1454.1000105@nixtra.com>
Message-ID: <4F3C16D5.2050207@redhat.com>

Sigbjorn Lie wrote:
> On 02/15/2012 09:06 PM, Rob Crittenden wrote:
>> You might try adding soladmin to the Host Administrators role and see
>> if it works then. If it does you'll probably want to create a new role
>> with more limited permissions.
>>
>> I would imagine that a host added this way would not appear as an
>> IPA-managed host (though adding the host first and using this to just
>> add the key should be ok).
>>
>> rob
> The version is: freeipa-server-2.1.3-2.fc15.x86_64
>
> The kclient script only accepts a parameter "-a adminuser", which it
> translates into "adminuser/admin". How can I add this to an IPA role?
>
> If I attempt to work around that by using kadmin directly instead of the
> wrapper kclient script on the Solaris host, and specifying the IPA
> default "admin" account, the same message occurs:
>
>
> # kadmin -p admin -q "ktadd -k /etc/krb5/krb5.keytab
> host/server2.ix.test.com at IX.TEST.COM"
> Authenticating as principal admin with password.
> Password for admin at IX.TEST.COM:
> kadmin: Insufficient access to perform requested operation while
> changing host/server2.ix.test.com at IX.TEST.COM's key
>
> /var/kerberos/krb5kdc/kadm5.acl:
> admin at IX.TEST.COM *
>
> /var/log/kadmind.log:
> Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request:
> kadm5_init, admin at IX.TEST.COM, success, client=admin at IX.TEST.COM,
> service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238,
> vers=2, flavor=6
> Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request:
> kadm5_randkey_principal, host/server2.ix.test.com at IX.TEST.COM, User
> modification failed: Insufficient access, client=admin at IX.TEST.COM,
> service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238

To be honest, the whole section about kclient, kadmin, etc is new to me as well. I don't know when that was added. We'll investigate that, sorry about the confusion.

These problems are likely related to the fact that kadmin assumes a different DIT than IPA. We don't recommend kadmin be used.

We recommend using ipa-getkeytab on a Linux box and retrieving the keytab that way. Yes, this is less than convenient.

On Solaris 10 you may have a fighting chance of building ipa-getkeytab natively. I seem to recall a bunch of optional packages to add various LDAP and compiler parts you'd need but it is less than ideal. I had absolutely no luck on Solaris 9 without having to compile everything myself.
rob

From sigbjorn at nixtra.com Wed Feb 15 21:53:30 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 15 Feb 2012 22:53:30 +0100
Subject: [Freeipa-users] Solaris kerberos - fail
In-Reply-To: <4F3C16D5.2050207@redhat.com>
References: <4F3C0C37.1040008@nixtra.com> <4F3C1031.10708@redhat.com> <4F3C1454.1000105@nixtra.com> <4F3C16D5.2050207@redhat.com>
Message-ID: <4F3C295A.20103@nixtra.com>

On 02/15/2012 09:34 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On 02/15/2012 09:06 PM, Rob Crittenden wrote:
>>> You might try adding soladmin to the Host Administrators role and see
>>> if it works then. If it does you'll probably want to create a new role
>>> with more limited permissions.
>>>
>>> I would imagine that a host added this way would not appear as an
>>> IPA-managed host (though adding the host first and using this to just
>>> add the key should be ok).
>>>
>>> rob
>> The version is: freeipa-server-2.1.3-2.fc15.x86_64
>>
>> The kclient script only accepts a parameter "-a adminuser", which it
>> translates into "adminuser/admin". How can I add this to an IPA role?
>>
>> If I attempt to work around that by using kadmin directly instead of the
>> wrapper kclient script on the Solaris host, and specifying the IPA
>> default "admin" account, the same message occurs:
>>
>>
>> # kadmin -p admin -q "ktadd -k /etc/krb5/krb5.keytab
>> host/server2.ix.test.com at IX.TEST.COM"
>> Authenticating as principal admin with password.
>> Password for admin at IX.TEST.COM:
>> kadmin: Insufficient access to perform requested operation while
>> changing host/server2.ix.test.com at IX.TEST.COM's key
>>
>> /var/kerberos/krb5kdc/kadm5.acl:
>> admin at IX.TEST.COM *
>>
>> /var/log/kadmind.log:
>> Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request:
>> kadm5_init, admin at IX.TEST.COM, success, client=admin at IX.TEST.COM,
>> service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238,
>> vers=2, flavor=6
>> Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request:
>> kadm5_randkey_principal, host/server2.ix.test.com at IX.TEST.COM, User
>> modification failed: Insufficient access, client=admin at IX.TEST.COM,
>> service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238
>
> To be honest, the whole section about kclient, kadmin, etc is new to
> me as well. I don't know when that was added. We'll investigate that,
> sorry about the confusion.
>
Ok, so it's not just me that was new for. :)

> These problems are likely related to the fact that kadmin assumes a
> different DIT than IPA. We don't recommend kadmin be used.
>
Yes, I was a bit surprised when I noticed this in the documentation given other postings on the list where use of kadmin and kadmin.local is advised to be not supported.

> We recommend using ipa-getkeytab on a Linux box and retrieving the
> keytab that way. Yes, this is less than convenient.
>
This was my original plan, retrieving all the keytabs for Solaris hosts on one of the IPA servers, and then distribute them to the Solaris hosts using CFengine.

> On Solaris 10 you may have a fighting chance of building ipa-getkeytab
> natively. I seem to recall a bunch of optional packages to add various
> LDAP and compiler parts you'd need but it is less than ideal. I had
> absolutely no luck on Solaris 9 without having to compile everything
> myself.

I remember I did give that a go a while back. Gave up pretty quickly though.
I think I will stick with my original plan of distributing keytabs for Solaris using CFengine. :)

Thanks.

Regards,
Siggi

From sigbjorn at nixtra.com Wed Feb 15 21:55:04 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 15 Feb 2012 22:55:04 +0100
Subject: [Freeipa-users] Solaris kerberos - fail
In-Reply-To: <1329337962.2859.100.camel@willson.li.ssimo.org>
References: <4F3C0C37.1040008@nixtra.com> <1329337962.2859.100.camel@willson.li.ssimo.org>
Message-ID: <4F3C29B8.6040100@nixtra.com>

On 02/15/2012 09:32 PM, Simo Sorce wrote:
> On Wed, 2012-02-15 at 20:49 +0100, Sigbjorn Lie wrote:
>> Hi,
>>
>> I see that the documentation for configuring kerberos on Solaris has
>> changed since the last time I looked.
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>>
>> kclient fails if I pre-create the account in IPA, and attempt to kclient
>> configure the client. If I don't, it successfully retrieves a keytab for
>> the host, but I'm unable to add the host as a host in IPA as the
>> kerberos principal is already used.
>>
>> I suppose there is an LDAP ACL preventing me from doing this?
>>
>> Can I work around this somehow, having the host account in IPA and using
>> kclient to configure Solaris hosts at the same time?
>
> Sigbjorn,
> running kadmind in FreeIPA < 2.2 is completely unsupported and there are
> ACLs that explicitly prevent it from changing data in LDAP.
>
> I will investigate about those instructions and correct them as
> necessary, they appear incorrect.

Yes, I was a bit surprised when I noticed this in the documentation given other postings on the list where use of kadmin and kadmin.local is advised to be not supported.

Does something change in 2.2 and upwards to support the use of kadmin ?
Regards,
Siggi

From simo at redhat.com Wed Feb 15 22:51:03 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 15 Feb 2012 17:51:03 -0500
Subject: [Freeipa-users] Solaris kerberos - fail
In-Reply-To: <4F3C29B8.6040100@nixtra.com>
References: <4F3C0C37.1040008@nixtra.com> <1329337962.2859.100.camel@willson.li.ssimo.org> <4F3C29B8.6040100@nixtra.com>
Message-ID: <1329346263.2859.105.camel@willson.li.ssimo.org>

On Wed, 2012-02-15 at 22:55 +0100, Sigbjorn Lie wrote:
> On 02/15/2012 09:32 PM, Simo Sorce wrote:
> > On Wed, 2012-02-15 at 20:49 +0100, Sigbjorn Lie wrote:
> >> Hi,
> >>
> >> I see that the documentation for configuring kerberos on Solaris has
> >> changed since the last time I looked.
> >>
> >> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
> >>
> >> kclient fails if I pre-create the account in IPA, and attempt to kclient
> >> configure the client. If I don't, it successfully retrieves a keytab for
> >> the host, but I'm unable to add the host as a host in IPA as the
> >> kerberos principal is already used.
> >>
> >> I suppose there is an LDAP ACL preventing me from doing this?
> >>
> >> Can I work around this somehow, having the host account in IPA and using
> >> kclient to configure Solaris hosts at the same time?
> >
> > Sigbjorn,
> > running kadmind in FreeIPA < 2.2 is completely unsupported and there are
> > ACLs that explicitly prevent it from changing data in LDAP.
> >
> > I will investigate about those instructions and correct them as
> > necessary, they appear incorrect.
>
> Yes, I was a bit surprised when I noticed this in the documentation
> given other postings on the list where use of kadmin and kadmin.local is
> advised to be not supported.
>
> Does something change in 2.2 and upwards to support the use of kadmin ?

Yes and no.
In 2.2 we have our own kdb backend and we decided to retire ipa_kpasswd and use kadmind instead.
But I still prevent kadmin from doing a lot of operations, because kadmind has no clue how to properly create an ipa computer object or an ipa user.

In time we may teach kadmin how to properly handle some of the principals, but for now I am simply preventing it from messing up the tree by creating bare principals in the wrong place, with the wrong (or missing) data attached to it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Wed Feb 15 23:07:15 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 16 Feb 2012 00:07:15 +0100
Subject: [Freeipa-users] Solaris kerberos - fail
In-Reply-To: <1329346263.2859.105.camel@willson.li.ssimo.org>
References: <4F3C0C37.1040008@nixtra.com> <1329337962.2859.100.camel@willson.li.ssimo.org> <4F3C29B8.6040100@nixtra.com> <1329346263.2859.105.camel@willson.li.ssimo.org>
Message-ID: <4F3C3AA3.1060903@nixtra.com>

On 02/15/2012 11:51 PM, Simo Sorce wrote:
> On Wed, 2012-02-15 at 22:55 +0100, Sigbjorn Lie wrote:
>> On 02/15/2012 09:32 PM, Simo Sorce wrote:
>>> On Wed, 2012-02-15 at 20:49 +0100, Sigbjorn Lie wrote:
>>>> Hi,
>>>>
>>>> I see that the documentation for configuring kerberos on Solaris has
>>>> changed since the last time I looked.
>>>>
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>>>>
>>>> kclient fails if I pre-create the account in IPA, and attempt to kclient
>>>> configure the client. If I don't, it successfully retrieves a keytab for
>>>> the host, but I'm unable to add the host as a host in IPA as the
>>>> kerberos principal is already used.
>>>>
>>>> I suppose there is an LDAP ACL preventing me from doing this?
>>>>
>>>> Can I work around this somehow, having the host account in IPA and using
>>>> kclient to configure Solaris hosts at the same time?
>>> Sigbjorn,
>>> running kadmind in FreeIPA < 2.2 is completely unsupported and there are
>>> ACLs that explicitly prevent it from changing data in LDAP.
>>>
>>> I will investigate about those instructions and correct them as
>>> necessary, they appear incorrect.
>> Yes, I was a bit surprised when I noticed this in the documentation
>> given other postings on the list where use of kadmin and kadmin.local is
>> advised to be not supported.
>>
>> Does something change in 2.2 and upwards to support the use of kadmin ?
> Yes and no.
>
> In 2.2 we have our own kdb backend and we decided to retire ipa_kpasswd
> and use kadmind instead.
> But I still prevent kadmin from doing a lot of operations, because
> kadmind has no clue how to properly create an ipa computer object or an
> ipa user.
>
> In time we may teach kadmin how to properly handle some of the
> principals, but for now I am simply preventing it from messing up the
> tree by creating bare principals in the wrong place, with the wrong (or
> missing) data attached to it.

Would it be possible to allow it to retrieve a keytab for already existing accounts?

Regards,
Siggi

From Steven.Jones at vuw.ac.nz Wed Feb 15 23:11:28 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 15 Feb 2012 23:11:28 +0000
Subject: [Freeipa-users] IPA documentation comment
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CBB15DD@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Sort of minor but I find the following a bit inconsistent, I am looking at section 9.3.1, item no 3

I think it should say,

3. Generate the nfs service keytab, there are two methods,
i) On the NFS server, with this command "etc etc"
ii) On a different machine do a)....b)...c)...d)

for your b) You say "Copy over to the NFS host machine" where earlier you said NFS server, you repeat this in d) for consistency it should be "server" it certainly slows my understanding down when I see such things being mixed up....
I also see under 6.5.1 point 6 that there is an ipa-getkeytab command but as per NFS is that run on the server that is providing the service? or on the IPA server, I find it unclear.......thinking about it it's on the target server offering the service I think you are saying, but by then I've lost my train of thought....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Wed Feb 15 23:27:13 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 15 Feb 2012 23:27:13 +0000
Subject: [Freeipa-users] IPA documentation comment - failure in setting up a NFS server
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CBB15F6@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I am trying to setup NFS, I am getting this failure, also the document says nothing about having to do a kinit to get a valid Credential cache, so that needs to be added...

============
[root at vuwuniconfsipa3 etc]# ipa-getkeytab -s vuwuniconfsipa3.unix.vuw.ac.nz -p nfs/vuwuniconfsipa3.unix.vuw.ac.nz -k /etc/krb5.keytab
Kerberos User Principal not found. Do you have a valid Credential Cache?
[root at vuwuniconfsipa3 etc]# kinit admin
Password for admin at UNIX.VUW.AC.NZ:
[root at vuwuniconfsipa3 etc]# ipa-getkeytab -s vuwuniconfsipa3.unix.vuw.ac.nz -p nfs/vuwuniconfsipa3.unix.vuw.ac.nz -k /etc/krb5.keytab
SASL Bind failed!
[root at vuwuniconfsipa3 etc]#
============

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 16 February 2012 12:11 p.m.
Cc: freeipa-users at redhat.com
Subject: [Freeipa-users] IPA documentation comment

Hi,

Sort of minor but I find the following a bit inconsistent, I am looking at section 9.3.1, item no 3

I think it should say,

3. Generate the nfs service keytab, there are two methods,
i) On the NFS server, with this command "etc etc"
ii) On a different machine do a)....b)...c)...d)

for your b) You say "Copy over to the NFS host machine" where earlier you said NFS server, you repeat this in d) for consistency it should be "server" it certainly slows my understanding down when I see such things being mixed up....

I also see under 6.5.1 point 6 that there is an ipa-getkeytab command but as per NFS is that run on the server that is providing the service? or on the IPA server, I find it unclear.......thinking about it it's on the target server offering the service I think you are saying, but by then I've lost my train of thought....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From rmeggins at redhat.com Thu Feb 16 00:22:59 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 15 Feb 2012 17:22:59 -0700
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <53332B17-8BEB-49B4-A248-6D95D22B1C93@crystal.harvard.edu>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu> <4F3441B1.3010103@redhat.com> <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu> <4F345E5D.7040404@redhat.com> <1328883331.5829.128.camel@willson.li.ssimo.org> <011DBA78-6550-4C89-A2F2-B5D718C637F4@crystal.harvard.edu> <4F3563C0.6060702@redhat.com> <53332B17-8BEB-49B4-A248-6D95D22B1C93@crystal.harvard.edu>
Message-ID: <4F3C4C63.50000@redhat.com>

On 02/10/2012 01:00 PM, Ian Levesque wrote:
> On Feb 10, 2012, at 1:36 PM, Rich Megginson wrote:
>
>>>>> This may be related to https://fedorahosted.org/389/ticket/273 and
>>>>> https://fedorahosted.org/389/ticket/274 which have been fixed in
>>>>> 1.2.10
>>>> In this case Ian please open a bugzilla, it looks like we need to
>>>> address this in RHEL6.
>>> I'll confess that I don't fully understand what tombstone is... Regardless, I'm not sure that either of those tickets apply to the issue at hand. As I understand it, Ticket 273 outlines an issue with searching for tombstone entries after successfully setting up a replica (which as far as I'm hearing, we haven't done). And ticket 274 concerns indexing the tombstone entries. I am able to search for tombstone entries (http://pastebin.com/raw.php?i=a4ytYZvt) and don't see the errors specified in ticket 274.
>> in 1.2.9.9 the ruv tombstone entry was indexed correctly, so that's why you see it.
>>
>> For ticket 274, you would only see those errors if you actually attempt to reindex the entryrdn index.
>>
>>> That said, perhaps there's some bug with tombstone re: the automountmap entries in my LDAP instance. Do you think that would be sufficient to cause the replication issues I'm seeing?
>> It could be. Taken together, both of those tickets resolve problems with tombstone indexes. At any rate, I would like to know if you can reproduce your issues with 1.2.10.rc1
>>
>> To confirm, the first step would be to examine your entryrdn index to see what the problematic entries look like e.g.
>>
>> dbscan -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4 | grep -C 2 automountmapname=auto.direct
> Here's the output from the primary:
>
> 139:cn=global_policy
> ID: 139; RDN: "cn=global_policy"; NRDN: "cn=global_policy"
> 13:nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
> ID: 13; RDN: "nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct"; NRDN: "nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct"
> 141:krbprincipalname=ldap/sbgrid-directory.in.hwlab at sbgrid.org
> ID: 141; RDN: "krbprincipalname=ldap/sbgrid-directory.in.hwlab at SBGRID.ORG"; NRDN: "krbprincipalname=ldap/sbgrid-directory.in.hwlab at sbgrid.org"
> --
> 450:nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master
> ID: 450; RDN: "nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master"; NRDN: "nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master"
> 451:nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
> ID: 451; RDN: "nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct"; NRDN: "nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct"
> 452:nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- auto.direct
> ID: 452; RDN: "nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- auto.direct"; NRDN: "nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- auto.direct"
> --
> 466:automountmapname=auto.master
> ID: 466; RDN: "automountmapname=auto.master"; NRDN: "automountmapname=auto.master"
> 467:automountmapname=auto.direct
> ID: 467; RDN: "automountmapname=auto.direct"; NRDN: "automountmapname=auto.direct"
> 468:description=/- auto.direct
> ID: 468; RDN: "description=/- auto.direct"; NRDN: "description=/- auto.direct"
> --
> ID: 12; RDN: "nsuniqueid=3c37a106-eadf11e0-b9798103-f403dc04,automountmapname=auto.master"; NRDN: "nsuniqueid=3c37a106-eadf11e0-b9798103-f403dc04,automountmapname=auto.master"
> C11:cn=default
> ID: 13; RDN: "nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct"; NRDN: "nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct"
> C11:cn=default
> ID: 261; RDN: "nsuniqueid=ee37db01-ee0511e0-b8f78103-f403dc04,automountMapName=auto_master"; NRDN: "nsuniqueid=ee37db01-ee0511e0-b8f78103-f403dc04,automountmapname=auto_master"
> --
> ID: 450; RDN: "nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master"; NRDN: "nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master"
> C449:cn=test
> ID: 451; RDN: "nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct"; NRDN: "nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct"
> C449:cn=test
> ID: 456; RDN: "nsuniqueid=7bdfdb01-371311e1-80c28103-f403dc04,automountmapname=auto_nfs"; NRDN: "nsuniqueid=7bdfdb01-371311e1-80c28103-f403dc04,automountmapname=auto_nfs"
> --
> ID: 464; RDN: "nsuniqueid=bdbd5105-371411e1-80c28103-f403dc04,description=home"; NRDN: "nsuniqueid=bdbd5105-371411e1-80c28103-f403dc04,description=home"
> C465:cn=default
> ID: 467; RDN: "automountmapname=auto.direct"; NRDN: "automountmapname=auto.direct"
> C465:cn=default
> ID: 466; RDN: "automountmapname=auto.master"; NRDN: "automountmapname=auto.master"
> --
> P139:cn=global_policy
> ID: 132; RDN: "cn=SBGRID.ORG"; NRDN: "cn=sbgrid.org"
> P13:nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
> ID: 11; RDN: "cn=default"; NRDN: "cn=default"
> P141:krbprincipalname=ldap/sbgrid-directory.in.hwlab at sbgrid.org
> --
> P450:nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master
> ID: 449; RDN: "cn=test"; NRDN: "cn=test"
> P451:nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
> ID: 449; RDN: "cn=test"; NRDN: "cn=test"
> P452:nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- auto.direct
> --
> P466:automountmapname=auto.master
> ID: 465; RDN: "cn=default"; NRDN: "cn=default"
> P467:automountmapname=auto.direct
> ID: 465; RDN: "cn=default"; NRDN: "cn=default"
> P468:description=/- auto.direct
>
> The secondary replica doesn't have the same entries:
>
> 253:automountmapname=auto.master
> ID: 253; RDN: "automountmapname=auto.master"; NRDN: "automountmapname=auto.master"
> 254:automountmapname=auto.direct
> ID: 254; RDN: "automountmapname=auto.direct"; NRDN: "automountmapname=auto.direct"
> 255:description=/- auto.direct
> ID: 255; RDN: "description=/- auto.direct"; NRDN: "description=/- auto.direct"
> --
> ID: 25; RDN: "cn=posix-ids"; NRDN: "cn=posix-ids"
> C252:cn=default
> ID: 254; RDN: "automountmapname=auto.direct"; NRDN: "automountmapname=auto.direct"
> C252:cn=default
> ID: 253; RDN: "automountmapname=auto.master"; NRDN: "automountmapname=auto.master"
> --
> P253:automountmapname=auto.master
> ID: 252; RDN: "cn=default"; NRDN: "cn=default"
> P254:automountmapname=auto.direct
> ID: 252; RDN: "cn=default"; NRDN: "cn=default"
> P255:description=/- auto.direct

Sorry for not getting back to you sooner. I can't say for sure, but it does look like you are running into some of the tombstone issues we have fixed in 1.2.10.1-1 (now in updates-testing)

In addition, if you are getting this:
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica - err 20
https://fedorahosted.org/389/ticket/282
You may have deleted and re-added replicas - in that case, you may want to follow the cleanruv procedure here - http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
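The dbscan records quoted above follow a small, regular format, and the comparison Rich is asking Ian to make (which tombstones exist on one replica and not the other) can be done mechanically. The following is an added example, not code from the thread, from 389-ds or from FreeIPA: a parser for the entryrdn dump (self, `C` and `P` records), which tags tombstones by their `nsuniqueid=` prefix, checks that the `C` and `P` records of an entry agree on its parent, and compares tombstone counts between two replicas. The two sample dumps are excerpts of the primary and secondary output quoted above; because that output came from `grep -C 2`, some key lines appear without their value line and vice versa, and the parser has to tolerate both.

```python
"""Parse a dbscan dump of the 389-ds entryrdn index and compare two replicas.

Added example for the thread above, not code from 389-ds or FreeIPA.
The sample dumps are excerpts of the dbscan output quoted in the thread.
"""
import re
from dataclasses import dataclass, field

# dbscan prints a key line followed by its value line:
#   <id>:<nrdn>    self record   - the value is the entry itself
#   C<id>:<nrdn>   child record  - the value is one child of entry <id>
#   P<id>:<nrdn>   parent record - the value is the parent of entry <id>
# "--" lines are context separators from grep -C, not part of the dump.
KEY_RE = re.compile(r'^(?P<kind>[CP]?)(?P<id>\d+):(?P<nrdn>.*)$')
VAL_RE = re.compile(r'^ID: (?P<id>\d+); RDN: "(?P<rdn>[^"]*)"; NRDN: "(?P<nrdn>[^"]*)"$')


@dataclass
class Entry:
    id: int
    rdn: str
    nrdn: str

    @property
    def is_tombstone(self) -> bool:
        # 389-ds keeps a deleted entry as a tombstone whose RDN becomes
        # nsuniqueid=<uuid>,<original rdn>
        return self.nrdn.startswith("nsuniqueid=")

    @property
    def logical_nrdn(self) -> str:
        # the original RDN, so a live entry and its tombstones compare equal
        return self.nrdn.split(",", 1)[1] if self.is_tombstone else self.nrdn


@dataclass
class Index:
    entries: dict = field(default_factory=dict)  # entry id -> Entry
    parents: dict = field(default_factory=dict)  # child id -> parent ids claimed by C/P records

    def conflicts(self) -> list:
        """Children whose C and P records name different parents."""
        return sorted(c for c, ps in self.parents.items() if len(ps) > 1)

    def tombstone_counts(self) -> dict:
        """Logical RDN -> number of tombstones still carrying it."""
        counts = {}
        for e in self.entries.values():
            if e.is_tombstone:
                counts[e.logical_nrdn] = counts.get(e.logical_nrdn, 0) + 1
        return counts


def _entry(v) -> Entry:
    return Entry(int(v["id"]), v["rdn"], v["nrdn"])


def parse_entryrdn(dump: str) -> Index:
    idx = Index()
    lines = [l.strip() for l in dump.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        if lines[i] == "--":                          # grep context boundary
            i += 1
            continue
        k = KEY_RE.match(lines[i])
        v = VAL_RE.match(lines[i + 1]) if k and i + 1 < len(lines) else None
        if k and v:
            e = _entry(v)
            idx.entries.setdefault(e.id, e)
            key_id = int(k["id"])
            if k["kind"] == "" and key_id != e.id:
                raise ValueError(f"self record {lines[i]!r} holds entry {e.id}")
            if k["kind"] == "C":                      # value is a child of key_id
                idx.parents.setdefault(e.id, set()).add(key_id)
            elif k["kind"] == "P":                    # value is the parent of key_id
                idx.parents.setdefault(key_id, set()).add(e.id)
            i += 2
        elif k:                                       # value line cut off by grep's window
            i += 1
        elif VAL_RE.match(lines[i]):                  # key line cut off by grep's window
            e = _entry(VAL_RE.match(lines[i]))
            idx.entries.setdefault(e.id, e)
            i += 1
        else:
            raise ValueError(f"unparsable line: {lines[i]!r}")
    return idx


def tombstone_diff(a: Index, b: Index) -> dict:
    """Logical RDNs whose tombstone count differs between two replicas."""
    ca, cb = a.tombstone_counts(), b.tombstone_counts()
    return {r: (ca.get(r, 0), cb.get(r, 0))
            for r in ca.keys() | cb.keys() if ca.get(r, 0) != cb.get(r, 0)}


# Excerpts of the two dumps quoted in the thread (primary, then secondary).
PRIMARY_DUMP = """
13:nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
ID: 13; RDN: "nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct"; NRDN: "nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct"
--
467:automountmapname=auto.direct
ID: 467; RDN: "automountmapname=auto.direct"; NRDN: "automountmapname=auto.direct"
--
ID: 12; RDN: "nsuniqueid=3c37a106-eadf11e0-b9798103-f403dc04,automountmapname=auto.master"; NRDN: "nsuniqueid=3c37a106-eadf11e0-b9798103-f403dc04,automountmapname=auto.master"
C449:cn=test
ID: 451; RDN: "nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct"; NRDN: "nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct"
C465:cn=default
ID: 467; RDN: "automountmapname=auto.direct"; NRDN: "automountmapname=auto.direct"
--
P13:nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
ID: 11; RDN: "cn=default"; NRDN: "cn=default"
P451:nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
ID: 449; RDN: "cn=test"; NRDN: "cn=test"
P467:automountmapname=auto.direct
ID: 465; RDN: "cn=default"; NRDN: "cn=default"
"""

SECONDARY_DUMP = """
254:automountmapname=auto.direct
ID: 254; RDN: "automountmapname=auto.direct"; NRDN: "automountmapname=auto.direct"
--
C252:cn=default
ID: 254; RDN: "automountmapname=auto.direct"; NRDN: "automountmapname=auto.direct"
--
P254:automountmapname=auto.direct
ID: 252; RDN: "cn=default"; NRDN: "cn=default"
P255:description=/- auto.direct
"""

if __name__ == "__main__":
    primary, secondary = parse_entryrdn(PRIMARY_DUMP), parse_entryrdn(SECONDARY_DUMP)
    print("parent conflicts:", primary.conflicts(), secondary.conflicts())
    print("tombstone differences (primary, secondary):", tombstone_diff(primary, secondary))
```

On the excerpt, the primary carries two tombstones for `automountmapname=auto.direct` and one for `auto.master` that the secondary lacks, which is the asymmetry Ian describes; neither side shows a parent conflict. Run against full dumps (without `grep`) the parent check becomes meaningful, since every child then has both its `C` and `P` record.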
From freeipa at noboost.org Thu Feb 16 01:27:54 2012
From: freeipa at noboost.org (Craig T)
Date: Thu, 16 Feb 2012 12:27:54 +1100
Subject: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)
In-Reply-To: <4F3AD82B.9050806@redhat.com>
References: <20120212233923.GA12242@noboost.org> <1329225786.5829.195.camel@willson.li.ssimo.org> <4F3AD82B.9050806@redhat.com>
Message-ID: <20120216012754.GA24768@noboost.org>

On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> >On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
> >>Hi,
> >>
> >>Server:
> >>RHEL6.2
> >>
> >>Spec:
> >>ipa-admintools-2.1.3-9.el6.x86_64
> >>ipa-client-2.1.3-9.el6.x86_64
> >>ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>ipa-python-2.1.3-9.el6.x86_64
> >>ipa-server-2.1.3-9.el6.x86_64
> >>ipa-server-selinux-2.1.3-9.el6.x86_64
> >>libipa_hbac-1.5.1-66.el6_2.3.x86_64
> >>libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
> >>python-iniparse-0.3.1-2.1.el6.noarch
> >>
> >>Error:
> >>I had this working on Friday night, came in Monday and then this error appeared?
> >>
> >>kinit -V craig
> >>Using default cache: /tmp/krb5cc_0
> >>Using principal: craig at EXAMPLE.COM
> >>kinit: Generic error (see e-text) while getting initial credentials
> >>
> >>Server Side Error: (File: /var/log/krb5kdc.log)
> >>Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: craig at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
> >>
> >>Usual Questions:
> >>Should I simply reset the password?
> >
> >It seems like the only option to quickly recover access to your user.
> >
> >>Is it a bug?
> >
> >It may be. Did you do anything special with this user ? Did this happen
> >immediately after a password change ? Or immediately after a FreeIPA or
> >krb5kdc upgrade ?
> >Can you give a little more context around this ?

Issue Solved!

I worked out that my LDAP Browser was changing the attributes of the "krbPrincipalKey" entry just by simply clicking on the attribute entry!! Not a good idea.

Have a look at the before and after;

BEFORE:
krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
 ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
 /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
 5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
 drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
 E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
 GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
 qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=

AFTER:
krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=
---

> >
> >Also could you ldapsearch this user entry before you change your
> >password using 'cn=Directory Manager' as user in order to retrieve the
> >key attribute and send the ldif to me in private ? I want to see if the
> >key blob at least looks normal (do not worry about your password, the
> >key material is itself encrypted).
>
> It might also be handy to see who last updated this entry before you
> reset the password (if it isn't too late): modifyTimestamp
> lastModifiedBy
>
> >
> >>Anyone else seen this error?
> >
> >Haven't seen any report, and it hasn't ever occurred in my testing.
> >
> >Simo,
> >
>

From topping at codehaus.org Thu Feb 16 02:58:01 2012
From: topping at codehaus.org (Brian Topping)
Date: Wed, 15 Feb 2012 21:58:01 -0500
Subject: [Freeipa-users] FreeIPA deployment questions (Open Directory)
In-Reply-To: <4F3B3FBC.3000601@redhat.com>
References: <4F3B3FBC.3000601@redhat.com>
Message-ID:

Hi Rob, thanks for your responses!
On Feb 15, 2012, at 12:16 AM, Rob Crittenden wrote:

> 389-ds is our LDAP server so we generally support what it can do. AFAIK it does not do replication with OD. What is it you want to replicate, what direction, etc?

It seems like users and groups are going to need to be synchronized, but I don't really know. OD has 'apple-user' and 'apple-group' schemas which have zero mandatory attributes. FreeIPA has ipaObject which has the ipaUniqueid mandatory attribute. This is the first time I'm trying these things with LDAP, but it seems that if an object is created on FreeIPA, could it be replicated to OD? apple-user and apple-group have no mandatory attributes, and once it is replicated to OD, an admin could run Workgroup Manager and use the "migrate from legacy" tool on the object to create the OD attributes.

So I guess that means I am replicating from FreeIPA to OD, but once changes are made on OD, can I replicate back with the additional attributes that are added? If not, changes that are made on FreeIPA would seem to overwrite the new attributes added in OD. Or is there a common way to do this?

Is this a reasonable approach or am I overcomplicating things?

> I've never used the Apache studio but others have reported success. It is probably just a matter of getting your basedn right (e.g. dc=example,dc=com) and perhaps providing a bind user (cn=Directory Manager). Are you getting specific error messages, that might help troubleshoot things.

Ok, for others who may follow, here's what worked for me on connecting with Apache DS:

1. Note that the Directory Manager dn is literally "cn=Directory Manager", not "cn=Directory Manager, dc=example, dc=com".
2. If SSL is desired, be sure to remember to use port 636 instead of 389.

This is probably covered in the docs, but alas. :-)

Cheers, Brian

p.s. Rob, sorry I responded to you directly before, I didn't notice that this list uses "reply-to" of the sender and not the list.
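The BEFORE/AFTER krbPrincipalKey values posted in the "kinit: Generic error (see e-text)" thread above can be checked mechanically. The following is an added example, not code from FreeIPA, 389-ds or any poster: it parses the outer DER header the KDC expects, counts UTF-8 replacement-character sequences (the U+FFFD a text-oriented client writes for each undecodable byte), and shows that reading the original blob as a NUL-terminated UTF-8 string with lossy decoding reproduces the AFTER value byte for byte. That NUL/UTF-8 model of the browser's behaviour is an assumption inferred from the two values.

```python
"""Diagnose a krbPrincipalKey value that a text-oriented LDAP client rewrote.

Added example for the 'kinit: Generic error' thread; BEFORE_B64 and AFTER_B64
are the values posted there (LDIF continuation lines joined).
"""
import base64

BEFORE_B64 = (
    "MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK"
    "ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ"
    "/SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p"
    "5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI"
    "drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK"
    "E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s"
    "GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX"
    "qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE="
)
AFTER_B64 = "MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE="

# UTF-8 encoding of U+FFFD: what a text editor writes for an undecodable byte.
U_FFFD = "\ufffd".encode("utf-8")  # b'\xef\xbf\xbd'


def der_outer_length(raw: bytes):
    """Read the outer DER tag and length. Returns (tag, declared_len,
    header_len), or None when the length field cannot be read at all."""
    if len(raw) < 2:
        return None
    tag, first = raw[0], raw[1]
    if first < 0x80:                 # short form: the byte is the length
        return tag, first, 2
    n = first & 0x7F                 # long form: n more length bytes follow
    if n == 0 or len(raw) < 2 + n:
        return None
    return tag, int.from_bytes(raw[2:2 + n], "big"), 2 + n


def inspect_key_blob(b64: str) -> dict:
    """Sanity-check a base64 krbPrincipalKey value: the KDC expects a DER
    SEQUENCE (tag 0x30) whose declared length exactly fills the blob, and
    raw key data never contains the U+FFFD byte pattern by design."""
    raw = base64.b64decode("".join(b64.split()))
    hdr = der_outer_length(raw)
    report = {
        "size": len(raw),
        "is_sequence": bool(raw) and raw[0] == 0x30,
        "header_ok": hdr is not None,
        "length_matches": False,
        "replacement_chars": raw.count(U_FFFD),
    }
    if hdr is not None:
        _tag, declared, header_len = hdr
        report["length_matches"] = header_len + declared == len(raw)
    report["intact"] = (report["is_sequence"] and report["header_ok"]
                        and report["length_matches"]
                        and report["replacement_chars"] == 0)
    return report


def text_roundtrip(raw: bytes) -> bytes:
    """Assumed model of a text-oriented client handling binary data: stop at
    the first NUL (C string), decode as UTF-8 replacing invalid bytes with
    U+FFFD, then re-encode. This is a hypothesis, not confirmed behaviour."""
    head = raw.split(b"\x00", 1)[0]
    return head.decode("utf-8", errors="replace").encode("utf-8")


def corruption_reproduced() -> bool:
    """True if the model above turns BEFORE into exactly the posted AFTER."""
    before = base64.b64decode(BEFORE_B64)
    return text_roundtrip(before) == base64.b64decode(AFTER_B64)


if __name__ == "__main__":
    for label, value in (("BEFORE", BEFORE_B64), ("AFTER", AFTER_B64)):
        print(label, inspect_key_blob(value))
    print("text round-trip reproduces AFTER:", corruption_reproduced())
```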
From simo at redhat.com Thu Feb 16 04:36:43 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 15 Feb 2012 23:36:43 -0500
Subject: [Freeipa-users] Solaris kerberos - fail
In-Reply-To: <4F3C3AA3.1060903@nixtra.com>
References: <4F3C0C37.1040008@nixtra.com> <1329337962.2859.100.camel@willson.li.ssimo.org> <4F3C29B8.6040100@nixtra.com> <1329346263.2859.105.camel@willson.li.ssimo.org> <4F3C3AA3.1060903@nixtra.com>
Message-ID: <1329367003.2859.108.camel@willson.li.ssimo.org>

On Thu, 2012-02-16 at 00:07 +0100, Sigbjorn Lie wrote:
> On 02/15/2012 11:51 PM, Simo Sorce wrote:
> > On Wed, 2012-02-15 at 22:55 +0100, Sigbjorn Lie wrote:
> >> On 02/15/2012 09:32 PM, Simo Sorce wrote:
> >>> On Wed, 2012-02-15 at 20:49 +0100, Sigbjorn Lie wrote:
> >>>> Hi,
> >>>>
> >>>> I see that the documentation for configuring kerberos on Solaris has
> >>>> changed since the last time I looked.
> >>>>
> >>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
> >>>>
> >>>> kclient fails if I pre-create the account in IPA, and attempt to kclient
> >>>> configure the client. If I don't, it successfully retrieves a keytab for
> >>>> the host, but I'm unable to add the host as a host in IPA as the
> >>>> kerberos principal is already used.
> >>>>
> >>>> I suppose there is a LDAP ACL preventing me from doing this?
> >>>>
> >>>> Can I work around this somehow, having the host account in IPA and using
> >>>> kclient to configure Solaris hosts at the same time?
> >>> Sigbjorn,
> >>> running kadmind in FreeIPA < 2.2 is completely unsupported and there are
> >>> ACLs that explicitly prevent it from changing data in LDAP.
> >>>
> >>> I will investigate about those instructions and correct them as
> >>> necessary, they appear incorrect.
> >> Yes, I was a bit surprised when I noticed this in the documentation
> >> given other postings on the list where use of kadmin and kadmin.local is
> >> advised to be not supported.
> >>
> >> Does something change in 2.2 and upwards to support the use of kadmin ?
> > Yes and no.
> >
> > In 2.2 we have our own kdb backend and we decided to retire ipa_kpasswd
> > and use kadmind instead.
> > But I still prevent kadmin from doing a lot of operations, because
> > kadmind has no clue how to properly create an ipa computer object or an
> > ipa user.
> >
> > In time we may teach kadmin how to properly handle some of the
> > principals, but for now I am simply preventing it from messing up the
> > tree by creating bare principals in the wrong place, with the wrong (or
> > missing) data attached to it.
>
> Would it be possible to allow it to retrieve a keytab for already
> existing accounts?

One of the issues with kadmin is that it has no way to pass authentication information to the backend. You could manually add ACLs, but then you'd have to manually synchronize them between servers.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu Feb 16 04:39:48 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Feb 2012 23:39:48 -0500
Subject: [Freeipa-users] IPA documentation comment
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CBB15DD@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CBB15DD@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4F3C8894.4010200@redhat.com>

Steven Jones wrote:
> Hi,
>
> Sort of minor but I find the following a bit inconsistent,
>
> I am looking at section 9.3.1, item no 3
>
> I think it should say,
>
> 3. Generate the nfs service keytab, there are two methods,
>
> i) On the NFS server, with this command "etc etc"
>
> ii) On a different machine do a)....b)...c)...d)

The distinction is really "whether the machine has ipa-getkeytab or not."
The NFS server could be a Solaris machine in which case you'd have to do all this elsewhere. I think this is trying to say "if your NFS server is a Linux machine you can directly update /etc/krb5.keytab with these keys and be done with it." Perhaps a little more language about this distinction would help.

>
> for your b) You say "Copy over to the NFS host machine" where earlier you said NFS server, you repeat this in d) for consistency it should be "server". It certainly slows my understanding down when I see such things being mixed up....

Yup, I agree.

>
> I also see under 6.5.1 point 6 that there is an ipa-getkeytab command but as per NFS is that run on the server that is providing the service? or on the IPA server, I find it unclear.......thinking about it it's on the target server offering the service I think you are saying, but by then I've lost my train of thought....

ipa-getkeytab can be run anywhere for any service. It is just more convenient to run it on the target machine because then you don't have to move around keytabs (and do the nasty work in 9.3.1.3 d).

Thanks for the feedback, I opened a doc bug, https://bugzilla.redhat.com/show_bug.cgi?id=791077

Feel free to add more details if I've missed something.
rob

From simo at redhat.com Thu Feb 16 05:13:29 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 16 Feb 2012 00:13:29 -0500
Subject: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)
In-Reply-To: <20120216012754.GA24768@noboost.org>
References: <20120212233923.GA12242@noboost.org> <1329225786.5829.195.camel@willson.li.ssimo.org> <4F3AD82B.9050806@redhat.com> <20120216012754.GA24768@noboost.org>
Message-ID: <1329369209.2859.109.camel@willson.li.ssimo.org>

On Thu, 2012-02-16 at 12:27 +1100, Craig T wrote:
> On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > >On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
> > >>Hi,
> > >>
> > >>Server:
> > >>RHEL6.2
> > >>
> > >>
> > >>Spec:
> > >>ipa-admintools-2.1.3-9.el6.x86_64
> > >>ipa-client-2.1.3-9.el6.x86_64
> > >>ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > >>ipa-pki-common-theme-9.0.3-7.el6.noarch
> > >>ipa-python-2.1.3-9.el6.x86_64
> > >>ipa-server-2.1.3-9.el6.x86_64
> > >>ipa-server-selinux-2.1.3-9.el6.x86_64
> > >>libipa_hbac-1.5.1-66.el6_2.3.x86_64
> > >>libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
> > >>python-iniparse-0.3.1-2.1.el6.noarch
> > >>
> > >>
> > >>Error:
> > >>I had this working on Friday night, came in Monday and then this error appeared?
> > >>
> > >>kinit -V craig
> > >>Using default cache: /tmp/krb5cc_0
> > >>Using principal: craig at EXAMPLE.COM
> > >>kinit: Generic error (see e-text) while getting initial credentials
> > >>
> > >>Server Side Error: (File: /var/log/krb5kdc.log)
> > >>Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: craig at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
> > >>
> > >>
> > >>Usual Questions:
> > >>Should I simply reset the password?
> > >
> > >It seems like the only option to quickly recover access to your user.
> > >
> > >>Is it a bug?
> > >
> > >It may be. Did you do anything special with this user ? Did this happen
> > >immediately after a password change ? Or immediately after a FreeIPA or
> > >krb5kdc upgrade ?
> > >Can you give a little more context around this ?
> Issue Solved!
> I worked out that my LDAP Browser was changing the attributes of the "krbPrincipalKey" entry just by simply clicking on the attribute entry!! Not a good idea.
>
> Have a look at the before and after;
> BEFORE:
> krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
> ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
> /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
> 5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
> drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
> E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
> GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
> qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=
>
> AFTER:
> krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=
> ---

Thanks a lot for getting back to us with the cause.
Glad it wasn't our fault :-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From topping at codehaus.org Thu Feb 16 05:34:02 2012
From: topping at codehaus.org (Brian Topping)
Date: Thu, 16 Feb 2012 00:34:02 -0500
Subject: [Freeipa-users] BIND Views?
Message-ID:

Hi all,

Are configuration and management of BIND views under consideration for any future releases? I tested that wrapping the dynamic-db element provided by bind-sdb could be wrapped by a "view 'test'" scope and it works fine, so it seems that it could be hacked together by just creating different views pointing to different parts of the DIT.

But presumably, the UI would not be able to edit these different views.
I searched the archives and the web for any references to using views on FreeIPA and didn't come up with anything, have others requested this functionality?

Thanks, Brian

From simo at redhat.com Thu Feb 16 06:14:49 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 16 Feb 2012 01:14:49 -0500
Subject: [Freeipa-users] BIND Views?
In-Reply-To:
References:
Message-ID: <1329372889.2859.132.camel@willson.li.ssimo.org>

On Thu, 2012-02-16 at 00:34 -0500, Brian Topping wrote:
> Hi all,
>
> Are configuration and management of BIND views under consideration
> for any future releases? I tested that wrapping the dynamic-db
> element provided by bind-sdb could be wrapped by a "view 'test'" scope
> and it works fine, so it seems that it could be hacked together by
> just creating different views pointing to different parts of the
> DIT.
>
> But presumably, the UI would not be able to edit these different
> views.

It probably wouldn't, it may actually get quite confused if it finds multiple zones with the same name.

> I searched the archives and the web for any references to using views
> on FreeIPA and didn't come up with anything, have others requested
> this functionality?

We haven't planned on adding this functionality at this stage. But it is something we may want to look at in the future.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From vlamsdoem at gmail.com Thu Feb 16 12:34:48 2012
From: vlamsdoem at gmail.com (Vincent Zakofski)
Date: Thu, 16 Feb 2012 13:34:48 +0100
Subject: [Freeipa-users] custom LDAP schemas
Message-ID:

Hi all,

I'm very interested by migrating my openLDAP servers to freeIPA, the only problem is that I have some custom LDAP schemas in my present configuration.

Is there a way to add some custom LDAP schemas to ipa-server? If it's possible, where can I find some documentation about adding those custom schemas.

Thanks for your help

From danieljamesscott at gmail.com Thu Feb 16 15:26:35 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 16 Feb 2012 10:26:35 -0500
Subject: [Freeipa-users] Latest FreeIPA update causing problems
Message-ID:

Hi,

I have recently upgraded one of my FreeIPA servers (Fedora 16) with the latest package versions:

Feb 15 14:10:19 Updated: libselinux-2.1.6-6.fc16.x86_64
Feb 15 14:10:20 Updated: krb5-libs-1.9.2-6.fc16.x86_64
Feb 15 14:10:21 Updated: systemd-37-13.fc16.x86_64
Feb 15 14:10:22 Updated: systemd-units-37-13.fc16.x86_64
Feb 15 14:10:22 Updated: device-mapper-libs-1.02.65-6.fc16.x86_64
Feb 15 14:10:22 Updated: device-mapper-1.02.65-6.fc16.x86_64
Feb 15 14:10:23 Updated: rpm-4.9.1.2-5.fc16.x86_64
Feb 15 14:10:24 Updated: rpm-libs-4.9.1.2-5.fc16.x86_64
Feb 15 14:10:24 Updated: device-mapper-event-libs-1.02.65-6.fc16.x86_64
Feb 15 14:10:26 Updated: freeipa-python-2.1.4-5.fc16.x86_64
Feb 15 14:10:26 Updated: systemd-sysv-37-13.fc16.x86_64
Feb 15 14:10:27 Updated: krb5-server-1.9.2-6.fc16.x86_64
Feb 15 14:10:27 Updated: krb5-server-ldap-1.9.2-6.fc16.x86_64
Feb 15 14:10:27 Updated: device-mapper-event-1.02.65-6.fc16.x86_64
Feb 15 14:10:28 Updated: lvm2-libs-2.02.86-6.fc16.x86_64
Feb 15 14:10:28 Updated: rpm-build-libs-4.9.1.2-5.fc16.x86_64
Feb 15 14:10:28 Updated: mod_auth_kerb-5.4-8.fc16.x86_64
Feb 15 14:10:28 Updated: 389-ds-base-libs-1.2.10-0.10.rc1.fc16.x86_64
Feb 15 14:10:30 Updated: 389-ds-base-1.2.10-0.10.rc1.fc16.x86_64
Feb 15 14:10:31 Updated: krb5-pkinit-openssl-1.9.2-6.fc16.x86_64
Feb 15 14:10:31 Updated: krb5-workstation-1.9.2-6.fc16.x86_64
Feb 15 14:10:31 Updated: freeipa-client-2.1.4-5.fc16.x86_64
Feb 15 14:10:31 Updated: freeipa-admintools-2.1.4-5.fc16.x86_64
Feb 15 14:11:47 Updated: freeipa-server-2.1.4-5.fc16.x86_64
Feb 15 14:15:19 Updated: freeipa-server-selinux-2.1.4-5.fc16.x86_64
Feb 15 14:15:19 Updated: rpm-python-4.9.1.2-5.fc16.x86_64
Feb 15 14:15:20 Updated: lvm2-2.02.86-6.fc16.x86_64
Feb 15 14:15:20 Updated: libselinux-python-2.1.6-6.fc16.x86_64
Feb 15 14:15:20 Updated: libselinux-utils-2.1.6-6.fc16.x86_64
Feb 15 14:15:21 Updated: alsa-lib-1.0.25-1.fc16.x86_64
Feb 15 14:15:30 Installed: kernel-3.2.6-3.fc16.x86_64

I am having major problems with freeipa services (I replaced my real domain with example.com):

[root at fileserver3 ~]# ipactl status
Directory Service: STOPPED
Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused
[root at fileserver3 ~]# ipactl start
Starting Directory Service
Failed to read data from Directory Service: Failed to get list of services to probe status!
Configured hostname 'fileserver3.example.com' does not match any master server in LDAP:
No master found because of error: {'matched': 'dc=example,dc=com', 'desc': 'No such object'}
Shutting down
[root at fileserver3 ~]#

None of the IPA processes will start. The dirsrv error log shows:

[16/Feb/2012:10:20:23 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328 starting up
[16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=groups, cn=compat,dc=example,dc=com
[16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
[16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
[16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=users, cn=compat,dc=example,dc=com
[16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: Unable to locate shared configuration entry (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com)
[16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: Invalid config entry [cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped
[16/Feb/2012:10:20:23 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[16/Feb/2012:10:20:23 -0500] - Listening on All Interfaces port 636 for LDAPS requests
[16/Feb/2012:10:20:23 -0500] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[16/Feb/2012:10:20:23 -0500] - slapd shutting down - signaling operation threads
[16/Feb/2012:10:20:23 -0500] - slapd shutting down - closing down internal subsystems and plugins
[16/Feb/2012:10:20:24 -0500] - Waiting for 4 database threads to stop
[16/Feb/2012:10:20:24 -0500] - All database threads now stopped
[16/Feb/2012:10:20:24 -0500] - slapd stopped.

Can someone help?

Thanks,

Dan

From rmeggins at redhat.com Thu Feb 16 15:37:28 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 16 Feb 2012 08:37:28 -0700
Subject: [Freeipa-users] Latest FreeIPA update causing problems
In-Reply-To:
References:
Message-ID: <4F3D22B8.3080305@redhat.com>

On 02/16/2012 08:26 AM, Dan Scott wrote:
> Hi,
>
> I have recently upgraded one of my FreeIPA servers (Fedora 16) with
> the latest package versions:
>
> Feb 15 14:10:19 Updated: libselinux-2.1.6-6.fc16.x86_64
> Feb 15 14:10:20 Updated: krb5-libs-1.9.2-6.fc16.x86_64
> Feb 15 14:10:21 Updated: systemd-37-13.fc16.x86_64
> Feb 15 14:10:22 Updated: systemd-units-37-13.fc16.x86_64
> Feb 15 14:10:22 Updated: device-mapper-libs-1.02.65-6.fc16.x86_64
> Feb 15 14:10:22 Updated: device-mapper-1.02.65-6.fc16.x86_64
> Feb 15 14:10:23 Updated: rpm-4.9.1.2-5.fc16.x86_64
> Feb 15 14:10:24 Updated: rpm-libs-4.9.1.2-5.fc16.x86_64
> Feb 15 14:10:24 Updated: device-mapper-event-libs-1.02.65-6.fc16.x86_64
> Feb 15 14:10:26 Updated: freeipa-python-2.1.4-5.fc16.x86_64
> Feb 15 14:10:26 Updated: systemd-sysv-37-13.fc16.x86_64
> Feb 15 14:10:27 Updated: krb5-server-1.9.2-6.fc16.x86_64
> Feb 15 14:10:27 Updated: krb5-server-ldap-1.9.2-6.fc16.x86_64
> Feb 15 14:10:27 Updated: device-mapper-event-1.02.65-6.fc16.x86_64
> Feb 15 14:10:28 Updated: lvm2-libs-2.02.86-6.fc16.x86_64
> Feb 15 14:10:28 Updated: rpm-build-libs-4.9.1.2-5.fc16.x86_64
> Feb 15 14:10:28 Updated: mod_auth_kerb-5.4-8.fc16.x86_64
> Feb 15 14:10:28 Updated: 389-ds-base-libs-1.2.10-0.10.rc1.fc16.x86_64
> Feb 15 14:10:30 Updated: 389-ds-base-1.2.10-0.10.rc1.fc16.x86_64
> Feb 15 14:10:31 Updated: krb5-pkinit-openssl-1.9.2-6.fc16.x86_64
> Feb 15 14:10:31 Updated: krb5-workstation-1.9.2-6.fc16.x86_64
> Feb 15 14:10:31 Updated: freeipa-client-2.1.4-5.fc16.x86_64
> Feb 15 14:10:31 Updated: freeipa-admintools-2.1.4-5.fc16.x86_64
> Feb 15 14:11:47 Updated: freeipa-server-2.1.4-5.fc16.x86_64
> Feb 15 14:15:19 Updated: freeipa-server-selinux-2.1.4-5.fc16.x86_64
> Feb 15 14:15:19 Updated: rpm-python-4.9.1.2-5.fc16.x86_64
> Feb 15 14:15:20 Updated: lvm2-2.02.86-6.fc16.x86_64
> Feb 15 14:15:20 Updated: libselinux-python-2.1.6-6.fc16.x86_64
> Feb 15 14:15:20 Updated: libselinux-utils-2.1.6-6.fc16.x86_64
> Feb 15 14:15:21 Updated: alsa-lib-1.0.25-1.fc16.x86_64
> Feb 15 14:15:30 Installed: kernel-3.2.6-3.fc16.x86_64
>
> I am having major problems with freeipa services (I replaced my real
> domain with example.com):
>
> [root at fileserver3 ~]# ipactl status
> Directory Service: STOPPED
> Unknown error when retrieving list of services from LDAP: [Errno 111]
> Connection refused
> [root at fileserver3 ~]# ipactl start
> Starting Directory Service
> Failed to read data from Directory Service: Failed to get list of
> services to probe status!
> Configured hostname 'fileserver3.example.com' does not match any
> master server in LDAP:
> No master found because of error: {'matched': 'dc=example,dc=com',
> 'desc': 'No such object'}
> Shutting down
> [root at fileserver3 ~]#
>
> None of the IPA processes will start.
> The dirsrv error log shows:
>
> [16/Feb/2012:10:20:23 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328 starting up
> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=groups, cn=compat,dc=example,dc=com
> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=users, cn=compat,dc=example,dc=com
> [16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: Unable to locate shared configuration entry (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com)
> [16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: Invalid config entry [cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped
> [16/Feb/2012:10:20:23 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [16/Feb/2012:10:20:23 -0500] - Listening on All Interfaces port 636 for LDAPS requests
> [16/Feb/2012:10:20:23 -0500] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
> [16/Feb/2012:10:20:23 -0500] - slapd shutting down - signaling operation threads
> [16/Feb/2012:10:20:23 -0500] - slapd shutting down - closing down internal subsystems and plugins
> [16/Feb/2012:10:20:24 -0500] - Waiting for 4 database threads to stop
> [16/Feb/2012:10:20:24 -0500] - All database threads now stopped
> [16/Feb/2012:10:20:24 -0500] - slapd stopped.
>
> Can someone help?
start your directory server - systemctl start dirsrv.target

do a search for the dna entries:
ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=dna,cn=ipa,cn=etc,dc=example,dc=com"

and

ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=distributed numeric assignment plugin,cn=plugins,cn=config"

> Thanks,
>
> Dan
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From danieljamesscott at gmail.com Thu Feb 16 16:12:38 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 16 Feb 2012 11:12:38 -0500
Subject: [Freeipa-users] Latest FreeIPA update causing problems
In-Reply-To: <4F3D22B8.3080305@redhat.com>
References: <4F3D22B8.3080305@redhat.com>
Message-ID:

Hi,

On Thu, Feb 16, 2012 at 10:37, Rich Megginson wrote:
> On 02/16/2012 08:26 AM, Dan Scott wrote:
>>
>> Hi,
>>
>> I have recently upgraded one of my FreeIPA servers (Fedora 16) with
>> the latest package versions:
>>
>> Feb 15 14:10:19 Updated: libselinux-2.1.6-6.fc16.x86_64
>> Feb 15 14:10:20 Updated: krb5-libs-1.9.2-6.fc16.x86_64
>> Feb 15 14:10:21 Updated: systemd-37-13.fc16.x86_64
>> Feb 15 14:10:22 Updated: systemd-units-37-13.fc16.x86_64
>> Feb 15 14:10:22 Updated: device-mapper-libs-1.02.65-6.fc16.x86_64
>> Feb 15 14:10:22 Updated: device-mapper-1.02.65-6.fc16.x86_64
>> Feb 15 14:10:23 Updated: rpm-4.9.1.2-5.fc16.x86_64
>> Feb 15 14:10:24 Updated: rpm-libs-4.9.1.2-5.fc16.x86_64
>> Feb 15 14:10:24 Updated: device-mapper-event-libs-1.02.65-6.fc16.x86_64
>> Feb 15 14:10:26 Updated: freeipa-python-2.1.4-5.fc16.x86_64
>> Feb 15 14:10:26 Updated: systemd-sysv-37-13.fc16.x86_64
>> Feb 15 14:10:27 Updated: krb5-server-1.9.2-6.fc16.x86_64
>> Feb 15 14:10:27 Updated: krb5-server-ldap-1.9.2-6.fc16.x86_64
>> Feb 15 14:10:27 Updated: device-mapper-event-1.02.65-6.fc16.x86_64
>> Feb 15 14:10:28 Updated: lvm2-libs-2.02.86-6.fc16.x86_64
>> Feb 15 14:10:28 Updated: rpm-build-libs-4.9.1.2-5.fc16.x86_64
>> Feb 15 14:10:28 Updated: mod_auth_kerb-5.4-8.fc16.x86_64
>> Feb 15 14:10:28 Updated: 389-ds-base-libs-1.2.10-0.10.rc1.fc16.x86_64
>> Feb 15 14:10:30 Updated: 389-ds-base-1.2.10-0.10.rc1.fc16.x86_64
>> Feb 15 14:10:31 Updated: krb5-pkinit-openssl-1.9.2-6.fc16.x86_64
>> Feb 15 14:10:31 Updated: krb5-workstation-1.9.2-6.fc16.x86_64
>> Feb 15 14:10:31 Updated: freeipa-client-2.1.4-5.fc16.x86_64
>> Feb 15 14:10:31 Updated: freeipa-admintools-2.1.4-5.fc16.x86_64
>> Feb 15 14:11:47 Updated: freeipa-server-2.1.4-5.fc16.x86_64
>> Feb 15 14:15:19 Updated: freeipa-server-selinux-2.1.4-5.fc16.x86_64
>> Feb 15 14:15:19 Updated: rpm-python-4.9.1.2-5.fc16.x86_64
>> Feb 15 14:15:20 Updated: lvm2-2.02.86-6.fc16.x86_64
>> Feb 15 14:15:20 Updated: libselinux-python-2.1.6-6.fc16.x86_64
>> Feb 15 14:15:20 Updated: libselinux-utils-2.1.6-6.fc16.x86_64
>> Feb 15 14:15:21 Updated: alsa-lib-1.0.25-1.fc16.x86_64
>> Feb 15 14:15:30 Installed: kernel-3.2.6-3.fc16.x86_64
>>
>> I am having major problems with freeipa services (I replaced my real
>> domain with example.com):
>>
>> [root at fileserver3 ~]# ipactl status
>> Directory Service: STOPPED
>> Unknown error when retrieving list of services from LDAP: [Errno 111]
>> Connection refused
>> [root at fileserver3 ~]# ipactl start
>> Starting Directory Service
>> Failed to read data from Directory Service: Failed to get list of
>> services to probe status!
>> Configured hostname 'fileserver3.example.com' does not match any
>> master server in LDAP:
>> No master found because of error: {'matched': 'dc=example,dc=com',
>> 'desc': 'No such object'}
>> Shutting down
>> [root at fileserver3 ~]#
>>
>> None of the IPA processes will start.
>> The dirsrv error log shows:
>>
>> [16/Feb/2012:10:20:23 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328 starting up
>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=groups, cn=compat,dc=example,dc=com
>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=users, cn=compat,dc=example,dc=com
>> [16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: Unable to locate shared configuration entry (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com)
>> [16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: Invalid config entry [cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped
>> [16/Feb/2012:10:20:23 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [16/Feb/2012:10:20:23 -0500] - Listening on All Interfaces port 636 for LDAPS requests
>> [16/Feb/2012:10:20:23 -0500] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>> [16/Feb/2012:10:20:23 -0500] - slapd shutting down - signaling operation threads
>> [16/Feb/2012:10:20:23 -0500] - slapd shutting down - closing down internal subsystems and plugins
>> [16/Feb/2012:10:20:24 -0500] - Waiting for 4 database threads to stop
>> [16/Feb/2012:10:20:24 -0500] - All database threads now stopped
>> [16/Feb/2012:10:20:24 -0500] - slapd stopped.
>>
>> Can someone help?
>
> start your directory server - systemctl start dirsrv.target
> do a search for the dna entries:
> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b
> "cn=dna,cn=ipa,cn=etc,dc=example,dc=com"
>
> and
> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=distributed
> numeric assignment
> plugin,cn=plugins,cn=config"

Results:

[root at fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=dna,cn=ipa,cn=etc,dc=example,dc=com"
Enter LDAP Password:
No such object (32)
Matched DN: dc=example,dc=com

[root at fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=distributed numeric assignment plugin,cn=plugins,cn=config"
Enter LDAP Password:
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Posix IDs
dnatype: uidNumber
dnatype: gidNumber
dnanextvalue: 1101
dnamaxvalue: 1100
dnamagicregen: 999
dnafilter: (|(objectclass=posixAccount)(objectClass=posixGroup))
dnascope: dc=example,dc=com
dnathreshold: 500
dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com

It looks like all my data is missing.... do I need to re-initialize the replication?
Dan

From rmeggins at redhat.com Thu Feb 16 16:56:08 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 16 Feb 2012 09:56:08 -0700
Subject: [Freeipa-users] Latest FreeIPA update causing problems
In-Reply-To:
References: <4F3D22B8.3080305@redhat.com>
Message-ID: <4F3D3528.5020905@redhat.com>

On 02/16/2012 09:12 AM, Dan Scott wrote:
> Hi,
>
> On Thu, Feb 16, 2012 at 10:37, Rich Megginson wrote:
>> On 02/16/2012 08:26 AM, Dan Scott wrote:
>>> Hi,
>>>
>>> I have recently upgraded one of my FreeIPA servers (Fedora 16) with
>>> the latest package versions:
>>>
>>> Feb 15 14:10:19 Updated: libselinux-2.1.6-6.fc16.x86_64
>>> Feb 15 14:10:20 Updated: krb5-libs-1.9.2-6.fc16.x86_64
>>> Feb 15 14:10:21 Updated: systemd-37-13.fc16.x86_64
>>> Feb 15 14:10:22 Updated: systemd-units-37-13.fc16.x86_64
>>> Feb 15 14:10:22 Updated: device-mapper-libs-1.02.65-6.fc16.x86_64
>>> Feb 15 14:10:22 Updated: device-mapper-1.02.65-6.fc16.x86_64
>>> Feb 15 14:10:23 Updated: rpm-4.9.1.2-5.fc16.x86_64
>>> Feb 15 14:10:24 Updated: rpm-libs-4.9.1.2-5.fc16.x86_64
>>> Feb 15 14:10:24 Updated: device-mapper-event-libs-1.02.65-6.fc16.x86_64
>>> Feb 15 14:10:26 Updated: freeipa-python-2.1.4-5.fc16.x86_64
>>> Feb 15 14:10:26 Updated: systemd-sysv-37-13.fc16.x86_64
>>> Feb 15 14:10:27 Updated: krb5-server-1.9.2-6.fc16.x86_64
>>> Feb 15 14:10:27 Updated: krb5-server-ldap-1.9.2-6.fc16.x86_64
>>> Feb 15 14:10:27 Updated: device-mapper-event-1.02.65-6.fc16.x86_64
>>> Feb 15 14:10:28 Updated: lvm2-libs-2.02.86-6.fc16.x86_64
>>> Feb 15 14:10:28 Updated: rpm-build-libs-4.9.1.2-5.fc16.x86_64
>>> Feb 15 14:10:28 Updated: mod_auth_kerb-5.4-8.fc16.x86_64
>>> Feb 15 14:10:28 Updated: 389-ds-base-libs-1.2.10-0.10.rc1.fc16.x86_64
>>> Feb 15 14:10:30 Updated: 389-ds-base-1.2.10-0.10.rc1.fc16.x86_64
>>> Feb 15 14:10:31 Updated: krb5-pkinit-openssl-1.9.2-6.fc16.x86_64
>>> Feb 15 14:10:31 Updated: krb5-workstation-1.9.2-6.fc16.x86_64
>>> Feb 15 14:10:31 Updated: freeipa-client-2.1.4-5.fc16.x86_64
>>> Feb 15 14:10:31 Updated: freeipa-admintools-2.1.4-5.fc16.x86_64
>>> Feb 15 14:11:47 Updated: freeipa-server-2.1.4-5.fc16.x86_64
>>> Feb 15 14:15:19 Updated: freeipa-server-selinux-2.1.4-5.fc16.x86_64
>>> Feb 15 14:15:19 Updated: rpm-python-4.9.1.2-5.fc16.x86_64
>>> Feb 15 14:15:20 Updated: lvm2-2.02.86-6.fc16.x86_64
>>> Feb 15 14:15:20 Updated: libselinux-python-2.1.6-6.fc16.x86_64
>>> Feb 15 14:15:20 Updated: libselinux-utils-2.1.6-6.fc16.x86_64
>>> Feb 15 14:15:21 Updated: alsa-lib-1.0.25-1.fc16.x86_64
>>> Feb 15 14:15:30 Installed: kernel-3.2.6-3.fc16.x86_64
>>>
>>> I am having major problems with freeipa services (I replaced my real
>>> domain with example.com):
>>>
>>> [root@fileserver3 ~]# ipactl status
>>> Directory Service: STOPPED
>>> Unknown error when retrieving list of services from LDAP: [Errno 111]
>>> Connection refused
>>> [root@fileserver3 ~]# ipactl start
>>> Starting Directory Service
>>> Failed to read data from Directory Service: Failed to get list of
>>> services to probe status!
>>> Configured hostname 'fileserver3.example.com' does not match any
>>> master server in LDAP:
>>> No master found because of error: {'matched': 'dc=example,dc=com',
>>> 'desc': 'No such object'}
>>> Shutting down
>>> [root@fileserver3 ~]#
>>>
>>> None of the IPA processes will start. The dirsrv error log shows:
>>>
>>> [16/Feb/2012:10:20:23 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328
>>> starting up
>>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no
>>> entries set up under cn=groups, cn=compat,dc=example,dc=com
>>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no
>>> entries set up under cn=ng, cn=compat,dc=example,dc=com
>>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no
>>> entries set up under ou=sudoers,dc=example,dc=com
>>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no
>>> entries set up under cn=users, cn=compat,dc=example,dc=com
>>> [16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry:
>>> Unable to locate shared configuration entry
>>> (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com)
>>> [16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry:
>>> Invalid config entry [cn=posix ids,cn=distributed numeric assignment
>>> plugin,cn=plugins,cn=config] skipped
>>> [16/Feb/2012:10:20:23 -0500] - slapd started. Listening on All
>>> Interfaces port 389 for LDAP requests
>>> [16/Feb/2012:10:20:23 -0500] - Listening on All Interfaces port 636
>>> for LDAPS requests
>>> [16/Feb/2012:10:20:23 -0500] - Listening on
>>> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>> [16/Feb/2012:10:20:23 -0500] - slapd shutting down - signaling operation
>>> threads
>>> [16/Feb/2012:10:20:23 -0500] - slapd shutting down - closing down
>>> internal subsystems and plugins
>>> [16/Feb/2012:10:20:24 -0500] - Waiting for 4 database threads to stop
>>> [16/Feb/2012:10:20:24 -0500] - All database threads now stopped
>>> [16/Feb/2012:10:20:24 -0500] - slapd stopped.
>>>
>>> Can someone help?
>> start your directory server - systemctl start dirsrv.target
>> do a search for the dna entries:
>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b
>> "cn=dna,cn=ipa,cn=etc,dc=example,dc=com"
>>
>> and
>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=distributed
>> numeric assignment
>> plugin,cn=plugins,cn=config"
> Results:
>
> [root@fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s
> one -b "cn=dna,cn=ipa,cn=etc,dc=example,dc=com"
> Enter LDAP Password:
> No such object (32)
> Matched DN: dc=example,dc=com
> [root@fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s
> one -b "cn=distributed numeric assignment plugin,cn=plugins,cn=config"
> Enter LDAP Password:
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: Posix IDs
> dnatype: uidNumber
> dnatype: gidNumber
> dnanextvalue: 1101
> dnamaxvalue: 1100
> dnamagicregen: 999
> dnafilter: (|(objectclass=posixAccount)(objectClass=posixGroup))
> dnascope: dc=example,dc=com
> dnathreshold: 500
> dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>
> It looks like all my data is missing.... do I need to re-initialize
> the replication?

Is this your master or a replica?
You can look at the database directly with
dbscan -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/id2entry.db4
you can also export it to ldif with
/var/lib/dirsrv/scripts-DOMAIN/db2ldif -n userRoot -a /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif

> Dan

From danieljamesscott at gmail.com Thu Feb 16 17:40:34 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 16 Feb 2012 12:40:34 -0500
Subject: [Freeipa-users] Latest FreeIPA update causing problems
In-Reply-To: <4F3D3528.5020905@redhat.com>
References: <4F3D22B8.3080305@redhat.com> <4F3D3528.5020905@redhat.com>
Message-ID:

Hi,

On Thu, Feb 16, 2012 at 11:56, Rich Megginson wrote:
> On 02/16/2012 09:12 AM, Dan Scott wrote:
>> [...]
>>
>> It looks like all my data is missing.... do I need to re-initialize
>> the replication?
>
> Is this your master or a replica?
> You can look at the database directly with
> dbscan -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/id2entry.db4
> you can also export it to ldif with
> /var/lib/dirsrv/scripts-DOMAIN/db2ldif -n userRoot -a
> /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif

It's a replica. Luckily the master hasn't been updated yet. I have another replica running Fedora 15 which seems OK as well.

The dbscan command looks good, I think. I can see an entry for "rdn: uid=djscott".
I ran the export, and got:

Exported ldif file: /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif
ldiffile: /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif
[16/Feb/2012:12:37:40 -0500] - export userRoot: Processed 437 entries (100%).
[16/Feb/2012:12:37:40 -0500] - All database threads now stopped

The ldif file looks good, thanks. Nice to know that the data is all still there. Any ideas why it's not showing up when I query LDAP?

Dan

From rmeggins at redhat.com Thu Feb 16 19:24:57 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 16 Feb 2012 12:24:57 -0700
Subject: [Freeipa-users] Latest FreeIPA update causing problems
In-Reply-To:
References: <4F3D22B8.3080305@redhat.com> <4F3D3528.5020905@redhat.com>
Message-ID: <4F3D5809.3040604@redhat.com>

On 02/16/2012 10:40 AM, Dan Scott wrote:
> Hi,
>
> On Thu, Feb 16, 2012 at 11:56, Rich Megginson wrote:
>> [...]
>>
>> Is this your master or a replica?
>> You can look at the database directly with
>> dbscan -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/id2entry.db4
>> you can also export it to ldif with
>> /var/lib/dirsrv/scripts-DOMAIN/db2ldif -n userRoot -a
>> /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif
> It's a replica. Luckily the master hasn't been updated yet. I have
> another replica running Fedora 15 which seems OK as well.
>
> The dbscan command looks good, I think. I can see an entry for "rdn:
> uid=djscott".
>
> I ran the export, and got:
>
> Exported ldif file: /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif
> ldiffile: /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif
> [16/Feb/2012:12:37:40 -0500] - export userRoot: Processed 437 entries (100%).
> [16/Feb/2012:12:37:40 -0500] - All database threads now stopped
>
> The ldif file looks good, thanks. Nice to know that the data is all
> still there. Any ideas why it's not showing up when I query LDAP?

So you do see an entry for cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com in your dbscan output and in the mydb.ldif file?

The dbscan output should contain an entry ID and a parent entry ID - this will be a one, two, or three digit integer. Try the following, where X is the entry ID, and Y is the parent entry ID:

dbscan -k X -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4
dbscan -k Y -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4
dbscan -k PX -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4
dbscan -k CY -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4

> Dan

From ian at crystal.harvard.edu Thu Feb 16 19:38:16 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Thu, 16 Feb 2012 14:38:16 -0500
Subject: [Freeipa-users] Replicas in a state of confusion
In-Reply-To: <4F3C4C63.50000@redhat.com>
References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu> <4F3441B1.3010103@redhat.com> <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu> <4F345E5D.7040404@redhat.com> <1328883331.5829.128.camel@willson.li.ssimo.org> <011DBA78-6550-4C89-A2F2-B5D718C637F4@crystal.harvard.edu> <4F3563C0.6060702@redhat.com> <53332B17-8BEB-49B4-A248-6D95D22B1C93@crystal.harvard.edu>
 <4F3C4C63.50000@redhat.com>
Message-ID: <4C6FCDF6-AF8E-4B32-910E-CAE2280A6E1A@crystal.harvard.edu>

On Feb 15, 2012, at 7:22 PM, Rich Megginson wrote:

> Sorry for not getting back to you sooner. I can't say for sure, but it does look like you are running into some of the tombstone issues we have fixed in 1.2.10.1-1 (now in updates-testing)

OK, are these errors anything to worry about in a production replicated environment?

> In addition, if you are getting this:
> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica - err 20
> https://fedorahosted.org/389/ticket/282
> You may have deleted and re-added replicas - in that case, you may want to follow the cleanruv procedure here - http://directory.fedoraproject.org/wiki/Howto:CLEANRUV

I did indeed have about 13 replica configs in the RUV. After cleaning per the instructions, that error above has gone away. Thanks!

Ian

From danieljamesscott at gmail.com Thu Feb 16 20:12:40 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 16 Feb 2012 15:12:40 -0500
Subject: [Freeipa-users] Latest FreeIPA update causing problems
In-Reply-To: <4F3D5809.3040604@redhat.com>
References: <4F3D22B8.3080305@redhat.com> <4F3D3528.5020905@redhat.com> <4F3D5809.3040604@redhat.com>
Message-ID:

On Thu, Feb 16, 2012 at 14:24, Rich Megginson wrote:
> On 02/16/2012 10:40 AM, Dan Scott wrote:
>> [...]
>>
>> The ldif file looks good, thanks. Nice to know that the data is all
>> still there. Any ideas why it's not showing up when I query LDAP?
>
> So you do see an entry for
> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com in your dbscan output
> and in the mydb.ldif file?
> The dbscan output should contain an entry ID and a parent entry ID - this
> will be a one, two, or three digit integer.
> try the following, where X is the entry ID, and Y is the parent entry ID:
> dbscan -k X -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4
> dbscan -k Y -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4
> dbscan -k PX -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4
> dbscan -k CY -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4

Yep, there's an entry for posix-ids, and an entry for each of my replica servers (I only show 1 here, but there are others):

# entry-id: 29
dn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
nsUniqueId: 4fff5921-e48611e0-bf3681aa-d1a3957d
modifyTimestamp: 20110921191715Z
createTimestamp: 20110921191715Z
modifiersName: cn=directory manager
creatorsName: cn=directory manager
cn: posix-ids
objectClass: nsContainer
objectClass: top

# entry-id: 446
dn: dnaHostname=fileserver3.example.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=
 ipa,cn=etc,dc=example,dc=com
nsUniqueId: 47743a07-57fc11e1-b1edce26-60f19ec1
objectClass: extensibleObject
objectClass: top
dnahostname: fileserver3.example.com
dnaportnum: 389
dnasecureportnum: 636
dnaremainingvalues: 0
creatorsName: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
modifiersName: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
createTimestamp: 20120215174154Z
modifyTimestamp: 20120215174154Z

The:

dbscan -k 29 .....

Gives: "Can't find key '29'". But from the manpage, you maybe mean 'K'? Even so, it still doesn't look good with either -K 29 or -K P29.

Can't set cursor to returned item: DB_NOTFOUND: No matching key/data pair found

dbscan -r shows (with some manual grepping):

29:cn=posix-ids
ID: 29; RDN: "cn=posix-ids"; NRDN: "cn=posix-ids"
P29:cn=posix-ids
ID: 28; RDN: "cn=dna"; NRDN: "cn=dna"

Does this mean that the index is OK but the data is missing? I'm not really sure what we're looking for here. Does LDAP have indexes similar to the way that RDBMSs do?
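As an added illustration (not code from the thread or from 389-ds), the key scheme Rich describes and the dbscan -r records Dan posted can be checked mechanically: this hypothetical Python helper parses entryrdn records (self "ID", parent "P<ID>", child "C<ID>"), rebuilds an entry's DN by following the parent links, and reports links that do not agree with each other. The sample records are constructed to follow the format in Dan's message; IDs 28, 29 and 446 are the thread's, the suffix ID 1 and the cn=etc ID 2 are made up.

```python
"""Consistency check for a 389-ds entryrdn index dumped with 'dbscan -r'.

Hypothetical helper written for this thread, not 389-ds code.  Key scheme
as described in the thread: "<ID>" holds the entry's own record, "P<ID>"
its parent's record, "C<ID>" one record per child.  Each record reads
'ID: n; RDN: "..."; NRDN: "..."'.
"""
import re
from collections import defaultdict

KEY_RE = re.compile(r'^\s*(?P<kind>[PC]?)(?P<id>\d+)(?::\S*)?\s*$')
REC_RE = re.compile(r'ID:\s*(?P<id>\d+);\s*RDN:\s*"(?P<rdn>[^"]*)";'
                    r'\s*NRDN:\s*"(?P<nrdn>[^"]*)"')


class EntryRdnIndex:
    def __init__(self):
        self.rdn = {}                     # entry ID -> RDN (self records)
        self.parent = {}                  # entry ID -> parent ID (P records)
        self.children = defaultdict(set)  # parent ID -> child IDs (C records)


def parse_entryrdn(text):
    """Build an index from dbscan -r output; a key may stand on its own
    line or share the line with its record, as in the flattened copy."""
    idx = EntryRdnIndex()
    kind = key_id = None
    for line in text.splitlines():
        head, sep, tail = line.partition("ID:")
        m = KEY_RE.match(head) if head.strip() else None
        if m:
            kind, key_id = m.group("kind"), int(m.group("id"))
        if not sep or key_id is None:
            continue
        rec = REC_RE.search(sep + tail)
        if rec is None:
            continue
        rec_id = int(rec.group("id"))
        if kind == "":         # self record: the entry's own RDN
            idx.rdn[rec_id] = rec.group("rdn")
        elif kind == "P":      # P<key_id>: the record is key_id's parent
            idx.parent[key_id] = rec_id
        else:                  # C<key_id>: the record is a child of key_id
            idx.children[key_id].add(rec_id)
    return idx


def dn_of(idx, entry_id):
    """Rebuild the DN by following P links up to the suffix (the entry
    with no parent record).  None if a link is missing or loops."""
    parts, seen, cur = [], set(), entry_id
    while cur is not None:
        if cur in seen or cur not in idx.rdn:
            return None
        seen.add(cur)
        parts.append(idx.rdn[cur])
        cur = idx.parent.get(cur)
    return ",".join(parts)


def check_index(idx):
    """List every P/C/self record that disagrees with the others."""
    problems = set()
    for child, par in idx.parent.items():
        if par not in idx.rdn:
            problems.add(f"P{child} names ID {par}, which has no self record")
        if child not in idx.children.get(par, ()):
            problems.add(f"C{par} lacks child ID {child} although P{child} names it")
    for par, kids in idx.children.items():
        for kid in kids:
            if idx.parent.get(kid) != par:
                problems.add(f"C{par} lists ID {kid} but P{kid} does not point back")
    for entry_id in idx.rdn:
        if dn_of(idx, entry_id) is None:
            problems.add(f"ID {entry_id}: parent chain is broken")
    return sorted(problems)


# Constructed sample in the format posted on the list; the C29 record is
# deliberately left out so the check has something to find.
SAMPLE = """\
1:dc=example,dc=com
  ID: 1; RDN: "dc=example,dc=com"; NRDN: "dc=example,dc=com"
C1:dc=example,dc=com
  ID: 2; RDN: "cn=etc"; NRDN: "cn=etc"
2:cn=etc ID: 2; RDN: "cn=etc"; NRDN: "cn=etc"
P2:cn=etc ID: 1; RDN: "dc=example,dc=com"; NRDN: "dc=example,dc=com"
C2:cn=etc ID: 28; RDN: "cn=dna"; NRDN: "cn=dna"
28:cn=dna ID: 28; RDN: "cn=dna"; NRDN: "cn=dna"
P28:cn=dna ID: 2; RDN: "cn=etc"; NRDN: "cn=etc"
C28:cn=dna ID: 29; RDN: "cn=posix-ids"; NRDN: "cn=posix-ids"
29:cn=posix-ids ID: 29; RDN: "cn=posix-ids"; NRDN: "cn=posix-ids"
P29:cn=posix-ids ID: 28; RDN: "cn=dna"; NRDN: "cn=dna"
446:dnahostname=fileserver3.example.com+dnaportnum=389
  ID: 446; RDN: "dnaHostname=fileserver3.example.com+dnaPortNum=389"; NRDN: "dnahostname=fileserver3.example.com+dnaportnum=389"
P446:dnahostname=fileserver3.example.com+dnaportnum=389
  ID: 29; RDN: "cn=posix-ids"; NRDN: "cn=posix-ids"
"""

if __name__ == "__main__":
    index = parse_entryrdn(SAMPLE)
    print(dn_of(index, 446))
    for problem in check_index(index):
        print("problem:", problem)
```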
Thanks, From rmeggins at redhat.com Thu Feb 16 20:39:57 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 16 Feb 2012 13:39:57 -0700 Subject: [Freeipa-users] Latest FreeIPA update causing problems In-Reply-To: References: <4F3D22B8.3080305@redhat.com> <4F3D3528.5020905@redhat.com> <4F3D5809.3040604@redhat.com> Message-ID: <4F3D699D.3040701@redhat.com> On 02/16/2012 01:12 PM, Dan Scott wrote: > On Thu, Feb 16, 2012 at 14:24, Rich Megginson wrote: >> On 02/16/2012 10:40 AM, Dan Scott wrote: >>> Hi, >>> >>> On Thu, Feb 16, 2012 at 11:56, Rich Megginson wrote: >>>> On 02/16/2012 09:12 AM, Dan Scott wrote: >>>>> Hi, >>>>> >>>>> On Thu, Feb 16, 2012 at 10:37, Rich Megginson >>>>> wrote: >>>>>> On 02/16/2012 08:26 AM, Dan Scott wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I have recently upgraded one of my FreeIPA servers (Fedora 16) with >>>>>>> the latest package versions: >>>>>>> >>>>>>> Feb 15 14:10:19 Updated: libselinux-2.1.6-6.fc16.x86_64 >>>>>>> Feb 15 14:10:20 Updated: krb5-libs-1.9.2-6.fc16.x86_64 >>>>>>> Feb 15 14:10:21 Updated: systemd-37-13.fc16.x86_64 >>>>>>> Feb 15 14:10:22 Updated: systemd-units-37-13.fc16.x86_64 >>>>>>> Feb 15 14:10:22 Updated: device-mapper-libs-1.02.65-6.fc16.x86_64 >>>>>>> Feb 15 14:10:22 Updated: device-mapper-1.02.65-6.fc16.x86_64 >>>>>>> Feb 15 14:10:23 Updated: rpm-4.9.1.2-5.fc16.x86_64 >>>>>>> Feb 15 14:10:24 Updated: rpm-libs-4.9.1.2-5.fc16.x86_64 >>>>>>> Feb 15 14:10:24 Updated: >>>>>>> device-mapper-event-libs-1.02.65-6.fc16.x86_64 >>>>>>> Feb 15 14:10:26 Updated: freeipa-python-2.1.4-5.fc16.x86_64 >>>>>>> Feb 15 14:10:26 Updated: systemd-sysv-37-13.fc16.x86_64 >>>>>>> Feb 15 14:10:27 Updated: krb5-server-1.9.2-6.fc16.x86_64 >>>>>>> Feb 15 14:10:27 Updated: krb5-server-ldap-1.9.2-6.fc16.x86_64 >>>>>>> Feb 15 14:10:27 Updated: device-mapper-event-1.02.65-6.fc16.x86_64 >>>>>>> Feb 15 14:10:28 Updated: lvm2-libs-2.02.86-6.fc16.x86_64 >>>>>>> Feb 15 14:10:28 Updated: rpm-build-libs-4.9.1.2-5.fc16.x86_64 >>>>>>> Feb 15 14:10:28 
Updated: mod_auth_kerb-5.4-8.fc16.x86_64 >>>>>>> Feb 15 14:10:28 Updated: 389-ds-base-libs-1.2.10-0.10.rc1.fc16.x86_64 >>>>>>> Feb 15 14:10:30 Updated: 389-ds-base-1.2.10-0.10.rc1.fc16.x86_64 >>>>>>> Feb 15 14:10:31 Updated: krb5-pkinit-openssl-1.9.2-6.fc16.x86_64 >>>>>>> Feb 15 14:10:31 Updated: krb5-workstation-1.9.2-6.fc16.x86_64 >>>>>>> Feb 15 14:10:31 Updated: freeipa-client-2.1.4-5.fc16.x86_64 >>>>>>> Feb 15 14:10:31 Updated: freeipa-admintools-2.1.4-5.fc16.x86_64 >>>>>>> Feb 15 14:11:47 Updated: freeipa-server-2.1.4-5.fc16.x86_64 >>>>>>> Feb 15 14:15:19 Updated: freeipa-server-selinux-2.1.4-5.fc16.x86_64 >>>>>>> Feb 15 14:15:19 Updated: rpm-python-4.9.1.2-5.fc16.x86_64 >>>>>>> Feb 15 14:15:20 Updated: lvm2-2.02.86-6.fc16.x86_64 >>>>>>> Feb 15 14:15:20 Updated: libselinux-python-2.1.6-6.fc16.x86_64 >>>>>>> Feb 15 14:15:20 Updated: libselinux-utils-2.1.6-6.fc16.x86_64 >>>>>>> Feb 15 14:15:21 Updated: alsa-lib-1.0.25-1.fc16.x86_64 >>>>>>> Feb 15 14:15:30 Installed: kernel-3.2.6-3.fc16.x86_64 >>>>>>> >>>>>>> I am having major problems with freeipa services (I replaced my real >>>>>>> domain with example.com): >>>>>>> >>>>>>> [root at fileserver3 ~]# ipactl status >>>>>>> Directory Service: STOPPED >>>>>>> Unknown error when retrieving list of services from LDAP: [Errno 111] >>>>>>> Connection refused >>>>>>> [root at fileserver3 ~]# ipactl start >>>>>>> Starting Directory Service >>>>>>> Failed to read data from Directory Service: Failed to get list of >>>>>>> services to probe status! >>>>>>> Configured hostname 'fileserver3.example.com' does not match any >>>>>>> master server in LDAP: >>>>>>> No master found because of error: {'matched': 'dc=example,dc=com', >>>>>>> 'desc': 'No such object'} >>>>>>> Shutting down >>>>>>> [root at fileserver3 ~]# >>>>>>> >>>>>>> None of the IPA processes will start. 
The dirsrv error log shows: >>>>>>> >>>>>>> [16/Feb/2012:10:20:23 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328 >>>>>>> starting up >>>>>>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no >>>>>>> entries set up under cn=groups, cn=compat,dc=example,dc=com >>>>>>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no >>>>>>> entries set up under cn=ng, cn=compat,dc=example,dc=com >>>>>>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no >>>>>>> entries set up under ou=sudoers,dc=example,dc=com >>>>>>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no >>>>>>> entries set up under cn=users, cn=compat,dc=example,dc=com >>>>>>> [16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: >>>>>>> Unable to locate shared configuration entry >>>>>>> (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com) >>>>>>> [16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: >>>>>>> Invalid config entry [cn=posix ids,cn=distributed numeric assignment >>>>>>> plugin,cn=plugins,cn=config] skipped >>>>>>> [16/Feb/2012:10:20:23 -0500] - slapd started. Listening on All >>>>>>> Interfaces port 389 for LDAP requests >>>>>>> [16/Feb/2012:10:20:23 -0500] - Listening on All Interfaces port 636 >>>>>>> for LDAPS requests >>>>>>> [16/Feb/2012:10:20:23 -0500] - Listening on >>>>>>> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests >>>>>>> [16/Feb/2012:10:20:23 -0500] - slapd shutting down - signaling >>>>>>> operation >>>>>>> threads >>>>>>> [16/Feb/2012:10:20:23 -0500] - slapd shutting down - closing down >>>>>>> internal subsystems and plugins >>>>>>> [16/Feb/2012:10:20:24 -0500] - Waiting for 4 database threads to stop >>>>>>> [16/Feb/2012:10:20:24 -0500] - All database threads now stopped >>>>>>> [16/Feb/2012:10:20:24 -0500] - slapd stopped. >>>>>>> >>>>>>> Can someone help? 
>>>>>> start your directory server - systemctl start dirsrv.target >>>>>> do a search for the dna entries: >>>>>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b >>>>>> "cn=dna,cn=ipa,cn=etc,dc=example,dc=com" >>>>>> >>>>>> and >>>>>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=distributed >>>>>> numeric assignment >>>>>> plugin,cn=plugins,cn=config" >>>>> Results: >>>>> >>>>> [root at fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s >>>>> one -b "cn=dna,cn=ipa,cn=etc,dc=example,dc=com" >>>>> Enter LDAP Password: >>>>> No such object (32) >>>>> Matched DN: dc=example,dc=com >>>>> [root at fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s >>>>> one -b "cn=distributed numeric assignment plugin,cn=plugins,cn=config" >>>>> Enter LDAP Password: >>>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment >>>>> Plugin,cn=plugins,cn=config >>>>> objectClass: top >>>>> objectClass: extensibleObject >>>>> cn: Posix IDs >>>>> dnatype: uidNumber >>>>> dnatype: gidNumber >>>>> dnanextvalue: 1101 >>>>> dnamaxvalue: 1100 >>>>> dnamagicregen: 999 >>>>> dnafilter: (|(objectclass=posixAccount)(objectClass=posixGroup)) >>>>> dnascope: dc=example,dc=com >>>>> dnathreshold: 500 >>>>> dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com >>>>> >>>>> It looks like all my data is missing.... do I need to re-initialize >>>>> the replication? >>>> Is this your master or a replica? >>>> You can look at the database directly with >>>> dbscan -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/id2entry.db4 >>>> you can also export it to ldif with >>>> /var/lib/dirsrv/scripts-DOMAIN/db2ldif -n userRoot -a >>>> /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif >>> It's a replica. Luckily the master hasn't been updated yet. I have >>> another replica running Fedora 15 which seems OK as well. >>> >>> The dbscan command looks good, I think. I can see an entry for "rdn: >>> uid=djscott". 
>>> >>> I ran the export, and got: >>> >>> Exported ldif file: /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif >>> ldiffile: /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif >>> [16/Feb/2012:12:37:40 -0500] - export userRoot: Processed 437 entries >>> (100%). >>> [16/Feb/2012:12:37:40 -0500] - All database threads now stopped >>> >>> The ldif file looks good, thanks. Nice to know that the data is all >>> still there. Any ideas why it's not showing up when I query LDAP? >> So you do see an entry for >> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com in your dbscan output >> and in the mydb.ldif file? >> The dbscan output should contain an entry ID and a parent entry ID - this >> will be a one, two, or three digit integer. >> try the following, where X is the entry ID, and Y is the parent entry ID: >> dbscan -k X -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4 >> dbscan -k Y -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4 >> dbscan -k PX -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4 >> dbscan -k CY -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4 > Yep, there's an entry for posix-ids, and an entry for each of my > replica servers (I only show 1 here, but there are others): > > # entry-id: 29 > dn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com > nsUniqueId: 4fff5921-e48611e0-bf3681aa-d1a3957d > modifyTimestamp: 20110921191715Z > createTimestamp: 20110921191715Z > modifiersName: cn=directory manager > creatorsName: cn=directory manager > cn: posix-ids > objectClass: nsContainer > objectClass: top > > # entry-id: 446 > dn: dnaHostname=fileserver3.example.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn= > ipa,cn=etc,dc=example,dc=com > nsUniqueId: 47743a07-57fc11e1-b1edce26-60f19ec1 > objectClass: extensibleObject > objectClass: top > dnahostname: fileserver3.example.com > dnaportnum: 389 > dnasecureportnum: 636 > dnaremainingvalues: 0 > creatorsName: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config > modifiersName: 
cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> createTimestamp: 20120215174154Z
> modifyTimestamp: 20120215174154Z
>
> The:
>
> dbscan -k 29 .....
>
> Gives:
>
> "Can't find key '29'".
>
> But from the manpage, you maybe mean 'K'? Even so, it still doesn't
> look good with either -K 29 or -K P29.

It is confusing - for the id2entry.db4 file, and only for that file, you use -K - for the entryrdn.db4 and the other index files, you use -k

> Can't set cursor to returned item: DB_NOTFOUND: No matching key/data pair found
>
> dbscan -r shows (with some manual grepping):
>
> 29:cn=posix-ids
> ID: 29; RDN: "cn=posix-ids"; NRDN: "cn=posix-ids"
>
> P29:cn=posix-ids
> ID: 28; RDN: "cn=dna"; NRDN: "cn=dna"
>
> Does this mean that the index is OK but the data is missing? I'm not
> really sure what we're looking for here.

The entryrdn index was supposed to be upgraded during the yum update to 1.2.10.rc1. It looks as though that did not happen. The format should be

29
ID: 29; RDN: "cn=posix-ids"; NRDN: "cn=posix-ids"

The fact that there is still the ":" in there means the upgrade didn't work. Do you have your errors log from around the time you did the yum upgrade that upgraded 389-ds-base to 1.2.10.rc1?

> Does LDAP have indexes
> similar to the way that RDBMSs do?

Yes.
> Thanks,

From rmeggins at redhat.com Thu Feb 16 20:54:38 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 16 Feb 2012 13:54:38 -0700 Subject: [Freeipa-users] Replicas in a state of confusion In-Reply-To: <4C6FCDF6-AF8E-4B32-910E-CAE2280A6E1A@crystal.harvard.edu> References: <2D89DDCB-5E07-4DD2-980B-A4D24DCF36E7@crystal.harvard.edu> <4F3186E7.7080003@redhat.com> <8E7D19AB-E84C-4502-B5EA-1BCC8C193659@crystal.harvard.edu> <4F318BEF.8080103@redhat.com> <4F319E27.4090707@redhat.com> <8482DEAC-803C-4796-B201-3DB7B24F8648@crystal.harvard.edu> <1328813867.5829.90.camel@willson.li.ssimo.org> <4DE3709C-66FD-4C38-8FA0-8122427E3E11@crystal.harvard.edu> <4F3441B1.3010103@redhat.com> <559BEF79-C3DA-4290-82A8-F0E4C69074DF@crystal.harvard.edu> <4F345E5D.7040404@redhat.com> <1328883331.5829.128.camel@willson.li.ssimo.org> <011DBA78-6550-4C89-A2F2-B5D718C637F4@crystal.harvard.edu> <4F3563C0.6060702@redhat.com> <53332B17-8BEB-49B4-A248-6D95D22B1C93@crystal.harvard.edu> <4F3C4C63.50000@redhat.com> <4C6FCDF6-AF8E-4B32-910E-CAE2280A6E1A@crystal.harvard.edu> Message-ID: <4F3D6D0E.6050207@redhat.com>

On 02/16/2012 12:38 PM, Ian Levesque wrote:
> On Feb 15, 2012, at 7:22 PM, Rich Megginson wrote:
>
>> Sorry for not getting back to you sooner. I can't say for sure, but it does look like you are running into some of the tombstone issues we have fixed in 1.2.10.1-1 (now in updates-testing)
> OK, are these errors anything to worry about in a production replicated environment?

id2entry - str2entry returned NULL for id 12, string="rdn"
_entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct to RDN

yes - there seems to be a problem with "orphan" tombstone entries
https://fedorahosted.org/389/ticket/298
we are working on a patch that we will likely release in 1.2.10.2

if you want to remove the orphan tombstone entries and just start from scratch, you will have to export your database to LDIF and re-import it. Do this on your primary master.
You will then have to re-initialize all replicas from this master.

NOTE: The following documentation refers to scripts such as db2bak, db2ldif, etc. In an IPA installation, these scripts are found in /var/lib/dirsrv/scripts-DOMAIN

Step 1) make a backup of your database files
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Backing_Up_and_Restoring_Data.html#Backing_Up_and_Restoring_Data-Backing_Up_All_Databases

Step 2) export your userRoot (-n userRoot) database to LDIF
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Exporting_Data.html

Step 3) import your LDIF file into your userRoot database
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases.html#Populating_Directory_Databases-Importing_Data

use ipa-replica-manage to initialize your replicas from this server

>
>> In addition, if you are getting this:
>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica - err 20
>> https://fedorahosted.org/389/ticket/282
>> You may have deleted and re-added replicas - in that case, you may want to follow the cleanruv procedure here - http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
> I did indeed have about 13 replica configs in the RUV. After cleaning per the instructions, that error above has gone away.
>
>
> Thanks!
> Ian
>

From simo at redhat.com Thu Feb 16 21:33:25 2012 From: simo at redhat.com (Simo Sorce) Date: Thu, 16 Feb 2012 16:33:25 -0500 Subject: [Freeipa-users] custom LDAP schemas In-Reply-To: References: Message-ID: <1329428005.2392.82.camel@willson.li.ssimo.org>

On Thu, 2012-02-16 at 13:34 +0100, Vincent Zakofski wrote:
> Hi all,
>
> I'm very interested by migrating my openLDAP servers to freeIPA, the
> only problem is that I have some custom LDAP schemas in my present
> configuration.
> Is there a way to add some custom LDAP schemas to ipa-server?
> If it's possible, where can I find some documentation about adding
> those custom schemas.

You can read up about how to extend the Directory schema here:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Extending_the_Directory_Schema.html

If you are planning on extending objects that are managed by FreeIPA as opposed to just add new objects in a custom subtree, you may need to change the way the UI manages these objects by telling it what mandatory attributes you need to add.

We do not have a clearly documented procedure for this yet I think, but it is not too difficult to do.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From kelvin at kindsight.net Fri Feb 17 03:10:14 2012 From: kelvin at kindsight.net (Kelvin Edmison) Date: Thu, 16 Feb 2012 22:10:14 -0500 Subject: [Freeipa-users] user unable to change password after admin resets pw Message-ID:

Hi all,

I am trying to roll out ipa as our central authentication system, and am running into problems with password changes on CentOS 5.

Scenario:
Admin user resets a user's password.
The user, on a non-IPA-managed system, logs into a CentOS 5 server (IPA-managed) via ssh. The temporary password is accepted and the user is immediately prompted to change the password, but the password change fails with the message 'System is offline, password change not possible'.

$ ssh kelvin at testhost
kelvin at testhost's password:
Warning: Your password will expire in less than one hour.
Password expired. Change your password now.
Last login: Thu Feb 16 21:54:59 2012 from vpn
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user kelvin.
Current Password:
New UNIX password:
Retype new UNIX password:
System is offline, password change not possible
Warning: Your password will expire in less than one hour.
Warning: Your password will expire in less than one hour.
passwd: Authentication token manipulation error Connection to testhost closed. What am I missing? Can someone please help me get this working? Thanks, Kelvin From topping at codehaus.org Fri Feb 17 03:21:06 2012 From: topping at codehaus.org (Brian Topping) Date: Thu, 16 Feb 2012 22:21:06 -0500 Subject: [Freeipa-users] user unable to change password after admin resets pw In-Reply-To: References: Message-ID: <1C8EED75-A540-4C8C-847D-A1F54EDCE9C5@codehaus.org> Firewall issue? Maybe do a tcpdump on one of the machines while trying this? On Feb 16, 2012, at 10:10 PM, Kelvin Edmison wrote: > Hi all, > > I am trying to roll out ipa as our central authentication system, and am > running into problems with password changes on CentOS 5. > > Scenario: > Admin user resets a user's password. > The user, on a non-IPA-managed system, logs into a CentOS 5 server > (IPA-managed) via ssh. The temporary password is accepted and the user is > immediately prompted to change the password, but the password change fails > with the message 'System is offline, password change not possible'. > > $ ssh kelvin at testhost > kelvin at testhost's password: > Warning: Your password will expire in less than one hour. > Password expired. Change your password now. > Last login: Thu Feb 16 21:54:59 2012 from vpn > WARNING: Your password has expired. > You must change your password now and login again! > Changing password for user kelvin. > Current Password: > New UNIX password: > Retype new UNIX password: > System is offline, password change not possible > Warning: Your password will expire in less than one hour. > Warning: Your password will expire in less than one hour. > passwd: Authentication token manipulation error > Connection to testhost closed. > > What am I missing? Can someone please help me get this working? 
> > Thanks, > Kelvin > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From kelvin at kindsight.net Fri Feb 17 03:52:42 2012 From: kelvin at kindsight.net (Kelvin Edmison) Date: Thu, 16 Feb 2012 22:52:42 -0500 Subject: [Freeipa-users] user unable to change password after admin resets pw In-Reply-To: <1C8EED75-A540-4C8C-847D-A1F54EDCE9C5@codehaus.org> Message-ID: I had sworn that I had faithfully followed the firewall configs, but this was it; thanks! Off to tcpdump to see which port I missed. Kelvin On 12-02-16 10:21 PM, "Brian Topping" wrote: > Firewall issue? Maybe do a tcpdump on one of the machines while trying this? > > On Feb 16, 2012, at 10:10 PM, Kelvin Edmison wrote: > >> Hi all, >> >> I am trying to roll out ipa as our central authentication system, and am >> running into problems with password changes on CentOS 5. >> >> Scenario: >> Admin user resets a user's password. >> The user, on a non-IPA-managed system, logs into a CentOS 5 server >> (IPA-managed) via ssh. The temporary password is accepted and the user is >> immediately prompted to change the password, but the password change fails >> with the message 'System is offline, password change not possible'. >> >> $ ssh kelvin at testhost >> kelvin at testhost's password: >> Warning: Your password will expire in less than one hour. >> Password expired. Change your password now. >> Last login: Thu Feb 16 21:54:59 2012 from vpn >> WARNING: Your password has expired. >> You must change your password now and login again! >> Changing password for user kelvin. >> Current Password: >> New UNIX password: >> Retype new UNIX password: >> System is offline, password change not possible >> Warning: Your password will expire in less than one hour. >> Warning: Your password will expire in less than one hour. >> passwd: Authentication token manipulation error >> Connection to testhost closed. 
>>
>> What am I missing? Can someone please help me get this working?
>>
>> Thanks,
>> Kelvin
>

From kelvin at kindsight.net Fri Feb 17 04:23:38 2012 From: kelvin at kindsight.net (Kelvin Edmison) Date: Thu, 16 Feb 2012 23:23:38 -0500 Subject: [Freeipa-users] user unable to change password after admin resets pw In-Reply-To: Message-ID:

It turns out I had missed the UDP ports for kerberos (88) and kpasswd (464) in the firewall configuration.

I had the TCP ports open, just not the UDP ones. I missed the fine print that said these two ports had to be open via both TCP and UDP. I think this constitutes a vote of support for https://fedorahosted.org/freeipa/ticket/2110 :)

While on the topic of firewall configuration, why are the list of ports different in bug 2110 versus the Red Hat IPA documentation http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Preparing_for_an_IPA_Installation.html ?

Bug 2110 appears to skip all the dogtag ports, even though the RedHat IPA document says that they 'cannot be in use by another service or blocked by a firewall'.

Cheers,
Kelvin

On 12-02-16 10:52 PM, "Kelvin Edmison" wrote:
> I had sworn that I had faithfully followed the firewall configs, but this
> was it; thanks! Off to tcpdump to see which port I missed.
>
> Kelvin
>
>
> On 12-02-16 10:21 PM, "Brian Topping" wrote:
>
>> Firewall issue? Maybe do a tcpdump on one of the machines while trying this?
>>
>> On Feb 16, 2012, at 10:10 PM, Kelvin Edmison wrote:
>>
>>> Hi all,
>>>
>>> I am trying to roll out ipa as our central authentication system, and am
>>> running into problems with password changes on CentOS 5.
>>>
>>> Scenario:
>>> Admin user resets a user's password.
>>> The user, on a non-IPA-managed system, logs into a CentOS 5 server
>>> (IPA-managed) via ssh.
The temporary password is accepted and the user is >>> immediately prompted to change the password, but the password change fails >>> with the message 'System is offline, password change not possible'. >>> >>> $ ssh kelvin at testhost >>> kelvin at testhost's password: >>> Warning: Your password will expire in less than one hour. >>> Password expired. Change your password now. >>> Last login: Thu Feb 16 21:54:59 2012 from vpn >>> WARNING: Your password has expired. >>> You must change your password now and login again! >>> Changing password for user kelvin. >>> Current Password: >>> New UNIX password: >>> Retype new UNIX password: >>> System is offline, password change not possible >>> Warning: Your password will expire in less than one hour. >>> Warning: Your password will expire in less than one hour. >>> passwd: Authentication token manipulation error >>> Connection to testhost closed. >>> >>> What am I missing? Can someone please help me get this working? >>> >>> Thanks, >>> Kelvin >>> >> > From vlamsdoem at gmail.com Fri Feb 17 09:02:17 2012 From: vlamsdoem at gmail.com (Vincent Zakofski) Date: Fri, 17 Feb 2012 10:02:17 +0100 Subject: [Freeipa-users] custom LDAP schemas In-Reply-To: <1329428005.2392.82.camel@willson.li.ssimo.org> References: <1329428005.2392.82.camel@willson.li.ssimo.org> Message-ID: 2012/2/16 Simo Sorce > On Thu, 2012-02-16 at 13:34 +0100, Vincent Zakofski wrote: > > Hi all, > > > > I'm very interested by migrating my openLDAP servers to freeIPA, the > > only problem is that I have some custom LDAP schemas in my present > > configuration. > > Is there a way to add some custom LDAP schemas to ipa-server?
> > If it's possible, where can I find some documentation about adding > > those custom schemas. > > You can read up about how to extend the Directory schema here: > > http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Extending_the_Directory_Schema.html > > If you are planning on extending objects that are managed by FreeIPA as > opposed to just add new objects in a custom subtree, you may need to > change the way the UI manages these objects by telling it what mandatory > attributes you need to add. > > We do not have a clearly documented procedure for this yet I think, but > it is not too difficult to do. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > Ok I will read the documentation. Thanks,

From rcritten at redhat.com Fri Feb 17 14:48:24 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Feb 2012 09:48:24 -0500 Subject: [Freeipa-users] user unable to change password after admin resets pw In-Reply-To: References: Message-ID: <4F3E68B8.1050100@redhat.com>

Kelvin Edmison wrote:
> It turns out I had missed the UDP ports for kerberos (88) and kpasswd (464)
> in the firewall configuration.
>
> I had the TCP ports open, just not the UDP ones. I missed the fine print
> that said these two ports had to be open via both TCP and UDP. I think this
> constitutes a vote of support for
> https://fedorahosted.org/freeipa/ticket/2110 :)
>
> While on the topic of firewall configuration, why are the list of ports
> different in bug 2110 versus the Red Hat IPA documentation
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Preparing_for_an_IPA_Installation.html ?
>
> Bug 2110 appears to skip all the dogtag ports, even though the RedHat IPA
> document says that they 'cannot be in use by another service or blocked by a
> firewall'.
dogtag is now proxied behind the Apache web server so ports 9xxx no longer need to be open. I'll get the docs updated.

rob

From rcritten at redhat.com Fri Feb 17 17:21:45 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Feb 2012 12:21:45 -0500 Subject: [Freeipa-users] Announcing FreeIPA v2.1.90 Alpha 2 Release Message-ID: <4F3E8CA9.5080100@redhat.com>

The FreeIPA team is proud to announce version 2.1.90 alpha 2. Alpha 1 was an internal-only release. This will eventually become FreeIPA v2.2.0.

It can be downloaded from http://www.freeipa.org/Downloads or from our development repo (http://freeipa.org/downloads/freeipa-devel.repo). Fedora 15, 16 and 17 builds are available.

For Fedora 17 users the required version of 389-ds-base has not been pushed to updates-testing yet. You can retrieve it manually from http://koji.fedoraproject.org/koji/buildinfo?buildID=299543 or download the packages with:

# koji download-build 299543

== Highlights in 2.1.90 alpha 2 ==

* A new KDC LDAP backend, ipa-kdb. This simplifies our set up code and will be a big piece of future MS PAC support. It also removes the need for the separate ipa_kpasswd daemon, kadmind is used instead.
* Support for storing SSH user and host public keys.
* SELinux user map rules. These let you set the SELinux context for users in an HBAC rule.
* Improved DNS UI and command-line with vastly improved argument handling.
* UI screens for Automember were added.
* Session support in the Web UI. This removes the need to do Kerberos negotiation with every request significantly improving Web UI performance.
* Support for S4U2Proxy. This is a Kerberos feature which allows a delegated service (HTTP in our case) to request a ticket (ldap) on a user's behalf. We no longer require the TGT to be delegated to the server. A delegatable TGT is still required.
* Improved command-line performance. It is approximately 50% faster.
* MAC address has been added to hosts.
== Upgrading == We tested upgrades from 2.1.4 successfully but this is alpha code. We do not recommend upgrading a production server. Installing updated rpms is all that is required to upgrade from 2.1.4. It is unlikely that downgrading to a previous release once 2.1.90 is installed will work. == Feedback == Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel == Detailed Changelog since 2.1.4 == Adam Young (4): * remove enrolled column * Add priority to pwpolicy list * Remove delegation from browser config * ignore generated services file. Alexander Bokovoy (14): * Re-enable web password migration on Fedora 16 after SE Linux policy restrictions * Check for Python.h during build of py_default_encoding extension * Add configure check for libintl.h * Create directories for client install * Add "Extending FreeIPA" developer guide * Small fix to the guide CSS: enable vertical scroll bar * Rename included snippets to avoid problems with pylint * Fix dependency for samba4-devel package * Check through all LDAP servers in the domain during IPA discovery * Validate sudo RunAsUser/RunAsGroup arguments * Allow hbactest to work with HBAC rules exceeding default IPA limits * Add management of inifiles to allow manipulation of systemd units * Handle upgrade issues with systemd in Fedora 16 and above * Adopt to python-ldap 2.4.6 by removing unused references which are not available in python-ldap anymore Endi S. Dewata (60): * Updated DNS zone details page. * Replaced description text fields with text areas. * Use editable combobox for service type. * Added confirmation when adding multiple entries. * Added selectable labels for radio buttons. * Fixed dependency problem in UI test. * Fixed inconsistent required/optional attributes. * Fixed host Enrolled column. * Fixed problem clearing validation error on checkboxes. * Fixed "enroll" labels. * Merged widget's metadata and param_info. 
* Refactored validation code. * Fixed inconsistent image names. * Fixed inconsistent details facet validation. * Added password field in user adder dialog. * Fixed blank krbtpolicy and config pages. * Moved facet code into facet.js. * Added extensible UI framework. * Fixed problem changing page in association facet. * Updated sample data. * Added paging on search facet. * Refactored permission target section. * Removed develop.js. * Added commands into metadata. * Removed HBAC rule type. * Removed HBAC deny rule warning. * Refactored entity object resolution. * Fixed ipa.js for sessions. * Fixed entity definition in test cases. * Added support for radio buttons in table widget. * Fixed entity metadata resolution. * Refactored facet.load(). * Added HBAC Test page. * Fixed navigation buttons for HBAC Test. * Fixed search filter in HBAC Test. * Added external fields for HBAC Test. * Fixed CSS for HBAC Test * Fixed I18n labels for HBAC Test * Fixed matched/unmatched checkboxes in HBAC Test * Added HBAC Test input validation. * Fixed problem loading DNS records. * Fixed unmatched checkbox name. * Fixed combobox icon position. * Fixed combobox search icon position. * Reload UI when the user changes. * Reload UI on server upgrade. * Added account status into user search facet. * Added policies into user details page. * Load user data and policies in a single batch. * Added instructions to generate CSR. * Fixed problem removing automount keys and DNS records. * Enabled paging on self-service permissions and delegations. * Enabled paging on automount keys. * Show disabled entries in gray. * Fixed inconsistent status labels. * Fixed host managed-by adder dialog. * Added icons for status column. * Hide Add/Delete buttons in self-service mode. * Use fixed font when displaying certificate. * Show password expiration date. 
JR Aquino (1):
* Replication: Adjust replica installation to omit processing memberof computations

Jan Cholasta (15):
* Finalize plugin initialization on demand.
* Don't leak passwords through kdb5_ldap_util command line arguments.
* Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the "csv" option to True.
* Fix make-lint crash under certain circumstances.
* Fix attempted write to attribute of read-only object.
* Add LDAP schema for SSH public keys.
* Add LDAP ACIs for SSH public key schema.
* Add support for SSH public keys to user and host objects.
* Add API initialization to ipa-client-install.
* Move the nsupdate functionality to separate function in ipa-client-install.
* Update host SSH public keys on the server during client install.
* Configure ssh and sshd during ipa-client-install.
* Base64-decode unicode values in Bytes parameters.
* Add SSH service to platform-specific services.
* Move the compat module from ipalib to ipapython.
John Dennis (10):
* If "make rpms" fails so will the next make
* Remove old RPMROOT contents before it is used for rpmbuild
* update i18n pot file for branch ipa-2-1
* Add log manager module
* modify codebase to utilize IPALogManager, obsoletes logging
* IPAdmin undefined anonymous parameter lists
* subclass SimpleLDAPObject
* Restore default log level in server to INFO
* Add ipa_memcached service
* add session manager and cache krb auth

Marko Myllynen (1):
* include for uintptr_t

Martin Kosek (52):
* Add connection failure recovery to IPAdmin
* Make sure that install tools log
* Add --zonemgr/--admin-mail validator
* Create pkey-only option for find commands
* Allow custom server backend encoding
* Fix DNS zone --allow-dynupdate option behavior
* Improve DNS record data validation
* Polish ipa config help
* Hosts file not updated when IP is passed as option
* Fix API.txt
* Fix LDAP object parameter encoding
* Remove redundant information from API.txt
* Fix coverity issues in client CLI tools
* Make ipa-server-install clean after itself
* Add --delattr option to complement --setattr/--addattr
* Improve zonemgr validator and normalizer
* Change default DNS zone manager to hostmaster
* Fix config migration option
* Ask for user confirmation in ipa-server-install
* Add DNS check to conncheck port probe
* Refactor dnsrecord processing
* Fix Parameter csv parsing
* Improve CLI output for complex commands
* Create per-type DNS API
* Fix maxvalue in DNS plugin
* Fix LDAP add calls in replication module
* Prevent service restart failures in ipa-replica-install
* Fix LDAP updates in ipa-replica-install
* Let replicas install without DNS
* Restore ACI when aci_mod fails
* Add missing --pkey-only option for selfservice and delegation
* Replace float with Decimal
* Improve host-add error message
* Fix ipa-server-install for dual NICs
* Fix selfservice-find crashes
* Mark optional DNS record parts
* Fix ldap2 combine_filters for ldap2.MATCH_NONE
* Add missing managing hosts filtering options
* Improve netgroup-add error messages
* Fix TXT record parsing
* Fix NSEC record conversion
* Add SRV record target validator
* Add data field for A6 record
* Improve dnszone-add error message
* Improve migration help
* Fix raw format for ACI commands
* Improve password change error message
* Remove debug messages
* Add argument help to CLI
* Return proper DN in netgroup-add
* Remove unused options from ipa-managed-entries
* Add Petr Viktorín to Contributors.txt

Ondrej Hamada (9):
* Misleading Keytab field
* Sort password policy by priority
* Client install checks for nss_ldap
* User-add random password support
* HBAC test optional sourcehost option
* localhost.localdomain clients refused to join
* Leave nsds5replicaupdateschedule parameter unset
* Fix 'no-reverse' option description
* Memberof attribute control and update

Petr Viktorin (5):
* Switch --group and --membergroup in example for delegation
* Fix/add options in ipa-managed-entries man page
* Honor default home directory and login shell in user_add
* Clean up i18n strings
* Internationalization for HBAC and ipalib.output

Petr Vobornák (55):
* Circular entity dependency
* Fixed: Duplicate CSS definitions
* Fixing infinite loop in UI navigation unit test.
* Minor visual enhancement of required indicator
* Page is cleared before it is visible
* Field for DNS SOA class changed to combobox with options
* Extending facet's mechanism of gathering changes
* Added cross browser support of Array.indexOf method
* Splitting widget into widget and field
* Splitting basic widgets into visual widgets and fields
* Improved fields dirty status detection logic
* Builders and collections for fields and widgets
* Removing sections as special type of object
* Added possibility to define facet/dialog specific policies
* Modifying users to work with new concept
* Modifying hosts to work with new concept
* Modifying dns to work with new concept
* Modifying services to work with new concept
* Separation of writable update from field load method
* Modifying ACI to work with new concept
* Modifying groups to work with new concept
* Code cleanup of HBAC, Sudo rules
* Changing definition of basic fields in section from factory to type
* Modifying automount to work with new concept
* Fixed unit tests after widget refactoring
* Removed usage of bitwise assignment operators in logical operations
* Search facets show translated boolean values
* Better displaying of long names in tables and facet headers
* Additional better displaying of long names
* Reordered facets in ACI
* Association facets are read only in self service
* Added facet tabs coloring
* Fixed displaying of external records in rule association widgets
* Distinguishing of external values in association tables
* Better table column width computing
* Fixed labels in Sudo, HBAC rules
* Parsing of IPv4 and IPv6 addresses
* Added support of custom field validators
* Added validation logic to multivalued text field
* Added client-side validation of A and AAAA DNS records
* Fixed IPv6 validation special case: single colon
* Added support for memberof attribute in permission
* Added IP address validator to Host and DNS record adder dialog
* Fixed entity link disabling
* UI for SELinux user mapping
* Added refresh button for UI
* Modifying DNS UI to benefit from new DNS API
* Added paging to DNS record search facet
* Navigation and redirection to various facets
* Automember UI
* Automember UI - default groups
* Automember UI - Fixed I18n labels
* Removed question marks from field labels
* UI support for ssh keys
* Redirection to PTR records from A,AAAA records

Rob Crittenden (54):
* Use absolute paths when trying to find certmonger request id.
* Reorder privileges so that memberof for permissions are generated properly.
* Fix some pylint issues found in F-16
* Fix two typos in role help.
* Move ONLY_CLIENT in spec so services.py always gets generated in %install
* Remove calls to has_managed_entries()
* Fix copy/paste error in parameter description.
* Add Ondrej Hamada to Contributors.txt
* Don't check for 389-instances.
* Clarify usage of --posix argument in group plugin.
* Add plugin framework to LDAP updates.
* Fix some issues introduced when rebasing update patch
* Mark some attributes required to match the schema.
* Add SELinux user mapping framework.
* Display the value of memberOf ACIs in permission plugin.
* Set minimum version of 389-ds to 1.2.10-0.5.a5
* Fix typos in in 60basev3.ldif
* Remove include for errno.h that was specific to 2.1 branch
* Remove ipa_get_random_salt() from ipapwd_encoding.c
* update i18n pot file for branch ipa-2-2
* Remove buffer log handling.
* Configure s4u2proxy during installation.
* Document the ping plugin.
* Catch exception when trying to list missing managed entries definitions
* Fix some typos in automember help and paramters.
* Add labels so HBAC and Sudo rules show under hosts/hostgroups.
* Use correct template variable for hosts, FQDN.
* In sudo when the category is all do not allow members, and vice versa.
* Update and package ipa-upgradeconfig man page.
* Fix deletion of HBAC Rules when there are SELinux user maps defined
* Add support for storing MAC address in host entries.
* Don't try to bind on TLS failure
* Check for the existence of a replication agreement before deleting it.
* %ghost the UI files that we install/create on the fly
* Make submount automount maps work.
* Require minimum SSF 56, confidentially. Also ensure minssf <= maxssf.
* Consolidate external member code into two functions in baseldap.py
* Make ipaconfigstring modifiable by users.
* Don't use sets when calculating the modlist so order is preserved.
* Add update files for SELinuxUserMap
* Add update file for new schema in v2.2/3.0
* Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.conf
* Don't set delegation flag in client, we're using S4U2Proxy now
* Update S4U2proxy delegation list when creating replicas
* Correct update syntax in 30-s4u2proxy.update
* Remove Apache ccache on upgrade.
* Add S4U2Proxy delegation permissions on upgrades
* Disable false pylint error in freeipa-systemd-upgrade
* Enable ipa_memcached when upgrading
* Configure ipa_memcached when a replica is installed.
* Use FQDN in place of FQHN for consistency in sub_dict.
* Set min for 389-ds-base to 1.2.10.1-1 to fix install segfault, schema replication.
Simo Sorce (77):
* Fix build warnings
* ipa-pwd_extop: use endian.h instead of nih function
* krbinstance: use helper function to get realm suffix
* ipa-pwd-extop: Remove unused variables and code to set them
* ipa-pwd-extop: do not append mkvno to krbExtraData
* ipa-pwd-extop: Use the proper mkvno number in keys
* ipa-pwd-extop: re-indent code using old style
* ipa-pwd-extop: Use common krb5 structs from kdb.h
* ipa-pwd-extop: Move encryption of keys in common
* ipa-pwd-extop: Move encoding in common too
* ipa-pwd-extop: make encsalt parsing function common
* ipa-kdb: Initial plugin skeleton
* ipa-kdb: add exports file
* ipa-kdb: initialize module functions
* ipa-kdb: implement get_time function
* ipa-kdb: add common utility ldap wrapper functions
* ipa-kdb: functions to get principal
* ipa-kdb: add function to free principals
* ipa-kdb: add functions to delete principals
* ipa-kdb: add function to iterate over principals
* ipa-kdb: add functions to change principals
* ipa-kdb: Get/Store Master Key directly from LDAP
* ipa-kdb: implement function to retrieve password policies
* ipa-kdb: implement change_pwd function
* util: add password policy manipulation functions
* ipa-pwd-extop: Use common password policy code
* ipa-kdb: add password policy support
* ipa-pwd-extop: Allow kadmin to set krb keys
* ipa-kdb: Change install to use the new ipa-kdb kdc backend
* install: Remove uid=kdc user
* ipa-kdb: Be flexible
* install: Use proper case for boolean values
* daemons: Remove ipa_kpasswd
* schema: Split ipadns definitions from basev2 ones
* v3-schema: Add new ipaExternalGroup objectclass
* install: We do not need a ldap password anymore
* install: We do not need a kpasswd keytab anymore
* ipa-kdb: Properly set password expiration time.
* conncheck: Additional check to verify the admin password is ok
* ipa-kdb: Fix expiration time calculation
* ipa-kdb: Fix legacy password hashes generation
* ipa-kdb: Fix memory leak
* Fix CID 10742: Unchecked return value
* Fix CID 10743: Unchecked return value
* Fix CID 10745: Unchecked return value
* Fix CID 11019: Resource leak
* Fix CID 11020: Resource leak
* Fix CID 11021: Resource leak
* Fix CID 11022: Resource leak
* Fix CID 11023: Resource leak
* Fix CID 11024: Resource leak
* Fix CID 11025: Resource leak
* Fix CID 11026: Resource leak
* Fix CID 11027: Wrong sizeof argument
* Add support for generating PAC for AS requests for user principals
* MS-PAC: Add support for verifying PAC in TGS requests
* Modify random salt creation for interoperability
* Amend #2038 fix
* Add missing copyright header
* ipa-kdb: Support re-signing PAC with different checksum
* spec: We do not need krb5-server-ldap anymore
* ipa-kdb: fix free() of uninitialized var
* ipa-kdb: Remove unused CFLAGS/LIBS from Makefiles
* ipa-kdb: fix memleaks in ipa_kdb_mspac.c
* ipa-kdb: Fix copy and paste typo
* ipa-kdb: enhance deref searches
* ipa-kdb: Add delgation access control support
* ipa-kdb: return properly when no PAC is available
* ipa-kdb: Verify the correct checksum in PAC validation
* ipa-kdb: Create PAC's KDC checksum with right key
* Disable MS-PAC handling in 2.2
* Fix replication setup
* slapi-plugins: use thread-safe ldap library
* ipa-kdb: add AS auditing support
* ipa-kdb: Avoid lookup on modify if possible
* ipa-kdb: set krblastpwdchange only when keys have been effectively changed

From dpal at redhat.com  Sat Feb 18 21:31:10 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 18 Feb 2012 16:31:10 -0500
Subject: [Freeipa-users] custom LDAP schemas
In-Reply-To:
References: <1329428005.2392.82.camel@willson.li.ssimo.org>
Message-ID: <4F40189E.8020202@redhat.com>

On 02/17/2012 04:02 AM, Vincent Zakofski wrote:
>
>
> 2012/2/16 Simo Sorce
>
>
> On Thu, 2012-02-16 at 13:34 +0100, Vincent Zakofski wrote:
> > Hi all,
> >
> > I'm very interested in migrating my openLDAP servers to freeIPA, the only problem is that I have some custom LDAP schemas in my present configuration.
> > Is there a way to add some custom LDAP schemas to ipa-server?
> > If it's possible, where can I find some documentation about adding those custom schemas.
>
> You can read up about how to extend the Directory schema here:
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Extending_the_Directory_Schema.html
>
> If you are planning on extending objects that are managed by FreeIPA as opposed to just adding new objects in a custom subtree, you may need to change the way the UI manages these objects by telling it what mandatory attributes you need to add.
>
> We do not have a clearly documented procedure for this yet I think, but it is not too difficult to do.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> Ok I will read the documentation.
>
Attached document is the guide to extending the existing objects with the new schema and adding handling to those attributes via UI and CLI. It is an untested procedure as no one to the best of our knowledge followed the described recommendations. So be aware - there will be dragons.
>
> Thanks,
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-extensibility.pdf
Type: application/pdf
Size: 355019 bytes
Desc: not available
URL:

From marco.pizzoli at gmail.com  Sun Feb 19 16:23:19 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Sun, 19 Feb 2012 17:23:19 +0100
Subject: [Freeipa-users] automatic dns update failing
Message-ID:

Hi,
During my setup today I'm always failing in enrolling clients with automatic dns updates.
I'm playing with FreeIPA 2.1.90, but I guess this is a general problem, not strictly due to the alpha version.

I'm doing a "ipa-client-install --enable-dns-updates" and at the console I see:
Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)

I see in server logs that named refuses it:
Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558: update 'internet.unix.mydomain.it/IN' denied
Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809: update 'internet.unix.mydomain.it/IN' denied

What is the cause? What other information do you need about my deployment?

Thanks in advance as usual
Marco
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From simo at redhat.com  Sun Feb 19 19:47:43 2012
From: simo at redhat.com (Simo Sorce)
Date: Sun, 19 Feb 2012 14:47:43 -0500
Subject: [Freeipa-users] automatic dns update failing
In-Reply-To:
References:
Message-ID: <1329680863.18690.19.camel@willson.li.ssimo.org>

On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> Hi,
> During my setup today I'm always failing in enrolling clients with automatic dns updates.
> I'm playing with FreeIPA 2.1.90, but I guess this is a general problem, not strictly due to the alpha version.
>
> I'm doing a "ipa-client-install --enable-dns-updates" and at the console I see:
> Failed to update DNS A record.
> (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
>
> I see in server logs that named refuses it:
> Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558: update 'internet.unix.mydomain.it/IN' denied
> Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809: update 'internet.unix.mydomain.it/IN' denied
>
> What is the cause? What other information do you need about my deployment?

Did you install freeipa with the --setup-dns option?
And does your client use the freeipa dns server in that case?

If either answer is no, it is normal to see the update fail as a non freeipa dns server wouldn't be able to accept the update (unless you manually configured the external server to handle GSS-TSIG updates).

If both answers are yes then we may need to activate debug logging in named, as it is supposed to work.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From marco.pizzoli at gmail.com  Sun Feb 19 20:36:08 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Sun, 19 Feb 2012 21:36:08 +0100
Subject: [Freeipa-users] automatic dns update failing
In-Reply-To: <1329680863.18690.19.camel@willson.li.ssimo.org>
References: <1329680863.18690.19.camel@willson.li.ssimo.org>
Message-ID:

On Sun, Feb 19, 2012 at 8:47 PM, Simo Sorce wrote:
> On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > Hi,
> > During my setup today I'm always failing in enrolling clients with automatic dns updates.
> > I'm playing with FreeIPA 2.1.90, but I guess this is a general problem, not strictly due to the alpha version.
> >
> > I'm doing a "ipa-client-install --enable-dns-updates" and at the console I see:
> > Failed to update DNS A record.
> > (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> >
> > I see in server logs that named refuses it:
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558: update 'internet.unix.mydomain.it/IN' denied
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809: update 'internet.unix.mydomain.it/IN' denied
> >
> > What is the cause? What other information do you need about my deployment?
>
> Did you install freeipa with the --setup-dns option?
> And does your client use the freeipa dns server in that case?
>
> If either answer is no, it is normal to see the update fail as a non freeipa dns server wouldn't be able to accept the update (unless you manually configured the external server to handle GSS-TSIG updates).
>
> If both answers are yes then we may need to activate debug logging in named, as it is supposed to work.
>

Yes to both.
Please let me know the best way to do it and I will follow it.

-----------
I already found a bug with the web ui. I'll send another mail in a few minutes.

>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mkosek at redhat.com  Mon Feb 20 08:46:34 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 20 Feb 2012 09:46:34 +0100
Subject: [Freeipa-users] automatic dns update failing
In-Reply-To:
References:
Message-ID: <1329727594.2810.9.camel@balmora.brq.redhat.com>

On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> Hi,
> During my setup today I'm always failing in enrolling clients with automatic dns updates.
> I'm playing with FreeIPA 2.1.90, but I guess this is a general problem, not strictly due to the alpha version.
>
> I'm doing a "ipa-client-install --enable-dns-updates" and at the console I see:
> Failed to update DNS A record.
> (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
>
> I see in server logs that named refuses it:
> Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558: update 'internet.unix.mydomain.it/IN' denied
> Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809: update 'internet.unix.mydomain.it/IN' denied
>
> What is the cause? What other information do you need about my deployment?
>
> Thanks in advance as usual
> Marco

Hello Marco,

please check the settings of the zone you are trying to add clients to. GSS-TSIG updates are not enabled by default for new zones; it may be your case.

This is an entry for my zone 'example.com' where dynamic updates are enabled:

# ipa dnszone-show example.com --all
  dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Zone name: example.com
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 2012200201
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
> BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
  Active zone: TRUE
> Dynamic update: TRUE
  nsrecord: ns.example.com.
  objectclass: top, idnsrecord, idnszone

I have marked the important attributes with ">". I would also make sure that the zone is properly loaded in bind-dyndb-ldap plugin (you can for example try to retrieve its SOA record with dig).
HTH,
Martin

From marco.pizzoli at gmail.com  Mon Feb 20 16:08:29 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Mon, 20 Feb 2012 17:08:29 +0100
Subject: [Freeipa-users] automatic dns update failing
In-Reply-To: <1329727594.2810.9.camel@balmora.brq.redhat.com>
References: <1329727594.2810.9.camel@balmora.brq.redhat.com>
Message-ID:

On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek wrote:
> On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > Hi,
> > During my setup today I'm always failing in enrolling clients with automatic dns updates.
> > I'm playing with FreeIPA 2.1.90, but I guess this is a general problem, not strictly due to the alpha version.
> >
> > I'm doing a "ipa-client-install --enable-dns-updates" and at the console I see:
> > Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> >
> > I see in server logs that named refuses it:
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558: update 'internet.unix.mydomain.it/IN' denied
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809: update 'internet.unix.mydomain.it/IN' denied
> >
> > What is the cause? What other information do you need about my deployment?
> >
> > Thanks in advance as usual
> > Marco
>
> Hello Marco,
>
> please check the settings of the zone you are trying to add clients to. GSS-TSIG updates are not enabled by default for new zones; it may be your case.
>
> This is an entry for my zone 'example.com' where dynamic updates are enabled:
>
> # ipa dnszone-show example.com --all
>   dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>   Zone name: example.com
>   Authoritative nameserver: ns.example.com.
>   Administrator e-mail address: hostmaster.example.com.
>   SOA serial: 2012200201
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
> > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
>   Active zone: TRUE
> > Dynamic update: TRUE
>   nsrecord: ns.example.com.
>   objectclass: top, idnsrecord, idnszone
>
> I have marked the important attributes with ">". I would also make sure that the zone is properly loaded in bind-dyndb-ldap plugin (you can for example try to retrieve its SOA record with dig).
>

Hi Martin,
yes this is the case:

[root@freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
  dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
  Zone name: internet.unix.mydomain.it
  Authoritative nameserver: freeipa01.unix.mydomain.it.
  Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
  SOA serial: 2012180201
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE
  nsrecord: freeipa01.unix.mydomain.it.
  objectclass: top, idnsrecord, idnszone

So, could you tell me what I should do to have my (new) zone eventually updated?
A link to a doc page would suffice.

Thanks a lot
Marco
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pspacek at redhat.com  Mon Feb 20 21:06:21 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 20 Feb 2012 22:06:21 +0100
Subject: [Freeipa-users] automatic dns update failing
In-Reply-To:
References: <1329727594.2810.9.camel@balmora.brq.redhat.com>
Message-ID: <4F42B5CD.6010307@redhat.com>

On 02/20/2012 05:08 PM, Marco Pizzoli wrote:
> On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek wrote:
>
> On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > Hi,
> > During my setup today I'm always failing in enrolling clients with automatic dns updates.
> > I'm playing with FreeIPA 2.1.90, but I guess this is a general problem, not strictly due to the alpha version.
> >
> > I'm doing a "ipa-client-install --enable-dns-updates" and at the console I see:
> > Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> >
> > I see in server logs that named refuses it:
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558: update 'internet.unix.mydomain.it/IN' denied
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809: update 'internet.unix.mydomain.it/IN' denied
> >
> > What is the cause? What other information do you need about my deployment?
> >
> > Thanks in advance as usual
> > Marco
>
> Hello Marco,
>
> please check the settings of the zone you are trying to add clients to. GSS-TSIG updates are not enabled by default for new zones; it may be your case.
>
> This is an entry for my zone 'example.com' where dynamic updates are enabled:
>
> # ipa dnszone-show example.com --all
>   dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>   Zone name: example.com
>   Authoritative nameserver: ns.example.com.
>   Administrator e-mail address: hostmaster.example.com.
>   SOA serial: 2012200201
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
> > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
>   Active zone: TRUE
> > Dynamic update: TRUE
>   nsrecord: ns.example.com.
>   objectclass: top, idnsrecord, idnszone
>
> I have marked the important attributes with ">". I would also make sure that the zone is properly loaded in bind-dyndb-ldap plugin (you can for example try to retrieve its SOA record with dig).
>
>
> Hi Martin,
> yes this is the case:
>
> [root@freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
>   dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
>   Zone name: internet.unix.mydomain.it
>   Authoritative nameserver: freeipa01.unix.mydomain.it.
>   Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
>   SOA serial: 2012180201
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   Active zone: TRUE
>   Dynamic update: FALSE
>   nsrecord: freeipa01.unix.mydomain.it.
>   objectclass: top, idnsrecord, idnszone
>
> So, could you tell me what I should do to have my (new) zone eventually updated?
> A link to a doc page would suffice.
>
> Thanks a lot
> Marco

Hello Marco,

I think the important part of configuration is:

On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> [root@freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it
> Dynamic update: FALSE

Please try to enable dynamic update for this zone and then retry ipa-client-install.

Dynamic update setting can be changed with command:

ipa dnszone-mod internet.unix.mydomain.it --addattr=idnsAllowDynUpdate=TRUE

This command in the current alpha doesn't work for me, so please create/modify the idnsAllowDynUpdate attribute for the zone in LDAP manually. Value has to be TRUE with capital letters.

Documentation about DNS-in-LDAP can be found in /usr/share/doc/bind-dyndb-ldap-1.1.0/README.

You can allow dynamic updates generally in /etc/named.conf or per-zone through idnsAllowDynUpdate in LDAP, see README.

After altering named.conf it is necessary to reload bind via 'rndc reload'; changes in LDAP are reflected immediately.
If the problem persists, try to set the zone's idnsUpdatePolicy to 'grant * wildcard *;' (relaxes/disables various access policy checks).

Best regards,

--
Petr Spacek

From jhrozek at redhat.com  Mon Feb 20 21:27:57 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 20 Feb 2012 22:27:57 +0100
Subject: [Freeipa-users] automatic dns update failing
In-Reply-To: <4F42B5CD.6010307@redhat.com>
References: <1329727594.2810.9.camel@balmora.brq.redhat.com> <4F42B5CD.6010307@redhat.com>
Message-ID: <20120220212757.GA8113@hendrix.redhat.com>

On Mon, Feb 20, 2012 at 10:06:21PM +0100, Petr Spacek wrote:
> On 02/20/2012 05:08 PM, Marco Pizzoli wrote:
> > On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek wrote:
> >
> > On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > > Hi,
> > > During my setup today I'm always failing in enrolling clients with automatic dns updates.
> > > I'm playing with FreeIPA 2.1.90, but I guess this is a general problem, not strictly due to the alpha version.
> > >
> > > I'm doing a "ipa-client-install --enable-dns-updates" and at the console I see:
> > > Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> > >
> > > I see in server logs that named refuses it:
> > > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558: update 'internet.unix.mydomain.it/IN' denied
> > > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809: update 'internet.unix.mydomain.it/IN' denied
> > >
> > > What is the cause? What other information do you need about my deployment?
> > >
> > > Thanks in advance as usual
> > > Marco
> >
> > Hello Marco,
> >
> > please check the settings of the zone you are trying to add clients to. GSS-TSIG updates are not enabled by default for new zones; it may be your case.
> >
> > This is an entry for my zone 'example.com' where dynamic updates are enabled:
> >
> > # ipa dnszone-show example.com --all
> >   dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >   Zone name: example.com
> >   Authoritative nameserver: ns.example.com.
> >   Administrator e-mail address: hostmaster.example.com.
> >   SOA serial: 2012200201
> >   SOA refresh: 3600
> >   SOA retry: 900
> >   SOA expire: 1209600
> >   SOA minimum: 3600
> > > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
> >   Active zone: TRUE
> > > Dynamic update: TRUE
> >   nsrecord: ns.example.com.
> >   objectclass: top, idnsrecord, idnszone
> >
> > I have marked the important attributes with ">". I would also make sure that the zone is properly loaded in bind-dyndb-ldap plugin (you can for example try to retrieve its SOA record with dig).
> >
> >
> > Hi Martin,
> > yes this is the case:
> >
> > [root@freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
> >   dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
> >   Zone name: internet.unix.mydomain.it
> >   Authoritative nameserver: freeipa01.unix.mydomain.it.
> >   Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
> >   SOA serial: 2012180201
> >   SOA refresh: 3600
> >   SOA retry: 900
> >   SOA expire: 1209600
> >   SOA minimum: 3600
> >   Active zone: TRUE
> >   Dynamic update: FALSE
> >   nsrecord: freeipa01.unix.mydomain.it.
> >   objectclass: top, idnsrecord, idnszone
> >
> > So, could you tell me what I should do to have my (new) zone eventually updated?
> > A link to a doc page would suffice.
> >
> >Thanks a lot
> >Marco
>
> Hello Marco,
>
> I think the important part of configuration is:
>
> On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > [root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it
> > Dynamic update: FALSE
>
> Please try to enable dynamic update for this zone and then retry ipa-client-install
>
> Dynamic update setting can be changed with command:
>
> ipa dnszone-mod internet.unix.mydomain.it --addattr=idnsAllowDynUpdate=TRUE
>
> This command in current alpha doesn't work for me, so please create/modify idnsAllowDynUpdate attribute for zone in LDAP manually. Value has to be TRUE with capital letters.
>
> Documentation about DNS-in-LDAP can be found in /usr/share/doc/bind-dyndb-ldap-1.1.0/README .
>
> You can allow dynamic updates generally in /etc/named.conf or per-zone through idnsAllowDynUpdate in LDAP, see README.
>
> After altering named.conf it is necessary to reload bind via 'rndc reload', changes in LDAP are reflected immediately.
>
> If problem persists, try to set zone's idnsUpdatePolicy to 'grant * wildcard *;' (relaxes/disables various access policy checks)
>

You can also enable logging by putting this snippet into your named.conf:

----
logging {
    channel ldap {
        file "data/ldap.log";
        severity debug 9;
    };
    category database { ldap; };
};
----

And restarting named.
The logs should then be written to /var/named/data/ldap.log From mkosek at redhat.com Tue Feb 21 07:37:44 2012 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 21 Feb 2012 08:37:44 +0100 Subject: [Freeipa-users] automatic dns update failing In-Reply-To: References: <1329727594.2810.9.camel@balmora.brq.redhat.com> Message-ID: <1329809864.23970.5.camel@balmora.brq.redhat.com> On Mon, 2012-02-20 at 17:08 +0100, Marco Pizzoli wrote: > > > On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek > wrote: > On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote: > > > Hi, > > During my setup today I'm always failing in enrolling > clients with > > automatic dns updates. > > I'm playing with FreeIPA 2.1.90, but I guess this is a > general > > problem, not strictly due to the alpha version. > > > > I'm doing a "ipa-client-install --enable-dns-updates" and at > the > > console I see: > > Failed to update DNS A record. (Command '/usr/bin/nsupdate > > -g /etc/ipa/.dns_update.txt' returned non-zero exit status > 2) > > > > I see in server logs that named refuses it: > > Feb 19 17:05:25 freeipa01 named[2089]: client > 192.168.20.112#38558: > > update 'internet.unix.mydomain.it/IN' denied > > Feb 19 17:05:25 freeipa01 named[2089]: client > 192.168.20.112#40809: > > update 'internet.unix.mydomain.it/IN' denied > > > > What is the cause? What other informations do you need about > my > > deployment? > > > > Thanks in advance as usual > > Marco > > > Hello Marco, > > please check the settings of the zone you are trying to add > clients to. > GSS-TSIG updates are not enabled by default for new zones, it > may be > your case. > > This is an entry for my zone 'example.com' where dynamic > updates are > enabled: > > # ipa dnszone-show example.com --all > dn: > idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > Zone name: example.com > Authoritative nameserver: ns.example.com. > Administrator e-mail address: hostmaster.example.com. 
> SOA serial: 2012200201
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
> Active zone: TRUE
> > Dynamic update: TRUE
> nsrecord: ns.example.com.
> objectclass: top, idnsrecord, idnszone
>
> I have marked the important attributes with ">". I would also make sure that the zone is properly loaded in bind-dyndb-ldap plugin (you can for example try to retrieve its SOA record with dig).
>
> Hi Martin,
> yes this is the case:
>
> [root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
> dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
> Zone name: internet.unix.mydomain.it
> Authoritative nameserver: freeipa01.unix.mydomain.it.
> Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
> SOA serial: 2012180201
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> Active zone: TRUE
> Dynamic update: FALSE
> nsrecord: freeipa01.unix.mydomain.it.
> objectclass: top, idnsrecord, idnszone
>
> So, could you tell me how should I do to have my (new) zone being eventually updated?
> A link to a doc page would suffice.
>
> Thanks a lot
> Marco

Hello Marco, glad we found the root cause. You can update the zone with this command:

# ipa dnszone-mod internet.unix.mydomain.it --dynamic-update=TRUE --update-policy="grant MYDOMAIN.IT krb5-self * A; grant MYDOMAIN.IT krb5-self * AAAA; grant MYDOMAIN.IT krb5-self * SSHFP;"
# service named reload (or "rndc reload")

It enables dynamic updates and configures an update policy for it - every host in this domain can now add/delete its own A/AAAA/SSHFP records.

Sources of DNS documentation:

1. Our command help:
   # ipa help dns
2. FreeIPA guide:
   http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Working_with_DNS.html
3.
And freeipa-users of course :-) Martin From g17jimmy at gmail.com Tue Feb 21 17:04:43 2012 From: g17jimmy at gmail.com (Jimmy) Date: Tue, 21 Feb 2012 12:04:43 -0500 Subject: [Freeipa-users] named exits Message-ID: This has happened a couple times in the past few weeks and I thought it was an admin error before, but looking at /var/log/messages the named daemon does something every evening after 10pm local time(3am UTC.) As you see in this log clip DNS reloads at 03:34UTC on 2/19- Feb 19 03:34:01 csp-idm named[20761]: received control channel command 'reload' Feb 19 03:34:01 csp-idm named[20761]: loading configuration from '/etc/named.conf' But then on 2/20 the reload doesn't happen, it exits. Feb 20 03:48:01 csp-idm systemd[1]: named.service: control process exited, code=exited status=1 I don't see any reference to named in other log files. Where else should I look to debug this issue? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Feb 21 18:26:48 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Feb 2012 13:26:48 -0500 Subject: [Freeipa-users] named exits In-Reply-To: References: Message-ID: <4F43E1E8.70409@redhat.com> Jimmy wrote: > This has happened a couple times in the past few weeks and I thought it > was an admin error before, but looking at /var/log/messages the named > daemon does something every evening after 10pm local time(3am UTC.) As > you see in this log clip DNS reloads at 03:34UTC on 2/19- > > Feb 19 03:34:01 csp-idm named[20761]: received control channel command > 'reload' > Feb 19 03:34:01 csp-idm named[20761]: loading configuration from > '/etc/named.conf' > > But then on 2/20 the reload doesn't happen, it exits. > > Feb 20 03:48:01 csp-idm systemd[1]: named.service: control process > exited, code=exited status=1 > > I don't see any reference to named in other log files. Where else should > I look to debug this issue? 
> Thanks Hmm, abrt, dmesg or /var/log/messages to see if it dropped core? What version of bind and bind-dyndb-ldap do you have installed? rob From sigbjorn at nixtra.com Tue Feb 21 18:57:22 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 21 Feb 2012 19:57:22 +0100 Subject: [Freeipa-users] named exits In-Reply-To: <4F43E1E8.70409@redhat.com> References: <4F43E1E8.70409@redhat.com> Message-ID: <4F43E912.7070705@nixtra.com> On 02/21/2012 07:26 PM, Rob Crittenden wrote: > Jimmy wrote: >> This has happened a couple times in the past few weeks and I thought it >> was an admin error before, but looking at /var/log/messages the named >> daemon does something every evening after 10pm local time(3am UTC.) As >> you see in this log clip DNS reloads at 03:34UTC on 2/19- >> >> Feb 19 03:34:01 csp-idm named[20761]: received control channel command >> 'reload' >> Feb 19 03:34:01 csp-idm named[20761]: loading configuration from >> '/etc/named.conf' >> >> But then on 2/20 the reload doesn't happen, it exits. >> >> Feb 20 03:48:01 csp-idm systemd[1]: named.service: control process >> exited, code=exited status=1 >> >> I don't see any reference to named in other log files. Where else should >> I look to debug this issue? >> Thanks > > Hmm, abrt, dmesg or /var/log/messages to see if it dropped core? > > What version of bind and bind-dyndb-ldap do you have installed? > I have the exact same issue, around the same time at night, and only on Monday mornings. But at only 1 out 3 IPA servers in the domain! All 3 servers has been kickstarted with the exact same configuration, and just run ipa-server-install, and ipa-replica-install. Our versions are the ones shipped with RHEL 6.2. I have installed 3 different IPA domains, with 3, 3, and 2 servers in each domain. I have only seen this issue on one of the installations. I have an open request with Red Hat support for the issue I've encountered. 
Regards, Siggi From g17jimmy at gmail.com Tue Feb 21 18:17:47 2012 From: g17jimmy at gmail.com (Jimmy) Date: Tue, 21 Feb 2012 13:17:47 -0500 Subject: [Freeipa-users] named exits In-Reply-To: References: Message-ID: I have checked and there is no cron job scheduled to do anything with named. On Tue, Feb 21, 2012 at 12:04 PM, Jimmy wrote: > This has happened a couple times in the past few weeks and I thought it > was an admin error before, but looking at /var/log/messages the named > daemon does something every evening after 10pm local time(3am UTC.) As you > see in this log clip DNS reloads at 03:34UTC on 2/19- > > Feb 19 03:34:01 csp-idm named[20761]: received control channel command > 'reload' > Feb 19 03:34:01 csp-idm named[20761]: loading configuration from > '/etc/named.conf' > > But then on 2/20 the reload doesn't happen, it exits. > > Feb 20 03:48:01 csp-idm systemd[1]: named.service: control process exited, > code=exited status=1 > > I don't see any reference to named in other log files. Where else should I > look to debug this issue? > Thanks > -------------- next part -------------- An HTML attachment was scrubbed... URL: From g17jimmy at gmail.com Tue Feb 21 19:33:30 2012 From: g17jimmy at gmail.com (Jimmy) Date: Tue, 21 Feb 2012 14:33:30 -0500 Subject: [Freeipa-users] named exits In-Reply-To: <4F43E912.7070705@nixtra.com> References: <4F43E1E8.70409@redhat.com> <4F43E912.7070705@nixtra.com> Message-ID: We have this on FC15 and have bind-9.8.1-1.fc15.x86_64, bind-dyndb-ldap-1.0.0-0.2.b1.fc15.x86_64. There were no logs or other indication as to why named exited other than that one line in /var/log/messages. This has happened the past two Mondays. I'm copying the system to a new VM where I can simulate this more readily. 
On Tue, Feb 21, 2012 at 1:57 PM, Sigbjorn Lie wrote: > On 02/21/2012 07:26 PM, Rob Crittenden wrote: > >> Jimmy wrote: >> >>> This has happened a couple times in the past few weeks and I thought it >>> was an admin error before, but looking at /var/log/messages the named >>> daemon does something every evening after 10pm local time(3am UTC.) As >>> you see in this log clip DNS reloads at 03:34UTC on 2/19- >>> >>> Feb 19 03:34:01 csp-idm named[20761]: received control channel command >>> 'reload' >>> Feb 19 03:34:01 csp-idm named[20761]: loading configuration from >>> '/etc/named.conf' >>> >>> But then on 2/20 the reload doesn't happen, it exits. >>> >>> Feb 20 03:48:01 csp-idm systemd[1]: named.service: control process >>> exited, code=exited status=1 >>> >>> I don't see any reference to named in other log files. Where else should >>> I look to debug this issue? >>> Thanks >>> >> >> Hmm, abrt, dmesg or /var/log/messages to see if it dropped core? >> >> What version of bind and bind-dyndb-ldap do you have installed? >> >> I have the exact same issue, around the same time at night, and only on > Monday mornings. But at only 1 out 3 IPA servers in the domain! All 3 > servers has been kickstarted with the exact same configuration, and just > run ipa-server-install, and ipa-replica-install. > > Our versions are the ones shipped with RHEL 6.2. > > I have installed 3 different IPA domains, with 3, 3, and 2 servers in each > domain. I have only seen this issue on one of the installations. > > I have an open request with Red Hat support for the issue I've encountered. > > > > Regards, > Siggi > > ______________________________**_________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/**mailman/listinfo/freeipa-users > -------------- next part -------------- An HTML attachment was scrubbed... 
URL:

From pspacek at redhat.com Tue Feb 21 20:59:00 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 21 Feb 2012 21:59:00 +0100
Subject: [Freeipa-users] named exits
In-Reply-To:
References:
Message-ID: <4F440594.20805@redhat.com>

On 02/21/2012 07:17 PM, Jimmy wrote:
> I have checked and there is no cron job scheduled to do anything with named.
>
> On Tue, Feb 21, 2012 at 12:04 PM, Jimmy wrote:
>
> This has happened a couple times in the past few weeks and I thought it was an admin error before, but looking at /var/log/messages the named daemon does something every evening after 10pm local time (3am UTC.) As you see in this log clip DNS reloads at 03:34 UTC on 2/19-
>
> Feb 19 03:34:01 csp-idm named[20761]: received control channel command 'reload'
> Feb 19 03:34:01 csp-idm named[20761]: loading configuration from '/etc/named.conf'
>
> But then on 2/20 the reload doesn't happen, it exits.
>
> Feb 20 03:48:01 csp-idm systemd[1]: named.service: control process exited, code=exited status=1
>
> I don't see any reference to named in other log files. Where else should I look to debug this issue?
> Thanks

I suspect the log rotating system of reloading BIND. Usual behaviour is:

1) rename log file
2) restart/reload daemon (to force closing old and opening new log file)

Do you have some log rotating system installed? If so, please look into its configuration to confirm this suspicion.

Does BIND crash only after reload command is received? (Or at "usual" reload time?)

It will be very handy if you can provide more details from log or coredump/files collected with ABRT.

Is your DNS server under heavy load? Or does it do nothing at reload/crash time?
-- Best regards, Petr Spacek From Steven.Jones at vuw.ac.nz Tue Feb 21 21:11:47 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 21 Feb 2012 21:11:47 +0000 Subject: [Freeipa-users] samba & IPA Message-ID: <833D8E48405E064EBC54C84EC6B36E404CBBB127@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Any good docs on making samba / smbclient / clients work with ipa? not having much luck with google.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From marco.pizzoli at gmail.com Wed Feb 22 21:07:22 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Wed, 22 Feb 2012 22:07:22 +0100 Subject: [Freeipa-users] Bug in documentation or in CLI tools? Message-ID: Hi guys, in a previous question about FreeIPA 2.1.90 I submitted to you, I received from Martin the answer to use the command: "ipa dnszone-mod *--dynamic-update=TRUE* " I used it and I successfully achieved my purpose, but comparing this command against the documentation (both RHEL and Fedora) I think I found an incongruence. Both here[1] and here[2] the parameter of dnszone-mod to enable dynamic updates is reported being "*--allow-dynupdate*". Have I found a bug in the documentation? Or is it a difference from FreeIPA 2.1 and FreeIPA 2.1.90? Thanks in advance Marco [1] http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/modifying-dns-zones.html#editing-dns-zone-cmd [2] https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/modifying-dns-zones.html#editing-dns-zone-cmd -------------- next part -------------- An HTML attachment was scrubbed... URL: From marco.pizzoli at gmail.com Wed Feb 22 21:24:55 2012 From: marco.pizzoli at gmail.com (Marco Pizzoli) Date: Wed, 22 Feb 2012 22:24:55 +0100 Subject: [Freeipa-users] A way to rename a host and/or a host group? Message-ID: Hi guys, I see that there's no way to rename a host once created. Same issue with host groups. 
Could you confirm that it is by design and so I never will be able to do that?

Thanks
Marco (wanting to rename everything :-( )
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From JR.Aquino at citrix.com Wed Feb 22 21:34:54 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 22 Feb 2012 21:34:54 +0000
Subject: [Freeipa-users] A way to rename a host and/or a host group?
In-Reply-To:
References:
Message-ID: <93ED55A3-F178-40F3-AA8F-CE2E3D4BE594@citrixonline.com>

On Feb 22, 2012, at 1:24 PM, Marco Pizzoli wrote:

> Hi guys,
> I see that there's no way to rename a host once created. Same issue with host groups.
> Could you confirm that it is by design and so I never will be able to do that?
>
> Thanks
> Marco (wanting to rename everything :-( )

Hi Marco. Yes, you do need to fully delete and uninstall a host from FreeIPA before re-adding it with a new name.

http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/renaming-machines.html

What may make this easier for you is a feature in 389 DS called Automember:

http://directory.fedoraproject.org/wiki/Auto_Membership_Design

Automember is a way to use regular expressions to tie a given fqdn-type to a given hostgroup. So that when you 'add' a host with a similar name, say webserver2.example.com, the host automatically ends up in the 'webservers' host group.

If you wish for a bunch of hosts to be "renamed"/re-provisioned, and automatically assigned to a new hostgroup, you can predefine the regex mapping and make this process a little easier.

FreeIPA provides a CLI (and in 2.1.90, a WebUI) for managing these entries.

Here is the help doc from the cli tool:

Auto Membership Rule.

Bring clarity to the membership of hosts and users by configuring inclusive or exclusive regex patterns, you can automatically assign new entries into a group or hostgroup based upon attribute information.

A rule is directly associated with a group by name, so you cannot create a rule without an accompanying group or hostgroup

A condition is a regular expression used by 389-ds to match a new incoming entry with an automember rule. If it matches an inclusive rule then the entry is added to the appropriate group or hostgroup.

EXAMPLES:

 Create the initial group or hostgroup:
   ipa hostgroup-add --desc="Web Servers" webservers
   ipa group-add --desc="Developers" devel

 Create the initial rule:
   ipa automember-add --type=hostgroup webservers
   ipa automember-add --type=group devel

 Add a condition to the rule:
   ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
   ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel

 Add an exclusive condition to the rule to prevent auto assignment:
   ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers

 Add a host:
   ipa host-add web1.example.com

 Add a user:
   ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott

 Verify automembership:
   ipa hostgroup-show webservers
     Host-group: webservers
     Description: Web Servers
     Member hosts: web1.example.com

   ipa group-show devel
     Group name: devel
     Description: Developers
     GID: 1004200000
     Member users: tuser

 Remove a condition from the rule:
   ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers

 Modify the automember rule:
   ipa automember-mod

 Set the default target group:
   ipa automember-default-group-set --default-group=webservers --type=hostgroup
   ipa automember-default-group-set --default-group=ipausers --type=group

 Set the default target group:
   ipa automember-default-group-remove --type=hostgroup
   ipa automember-default-group-remove --type=group

 Show the default target group:
   ipa automember-default-group-show --type=hostgroup
   ipa automember-default-group-show --type=group

 Find all of the automember rules:
   ipa automember-find

 Display a automember rule:
   ipa automember-show --type=hostgroup webservers
   ipa automember-show --type=group devel

 Delete an automember rule:
   ipa automember-del --type=hostgroup webservers
   ipa automember-del --type=group devel

Topic commands:
  automember-add                   Add an automember rule.
  automember-add-condition         Add conditions to an automember rule.
  automember-default-group-remove  Remove default group for all unmatched entries.
  automember-default-group-set     Set default group for all unmatched entries.
  automember-default-group-show    Display information about the default automember groups.
  automember-del                   Delete an automember rule.
  automember-find                  Search for automember rules.
  automember-mod                   Modify an automember rule.
  automember-remove-condition      Remove conditions from an automember rule.
  automember-show                  Display information about an automember rule.

From marco.pizzoli at gmail.com Wed Feb 22 21:38:10 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Wed, 22 Feb 2012 22:38:10 +0100
Subject: [Freeipa-users] A way to rename a host and/or a host group?
In-Reply-To: <93ED55A3-F178-40F3-AA8F-CE2E3D4BE594@citrixonline.com>
References: <93ED55A3-F178-40F3-AA8F-CE2E3D4BE594@citrixonline.com>
Message-ID:

On Wed, Feb 22, 2012 at 10:34 PM, JR Aquino wrote:

> On Feb 22, 2012, at 1:24 PM, Marco Pizzoli wrote:
>
> > Hi guys,
> > I see that there's no way to rename a host once created. Same issue with host groups.
> > Could you confirm that it is by design and so I never will be able to do that?
> >
> > Thanks
> > Marco (wanting to rename everything :-( )
>
> Hi Marco. Yes, you do need to fully delete and uninstall a host from FreeIPA before re-adding it with a new name.
> > > http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/renaming-machines.html > > What may make this easier for you is a feature in 389 DS called Automember: > > http://directory.fedoraproject.org/wiki/Auto_Membership_Design > > Automember is a way to use regular expression to tie a given fqdn-type to > a given hostgroup. So that when you 'add' a host with a similar name. say: > webserver2.example.com, the host automatically ends up in the > 'webservers' host group. > > If you wish for a bunch of hosts to be "renamed"/re-provisioned, and > automatically assigned to a new hostgroup, you can predefine the regex > mapping and make this process a little easier. > > FreeIPA provides a CLI (and in 2.1.90, a WebUI) for managing these entries. > > > > Here is the help doc from the cli tool: > > Auto Membership Rule. > > Bring clarity to the membership of hosts and users by configuring inclusive > or exclusive regex paterns, you can automatically assign a new entries into > a group or hostgroup based upon attribute information. > > A rule is directly associated with a group by name, so you cannot create > a rule without an accompanying group or hostgroup > > A condition is a regular expression used by 389-ds to match a new incoming > entry with an automember rule. If it matches an inclusive rule then the > entry is added to the appropriate group or hostgroup. 
> > EXAMPLES: > > Create the initial group or hostgroup: > ipa hostgroup-add --desc="Web Servers" webservers > ipa group-add --desc="Developers" devel > > Create the initial rule: > ipa automember-add --type=hostgroup webservers > ipa automember-add --type=group devel > > Add a condition to the rule: > ipa automember-add-condition --key=fqdn --type=hostgroup > --inclusive-regex=^web[1-9]+\.example\.com webservers > ipa automember-add-condition --key=manager --type=group > --inclusive-regex=^uid=mscott devel > > Add an exclusive condition to the rule to prevent auto assignment: > ipa automember-add-condition --key=fqdn --type=hostgroup > --exclusive-regex=^web5\.example\.com webservers > > Add a host: > ipa host-add web1.example.com > > Add a user: > ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott > > Verify automembership: > ipa hostgroup-show webservers > Host-group: webservers > Description: Web Servers > Member hosts: web1.example.com > > ipa group-show devel > Group name: devel > Description: Developers > GID: 1004200000 > Member users: tuser > > Remove a condition from the rule: > ipa automember-remove-condition --key=fqdn --type=hostgroup > --inclusive-regex=^web[1-9]+\.example\.com webservers > > Modify the automember rule: > ipa automember-mod > > Set the default target group: > ipa automember-default-group-set --default-group=webservers > --type=hostgroup > ipa automember-default-group-set --default-group=ipausers --type=group > > Set the default target group: > ipa automember-default-group-remove --type=hostgroup > ipa automember-default-group-remove --type=group > > Show the default target group: > ipa automember-default-group-show --type=hostgroup > ipa automember-default-group-show --type=group > > Find all of the automember rules: > ipa automember-find > > Display a automember rule: > ipa automember-show --type=hostgroup webservers > ipa automember-show --type=group devel > > Delete an automember rule: > ipa automember-del 
--type=hostgroup webservers > ipa automember-del --type=group devel > > Topic commands: > automember-add Add an automember rule. > automember-add-condition Add conditions to an automember rule. > automember-default-group-remove Remove default group for all unmatched > entries. > automember-default-group-set Set default group for all unmatched > entries. > automember-default-group-show Display information about the default > automember groups. > automember-del Delete an automember rule. > automember-find Search for automember rules. > automember-mod Modify an automember rule. > automember-remove-condition Remove conditions from an automember > rule. > automember-show Display information about an automember > rule. > > Hey, thanks a lot! Now I have something to read before falling asleep.... :-) Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Wed Feb 22 22:21:09 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 22 Feb 2012 22:21:09 +0000 Subject: [Freeipa-users] can ipa control samba shares aka a kerberos's nfs setup? Message-ID: <833D8E48405E064EBC54C84EC6B36E404CBBE8EE@STAWINCOX10MBX1.staff.vuw.ac.nz> regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From erinn.looneytriggs at gmail.com Wed Feb 22 23:57:03 2012 From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs) Date: Wed, 22 Feb 2012 14:57:03 -0900 Subject: [Freeipa-users] Searching for subjectKeyIdentifier in SSL certs Message-ID: <4F4580CF.1070603@gmail.com> It looks like, as far as I can tell, the IPA pki setup does not by default include subjectKeyIdentifier in the SSL certificates issued. I am using ipa-getcert -f foo -k bar, to generate and submit the request. I am a little hazy about how all of this fits together at this point, so please forgive me. 
However, it looks like the RFC states that the CA SHOULD be included with all end certificates: https://www.ietf.org/rfc/rfc3280.txt (Page 27). So it is fine that it is not included, but is there a way to modify IPA so that it does? I assume this is all part of dogtag and it's operations, and it looks like from my research it should be possible in dogtag, but how IPA and dogtag work together etc. well I just don't know enough. Environment: RHEL 6.2 ipa-client-2.1.3-9.el6.x86_64 ipa-server-selinux-2.1.3-9.el6.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.1.3-9.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-server-2.1.3-9.el6.x86_64 ipa-admintools-2.1.3-9.el6.x86_64 certmonger-0.50-3.el6.x86_64 -Erinn -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 554 bytes Desc: OpenPGP digital signature URL: From rcritten at redhat.com Thu Feb 23 04:25:04 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Feb 2012 23:25:04 -0500 Subject: [Freeipa-users] can ipa control samba shares aka a kerberos's nfs setup? In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CBBE8EE@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CBBE8EE@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4F45BFA0.7020108@redhat.com> What do you mean by control? All we do for NFS is generate a keytab. rob From rcritten at redhat.com Thu Feb 23 04:26:07 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Feb 2012 23:26:07 -0500 Subject: [Freeipa-users] samba & IPA In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CBBB127@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CBBB127@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4F45BFDF.90607@redhat.com> Steven Jones wrote: > Hi, > > Any good docs on making samba / smbclient / clients work with ipa? not having much luck with google.... What is it you're looking to do? 
The more details the better. regards rob From mkosek at redhat.com Thu Feb 23 15:37:47 2012 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 23 Feb 2012 16:37:47 +0100 Subject: [Freeipa-users] Bug in documentation or in CLI tools? In-Reply-To: References: Message-ID: <1330011467.30722.39.camel@balmora.brq.redhat.com> On Wed, 2012-02-22 at 22:07 +0100, Marco Pizzoli wrote: > Hi guys, > in a previous question about FreeIPA 2.1.90 I submitted to you, I > received from Martin the answer to use the command: > > "ipa dnszone-mod --dynamic-update=TRUE > " > > I used it and I successfully achieved my purpose, but comparing this > command against the documentation (both RHEL and Fedora) I think I > found an incongruence. > > Both here[1] and here[2] the parameter of dnszone-mod to enable > dynamic updates is reported being "--allow-dynupdate". > > Have I found a bug in the documentation? Or is it a difference from > FreeIPA 2.1 and FreeIPA 2.1.90? > > Thanks in advance > Marco > > > [1] > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/modifying-dns-zones.html#editing-dns-zone-cmd > [2] > https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/modifying-dns-zones.html#editing-dns-zone-cmd Thanks Marco, this is indeed a bug in our documentation. I have created a ticket to fix [1]: https://fedorahosted.org/freeipa/ticket/2434 and [2]: https://bugzilla.redhat.com/show_bug.cgi?id=796751 Just a notice: even though the CLI option name is changed, the option is still backward compatible, i.e. pre-2.1.90 clients will be able to change the attribute value. 
Martin From Steven.Jones at vuw.ac.nz Thu Feb 23 20:12:39 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 23 Feb 2012 20:12:39 +0000 Subject: [Freeipa-users] samba & IPA In-Reply-To: <4F45BFDF.90607@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CBBB127@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F45BFDF.90607@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CBBF4AA@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Control samba with IPA, aka IPA controlling say ssh, so hbacl control between a samba user group and a samba host group per samba share. So redhat linux clients to redhat linux samba server (rhel6.2's) I need to automount smb shares for linux users who are in IPA. So far I have kerberos going, but I cant control a samba share based on IPA groups....or even users...so far it seems to be valid users = guest1 in the smb.conf, which is close to useless. I need the control of the share(s) valid users = ipaserver/sambagroup/user1,2,3 etc type of thing, can this be done? A useable alternative would be a IPA kerberos ticket to login and use AD for group control, clunky but centralised...I know in ipav3? domain trusts will be possible to look up AD groups......but really I want to use IPA s groups as I have linux users who do not want to be / are not in AD.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Thursday, 23 February 2012 5:26 p.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] samba & IPA Steven Jones wrote: > Hi, > > Any good docs on making samba / smbclient / clients work with ipa? not having much luck with google.... What is it you're looking to do? The more details the better. 
regards

rob

From rcritten at redhat.com Thu Feb 23 20:57:10 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 23 Feb 2012 15:57:10 -0500
Subject: [Freeipa-users] samba & IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CBBF4AA@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CBBB127@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F45BFDF.90607@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CBBF4AA@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4F46A826.3060802@redhat.com>

Steven Jones wrote:
> Hi,
>
> Control samba with IPA, aka IPA controlling say ssh, so hbacl control between a samba user group and a samba host group per samba share.
>
> So redhat linux clients to redhat linux samba server (rhel6.2's)
>
> I need to automount smb shares for linux users who are in IPA.
>
> So far I have kerberos going, but I cant control a samba share based on IPA groups....or even users...so far it seems to be valid users = guest1 in the smb.conf, which is close to useless.
>
> I need the control of the share(s) valid users = ipaserver/sambagroup/user1,2,3 etc type of thing, can this be done?

I know next to nothing about Samba but I don't think anyone has tried any of this before.

In your tests to date where are you storing your Samba users, in IPA? You added the objectclasses to the users, assigned a SID and all that?

How/where does one define the kind of controls you're looking for? We don't provide anything like that in IPA now.

IPA can provide automount files, so I presume you can store your Samba maps there, as for access control that would be done by automount itself.

> A useable alternative would be a IPA kerberos ticket to login and use AD for group control, clunky but centralised...I know in ipav3? domain trusts will be possible to look up AD groups......but really I want to use IPA s groups as I have linux users who do not want to be / are not in AD....

I don't know, I barely grok what it is you're asking (gladly ignorant of AD).
regards

rob

From bcook at redhat.com Thu Feb 23 20:59:26 2012
From: bcook at redhat.com (Brian Cook)
Date: Thu, 23 Feb 2012 12:59:26 -0800
Subject: [Freeipa-users] need info on AD / IPA coexistence
Message-ID: <74B15185-79AA-40FB-80D2-87E737E2D840@redhat.com>

I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different. I have not been able to find good concrete information or BZ's regarding this. I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug or is it a MS-AD issue, etc. I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments. Any help or information would be appreciated.

Thanks,
Brian

---
Brian Cook
Solutions Architect, West Region
Red Hat, Inc.
407-212-7079
bcook at redhat.com

From Steven.Jones at vuw.ac.nz Thu Feb 23 21:28:13 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 23 Feb 2012 21:28:13 +0000
Subject: [Freeipa-users] need info on AD / IPA coexistence
In-Reply-To: <74B15185-79AA-40FB-80D2-87E737E2D840@redhat.com>
References: <74B15185-79AA-40FB-80D2-87E737E2D840@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CBBF614@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Subnet? IP addressing will not matter, it's DNS that is the main issue, for me anyway. I can't see how IP / subnets matter?

So, yes if you have AD as the same realm as IPA then only one will work well from what I can read, IPA has to have its neat auto-discovery/balancing features turned off, or at least hobbled.

So, as an example I have vuw.ac.nz as the AD DNS domain/ kerberos realm and then unix.vuw.ac.nz as the sub-domain/sub kerberos realm, with AD delegating DNS to the IPA servers. This way the unix domain is "independent but referenced...
eg I find the auto-discovery is working fine... So windows clients talk to AD directly, linux clients talk to IPA directly, if the linux clients need to DNS the IPA servers get that for them from AD..... I have some visio diagrams of how I have done it if you want them....it may not be the best way? but with so little architecture info available its all I have. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Brian Cook [bcook at redhat.com] Sent: Friday, 24 February 2012 9:59 a.m. To: freeipa-users at redhat.com Subject: [Freeipa-users] need info on AD / IPA coexistence I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different. I have not been able to find good concrete information or BZ's regarding this. I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug our is it a MS-AD issue, etc. I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments. Any help or information would be appreciated. Thanks, Brian --- Brian Cook Solutions Architect, West Region Red Hat, Inc. 407-212-7079 bcook at redhat.com From abokovoy at redhat.com Thu Feb 23 22:01:31 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 24 Feb 2012 00:01:31 +0200 Subject: [Freeipa-users] samba & IPA In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CBBB127@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CBBB127@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <20120223220131.GO13458@redhat.com> On Tue, 21 Feb 2012, Steven Jones wrote: > Hi, > > Any good docs on making samba / smbclient / clients work with ipa? > not having much luck with google.... 
The stack of protocols that Samba is implementing disassociates authentication and actual connection to the shares. First you authenticate and once authenticated, you can connect to any share within the server. At this point there might be per-share limitations put on but the authentication step is done already.

As part of authentication, Samba may enforce PAM accounting restrictions if the 'obey pam restrictions' option is set in the configuration file. This would give you a way to enforce HBAC rules per user connected to the server -- make sure your smbd PAM config is using sssd for accounting purposes and then SSSD would do checks over HBAC rules with the 'smbd' service.

However, this would only limit access to the host globally as it happens during the authentication phase, not later, when the actual connection to the share would be done.

In order to limit per-share connection, Samba has 'valid users' and 'allow hosts' options. These specify lists of users and hosts correspondingly. Unfortunately, the way it is implemented in Samba, these lists are taken directly from the configuration source, thus there is no way to dynamically change them other than playing with configuration files.

One could do configuration file tuning per connected host, for example, or per user, using 'include = /path/to/config' and Samba configuration macros. This would still not give you dynamic configuration though.

One could also do a 'preexec script' hook that is run before the connection to a share is made. This approach allows you to implement a simple PAM-enabled tool that could be spawned from Samba at connection-to-share time and use SSSD HBAC tests (on PAM account) plus something additional to perform the per-share restriction (see below why).

All other methods would require modifying Samba to change the 'allow_access()' function API and implementation. This is not planned at the moment -- neither from the FreeIPA nor from the Samba Team side. There are also considerable performance requirements on this particular function.
However, even if anything like that is performed, we have one specific issue: HBAC rules do not allow us to differentiate between a service and its (optional) sub-services. You can think about shares as sub-services of a service 'smbd' but HBAC in FreeIPA doesn't allow you to specify those. Ideally, the ipaHBACService object class could be extended to include sub-services but handling those in the UI would become a nightmare -- after all, you'll need to have as many ipaHBACService objects as number of servers x number of shares. Something better needs to be created.

--
/ Alexander Bokovoy

From Steven.Jones at vuw.ac.nz Thu Feb 23 22:31:54 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 23 Feb 2012 22:31:54 +0000
Subject: [Freeipa-users] samba & IPA
In-Reply-To: <20120223220131.GO13458@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CBBB127@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20120223220131.GO13458@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CBBF64C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

thanks for the great explanation....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Alexander Bokovoy [abokovoy at redhat.com]
Sent: Friday, 24 February 2012 11:01 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] samba & IPA

On Tue, 21 Feb 2012, Steven Jones wrote:
> Hi,
>
> Any good docs on making samba / smbclient / clients work with ipa?
> not having much luck with google....

The stack of protocols that Samba is implementing disassociates authentication and actual connection to the shares. First you authenticate and once authenticated, you can connect to any share within the server. At this point there might be per-share limitations put on but the authentication step is done already.

As part of authentication, Samba may enforce PAM accounting restrictions if the 'obey pam restrictions' option is set in the configuration file.
This would give you a way to enforce HBAC rules per user connected to the server -- make sure your smbd PAM config is using sssd for accounting purposes and then SSSD would do checks over HBAC rules with 'smbd' service. However, this would only limit access to the host globally as it happens during authentication phase, not later, when actual connection to the share would be done. In order to limit per-share connection, Samba has 'valid users' and 'allow hosts' options. These specify lists of users and hosts correspondingly. Unfortunately, the way it is implemented in Samba, these lists are taken directly from the configuration source, thus no way to dynamically change them other than playing with configuration files. One could do configuration file tuning per connected host, for example, or per user, using 'include = /path/to/config' and Samba configuration macros. This would still not give you dynamic configuration though. One could also do a 'preexec script' hook that is run before connection to a share is made. This approach allows you to implement a simple PAM-enabled tool that could be spawned from Samba at connection to share time and use SSSD HBAC tests (on PAM account) plus something additional to perform per-share restriction (see below why). All other methods would require modifying Samba to change 'allow_access()' function API and implementation. This is not planned at the moment -- neither from FreeIPA nor from Samba Team side. There are also considerable performance requirements to this particular function. However, even if anything like that is performed, we have one specific issue that HBAC rules do not allow to differentiate between service and its (optional) sub-services. You can think about shares as sub-services of a service 'smbd' but HBAC in FreeIPA doesn't allow to specify those. 
Ideally, ipaHBACService object class could be extended to include sub-services but handling those in UI would become a nightmare -- after all, you'll need to have as much ipaHBACService objects as number of servers x number of shares. Something better needs to be created. -- / Alexander Bokovoy From jagee at redhat.com Thu Feb 23 23:48:40 2012 From: jagee at redhat.com (Jeremy Agee) Date: Thu, 23 Feb 2012 18:48:40 -0500 Subject: [Freeipa-users] samba & IPA In-Reply-To: <20120223220131.GO13458@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CBBB127@STAWINCOX10MBX1.staff.vuw.ac.nz> <20120223220131.GO13458@redhat.com> Message-ID: <4F46D058.4060807@redhat.com> On 02/23/2012 05:01 PM, Alexander Bokovoy wrote: > On Tue, 21 Feb 2012, Steven Jones wrote: > >> Hi, >> >> Any good docs on making samba / smbclient / clients work with ipa? >> not having much luck with google.... > The stack of protocols that Samba is implementing disassociates > authentication and actual connection to the shares. First you > authenticate and once authenticated, you can connect to any share > within the server. At this point there might be per-share limitations > put on but authentication step is done already. > > As part of authentication, Samba may enforce PAM accounting > restrictions if 'obey pam restriction' option is set in the > configuration file. This would give you a way to enforce HBAC rules > per user connected to the server -- make sure your smbd PAM config is > using sssd for accounting purposes and then SSSD would do checks over > HBAC rules with 'smbd' service. > > However, this would only limit access to the host globally as it > happens during authentication phase, not later, when actual connection > to the share would be done. > > In order to limit per-share connection, Samba has 'valid users' and > 'allow hosts' options. These specify lists of users and hosts > correspondingly. 
> Unfortunately, the way it is implemented in Samba,
> these lists are taken directly from the configuration source, thus no
> way to dynamically change them other than playing with configuration
> files.
>
> One could do configuration file tuning per connected host, for
> example, or per user, using 'include = /path/to/config' and Samba
> configuration macros. This would still not give you dynamic
> configuration though.
>
> One could also do a 'preexec script' hook that is run before
> connection to a share is made. This approach allows you to implement a
> simple PAM-enabled tool that could be spawned from Samba at connection
> to share time and use SSSD HBAC tests (on PAM account) plus something
> additional to perform per-share restriction (see below why).
>
> All other methods would require modifying Samba to change
> 'allow_access()' function API and implementation. This is not planned
> at the moment -- neither from FreeIPA nor from Samba Team side. There
> are also considerable performance requirements to this particular
> function.
>
> However, even if anything like that is performed, we have one specific
> issue that HBAC rules do not allow to differentiate between service
> and its (optional) sub-services. You can think about shares as
> sub-services of a service 'smbd' but HBAC in FreeIPA doesn't allow to
> specify those. Ideally, ipaHBACService object class could be extended
> to include sub-services but handling those in UI would become a
> nightmare -- after all, you'll need to have as much ipaHBACService
> objects as number of servers x number of shares. Something better
> needs to be created.
>

You should also be able to use the filesystem to control access to the smb share. If acl support is on the filesystem, you can use these as well. Samba should have "nt acl support = Yes" set by default.
/etc/samba/smb.conf

[global]
        workgroup = HOME
        netbios name = corona
        realm = HOME.LAN
        security = user
        kerberos method = system keytab

[test]
        comment = test
        path = /samba
        writable = yes
        read only = no
        create mask = 0660
        directory mask = 770

[test2]
        comment = test2
        path = /samba2
        writable = yes
        read only = no
        create mask = 0660
        directory mask = 770

[root at corona samba]# ls -la /samba*
/samba:
total 108
drwxrws---. 2 jagee ipausers 4096 Feb 23 18:11 .

/samba2:
total 8
drwxrws---. 2 bob bob 4096 Feb 23 18:14 .

[jagee at ultra ~]$ smbclient -k //corona.home.lan/test
Domain=[HOME] OS=[Unix] Server=[Samba 3.5.10-114.el6]
smb: \> put Resume.odt
putting file Resume.odt as \Resume.odt (403.6 kb/s) (average 403.6 kb/s)

[jagee at ultra ~]$ smbclient -k //corona.home.lan/test2
Domain=[HOME] OS=[Unix] Server=[Samba 3.5.10-114.el6]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
Error in dskattr: NT_STATUS_ACCESS_DENIED

[jagee at ultra ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_10003_I3kJiy
Default principal: jagee at HOME.LAN

Valid starting     Expires            Service principal
02/23/12 17:11:46  02/24/12 17:11:46  krbtgt/HOME.LAN at HOME.LAN
02/23/12 17:14:33  02/24/12 17:11:46  cifs/corona.home.lan at HOME.LAN

AD support is a lot different from basic security=user access.

Regards,
Jeremy Agee

From nalin at redhat.com Fri Feb 24 01:18:51 2012
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Thu, 23 Feb 2012 20:18:51 -0500
Subject: [Freeipa-users] Searching for subjectKeyIdentifier in SSL certs
In-Reply-To: <4F4580CF.1070603@gmail.com>
References: <4F4580CF.1070603@gmail.com>
Message-ID: <20120224011851.GB2320@redhat.com>

On Wed, Feb 22, 2012 at 02:57:03PM -0900, Erinn Looney-Triggs wrote:
> It looks like, as far as I can tell, the IPA pki setup does not by
> default include subjectKeyIdentifier in the SSL certificates issued. I
> am using ipa-getcert -f foo -k bar, to generate and submit the request.
>
> I am a little hazy about how all of this fits together at this point, so
> please forgive me. However, it looks like the RFC states that the CA
> SHOULD be included with all end certificates:
> https://www.ietf.org/rfc/rfc3280.txt (Page 27). So it is fine that it is
> not included, but is there a way to modify IPA so that it does?

While certmonger doesn't currently add a subjectKeyIdentifier value to the list of requested extensions which it includes in signing requests, I guess it could, but you're right in thinking that it's more important to get the CA to do it -- the CA can (and almost always should) ignore anything we put in the signing request anyway. And Dogtag is flexible enough that we can do that without the rest of IPA being any the wiser.

> I assume this is all part of dogtag and it's operations, and it looks
> like from my research it should be possible in dogtag, but how IPA and
> dogtag work together etc. well I just don't know enough.

The short version is that certmonger uses XML-RPC to talk to the IPA server, which then turns around and talks to the Dogtag instance running on the same server (using an HTTP-based protocol that looks a lot like XML-RPC), asking it to issue certificates using Dogtag's "caIPAserviceCert" profile. The profile, in turn, specifies to Dogtag what requirements a client which asks it to issue a certificate using that profile should meet (i.e., that it needs to authenticate using a certificate and key that belongs to a registration agent, like IPA's) and what to put into any certificates it issues using that profile. As you've noticed, that currently doesn't include a subjectKeyIdentifier extension.
The profile itself is just a configuration file, and while its syntax is very flexible, based on what I have here, I'd suggest stopping your CA and adding this to /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg:

    policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.10.constraint.name=No Constraint
    policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
    policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
    policyset.serverCertSet.10.default.params.critical=false

The "10" doesn't have to be "10", exactly. Any identifier should do, so long as it's not already being used. Then append that identifier to the "policyset.serverCertSet.list" value so that the server components will find it. I changed mine from this:

    policyset.serverCertSet.list=1,2,3,4,5,6,7,8

to this:

    policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10

Then restart the CA (or all of the IPA services, if it's easier), and from the client, use "ipa-getcert resubmit" to get certmonger to re-submit the signing requests for the certificates in question. IPA will ask Dogtag to issue new certificates, and those new certificates should contain the subjectKeyIdentifier extension. That all works when I try it here.

And since it's a SHOULD in the spec, it'd probably make for a decent enhancement request to have the profile include that by default.
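One way to script the profile edit just described, as an added example that is not Nalin's, FreeIPA's or Dogtag's own code: it picks the lowest unused policyset identifier (so "10" is not assumed), appends the five lines, registers the identifier in policyset.serverCertSet.list, and leaves a profile that already carries the Subject Key Identifier default untouched, so it is safe to re-run. The profile text embedded below is constructed for illustration and is not the shipped caIPAserviceCert.cfg; the key names are the ones quoted above. Stop the CA before running it against the real file, as the post says, and restart it afterwards.

```python
#!/usr/bin/env python
"""Add a Subject Key Identifier default to a Dogtag profile .cfg.

Added example, not FreeIPA or Dogtag project code. Only the
policyset.serverCertSet.* key names quoted in the list post are assumed.
"""
import re
import shutil
import sys

POLICYSET = "policyset.serverCertSet"
LIST_KEY = POLICYSET + ".list"
SKI_DEFAULT = "subjectKeyIdentifierExtDefaultImpl"
_COMPONENT_RE = re.compile(r"^" + re.escape(POLICYSET) + r"\.(\d+)\.")

# Constructed sample profile, trimmed to the keys that matter here.
SAMPLE_PROFILE = """\
desc=Constructed sample profile (not the shipped caIPAserviceCert.cfg)
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.8.constraint.class_id=noConstraintImpl
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
"""


def component_ids(text):
    """Identifiers already in use: those in .list plus any that own a key."""
    ids = set()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key == LIST_KEY:
            ids.update(v.strip() for v in value.split(",") if v.strip())
        match = _COMPONENT_RE.match(key)
        if match:
            ids.add(match.group(1))
    return ids


def next_free_id(text):
    """Lowest positive integer not used as a component identifier."""
    used = {int(i) for i in component_ids(text) if i.isdigit()}
    n = 1
    while n in used:
        n += 1
    return str(n)


def has_ski_default(text):
    """True if some component already uses the SKI default class."""
    suffix = ".default.class_id=" + SKI_DEFAULT
    return any(line.strip().endswith(suffix) for line in text.splitlines())


def add_ski_default(text):
    """Return the profile text with the SKI default added (idempotent)."""
    if has_ski_default(text):
        return text
    new_id = next_free_id(text)
    lines = text.splitlines()
    list_idx = None
    for i, line in enumerate(lines):
        if line.partition("=")[0].strip() == LIST_KEY:
            list_idx = i
    if list_idx is None:
        raise ValueError("profile has no %s key" % LIST_KEY)
    key, _, value = lines[list_idx].partition("=")
    existing = [v.strip() for v in value.split(",") if v.strip()]
    # Register the new component so the server components will find it.
    lines[list_idx] = "%s=%s" % (key.strip(), ",".join(existing + [new_id]))
    prefix = "%s.%s" % (POLICYSET, new_id)
    lines += [
        prefix + ".constraint.class_id=noConstraintImpl",
        prefix + ".constraint.name=No Constraint",
        prefix + ".default.class_id=" + SKI_DEFAULT,
        prefix + ".default.name=Subject Key Identifier Extension Default",
        prefix + ".default.params.critical=false",
    ]
    return "\n".join(lines) + "\n"


def main(argv):
    # Usage: add_ski_default.py /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
    # Run it with the CA stopped; a .bak copy is written before the edit.
    if len(argv) != 2:
        print("usage: %s PROFILE.cfg" % argv[0])
        return 2
    path = argv[1]
    with open(path) as fh:
        text = fh.read()
    new_text = add_ski_default(text)
    if new_text == text:
        print("%s already has a subjectKeyIdentifier default" % path)
        return 0
    shutil.copy2(path, path + ".bak")
    with open(path, "w") as fh:
        fh.write(new_text)
    print("added component %s to %s" % (next_free_id(text), path))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

After the CA is back up and "ipa-getcert resubmit" has run, the reissued certificate can be inspected for the extension; the script only changes the profile file, nothing in the CA database.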
HTH, Nalin From bcook at redhat.com Fri Feb 24 02:12:37 2012 From: bcook at redhat.com (Brian Cook) Date: Thu, 23 Feb 2012 21:12:37 -0500 (EST) Subject: [Freeipa-users] need info on AD / IPA coexistence In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CBBF614@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <74B15185-79AA-40FB-80D2-87E737E2D840@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CBBF614@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS. Trying to figure out what the problem is. I understand your delegated dns setup. What if the customer must use AD for all DNS? -Brian On Feb 23, 2012, at 3:28 PM, Steven Jones wrote: > Hi, > > Subnet? IP addressing will not matter its DNS as the main issue, for me anyway., I cant see IP / sunbets matter? > > So, yes if you have AD as the same realm as IPA then only one will work well from what I can read, IPA has to have its neat auto-discovery/balancing features turned off, or at least hobbled. > > So, as an example I have vuw.ac.nz as the AD DNS domain/ kerberos realm and then unix.vuw.ac.nz as the sub-domain/sub kerberos realm, with AD delegating DNS to the IPA servers. This way the unix domain is "independent but referenced... > > eg I find the auto-discovery is working fine... > > So windows clients talk to AD directly, linux clients talk to IPA directly, if the linux clients need to DNS the IPA servers get that for them from AD..... > > I have some visio diagrams of how I have done it if you want them....it may not be the best way? but with so little architecture info available its all I have. 
> > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Brian Cook [bcook at redhat.com] > Sent: Friday, 24 February 2012 9:59 a.m. > To: freeipa-users at redhat.com > Subject: [Freeipa-users] need info on AD / IPA coexistence > > I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different. I have not been able to find good concrete information or BZ's regarding this. I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug our is it a MS-AD issue, etc. I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments. Any help or information would be appreciated. > > Thanks, > Brian > > --- > Brian Cook > Solutions Architect, West Region > Red Hat, Inc. > 407-212-7079 > bcook at redhat.com > From freeipa at noboost.org Fri Feb 24 02:27:58 2012 From: freeipa at noboost.org (Craig T) Date: Fri, 24 Feb 2012 05:27:58 +0300 Subject: [Freeipa-users] need info on AD / IPA coexistence In-Reply-To: References: <74B15185-79AA-40FB-80D2-87E737E2D840@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CBBF614@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <20120224022758.GA9834@noboost.org> Hi Brian, I spent a lot of time on this topic. In the end we decided to do the following; Microsoft domain: melb.example.com Linux Domain: group.example.com The linux DNS server is a slave to the Windows AD DNS servers & a master DNS for "group.example.com". All PCs point to our Linux DNS server which is hosting a slave copy of the melb.example.com. Amazingly this all works fine. note: at the moment at least, we are keeping two separate user lists. 
I had sync working at one stage, but couldn't get the group memberships to come over correctly when going from Linux --> AD. cya Craig On Thu, Feb 23, 2012 at 09:12:37PM -0500, Brian Cook wrote: > I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS. Trying to figure out what the problem is. I understand your delegated dns setup. What if the customer must use AD for all DNS? > > -Brian > > On Feb 23, 2012, at 3:28 PM, Steven Jones wrote: > > > Hi, > > > > Subnet? IP addressing will not matter its DNS as the main issue, for me anyway., I cant see IP / sunbets matter? > > > > So, yes if you have AD as the same realm as IPA then only one will work well from what I can read, IPA has to have its neat auto-discovery/balancing features turned off, or at least hobbled. > > > > So, as an example I have vuw.ac.nz as the AD DNS domain/ kerberos realm and then unix.vuw.ac.nz as the sub-domain/sub kerberos realm, with AD delegating DNS to the IPA servers. This way the unix domain is "independent but referenced... > > > > eg I find the auto-discovery is working fine... > > > > So windows clients talk to AD directly, linux clients talk to IPA directly, if the linux clients need to DNS the IPA servers get that for them from AD..... > > > > I have some visio diagrams of how I have done it if you want them....it may not be the best way? but with so little architecture info available its all I have. > > > > > > regards > > > > Steven Jones > > > > Technical Specialist - Linux RHCE > > > > Victoria University, Wellington, NZ > > > > 0064 4 463 6272 > > > > ________________________________ > > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Brian Cook [bcook at redhat.com] > > Sent: Friday, 24 February 2012 9:59 a.m. 
> > To: freeipa-users at redhat.com
> > Subject: [Freeipa-users] need info on AD / IPA coexistence
> >
> > I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different. I have not been able to find good concrete information or BZ's regarding this. I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug our is it a MS-AD issue, etc. I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments. Any help or information would be appreciated.
> >
> > Thanks,
> > Brian
> >
> > ---
> > Brian Cook
> > Solutions Architect, West Region
> > Red Hat, Inc.
> > 407-212-7079
> > bcook at redhat.com
> >
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Fri Feb 24 02:36:30 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 24 Feb 2012 02:36:30 +0000
Subject: [Freeipa-users] need info on AD / IPA coexistence
In-Reply-To:
References: <74B15185-79AA-40FB-80D2-87E737E2D840@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CBBF614@STAWINCOX10MBX1.staff.vuw.ac.nz>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CBBFA04@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Well I can give you how I think this works, but I stand to be corrected...

So, there is auto-discovery for kerberos going on via DNS, but AD's DNS already has such kerberos for its services, so a Linux client is going to try and do this, but it's going to get AD results and not IPA results, so fail, so you have to be specific in commands. For instance on install with IPA DNS I can type, ipa-client-install --mkhomedir and it figures out the DNS entries of the IPA server(s) and picks one to join via....
If you cant do this as you are using AD's DNS then you have to specify the server and domain.... I think this might also impact load balancing across IPA' LDAP/kerberos servers, so if you have hard coded the KDC the client wont use dns to pick one of the others (assuming you have any). I assume that any dis-advantage AD suffers from not having its own integrated DNS will also apply to IPA, from my limited reading this seems to be the case. With joining a Linux client to IPA with its own DNS, dns also gets updated.....if you are using an AD DNS then that is a manual process? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Brian Cook [bcook at redhat.com] Sent: Friday, 24 February 2012 3:12 p.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] need info on AD / IPA coexistence I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS. Trying to figure out what the problem is. I understand your delegated dns setup. What if the customer must use AD for all DNS? -Brian On Feb 23, 2012, at 3:28 PM, Steven Jones wrote: > Hi, > > Subnet? IP addressing will not matter its DNS as the main issue, for me anyway., I cant see IP / sunbets matter? > > So, yes if you have AD as the same realm as IPA then only one will work well from what I can read, IPA has to have its neat auto-discovery/balancing features turned off, or at least hobbled. > > So, as an example I have vuw.ac.nz as the AD DNS domain/ kerberos realm and then unix.vuw.ac.nz as the sub-domain/sub kerberos realm, with AD delegating DNS to the IPA servers. This way the unix domain is "independent but referenced... > > eg I find the auto-discovery is working fine... 
> > So windows clients talk to AD directly, linux clients talk to IPA directly, if the linux clients need to DNS the IPA servers get that for them from AD..... > > I have some visio diagrams of how I have done it if you want them....it may not be the best way? but with so little architecture info available its all I have. > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Brian Cook [bcook at redhat.com] > Sent: Friday, 24 February 2012 9:59 a.m. > To: freeipa-users at redhat.com > Subject: [Freeipa-users] need info on AD / IPA coexistence > > I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different. I have not been able to find good concrete information or BZ's regarding this. I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug our is it a MS-AD issue, etc. I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments. Any help or information would be appreciated. > > Thanks, > Brian > > --- > Brian Cook > Solutions Architect, West Region > Red Hat, Inc. 
> 407-212-7079 > bcook at redhat.com > From Steven.Jones at vuw.ac.nz Fri Feb 24 02:44:59 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Fri, 24 Feb 2012 02:44:59 +0000 Subject: [Freeipa-users] need info on AD / IPA coexistence In-Reply-To: <20120224022758.GA9834@noboost.org> References: <74B15185-79AA-40FB-80D2-87E737E2D840@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CBBF614@STAWINCOX10MBX1.staff.vuw.ac.nz> , <20120224022758.GA9834@noboost.org> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CBBFA28@STAWINCOX10MBX1.staff.vuw.ac.nz> I think we are doing the same thing here, seemed to have arrived at the same conclusion!.....I have the AD DNS servers hand off the sub-domain to the IPA servers, so they are the masters for all things linux/unix, the reverse IP domains on the IPA servers are slaved from the AD DNS however as the subnets are mixed clients. This means I have to add linux servers manually in the reverse AD zones, not sure what I will do with clients as they are dhcp, have a look to see if I can do dns updates for a client dynamically.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Craig T [freeipa at noboost.org] Sent: Friday, 24 February 2012 3:27 p.m. To: Brian Cook Cc: Steven Jones; freeipa-users at redhat.com Subject: Re: [Freeipa-users] need info on AD / IPA coexistence Hi Brian, I spent a lot of time on this topic. In the end we decided to do the following; Microsoft domain: melb.example.com Linux Domain: group.example.com The linux DNS server is a slave to the Windows AD DNS servers & a master DNS for "group.example.com". All PCs point to our Linux DNS server which is hosting a slave copy of the melb.example.com. Amazingly this all works fine. note: at the moment at least, we are keeping two separate user lists. 
I had sync working at one stage, but couldn't get the group memberships to come over correctly when going from Linux --> AD.

cya

Craig

On Thu, Feb 23, 2012 at 09:12:37PM -0500, Brian Cook wrote:
> I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS. Trying to figure out what the problem is. I understand your delegated dns setup. What if the customer must use AD for all DNS?
>
> -Brian
>
> On Feb 23, 2012, at 3:28 PM, Steven Jones wrote:
>
> > Hi,
> >
> > Subnet? IP addressing will not matter, it's DNS that is the main issue, for me anyway. I can't see IP / subnets mattering?
> >
> > So, yes, if you have AD as the same realm as IPA then only one will work well from what I can read; IPA has to have its neat auto-discovery/balancing features turned off, or at least hobbled.
> >
> > So, as an example I have vuw.ac.nz as the AD DNS domain / kerberos realm and then unix.vuw.ac.nz as the sub-domain / sub kerberos realm, with AD delegating DNS to the IPA servers. This way the unix domain is "independent but referenced"...
> >
> > eg I find the auto-discovery is working fine...
> >
> > So windows clients talk to AD directly, linux clients talk to IPA directly, if the linux clients need to DNS the IPA servers get that for them from AD.....
> >
> > I have some visio diagrams of how I have done it if you want them....it may not be the best way? but with so little architecture info available it's all I have.
> >
> > regards
> >
> > Steven Jones
> > Technical Specialist - Linux RHCE
> > Victoria University, Wellington, NZ
> > 0064 4 463 6272
> >
> > ________________________________
> > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Brian Cook [bcook at redhat.com]
> > Sent: Friday, 24 February 2012 9:59 a.m.
> > To: freeipa-users at redhat.com
> > Subject: [Freeipa-users] need info on AD / IPA coexistence
> >
> > I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different. I have not been able to find good concrete information or BZ's regarding this. I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug or is it a MS-AD issue, etc. I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments. Any help or information would be appreciated.
> >
> > Thanks,
> > Brian
> >
> > ---
> > Brian Cook
> > Solutions Architect, West Region
> > Red Hat, Inc.
> > 407-212-7079
> > bcook at redhat.com
> >
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From freeipa at noboost.org Fri Feb 24 02:58:30 2012
From: freeipa at noboost.org (Craig T)
Date: Fri, 24 Feb 2012 05:58:30 +0300
Subject: [Freeipa-users] need info on AD / IPA coexistence
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CBBFA28@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <74B15185-79AA-40FB-80D2-87E737E2D840@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CBBF614@STAWINCOX10MBX1.staff.vuw.ac.nz> <20120224022758.GA9834@noboost.org> <833D8E48405E064EBC54C84EC6B36E404CBBFA28@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20120224025830.GA9970@noboost.org>

We use the group.example.com as the primary domain name, even for windows clients.

So a typical windows pc has:

ip: 192.168.0.100
dns1: linux-dns-server1
dns2: linux-dns-server2
search: group.example.com

That way the windows pcs only use their "melb.example.com" domain for authentication and then switch back to "group.example.com" to communicate with other hosts on the network.
Anyway, this is just how I worked it out, there must be a better way out there...

cya

Craig

On Fri, Feb 24, 2012 at 02:44:59AM +0000, Steven Jones wrote:
> I think we are doing the same thing here, seemed to have arrived at the same conclusion!.....I have the AD DNS servers hand off the sub-domain to the IPA servers, so they are the masters for all things linux/unix, the reverse IP domains on the IPA servers are slaved from the AD DNS however as the subnets are mixed clients. This means I have to add linux servers manually in the reverse AD zones, not sure what I will do with clients as they are dhcp, have a look to see if I can do dns updates for a client dynamically....
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: Craig T [freeipa at noboost.org]
> Sent: Friday, 24 February 2012 3:27 p.m.
> To: Brian Cook
> Cc: Steven Jones; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] need info on AD / IPA coexistence
>
> Hi Brian,
>
> I spent a lot of time on this topic. In the end we decided to do the
> following;
>
> Microsoft domain: melb.example.com
> Linux Domain: group.example.com
>
> The linux DNS server is a slave to the Windows AD DNS servers & a
> master DNS for "group.example.com".
>
> All PCs point to our Linux DNS server which is hosting a slave copy of
> the melb.example.com. Amazingly this all works fine.
>
> note: at the moment at least, we are keeping two separate user lists. I
> had sync working at one stage, but couldn't get the group memberships to
> come over correctly when going from Linux --> AD.
>
> cya
>
> Craig
>
> On Thu, Feb 23, 2012 at 09:12:37PM -0500, Brian Cook wrote:
> > I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS.
> > Trying to figure out what the problem is. I understand your delegated dns setup. What if the customer must use AD for all DNS?
> >
> > -Brian
> >
> > On Feb 23, 2012, at 3:28 PM, Steven Jones wrote:
> >
> > > Hi,
> > >
> > > Subnet? IP addressing will not matter, it's DNS that is the main issue, for me anyway. I can't see IP / subnets mattering?
> > >
> > > So, yes, if you have AD as the same realm as IPA then only one will work well from what I can read; IPA has to have its neat auto-discovery/balancing features turned off, or at least hobbled.
> > >
> > > So, as an example I have vuw.ac.nz as the AD DNS domain / kerberos realm and then unix.vuw.ac.nz as the sub-domain / sub kerberos realm, with AD delegating DNS to the IPA servers. This way the unix domain is "independent but referenced"...
> > >
> > > eg I find the auto-discovery is working fine...
> > >
> > > So windows clients talk to AD directly, linux clients talk to IPA directly, if the linux clients need to DNS the IPA servers get that for them from AD.....
> > >
> > > I have some visio diagrams of how I have done it if you want them....it may not be the best way? but with so little architecture info available it's all I have.
> > >
> > > regards
> > >
> > > Steven Jones
> > > Technical Specialist - Linux RHCE
> > > Victoria University, Wellington, NZ
> > > 0064 4 463 6272
> > >
> > > ________________________________
> > > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Brian Cook [bcook at redhat.com]
> > > Sent: Friday, 24 February 2012 9:59 a.m.
> > > To: freeipa-users at redhat.com
> > > Subject: [Freeipa-users] need info on AD / IPA coexistence
> > >
> > > I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different. I have not been able to find good concrete information or BZ's regarding this.
> > > I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug or is it a MS-AD issue, etc. I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments. Any help or information would be appreciated.
> > >
> > > Thanks,
> > > Brian
> > >
> > > ---
> > > Brian Cook
> > > Solutions Architect, West Region
> > > Red Hat, Inc.
> > > 407-212-7079
> > > bcook at redhat.com
> > >
> >

From simo at redhat.com Fri Feb 24 04:47:56 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 23 Feb 2012 23:47:56 -0500
Subject: [Freeipa-users] need info on AD / IPA coexistence
In-Reply-To:
References: <74B15185-79AA-40FB-80D2-87E737E2D840@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CBBF614@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1330058876.18690.117.camel@willson.li.ssimo.org>

On Thu, 2012-02-23 at 21:12 -0500, Brian Cook wrote:
> I would not expect that there would be any problem with AD and IPA
> coexisting when the realm names are different, but I have heard
> reports that there are problems, especially when Linux clients are
> configured to use AD for DNS. Trying to figure out what the problem
> is. I understand your delegated dns setup. What if the customer must
> use AD for all DNS?

The only "problem" you may have is that you have to manually set all the SRV and TXT records. It's tedious but nothing heart breaking.

Clients will not be able to do DNS updates if the DNS is not managed by IPA.

Simo.
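Simo's answer above says that when the zone is owned by a DNS server IPA does not manage (AD in this thread), the SRV and TXT records that IPA clients use for server discovery have to be created by hand. The script below is an added example for this thread; it is not code from the list, from Simo, or from the FreeIPA project. It builds the record set that the Identity Management Guide lists for an IPA 2.x domain (the `_ntp._udp` record is included because the guide lists it and can be dropped if the IPA servers do not serve NTP), renders it in zone-file syntax for the AD DNS administrator, and diffs it against a dump of what the zone currently serves so the missing records can be listed before the first client enrolment is attempted. The domain, realm and server names are constructed sample values.

```python
"""Expected IPA discovery records for a zone that another DNS server owns.

Added example for this thread (not code from the list or from FreeIPA).
The record list follows the Identity Management Guide for IPA 2.x; the
domain, realm and server names used below are constructed sample values.
"""
from typing import Iterable, List, Set, Tuple

Record = Tuple[str, str, str]  # (owner name, RR type, rdata)

# Service owners that IPA clients query during discovery, with the port
# each SRV record advertises.
SRV_SERVICES: List[Tuple[str, int]] = [
    ("_ldap._tcp", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kerberos-master._tcp", 88),
    ("_kerberos-master._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
    ("_ntp._udp", 123),
]


def ipa_dns_records(domain: str, realm: str, servers: Iterable[str],
                    priority: int = 0, weight: int = 100) -> List[Record]:
    """Return the _kerberos TXT realm record plus one SRV per (service, server).

    Owners and SRV targets are absolute (trailing dot) so the lines paste
    into any zone file regardless of its $ORIGIN.
    """
    domain = domain.rstrip(".")
    hosts = [s.rstrip(".") + "." for s in servers]
    records: List[Record] = [(f"_kerberos.{domain}.", "TXT", f'"{realm}"')]
    for owner, port in SRV_SERVICES:
        for host in hosts:
            records.append((f"{owner}.{domain}.", "SRV",
                            f"{priority} {weight} {port} {host}"))
    return records


def to_zone_lines(records: Iterable[Record], ttl: int = 86400) -> List[str]:
    """Render records as 'owner TTL IN TYPE rdata' zone-file lines."""
    return [f"{owner} {ttl} IN {rrtype} {rdata}"
            for owner, rrtype, rdata in records]


def _norm(rec: Record) -> Record:
    """Case-fold DNS names (they are case-insensitive); TXT data is kept as-is."""
    owner, rrtype, rdata = rec
    rrtype = rrtype.upper()
    rdata = " ".join(rdata.split())
    if rrtype == "SRV":
        rdata = rdata.lower()
    return (owner.lower(), rrtype, rdata)


def parse_zone_lines(lines: Iterable[str]) -> Set[Record]:
    """Parse zone-file style lines (e.g. a zone-transfer dump) into records.

    Comments, blank lines and anything that is not 'owner TTL IN TYPE rdata'
    are skipped, so a raw dump can be fed in without cleaning it first.
    """
    present: Set[Record] = set()
    for line in lines:
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        owner, _ttl, _cls, rrtype, rdata = parts
        present.add(_norm((owner, rrtype, rdata)))
    return present


def missing_records(expected: Iterable[Record],
                    present: Iterable[Record]) -> List[Record]:
    """Records in `expected` that the zone does not serve yet, in order."""
    have = {_norm(r) for r in present}
    return [r for r in expected if _norm(r) not in have]


if __name__ == "__main__":
    expected = ipa_dns_records("unix.example.com", "UNIX.EXAMPLE.COM",
                               ["ipa1.unix.example.com", "ipa2.unix.example.com"])
    # Constructed dump of what the AD-hosted zone serves today: the realm
    # TXT record and a single LDAP SRV record pointing at one server.
    served = parse_zone_lines("""
        _kerberos.unix.example.com.  86400 IN TXT "UNIX.EXAMPLE.COM"
        _ldap._tcp.unix.example.com. 86400 IN SRV 0 100 389 ipa1.unix.example.com.
    """.splitlines())
    print("Records still to be added to the zone:")
    for line in to_zone_lines(missing_records(expected, served)):
        print(line)
```

Feeding `parse_zone_lines` the output of a zone dump (for example `dig axfr` against the AD server, where transfers are permitted) turns this into a repeatable check that can be re-run after every change on the AD side; the same diff also catches a record that was added with a wrong port or target, since those compare unequal.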
--
Simo Sorce * Red Hat, Inc * New York

From abokovoy at redhat.com Fri Feb 24 06:07:55 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 24 Feb 2012 08:07:55 +0200
Subject: [Freeipa-users] samba & IPA
In-Reply-To: <4F46D058.4060807@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CBBB127@STAWINCOX10MBX1.staff.vuw.ac.nz> <20120223220131.GO13458@redhat.com> <4F46D058.4060807@redhat.com>
Message-ID: <20120224060755.GP13458@redhat.com>

On Thu, 23 Feb 2012, Jeremy Agee wrote:
> You should also be able to use the filesystem to control access to
> the smb share. If acl support is on the filesystem, you can use
> these as well. Samba should have "nt acl support = Yes" set by
> default.

Yes, this will work -- as long as SSSD or nss_ldap would be delivering IPA users and groups properly. This does not give the same centralized way of managing things though, ACLs need to be set on each server separately (for better, probably). Also, you'd still give out the fact test2 is existing on the server which might be an unreasonable information leak in certain circumstances.

--
/ Alexander Bokovoy

From nsollars at gmail.com Fri Feb 24 13:33:12 2012
From: nsollars at gmail.com (Nigel Sollars)
Date: Fri, 24 Feb 2012 08:33:12 -0500
Subject: [Freeipa-users] Windows Clients
In-Reply-To:
References: <4F300CBA.1010400@redhat.com>
Message-ID:

Hello,

I've been away for a little while, did I miss any posting of this information?

Thanks
Nigel Sollars

On Thu, Feb 9, 2012 at 9:51 AM, Jimmy wrote:
> Yes, I'll find that and post it. I've been traveling for work the past few
> weeks and haven't had it with me.
>
>
> On Thu, Feb 9, 2012 at 8:25 AM, Nigel Sollars wrote:
>
>> Hi,
>>
>> Could you point me to the document please :).
>>
>> Thanks in advance.
>>
>>
>> On Mon, Feb 6, 2012 at 1:34 PM, Jimmy wrote:
>>
>>> I am not making the windows systems part of an AD. I only need to
>>> replicate users from an AD group to FreeIPA and I've had issues making that
>>> work.
>>> I was working on that with a couple guys here on the list a couple
>>> weeks ago but have been traveling so it's been hard to make time to work on
>>> that.
>>>
>>> I submitted the doc to configure Win7 a while back but will look for it
>>> and re-submit.
>>>
>>> Jimmy
>>>
>>> On Mon, Feb 6, 2012 at 12:24 PM, Dmitri Pal wrote:
>>>
>>>> On 02/06/2012 11:31 AM, Jimmy wrote:
>>>>
>>>> I don't think you have to put it anywhere, the ipa.getkeytab mainly
>>>> sets the workstation password in freeipa. I keep the client keytabs in /etc
>>>> (krb5.keytab.[clientname].)
>>>>
>>>> I have many Win7 and WinXP workstations authenticating but I'm still
>>>> working on getting user/password sync working.
>>>>
>>>> Jimmy
>>>>
>>>>
>>>> Jimmy,
>>>>
>>>> Are you using Windows systems directly with IPA or you make them a part
>>>> of the AD domain and use winsync to sync data from AD to IPA?
>>>> If you managed to setup Win7 directly with IPA please share how you
>>>> have done this.
>>>>
>>>> Thanks
>>>> Dmitri
>>>>
>>>>
>>>>
>>>> On Mon, Feb 6, 2012 at 10:39 AM, Nigel Sollars wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Quick question,
>>>>>
>>>>> I want to setup a Windows system to use my realm, I've followed the
>>>>> prep list and created a simple arcfour-hmac krb5.keytab. The guide does
>>>>> not mention where I place this keytab. I thought I would check before
>>>>> running any of the ksetup commands.
>>>>>
>>>>> Also just for reference has anyone gotten Windows 7 / server 2008
>>>>> authenticated? ( I guess that should also include server 2003 ).
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>> Nigel Sollars
>>>>>
>>>>>
>>>>> --
>>>>> "Science is a differential equation. Religion is a boundary condition."
>>>>>
>>>>> Alan Turing
>>>>>
>>>>
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IPA project,
>>>> Red Hat Inc.
>>>>
>>>>
>>>> -------------------------------
>>>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>>>
>>>
>>
>

--
"Science is a differential equation. Religion is a boundary condition."

Alan Turing

From marco.pizzoli at gmail.com Fri Feb 24 15:36:24 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 24 Feb 2012 16:36:24 +0100
Subject: [Freeipa-users] Fwd: Question about alpha release process
In-Reply-To:
References:
Message-ID:

Hi guys,
Sorry to resend this, but this information would be helpful to me.
Thanks in advance as usual
Marco

---------- Forwarded message ----------
From: Marco Pizzoli
Date: Wed, Feb 22, 2012 at 11:08 AM
Subject: Question about alpha release process
To: freeipa-devel at redhat.com

Hi guys,
during the next days I'm going to put more effort on my FreeIPA project, so I would appreciate to test (and report problems/bugs, of course) other alpha versions of FreeIPA 2.2.
Have you got any plan to release other alpha versions shortly?

Just to know, thanks a lot as usual.
Marco

From rcritten at redhat.com Fri Feb 24 15:54:32 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Feb 2012 10:54:32 -0500
Subject: [Freeipa-users] Fwd: Question about alpha release process
In-Reply-To:
References:
Message-ID: <4F47B2B8.4060608@redhat.com>

Marco Pizzoli wrote:
> Hi guys,
> Sorry to resend this, but this information would be helpful to me.
>
> Thanks in advance as usual
> Marco
>
> ---------- Forwarded message ----------
> From: *Marco Pizzoli*
> Date: Wed, Feb 22, 2012 at 11:08 AM
> Subject: Question about alpha release process
> To: freeipa-devel at redhat.com
>
>
> Hi guys,
> during next days I'm going to put more effort on my FreeIPA project, so
> I would appreciate to test (and report problems/bugs, of course) with
> other alpha versions of FreeIPA 2.2.
> Have you got any plan to release other alpha versions shortly?
>
> Just to know, thanks a lot as usual.
> Marco

Nice timing, I had a response started to your original e-mail in another e-mail window :-)

The changes so far since the last alpha have been relatively minor which is why I haven't done another alpha so far (DNS being the exception). We have quite a lot of pending fixes I'm going to roll up into a release at the end of next week. Since we'll be feature complete I'll probably call it beta 1.
regards

rob

From marco.pizzoli at gmail.com Fri Feb 24 16:00:41 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 24 Feb 2012 17:00:41 +0100
Subject: [Freeipa-users] Fwd: Question about alpha release process
In-Reply-To: <4F47B2B8.4060608@redhat.com>
References: <4F47B2B8.4060608@redhat.com>
Message-ID:

On Fri, Feb 24, 2012 at 4:54 PM, Rob Crittenden wrote:
> Marco Pizzoli wrote:
>
>> Hi guys,
>> Sorry to resend this, but this information would be helpful to me.
>>
>> Thanks in advance as usual
>> Marco
>>
>> ---------- Forwarded message ----------
>> From: *Marco Pizzoli*
>> Date: Wed, Feb 22, 2012 at 11:08 AM
>> Subject: Question about alpha release process
>> To: freeipa-devel at redhat.com
>>
>>
>> Hi guys,
>> during next days I'm going to put more effort on my FreeIPA project, so
>> I would appreciate to test (and report problems/bugs, of course) with
>> other alpha versions of FreeIPA 2.2.
>> Have you got any plan to release other alpha versions shortly?
>>
>> Just to know, thanks a lot as usual.
>> Marco
>>
>
> Nice timing, I had a response started to your original e-mail in another
> e-mail window :-)
>

Have I won something? :-)

> The changes so far since the last alpha have been relatively minor which
> is why I haven't done another alpha so far (DNS being the exception). We
> have quite a lot of pending fixes I'm going to roll up into a release at
> the end of next week. Since we'll be feature complete I'll probably call it
> beta 1.
>

Thanks a lot for letting me know!

> regards
>
> rob
>
From erinn.looneytriggs at gmail.com Fri Feb 24 18:02:31 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Fri, 24 Feb 2012 09:02:31 -0900
Subject: [Freeipa-users] Searching for subjectKeyIdentifier in SSL certs
In-Reply-To: <20120224011851.GB2320@redhat.com>
References: <4F4580CF.1070603@gmail.com> <20120224011851.GB2320@redhat.com>
Message-ID: <4F47D0B7.9010206@gmail.com>

On 02/23/2012 04:18 PM, Nalin Dahyabhai wrote:
> On Wed, Feb 22, 2012 at 02:57:03PM -0900, Erinn Looney-Triggs wrote:
>> It looks like, as far as I can tell, the IPA pki setup does not by
>> default include subjectKeyIdentifier in the SSL certificates issued. I
>> am using ipa-getcert -f foo -k bar, to generate and submit the request.
>>
>> I am a little hazy about how all of this fits together at this point, so
>> please forgive me. However, it looks like the RFC states that the CA
>> SHOULD be included with all end certificates:
>> https://www.ietf.org/rfc/rfc3280.txt (Page 27). So it is fine that it is
>> not included, but is there a way to modify IPA so that it does?
>
> While certmonger doesn't currently add a subjectKeyIdentifier value to
> the list of requested extensions which it includes in signing requests,
> I guess it could, but you're right in thinking that it's more important
> to get the CA to do it -- the CA can (and almost always should) ignore
> anything we put in the signing request anyway. And Dogtag is flexible
> enough that we can do that without the rest of IPA being any the wiser.
>
>> I assume this is all part of dogtag and its operations, and it looks
>> like from my research it should be possible in dogtag, but how IPA and
>> dogtag work together etc. well I just don't know enough.
>
> The short version is that certmonger uses XML-RPC to talk to the IPA
> server, which then turns around and talks to the Dogtag instance running
> on the same server (using an HTTP-based protocol that looks a lot like
> XML-RPC), asking it to issue certificates using Dogtag's
> "caIPAserviceCert" profile.
>
> The profile, in turn, specifies to Dogtag what requirements a client
> which asks it to issue a certificate using that profile should meet
> (i.e., that it needs to authenticate using a certificate and key
> that belongs to a registration agent, like IPA's) and what to put into
> any certificates it issues using that profile. As you've noticed,
> that currently doesn't include a subjectKeyIdentifier extension.
>
> The profile itself is just a configuration file, and while its syntax is
> very flexible, based on what I have here, I'd suggest stopping your CA
> and adding this to /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg:
>
> policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.10.constraint.name=No Constraint
> policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
> policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
> policyset.serverCertSet.10.default.params.critical=false
>
> The "10" doesn't have to be "10", exactly. Any identifier should do, so
> long as it's not already being used. Then append that identifier to the
> "policyset.serverCertSet.list" value so that the server components will
> find it. I changed mine from this:
>
> policyset.serverCertSet.list=1,2,3,4,5,6,7,8
>
> to this:
>
> policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10
>
> Then restart the CA (or all of the IPA services, if it's easier), and
> from the client, use "ipa-getcert resubmit" to get certmonger to
> re-submit the signing requests for the certificates in question.
> IPA
> will ask Dogtag to issue new certificates, and those new certificates
> should contain the subjectKeyIdentifier extension.
>
> That all works when I try it here.
>
> And since it's a SHOULD in the spec, it'd probably make for a decent
> enhancement request to have the profile include that by default.
>
> HTH,
>
> Nalin

Nalin,

Brilliant, absolutely brilliant. Thanks for putting some of the pieces together for me, it is much appreciated. As well, the config worked out perfectly. I will put in a BZ request for this to be in the default template.

-Erinn

From danieljamesscott at gmail.com Fri Feb 24 16:45:18 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 24 Feb 2012 11:45:18 -0500
Subject: [Freeipa-users] Replica install problem
Message-ID:

Hi,

I have another replica install problem.

I ran into some issues a couple of weeks ago when 389-ds-base-1.2.10-0.10.rc1.fc16.x86_64 was released. My master server is running 389-ds-base-1.2.10-0.6.a6.fc16.x86_64 and I'd like to make sure I have some good replicas before I go any further.

I'm trying to create a new replica from a fresh install so that I have a new master and can wipe and re-install the old master.
When I try to create the replica, I receive the following:

Configuring directory server: Estimated time 1 minute
  [1/29]: creating directory server user
  [2/29]: creating directory server instance
  [3/29]: adding default schema
  [4/29]: enabling memberof plugin
  [5/29]: enabling referential integrity plugin
  [6/29]: enabling winsync plugin
  [7/29]: configuring replication version plugin
  [8/29]: enabling IPA enrollment plugin
  [9/29]: enabling ldapi
  [10/29]: configuring uniqueness plugin
  [11/29]: configuring uuid plugin
  [12/29]: configuring modrdn plugin
  [13/29]: enabling entryUSN plugin
  [14/29]: configuring lockout plugin
  [15/29]: creating indices
  [16/29]: configuring ssl for ds instance
  [17/29]: configuring certmap.conf
  [18/29]: configure autobind for root
  [19/29]: configure new location for managed entries
  [20/29]: restarting directory server
  [21/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [22/29]: adding replication acis
root        : CRITICAL Failed to load replica-acis.ldif: Command '/usr/bin/ldapmodify -h fileserver4.example.com -v -f /tmp/tmp6_sd0Z -x -D cn=Directory Manager -y /tmp/tmp9_IlSZ' returned non-zero exit status 255
  [23/29]: setting Auto Member configuration
root        : CRITICAL Failed to load replica-automember.ldif: Command '/usr/bin/ldapmodify -h fileserver4.example.com -v -f /tmp/tmpr1oE3X -x -D cn=Directory Manager -y /tmp/tmpmgvTdj' returned non-zero exit status 255
  [24/29]: initializing group membership
root        : CRITICAL Failed to load memberof-task.ldif: Command '/usr/bin/ldapmodify -h fileserver4.example.com -v -f /tmp/tmp5MDKm5 -x -D cn=Directory Manager -y /tmp/tmpgj0hdk' returned non-zero exit status 255
creation of replica failed: {'desc': "Can't contact LDAP server"}

Your system may be partly configured.
The /var/log/ipareplica-install.log contains the following:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

(once for each of the 3 critical errors above).

So I guess there's a problem (re)starting LDAP, or it crashes?

The 'interesting' lines from /var/log/dirsrv/slapd-EXAMPLE-COM/errors are:

[24/Feb/2012:10:29:53 -0500] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[24/Feb/2012:10:29:54 -0500] - import userRoot: Import complete. Processed 1 entries in 1 seconds. (1.00 entries/sec)
[24/Feb/2012:10:29:54 -0500] - import userRoot: Import complete. Processed 1 entries in 1 seconds. (1.00 entries/sec)
[24/Feb/2012:10:29:58 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328 starting up
[24/Feb/2012:10:29:58 -0500] - I'm resizing my cache now...cache was 840777728 and is now 8000000
[24/Feb/2012:10:29:58 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328 starting up
[24/Feb/2012:10:29:58 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[24/Feb/2012:10:29:58 -0500] - libdb: unable to join the environment
[24/Feb/2012:10:29:59 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[24/Feb/2012:10:29:59 -0500] - The change of nsslapd-ldapilisten will not take effect until the server is restarted
[24/Feb/2012:10:30:12 -0500] - Warning: Adding configuration attribute "nsslapd-security"
[24/Feb/2012:10:30:13 -0500] - slapd shutting down - signaling operation threads
[24/Feb/2012:10:30:13 -0500] - slapd shutting down - waiting for 1 thread to terminate
[24/Feb/2012:10:30:13 -0500] - slapd shutting down - closing down internal subsystems and plugins
[24/Feb/2012:10:30:13 -0500] - Waiting for 4 database threads to stop
[24/Feb/2012:10:30:13 -0500] - All database threads now stopped
[24/Feb/2012:10:30:13 -0500] - slapd stopped.
[24/Feb/2012:10:30:14 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328 starting up
[24/Feb/2012:10:30:14 -0500] attrcrypt - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[24/Feb/2012:10:30:14 -0500] attrcrypt - Key for cipher AES successfully generated and stored
[24/Feb/2012:10:30:14 -0500] attrcrypt - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[24/Feb/2012:10:30:14 -0500] attrcrypt - Key for cipher 3DES successfully generated and stored
[24/Feb/2012:10:30:14 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[24/Feb/2012:10:30:14 -0500] - Listening on All Interfaces port 636 for LDAPS requests
[24/Feb/2012:10:30:18 -0500] NSMMReplicationPlugin - agmt="cn=meTofileserver1.example.com" (fileserver1:389): Replica has a different generation ID than the local data.
[24/Feb/2012:10:30:18 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=example,dc=com: 20
[24/Feb/2012:10:30:18 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=example,dc=com is going offline; disabling replication

Any ideas?

Thanks,

Dan

From danieljamesscott at gmail.com Fri Feb 24 18:33:44 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 24 Feb 2012 13:33:44 -0500
Subject: [Freeipa-users] Feature request
Message-ID:

Hi,

I have an idea for a new feature. I've been having a lot of problems with replication recently and I think the following would be useful.

Can we show the replication status of the masters/replicas? And also show whether they contain a CA?

Something like:

ipa-replica-manage -v list

server1.example.com: master,CA [Up-to-date]
server2.example.com: master,CA [Not replicating!]
server3.example.com: master [Up-to-date]

Some of the recent updates to IPA have caused replication problems for me.
The first that I know about it is when I start getting weird problems like inconsistent results from user lookups, etc. Or when users start complaining. This would be a useful way to get the overall status of my IPA servers.

I would also like a related feature which would check the servers remotely to ensure that the required services are running. i.e. Test that I can get a kerberos ticket, perform an LDAP lookup, the CA is working, etc.

Thanks,

Dan

From rcritten at redhat.com Fri Feb 24 18:43:04 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Feb 2012 13:43:04 -0500
Subject: [Freeipa-users] Feature request
In-Reply-To:
References:
Message-ID: <4F47DA38.8080405@redhat.com>

Dan Scott wrote:
> Hi,
>
> I have an idea for a new feature. I've been having a lot of problems
> with replication recently and I think the following would be useful.
>
> Can we show the replication status of the masters/replicas? And also
> show whether they contain a CA?
>
> Something like:
>
> ipa-replica-manage -v list
>
> server1.example.com: master,CA [Up-to-date]
> server2.example.com: master,CA [Not replicating!]
> server3.example.com: master [Up-to-date]

Add a server name to the end of that command and you'll get the status:

# ipa-replica-manage list -v rawhide.greyoak.com
Directory Manager password:

pony.greyoak.com: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2012-02-24 18:12:59+00:00
win2003.greyoak.com: replica
  last init status: 0 Total update succeeded
  last init ended: 2012-02-24 18:07:26+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2012-02-24 18:37:25+00:00

>
> Some of the recent updates to IPA have caused replication problems for
> me. The first that I know about it is when I start getting weird
> problems like inconsistent results from user lookups, etc. Or when
> users start complaining.
> This would be a useful way to get the overall
> status of my IPA servers.
>
> I would also like a related feature which would check the servers
> remotely to ensure that the required services are running. i.e. Test
> that I can get a kerberos ticket, perform an LDAP lookup, the CA is
> working, etc.

ipactl status will at least make sure the processes are running. Only works on the local box though.

I filed RFE https://fedorahosted.org/freeipa/ticket/2443 for the rest.

regards

rob

From danieljamesscott at gmail.com Fri Feb 24 20:34:36 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 24 Feb 2012 15:34:36 -0500
Subject: [Freeipa-users] Feature request
In-Reply-To: <4F47DA38.8080405@redhat.com>
References: <4F47DA38.8080405@redhat.com>
Message-ID:

On Fri, Feb 24, 2012 at 13:43, Rob Crittenden wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> I have an idea for a new feature. I've been having a lot of problems
>> with replication recently and I think the following would be useful.
>>
>> Can we show the replication status of the masters/replicas? And also
>> show whether they contain a CA?
>>
>> Something like:
>>
>> ipa-replica-manage -v list
>>
>> server1.example.com: master,CA [Up-to-date]
>> server2.example.com: master,CA [Not replicating!]
>> server3.example.com: master [Up-to-date]
>
>
> Add a server name to the end of that command and you'll get the status:
>
> # ipa-replica-manage list -v rawhide.greyoak.com
> Directory Manager password:
>
> pony.greyoak.com: replica
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update
> succeeded
>   last update ended: 2012-02-24 18:12:59+00:00
> win2003.greyoak.com: replica
>   last init status: 0 Total update succeeded
>   last init ended: 2012-02-24 18:07:26+00:00
>   last update status: 0 Replica acquired successfully: Incremental update
> succeeded
>   last update ended: 2012-02-24 18:37:25+00:00

Excellent! Thanks.
Unfortunately, I have a problem:

[root@fileserver1 ~]# ipa-replica-manage -v list fileserver1
fileserver2: replica
  last init status: None
  last init ended: None
  last update status: -1 Incremental update has failed and requires administrator actionSystem error
  last update ended: 2012-02-15 22:02:39+00:00
fileserver4: replica
  last init status: 0 Total update succeeded
  last init ended: 2012-02-24 18:13:51+00:00
  last update status: -1  - System error
  last update ended: 2012-02-24 18:09:22+00:00

Neither of those look good.... :( Any ideas to solve the problems?

Thanks,

Dan

From rmeggins at redhat.com  Fri Feb 24 20:47:03 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 24 Feb 2012 13:47:03 -0700
Subject: [Freeipa-users] Replica install problem
In-Reply-To:
References:
Message-ID: <4F47F747.1050901@redhat.com>

On 02/24/2012 09:45 AM, Dan Scott wrote:
> Hi,
>
> I have another replica install problem.
>
> I ran into some issues a couple of weeks ago when
> 389-ds-base-1.2.10-0.10.rc1.fc16.x86_64 was released. My master server
> is running 389-ds-base-1.2.10-0.6.a6.fc16.x86_64 and I'd like to make
> sure I have some good replicas before I go any further.

I suggest using 389-ds-base-1.2.10.2-1.fc16.x86_64 now in updates-testing

> I'm trying to create a new replica from a fresh install so that I have
> a new master and can wipe and re-install the old master.
>
> When I try to create the replica, I receive the following:
>
> Configuring directory server: Estimated time 1 minute
>   [1/29]: creating directory server user
>   [2/29]: creating directory server instance
>   [3/29]: adding default schema
>   [4/29]: enabling memberof plugin
>   [5/29]: enabling referential integrity plugin
>   [6/29]: enabling winsync plugin
>   [7/29]: configuring replication version plugin
>   [8/29]: enabling IPA enrollment plugin
>   [9/29]: enabling ldapi
>   [10/29]: configuring uniqueness plugin
>   [11/29]: configuring uuid plugin
>   [12/29]: configuring modrdn plugin
>   [13/29]: enabling entryUSN plugin
>   [14/29]: configuring lockout plugin
>   [15/29]: creating indices
>   [16/29]: configuring ssl for ds instance
>   [17/29]: configuring certmap.conf
>   [18/29]: configure autobind for root
>   [19/29]: configure new location for managed entries
>   [20/29]: restarting directory server
>   [21/29]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress
> Update in progress
> Update in progress
> Update in progress
> Update succeeded
>   [22/29]: adding replication acis
> root        : CRITICAL Failed to load replica-acis.ldif: Command
> '/usr/bin/ldapmodify -h fileserver4.example.com -v -f /tmp/tmp6_sd0Z
> -x -D cn=Directory Manager -y /tmp/tmp9_IlSZ' returned non-zero exit
> status 255
>   [23/29]: setting Auto Member configuration
> root        : CRITICAL Failed to load replica-automember.ldif: Command
> '/usr/bin/ldapmodify -h fileserver4.example.com -v -f /tmp/tmpr1oE3X
> -x -D cn=Directory Manager -y /tmp/tmpmgvTdj' returned non-zero exit
> status 255
>   [24/29]: initializing group membership
> root        : CRITICAL Failed to load memberof-task.ldif: Command
> '/usr/bin/ldapmodify -h fileserver4.example.com -v -f /tmp/tmp5MDKm5
> -x -D cn=Directory Manager -y /tmp/tmpgj0hdk' returned non-zero exit
> status 255
> creation of replica failed: {'desc': "Can't contact LDAP server"}
>
> Your system may be partly configured.
>
> The /var/log/ipareplica-install.log contains the following:
>
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> (once for each of the 3 critical errors above). So I guess there's a
> problem (re)starting LDAP, or it crashes?

Looks like a crash.

> The 'interesting' lines from /var/log/dirsrv/slapd-EXAMPLE-COM/errors are:
>
> [24/Feb/2012:10:29:53 -0500] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to
> access the database
> [24/Feb/2012:10:29:54 -0500] - import userRoot: Import complete.
> Processed 1 entries in 1 seconds. (1.00 entries/sec)
> [24/Feb/2012:10:29:54 -0500] - import userRoot: Import complete.
> Processed 1 entries in 1 seconds. (1.00 entries/sec)
> [24/Feb/2012:10:29:58 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328
> starting up
> [24/Feb/2012:10:29:58 -0500] - I'm resizing my cache now...cache was
> 840777728 and is now 8000000
> [24/Feb/2012:10:29:58 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328
> starting up
> [24/Feb/2012:10:29:58 -0500] - Detected Disorderly Shutdown last time
> Directory Server was running, recovering database.

This means it crashed.

> [24/Feb/2012:10:29:58 -0500] - libdb: unable to join the environment
> [24/Feb/2012:10:29:59 -0500] - slapd started.  Listening on All
> Interfaces port 389 for LDAP requests
> [24/Feb/2012:10:29:59 -0500] - The change of nsslapd-ldapilisten will
> not take effect until the server is restarted
> [24/Feb/2012:10:30:12 -0500] - Warning: Adding configuration attribute
> "nsslapd-security"
> [24/Feb/2012:10:30:13 -0500] - slapd shutting down - signaling operation threads
> [24/Feb/2012:10:30:13 -0500] - slapd shutting down - waiting for 1
> thread to terminate
> [24/Feb/2012:10:30:13 -0500] - slapd shutting down - closing down
> internal subsystems and plugins
> [24/Feb/2012:10:30:13 -0500] - Waiting for 4 database threads to stop
> [24/Feb/2012:10:30:13 -0500] - All database threads now stopped
> [24/Feb/2012:10:30:13 -0500] - slapd stopped.
> [24/Feb/2012:10:30:14 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328
> starting up
> [24/Feb/2012:10:30:14 -0500] attrcrypt - No symmetric key found for
> cipher AES in backend userRoot, attempting to create one...
> [24/Feb/2012:10:30:14 -0500] attrcrypt - Key for cipher AES
> successfully generated and stored
> [24/Feb/2012:10:30:14 -0500] attrcrypt - No symmetric key found for
> cipher 3DES in backend userRoot, attempting to create one...
> [24/Feb/2012:10:30:14 -0500] attrcrypt - Key for cipher 3DES
> successfully generated and stored
> [24/Feb/2012:10:30:14 -0500] - slapd started.  Listening on All
> Interfaces port 389 for LDAP requests
> [24/Feb/2012:10:30:14 -0500] - Listening on All Interfaces port 636
> for LDAPS requests
> [24/Feb/2012:10:30:18 -0500] NSMMReplicationPlugin -
> agmt="cn=meTofileserver1.example.com" (fileserver1:389): Replica has a
> different generation ID than the local data.
> [24/Feb/2012:10:30:18 -0500] NSMMReplicationPlugin -
> repl_set_mtn_referrals: could not set referrals for replica
> dc=example,dc=com: 20
> [24/Feb/2012:10:30:18 -0500] NSMMReplicationPlugin -
> multimaster_be_state_change: replica dc=example,dc=com is going
> offline; disabling replication
>
> Any ideas?
389-ds-base-1.2.10.2 fixes some of the crashing issues seen with rc1, .0, and .1.

> Thanks,
>
> Dan
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From rmeggins at redhat.com  Fri Feb 24 20:48:33 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 24 Feb 2012 13:48:33 -0700
Subject: [Freeipa-users] Feature request
In-Reply-To:
References: <4F47DA38.8080405@redhat.com>
Message-ID: <4F47F7A1.2000006@redhat.com>

On 02/24/2012 01:34 PM, Dan Scott wrote:
> On Fri, Feb 24, 2012 at 13:43, Rob Crittenden wrote:
>> Dan Scott wrote:
>>> Hi,
>>>
>>> I have an idea for a new feature. I've been having a lot of problems
>>> with replication recently and I think the following would be useful.
>>>
>>> Can we show the replication status of the masters/replicas? And also
>>> show whether they contain a CA?
>>>
>>> Something like:
>>>
>>> ipa-replica-manage -v list
>>>
>>> server1.example.com: master,CA [Up-to-date]
>>> server2.example.com: master,CA [Not replicating!]
>>> server3.example.com: master [Up-to-date]
>>
>> Add a server name to the end of that command and you'll get the status:
>>
>> # ipa-replica-manage list -v rawhide.greyoak.com
>> Directory Manager password:
>>
>> pony.greyoak.com: replica
>> last init status: None
>> last init ended: None
>> last update status: 0 Replica acquired successfully: Incremental update
>> succeeded
>> last update ended: 2012-02-24 18:12:59+00:00
>> win2003.greyoak.com: replica
>> last init status: 0 Total update succeeded
>> last init ended: 2012-02-24 18:07:26+00:00
>> last update status: 0 Replica acquired successfully: Incremental update
>> succeeded
>> last update ended: 2012-02-24 18:37:25+00:00
> Excellent! Thanks.
> Unfortunately, I have a problem:
>
> [root@fileserver1 ~]# ipa-replica-manage -v list fileserver1
> fileserver2: replica
> last init status: None
> last init ended: None
> last update status: -1 Incremental update has failed and requires
> administrator actionSystem error
> last update ended: 2012-02-15 22:02:39+00:00
> fileserver4: replica
> last init status: 0 Total update succeeded
> last init ended: 2012-02-24 18:13:51+00:00
> last update status: -1 - System error
> last update ended: 2012-02-24 18:09:22+00:00
>
> Neither of those look good.... :( Any ideas to solve the problems?

I would suggest upgrading to 389-ds-base-1.2.10.2 - then we can investigate further

> Thanks,
>
> Dan

From danieljamesscott at gmail.com  Fri Feb 24 20:59:53 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 24 Feb 2012 15:59:53 -0500
Subject: [Freeipa-users] Feature request
In-Reply-To: <4F47F7A1.2000006@redhat.com>
References: <4F47DA38.8080405@redhat.com> <4F47F7A1.2000006@redhat.com>
Message-ID:

On Fri, Feb 24, 2012 at 15:48, Rich Megginson wrote:
> On 02/24/2012 01:34 PM, Dan Scott wrote:
>>
>> On Fri, Feb 24, 2012 at 13:43, Rob Crittenden wrote:
>>>
>>> Dan Scott wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have an idea for a new feature. I've been having a lot of problems
>>>> with replication recently and I think the following would be useful.
>>>>
>>>> Can we show the replication status of the masters/replicas? And also
>>>> show whether they contain a CA?
>>>>
>>>> Something like:
>>>>
>>>> ipa-replica-manage -v list
>>>>
>>>> server1.example.com: master,CA [Up-to-date]
>>>> server2.example.com: master,CA  [Not replicating!]
>>>> server3.example.com: master  [Up-to-date]
>>>
>>>
>>> Add a server name to the end of that command and you'll get the status:
>>>
>>> # ipa-replica-manage list -v rawhide.greyoak.com
>>> Directory Manager password:
>>>
>>> pony.greyoak.com: replica
>>>  last init status: None
>>>  last init ended: None
>>>  last update status: 0 Replica acquired successfully: Incremental update
>>> succeeded
>>>  last update ended: 2012-02-24 18:12:59+00:00
>>> win2003.greyoak.com: replica
>>>  last init status: 0 Total update succeeded
>>>  last init ended: 2012-02-24 18:07:26+00:00
>>>  last update status: 0 Replica acquired successfully: Incremental update
>>> succeeded
>>>  last update ended: 2012-02-24 18:37:25+00:00
>>
>> Excellent! Thanks. Unfortunately, I have a problem:
>>
>> [root@fileserver1 ~]# ipa-replica-manage -v list fileserver1
>> fileserver2: replica
>>   last init status: None
>>   last init ended: None
>>   last update status: -1 Incremental update has failed and requires
>> administrator actionSystem error
>>   last update ended: 2012-02-15 22:02:39+00:00
>> fileserver4: replica
>>   last init status: 0 Total update succeeded
>>   last init ended: 2012-02-24 18:13:51+00:00
>>   last update status: -1  - System error
>>   last update ended: 2012-02-24 18:09:22+00:00
>>
>> Neither of those look good.... :( Any ideas to solve the problems?
>
> I would suggest upgrading to 389-ds-base-1.2.10.2 - then we can investigate
> further

When I updated Fedora last week on one of my replicas, it completely
killed my LDAP server..... I sent another mail to the list about this.
Thanks,

Dan

From rmeggins at redhat.com  Fri Feb 24 21:04:10 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 24 Feb 2012 14:04:10 -0700
Subject: [Freeipa-users] Feature request
In-Reply-To:
References: <4F47DA38.8080405@redhat.com> <4F47F7A1.2000006@redhat.com>
Message-ID: <4F47FB4A.6020205@redhat.com>

On 02/24/2012 01:59 PM, Dan Scott wrote:
> On Fri, Feb 24, 2012 at 15:48, Rich Megginson wrote:
>> On 02/24/2012 01:34 PM, Dan Scott wrote:
>>> On Fri, Feb 24, 2012 at 13:43, Rob Crittenden wrote:
>>>> Dan Scott wrote:
>>>>> Hi,
>>>>>
>>>>> I have an idea for a new feature. I've been having a lot of problems
>>>>> with replication recently and I think the following would be useful.
>>>>>
>>>>> Can we show the replication status of the masters/replicas? And also
>>>>> show whether they contain a CA?
>>>>>
>>>>> Something like:
>>>>>
>>>>> ipa-replica-manage -v list
>>>>>
>>>>> server1.example.com: master,CA [Up-to-date]
>>>>> server2.example.com: master,CA [Not replicating!]
>>>>> server3.example.com: master [Up-to-date]
>>>>
>>>> Add a server name to the end of that command and you'll get the status:
>>>>
>>>> # ipa-replica-manage list -v rawhide.greyoak.com
>>>> Directory Manager password:
>>>>
>>>> pony.greyoak.com: replica
>>>> last init status: None
>>>> last init ended: None
>>>> last update status: 0 Replica acquired successfully: Incremental update
>>>> succeeded
>>>> last update ended: 2012-02-24 18:12:59+00:00
>>>> win2003.greyoak.com: replica
>>>> last init status: 0 Total update succeeded
>>>> last init ended: 2012-02-24 18:07:26+00:00
>>>> last update status: 0 Replica acquired successfully: Incremental update
>>>> succeeded
>>>> last update ended: 2012-02-24 18:37:25+00:00
>>> Excellent! Thanks.
>>> Unfortunately, I have a problem:
>>>
>>> [root@fileserver1 ~]# ipa-replica-manage -v list fileserver1
>>> fileserver2: replica
>>> last init status: None
>>> last init ended: None
>>> last update status: -1 Incremental update has failed and requires
>>> administrator actionSystem error
>>> last update ended: 2012-02-15 22:02:39+00:00
>>> fileserver4: replica
>>> last init status: 0 Total update succeeded
>>> last init ended: 2012-02-24 18:13:51+00:00
>>> last update status: -1 - System error
>>> last update ended: 2012-02-24 18:09:22+00:00
>>>
>>> Neither of those look good.... :( Any ideas to solve the problems?
>> I would suggest upgrading to 389-ds-base-1.2.10.2 - then we can investigate
>> further
> When I updated Fedora last week on one of my replicas, it completely
> killed my LDAP server..... I sent another mail to the list about this.

There are known crashing issues in 389-ds-base before 1.2.10.2

> Thanks,
>
> Dan

From marco.pizzoli at gmail.com  Fri Feb 24 21:59:51 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Fri, 24 Feb 2012 22:59:51 +0100
Subject: [Freeipa-users] ipa.keytab - Maybe found bug in documentation
Message-ID:

Hi guys,
please confirm that this is a bug in the documentation:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerberos.html#about-keytabs
--------------------

12.1.2. About Protecting Keytabs

To protect keytab files, reset the permissions and ownership to restrict access to the files to only the keytab owner. : For example, set the owner of the Apache keytab (/etc/httpd/conf/ipa.keytab) to httpd and the mode to 0600.
--------------------

It should be the "apache" user, isn't it?
I only checked on a RHEL6 system that the httpd user is "apache", but I have not checked with a RHEL6-&-FreeIPA system.

Thanks as usual
Marco
From simo at redhat.com  Fri Feb 24 22:09:50 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 24 Feb 2012 17:09:50 -0500
Subject: [Freeipa-users] ipa.keytab - Maybe found bug in documentation
In-Reply-To:
References:
Message-ID: <1330121390.18690.145.camel@willson.li.ssimo.org>

On Fri, 2012-02-24 at 22:59 +0100, Marco Pizzoli wrote:
> Hi guys,
> please confirm that this is a bug in the documentation:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerberos.html#about-keytabs
> --------------------
>
> 12.1.2. About Protecting Keytabs
> To protect keytab files, reset the permissions and ownership to
> restrict access to the files to only the keytab owner. : For example,
> set the owner of the Apache keytab (/etc/httpd/conf/ipa.keytab) to
> httpd and the mode to 0600.
> --------------------
>
> It should be the "apache" user, isn't it?
> I only checked on a RHEL6 system that the httpd user is "apache", but
> I have not checked with a RHEL6-&-FreeIPA system.

Yes it's a bug, the user is 'apache'.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From danieljamesscott at gmail.com  Fri Feb 24 22:23:09 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 24 Feb 2012 17:23:09 -0500
Subject: [Freeipa-users] Replica install problem
In-Reply-To: <4F47F747.1050901@redhat.com>
References: <4F47F747.1050901@redhat.com>
Message-ID:

On Fri, Feb 24, 2012 at 15:47, Rich Megginson wrote:
> On 02/24/2012 09:45 AM, Dan Scott wrote:
>>
>> Hi,
>>
>> I have another replica install problem.
>>
>> I ran into some issues a couple of weeks ago when
>> 389-ds-base-1.2.10-0.10.rc1.fc16.x86_64 was released. My master server
>> is running 389-ds-base-1.2.10-0.6.a6.fc16.x86_64 and I'd like to make
>> sure I have some good replicas before I go any further.
>
> I suggest using 389-ds-base-1.2.10.2-1.fc16.x86_64 now in updates-testing

OK, this seems to be working well.
I'll run it for a few days and then I'll think about updating the server which is running the old version.

>> I'm trying to create a new replica from a fresh install so that I have
>> a new master and can wipe and re-install the old master.
>>
>> When I try to create the replica, I receive the following:
>>
>> Configuring directory server: Estimated time 1 minute
>>   [1/29]: creating directory server user
>>   [2/29]: creating directory server instance
>>   [3/29]: adding default schema
>>   [4/29]: enabling memberof plugin
>>   [5/29]: enabling referential integrity plugin
>>   [6/29]: enabling winsync plugin
>>   [7/29]: configuring replication version plugin
>>   [8/29]: enabling IPA enrollment plugin
>>   [9/29]: enabling ldapi
>>   [10/29]: configuring uniqueness plugin
>>   [11/29]: configuring uuid plugin
>>   [12/29]: configuring modrdn plugin
>>   [13/29]: enabling entryUSN plugin
>>   [14/29]: configuring lockout plugin
>>   [15/29]: creating indices
>>   [16/29]: configuring ssl for ds instance
>>   [17/29]: configuring certmap.conf
>>   [18/29]: configure autobind for root
>>   [19/29]: configure new location for managed entries
>>   [20/29]: restarting directory server
>>   [21/29]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress
>> Update in progress
>> Update in progress
>> Update in progress
>> Update succeeded
>>   [22/29]: adding replication acis
>> root        : CRITICAL Failed to load replica-acis.ldif: Command
>> '/usr/bin/ldapmodify -h fileserver4.example.com -v -f /tmp/tmp6_sd0Z
>> -x -D cn=Directory Manager -y /tmp/tmp9_IlSZ' returned non-zero exit
>> status 255
>>   [23/29]: setting Auto Member configuration
>> root        : CRITICAL Failed to load replica-automember.ldif: Command
>> '/usr/bin/ldapmodify -h fileserver4.example.com -v -f /tmp/tmpr1oE3X
>> -x -D cn=Directory Manager -y /tmp/tmpmgvTdj' returned non-zero exit
>> status 255
>>   [24/29]: initializing group membership
>> root        : CRITICAL Failed to load memberof-task.ldif: Command
>> '/usr/bin/ldapmodify -h fileserver4.example.com -v -f /tmp/tmp5MDKm5
>> -x -D cn=Directory Manager -y /tmp/tmpgj0hdk' returned non-zero exit
>> status 255
>> creation of replica failed: {'desc': "Can't contact LDAP server"}
>>
>> Your system may be partly configured.
>>
>> The /var/log/ipareplica-install.log contains the following:
>>
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>
>> (once for each of the 3 critical errors above). So I guess there's a
>> problem (re)starting LDAP, or it crashes?
>
> Looks like a crash.
>
>> The 'interesting' lines from /var/log/dirsrv/slapd-EXAMPLE-COM/errors are:
>>
>> [24/Feb/2012:10:29:53 -0500] - WARNING: Import is running with
>> nsslapd-db-private-import-mem on; No other process is allowed to
>> access the database
>> [24/Feb/2012:10:29:54 -0500] - import userRoot: Import complete.
>> Processed 1 entries in 1 seconds. (1.00 entries/sec)
>> [24/Feb/2012:10:29:54 -0500] - import userRoot: Import complete.
>> Processed 1 entries in 1 seconds. (1.00 entries/sec)
>> [24/Feb/2012:10:29:58 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328
>> starting up
>> [24/Feb/2012:10:29:58 -0500] - I'm resizing my cache now...cache was
>> 840777728 and is now 8000000
>> [24/Feb/2012:10:29:58 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328
>> starting up
>> [24/Feb/2012:10:29:58 -0500] - Detected Disorderly Shutdown last time
>> Directory Server was running, recovering database.
>
> This means it crashed.
>
>> [24/Feb/2012:10:29:58 -0500] - libdb: unable to join the environment
>> [24/Feb/2012:10:29:59 -0500] - slapd started.  Listening on All
>> Interfaces port 389 for LDAP requests
>> [24/Feb/2012:10:29:59 -0500] - The change of nsslapd-ldapilisten will
>> not take effect until the server is restarted
>> [24/Feb/2012:10:30:12 -0500] - Warning: Adding configuration attribute
>> "nsslapd-security"
>> [24/Feb/2012:10:30:13 -0500] - slapd shutting down - signaling operation
>> threads
>> [24/Feb/2012:10:30:13 -0500] - slapd shutting down - waiting for 1
>> thread to terminate
>> [24/Feb/2012:10:30:13 -0500] - slapd shutting down - closing down
>> internal subsystems and plugins
>> [24/Feb/2012:10:30:13 -0500] - Waiting for 4 database threads to stop
>> [24/Feb/2012:10:30:13 -0500] - All database threads now stopped
>> [24/Feb/2012:10:30:13 -0500] - slapd stopped.
>> [24/Feb/2012:10:30:14 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328
>> starting up
>> [24/Feb/2012:10:30:14 -0500] attrcrypt - No symmetric key found for
>> cipher AES in backend userRoot, attempting to create one...
>> [24/Feb/2012:10:30:14 -0500] attrcrypt - Key for cipher AES
>> successfully generated and stored
>> [24/Feb/2012:10:30:14 -0500] attrcrypt - No symmetric key found for
>> cipher 3DES in backend userRoot, attempting to create one...
>> [24/Feb/2012:10:30:14 -0500] attrcrypt - Key for cipher 3DES
>> successfully generated and stored
>> [24/Feb/2012:10:30:14 -0500] - slapd started.  Listening on All
>> Interfaces port 389 for LDAP requests
>> [24/Feb/2012:10:30:14 -0500] - Listening on All Interfaces port 636
>> for LDAPS requests
>> [24/Feb/2012:10:30:18 -0500] NSMMReplicationPlugin -
>> agmt="cn=meTofileserver1.example.com" (fileserver1:389): Replica has a
>> different generation ID than the local data.
>> [24/Feb/2012:10:30:18 -0500] NSMMReplicationPlugin -
>> repl_set_mtn_referrals: could not set referrals for replica
>> dc=example,dc=com: 20
>> [24/Feb/2012:10:30:18 -0500] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=example,dc=com is going
>> offline; disabling replication
>>
>> Any ideas?
>
> 389-ds-base-1.2.10.2 fixes some of the crashing issues seen with rc1, .0,
> and .1.

Thanks, any idea when it will be released?

Thanks,

Dan

From rmeggins at redhat.com  Fri Feb 24 22:41:03 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 24 Feb 2012 15:41:03 -0700
Subject: [Freeipa-users] Replica install problem
In-Reply-To:
References: <4F47F747.1050901@redhat.com>
Message-ID: <4F4811FF.4090404@redhat.com>

On 02/24/2012 03:23 PM, Dan Scott wrote:
> On Fri, Feb 24, 2012 at 15:47, Rich Megginson wrote:
>> On 02/24/2012 09:45 AM, Dan Scott wrote:
>>> Hi,
>>>
>>> I have another replica install problem.
>>>
>>> I ran into some issues a couple of weeks ago when
>>> 389-ds-base-1.2.10-0.10.rc1.fc16.x86_64 was released. My master server
>>> is running 389-ds-base-1.2.10-0.6.a6.fc16.x86_64 and I'd like to make
>>> sure I have some good replicas before I go any further.
>> I suggest using 389-ds-base-1.2.10.2-1.fc16.x86_64 now in updates-testing
> OK, this seems to be working well. I'll run it for a few days and then
> I'll think about updating the server which is running the old version.
>
>>> I'm trying to create a new replica from a fresh install so that I have
>>> a new master and can wipe and re-install the old master.
>>>
>>> When I try to create the replica, I receive the following:
>>>
>>> Configuring directory server: Estimated time 1 minute
>>> [1/29]: creating directory server user
>>> [2/29]: creating directory server instance
>>> [3/29]: adding default schema
>>> [4/29]: enabling memberof plugin
>>> [5/29]: enabling referential integrity plugin
>>> [6/29]: enabling winsync plugin
>>> [7/29]: configuring replication version plugin
>>> [8/29]: enabling IPA enrollment plugin
>>> [9/29]: enabling ldapi
>>> [10/29]: configuring uniqueness plugin
>>> [11/29]: configuring uuid plugin
>>> [12/29]: configuring modrdn plugin
>>> [13/29]: enabling entryUSN plugin
>>> [14/29]: configuring lockout plugin
>>> [15/29]: creating indices
>>> [16/29]: configuring ssl for ds instance
>>> [17/29]: configuring certmap.conf
>>> [18/29]: configure autobind for root
>>> [19/29]: configure new location for managed entries
>>> [20/29]: restarting directory server
>>> [21/29]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update succeeded
>>> [22/29]: adding replication acis
>>> root : CRITICAL Failed to load replica-acis.ldif: Command
>>> '/usr/bin/ldapmodify -h fileserver4.example.com -v -f /tmp/tmp6_sd0Z
>>> -x -D cn=Directory Manager -y /tmp/tmp9_IlSZ' returned non-zero exit
>>> status 255
>>> [23/29]: setting Auto Member configuration
>>> root : CRITICAL Failed to load replica-automember.ldif: Command
>>> '/usr/bin/ldapmodify -h fileserver4.example.com -v -f /tmp/tmpr1oE3X
>>> -x -D cn=Directory Manager -y /tmp/tmpmgvTdj' returned non-zero exit
>>> status 255
>>> [24/29]: initializing group membership
>>> root : CRITICAL Failed to load memberof-task.ldif: Command
>>> '/usr/bin/ldapmodify -h fileserver4.example.com -v -f /tmp/tmp5MDKm5
>>> -x -D cn=Directory Manager -y /tmp/tmpgj0hdk' returned non-zero exit
>>> status 255
>>> creation of replica failed: {'desc': "Can't contact LDAP server"}
>>>
>>> Your system may be partly configured.
>>>
>>> The /var/log/ipareplica-install.log contains the following:
>>>
>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>
>>> (once for each of the 3 critical errors above). So I guess there's a
>>> problem (re)starting LDAP, or it crashes?
>> Looks like a crash.
>>
>>> The 'interesting' lines from /var/log/dirsrv/slapd-EXAMPLE-COM/errors are:
>>>
>>> [24/Feb/2012:10:29:53 -0500] - WARNING: Import is running with
>>> nsslapd-db-private-import-mem on; No other process is allowed to
>>> access the database
>>> [24/Feb/2012:10:29:54 -0500] - import userRoot: Import complete.
>>> Processed 1 entries in 1 seconds. (1.00 entries/sec)
>>> [24/Feb/2012:10:29:54 -0500] - import userRoot: Import complete.
>>> Processed 1 entries in 1 seconds. (1.00 entries/sec)
>>> [24/Feb/2012:10:29:58 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328
>>> starting up
>>> [24/Feb/2012:10:29:58 -0500] - I'm resizing my cache now...cache was
>>> 840777728 and is now 8000000
>>> [24/Feb/2012:10:29:58 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328
>>> starting up
>>> [24/Feb/2012:10:29:58 -0500] - Detected Disorderly Shutdown last time
>>> Directory Server was running, recovering database.
>> This means it crashed.
>>
>>> [24/Feb/2012:10:29:58 -0500] - libdb: unable to join the environment
>>> [24/Feb/2012:10:29:59 -0500] - slapd started. Listening on All
>>> Interfaces port 389 for LDAP requests
>>> [24/Feb/2012:10:29:59 -0500] - The change of nsslapd-ldapilisten will
>>> not take effect until the server is restarted
>>> [24/Feb/2012:10:30:12 -0500] - Warning: Adding configuration attribute
>>> "nsslapd-security"
>>> [24/Feb/2012:10:30:13 -0500] - slapd shutting down - signaling operation
>>> threads
>>> [24/Feb/2012:10:30:13 -0500] - slapd shutting down - waiting for 1
>>> thread to terminate
>>> [24/Feb/2012:10:30:13 -0500] - slapd shutting down - closing down
>>> internal subsystems and plugins
>>> [24/Feb/2012:10:30:13 -0500] - Waiting for 4 database threads to stop
>>> [24/Feb/2012:10:30:13 -0500] - All database threads now stopped
>>> [24/Feb/2012:10:30:13 -0500] - slapd stopped.
>>> [24/Feb/2012:10:30:14 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328
>>> starting up
>>> [24/Feb/2012:10:30:14 -0500] attrcrypt - No symmetric key found for
>>> cipher AES in backend userRoot, attempting to create one...
>>> [24/Feb/2012:10:30:14 -0500] attrcrypt - Key for cipher AES
>>> successfully generated and stored
>>> [24/Feb/2012:10:30:14 -0500] attrcrypt - No symmetric key found for
>>> cipher 3DES in backend userRoot, attempting to create one...
>>> [24/Feb/2012:10:30:14 -0500] attrcrypt - Key for cipher 3DES
>>> successfully generated and stored
>>> [24/Feb/2012:10:30:14 -0500] - slapd started. Listening on All
>>> Interfaces port 389 for LDAP requests
>>> [24/Feb/2012:10:30:14 -0500] - Listening on All Interfaces port 636
>>> for LDAPS requests
>>> [24/Feb/2012:10:30:18 -0500] NSMMReplicationPlugin -
>>> agmt="cn=meTofileserver1.example.com" (fileserver1:389): Replica has a
>>> different generation ID than the local data.
>>> [24/Feb/2012:10:30:18 -0500] NSMMReplicationPlugin -
>>> repl_set_mtn_referrals: could not set referrals for replica
>>> dc=example,dc=com: 20
>>> [24/Feb/2012:10:30:18 -0500] NSMMReplicationPlugin -
>>> multimaster_be_state_change: replica dc=example,dc=com is going
>>> offline; disabling replication
>>>
>>> Any ideas?
>> 389-ds-base-1.2.10.2 fixes some of the crashing issues seen with rc1, .0,
>> and .1.
> Thanks, any idea when it will be released?

As soon as it gets enough karma (hint, hint) in the Fedora updates system.
https://admin.fedoraproject.org/updates/389-ds-base-1.2.10.2-1.fc16

> Thanks,
>
> Dan

From marco.pizzoli at gmail.com  Sat Feb 25 12:48:55 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Sat, 25 Feb 2012 13:48:55 +0100
Subject: [Freeipa-users] User Level Ticket Policies from Web UI?
Message-ID:

Hi guys,
I see that there is not a web ui interface for setting user level ticket policies?
Is there a particular reason for this?
Just a curiosity.

Thanks
Marco

From marco.pizzoli at gmail.com  Sat Feb 25 12:53:56 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Sat, 25 Feb 2012 13:53:56 +0100
Subject: [Freeipa-users] Strange klist output
Message-ID:

Hi, as you know I'm working with FreeIPA 2.1.90.

By following documentation I checked my tickets by issuing the klist command but I'm obtaining an output slightly different than the one on the doc.
[root@freeipa01 ~]# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT

I see 6 rows as duplicated. Is it normal? Please, could you explain what is happening?

Thanks a lot
Marco

From jdennis at redhat.com  Sat Feb 25 13:14:08 2012
From: jdennis at redhat.com (John Dennis)
Date: Sat, 25 Feb 2012 08:14:08 -0500
Subject: [Freeipa-users] Strange klist output
In-Reply-To:
References:
Message-ID: <4F48DEA0.5000700@redhat.com>

On 02/25/2012 07:53 AM, Marco Pizzoli wrote:
> Hi, as you know I'm working with FreeIPA 2.1.90.
>
> By following documentation I checked my tickets by issuing the klist
> command but I'm obtaining an output slightly different than the one on
> the doc.
>
> [root@freeipa01 ~]# klist -kt /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- -----------------
> --------------------------------------------------------
> 2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT
>
> 2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT
>
> 2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT
>
> 2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT
>
> 2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT
>
> 2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT
>
>
> I see 6 rows as duplicated.
> Is it normal? Please, could you explain what
> is happening?

I believe that is due to the new s4u2proxy kerberos implementation, I've seen it too while testing with s4u2proxy. Unfortunately I cannot explain it either and would love for one of our Kerberos gurus to provide an explanation.

John

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Sat Feb 25 14:20:15 2012
From: simo at redhat.com (Simo Sorce)
Date: Sat, 25 Feb 2012 09:20:15 -0500
Subject: [Freeipa-users] Strange klist output
In-Reply-To:
References:
Message-ID: <1330179615.18690.159.camel@willson.li.ssimo.org>

On Sat, 2012-02-25 at 13:53 +0100, Marco Pizzoli wrote:
> Hi, as you know I'm working with FreeIPA 2.1.90.
>
> By following documentation I checked my tickets by issuing the klist
> command but I'm obtaining an output slightly different than the one on
> the doc.
>
> [root at freeipa01 ~]# klist -kt /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT
>    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT
>    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT
>    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT
>    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT
>    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT
>
> I see 6 rows as duplicated. Is it normal? Please, could you explain
> what is happening?
>

Use -e to see what enctypes are reported.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From marco.pizzoli at gmail.com Sat Feb 25 14:22:40 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Sat, 25 Feb 2012 15:22:40 +0100
Subject: [Freeipa-users] Strange klist output
In-Reply-To: <1330179615.18690.159.camel@willson.li.ssimo.org>
References: <1330179615.18690.159.camel@willson.li.ssimo.org>
Message-ID:

On Sat, Feb 25, 2012 at 3:20 PM, Simo Sorce wrote:
> On Sat, 2012-02-25 at 13:53 +0100, Marco Pizzoli wrote:
> > Hi, as you know I'm working with FreeIPA 2.1.90.
> >
> > By following documentation I checked my tickets by issuing the klist
> > command but I'm obtaining an output slightly different than the one on
> > the doc.
> >
> > [root at freeipa01 ~]# klist -kt /etc/krb5.keytab
> > Keytab name: WRFILE:/etc/krb5.keytab
> > KVNO Timestamp         Principal
> > ---- ----------------- --------------------------------------------------------
> >    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT
> >    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT
> >    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT
> >    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT
> >    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT
> >    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT
> >
> > I see 6 rows as duplicated. Is it normal? Please, could you explain
> > what is happening?
> >
>
> Use -e to see what enctypes are reported.
>

[root at freeipa01 ~]# klist -kt /etc/krb5.keytab -e
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT (aes256-cts-hmac-sha1-96)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT (aes128-cts-hmac-sha1-96)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT (des3-cbc-sha1)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT (arcfour-hmac)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT (des-hmac-sha1)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it at UNIX.MYDOMAIN.IT (des-cbc-md5)

Thanks

From jdennis at redhat.com Sat Feb 25 14:35:26 2012
From: jdennis at redhat.com (John Dennis)
Date: Sat, 25 Feb 2012 09:35:26 -0500
Subject: [Freeipa-users] Strange klist output
In-Reply-To: <1330179615.18690.159.camel@willson.li.ssimo.org>
References: <1330179615.18690.159.camel@willson.li.ssimo.org>
Message-ID: <4F48F1AE.2090305@redhat.com>

On 02/25/2012 09:20 AM, Simo Sorce wrote:
> Use -e to see what enctypes are reported.

Is this difference in any way related to s4u2proxy or did the extra enctypes show up because we upgraded Kerberos and picked up other unrelated behavior at the same time.

Why do we now have all these enctypes? Is it to satisfy forwarding/proxy when you don't know a priori which enctype the foreign endpoint will require?

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Sat Feb 25 14:40:55 2012
From: simo at redhat.com (Simo Sorce)
Date: Sat, 25 Feb 2012 09:40:55 -0500
Subject: [Freeipa-users] Strange klist output
In-Reply-To: <4F48F1AE.2090305@redhat.com>
References: <1330179615.18690.159.camel@willson.li.ssimo.org> <4F48F1AE.2090305@redhat.com>
Message-ID: <1330180855.18690.161.camel@willson.li.ssimo.org>

On Sat, 2012-02-25 at 09:35 -0500, John Dennis wrote:
> On 02/25/2012 09:20 AM, Simo Sorce wrote:
> > Use -e to see what enctypes are reported.
>
> Is this difference in any way related to s4u2proxy or did the extra
> enctypes show up because we upgraded Kerberos and picked up other
> unrelated behavior at the same time.

No, the contents of the keytab have nothing to do with day to day operations. Tickets and TGTs are stored in your ccache.

> Why do we now have all these enctypes? Is it to satisfy forwarding/proxy
> when you don't know a priori which enctype the foreign endpoint will require?

Because in kerberos each principal can have multiple keys, generally one per supported (by the KDC) enctype. This is so that a client can use the strongest enctype it has crypto support for.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jdennis at redhat.com Sat Feb 25 16:35:27 2012
From: jdennis at redhat.com (John Dennis)
Date: Sat, 25 Feb 2012 11:35:27 -0500
Subject: [Freeipa-users] Strange klist output
In-Reply-To: <1330180855.18690.161.camel@willson.li.ssimo.org>
References: <1330179615.18690.159.camel@willson.li.ssimo.org> <4F48F1AE.2090305@redhat.com> <1330180855.18690.161.camel@willson.li.ssimo.org>
Message-ID: <4F490DCF.5020107@redhat.com>

On 02/25/2012 09:40 AM, Simo Sorce wrote:
>> Why do we now have all these enctypes? Is it to satisfy forwarding/proxy
>> when you don't know a priori which enctype the foreign endpoint will require?
>
> Because in kerberos each principal can have multiple keys, generally one
> per supported (by the KDC) enctype.
> This is so that a client can use the
> strongest enctype it has crypto support for.

Sure, that makes sense. But this is new behavior, what changed?

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Sat Feb 25 22:16:40 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 25 Feb 2012 17:16:40 -0500
Subject: [Freeipa-users] Strange klist output
In-Reply-To: <4F490DCF.5020107@redhat.com>
References: <1330179615.18690.159.camel@willson.li.ssimo.org> <4F48F1AE.2090305@redhat.com> <1330180855.18690.161.camel@willson.li.ssimo.org> <4F490DCF.5020107@redhat.com>
Message-ID: <4F495DC8.6070205@redhat.com>

John Dennis wrote:
> On 02/25/2012 09:40 AM, Simo Sorce wrote:
>>> Why do we now have all these enctypes? Is it to satisfy forwarding/proxy
>>> when you don't know a priori which enctype the foreign endpoint will
>>> require?
>>
>> Because in kerberos each principal can have multiple keys, generally one
>> per supported (by the KDC) enctype. This is so that a client can use the
>> strongest enctype it has crypto support for.
>
> Sure, that makes sense. But this is new behavior, what changed?
>

Nothing, it has always worked this way. These days you'll only see 4 enctypes as DES is disabled by default.

rob

From dpal at redhat.com Sun Feb 26 18:35:42 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 26 Feb 2012 13:35:42 -0500
Subject: [Freeipa-users] User Level Ticket Policies from Web UI?
In-Reply-To:
References:
Message-ID: <4F4A7B7E.6040204@redhat.com>

On 02/25/2012 07:48 AM, Marco Pizzoli wrote:
> Hi guys,
> I see that there is not a web ui interface for setting user level
> ticket policies?
> Is there a particular reason for this? Just a curiosity.

We do not think there is a lot of value in one off password policies. The password policies can be set per group. What is the real world use case to set them per user?
Even if you have a special user that needs a special password policy it is usually not just one user but rather a group of those.

Can you come up with an example where such logic has a flaw?

>
> Thanks
> Marco
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From marco.pizzoli at gmail.com Sun Feb 26 19:17:11 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Sun, 26 Feb 2012 20:17:11 +0100
Subject: [Freeipa-users] User Level Ticket Policies from Web UI?
In-Reply-To: <4F4A7B7E.6040204@redhat.com>
References: <4F4A7B7E.6040204@redhat.com>
Message-ID:

On Sun, Feb 26, 2012 at 7:35 PM, Dmitri Pal wrote:
> On 02/25/2012 07:48 AM, Marco Pizzoli wrote:
>
> Hi guys,
> I see that there is not a web ui interface for setting user level ticket
> policies?
> Is there a particular reason for this? Just a curiosity.
>
> We do not think there is a lot of value in one off password policies. The
> password policies can be set per group. What is the real world use case to
> set them per user? Even if you have a special user that needs a special
> password policy it is usually not just one user but rather a group of those.
>
> Can you come up with an example where such logic has a flaw?
>

Hi Dmitri,
My question was not related to the feature per se, but about the fact that there is not a web ui to do it while it's there using the CLI. So I'm curious to know what was the reason for the different dealing.

Coming to your answer, (correct me if I am wrong!) on the RHEL6-doc I don't see any note pertaining to group based password policies.
So now, I ask you if this is a FreeIPA 2.2 feature I have not seen so far.
Thanks again
Marco

From dpal at redhat.com Sun Feb 26 20:09:29 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 26 Feb 2012 15:09:29 -0500
Subject: [Freeipa-users] User Level Ticket Policies from Web UI?
In-Reply-To:
References: <4F4A7B7E.6040204@redhat.com>
Message-ID: <4F4A9179.2000701@redhat.com>

On 02/26/2012 02:17 PM, Marco Pizzoli wrote:
>
>
> On Sun, Feb 26, 2012 at 7:35 PM, Dmitri Pal wrote:
>
>     On 02/25/2012 07:48 AM, Marco Pizzoli wrote:
>>     Hi guys,
>>     I see that there is not a web ui interface for setting user level
>>     ticket policies?
>>     Is there a particular reason for this? Just a curiosity.
>     We do not think there is a lot of value in one off password
>     policies. The password policies can be set per group. What is the
>     real world use case to set them per user? Even if you have a
>     special user that needs a special password policy it is usually
>     not just one user but rather a group of those.
>
>     Can you come up with an example where such logic has a flaw?
>
>
> Hi Dmitri,
> My question was not related to the feature per se, but about the fact
> that there is not a web ui to do it while it's there using the CLI. So
> I'm curious to know what was the reason for the different dealing.

AFAIR the only place where we allow the changes to the ticket policy is in the global config both in UI and CLI. Per user you can use setattr/addattr and change it but we do not expose everything one can do via setattr/addattr in the UI.

>
> Coming to your answer, (correct me if I am wrong!) on the RHEL6-doc I
> don't see any note pertaining to group based password policies.

Section 11.2.2

> So now, I ask you if this is a FreeIPA 2.2 feature I have not seen so far.
>
> Thanks again
> Marco
>

-- 
Thank you,
Dmitri Pal

Sr.
Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From marco.pizzoli at gmail.com Sun Feb 26 21:21:44 2012
From: marco.pizzoli at gmail.com (Marco Pizzoli)
Date: Sun, 26 Feb 2012 22:21:44 +0100
Subject: [Freeipa-users] User Level Ticket Policies from Web UI?
In-Reply-To: <4F4A9179.2000701@redhat.com>
References: <4F4A7B7E.6040204@redhat.com> <4F4A9179.2000701@redhat.com>
Message-ID:

On Sun, Feb 26, 2012 at 9:09 PM, Dmitri Pal wrote:
> On 02/26/2012 02:17 PM, Marco Pizzoli wrote:
>
> On Sun, Feb 26, 2012 at 7:35 PM, Dmitri Pal wrote:
>
>> On 02/25/2012 07:48 AM, Marco Pizzoli wrote:
>>
>> Hi guys,
>> I see that there is not a web ui interface for setting user level ticket
>> policies?
>> Is there a particular reason for this? Just a curiosity.
>>
>> We do not think there is a lot of value in one off password policies.
>> The password policies can be set per group. What is the real world use case
>> to set them per user? Even if you have a special user that needs a special
>> password policy it is usually not just one user but rather a group of those.
>>
>> Can you come up with an example where such logic has a flaw?
>>
>
> Hi Dmitri,
> My question was not related to the feature per se, but about the fact that
> there is not a web ui to do it while it's there using the CLI. So I'm
> curious to know what was the reason for the different dealing.
>
>
> AFAIR the only place where we allow the changes to the ticket policy is in the
> global config both in UI and CLI. Per user you can use setattr/addattr and
> change it but we do not expose everything one can do via setattr/addattr in
> the UI.
>

Apologize for not having written the reference before: I'm talking about 12.2.2 of the RHEL6-doc.

> Coming to your answer, (correct me if I am wrong!)
> on the RHEL6-doc I
> don't see any note pertaining to group based password policies.
>
>
> Section 11.2.2
>

Yes, my fault.

Thanks again

> So now, I ask you if this is a FreeIPA 2.2 feature I have not seen so far.
>
> Thanks again
> Marco
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

From g17jimmy at gmail.com Mon Feb 27 20:29:51 2012
From: g17jimmy at gmail.com (Jimmy)
Date: Mon, 27 Feb 2012 15:29:51 -0500
Subject: [Freeipa-users] Windows Clients
In-Reply-To:
References: <4F300CBA.1010400@redhat.com>
Message-ID:

Nope, I kept forgetting to re-post it. Here are the steps I used:

On FreeIPA:
i. create the host principal in the web interface
ii. create IPA users to correspond to windows users
iii. reset the user's IPA password to a known password using the web interface, the user will be prompted to change at first log in. (is there a default password or is this random? sorry if that's somewhere else in docs and I missed it)
iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P`

configure windows ksetup:
i. ksetup /setdomain [REALM NAME]
ii. ksetup /addkdc [REALM NAME] [kdc DNS name]
iii. ksetup /addkpassword [REALM NAME] [kdc DNS name]
iv. ksetup /setcomputerpassword [PASSWORD]
v. ksetup /mapuser * *
vi. Run gpedit.msc.
Under >Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called "Network Security: Configure encryption types allowed for Kerberos" and unselect everything except RC4_HMAC_MD5
vii. *** REBOOT ***
viii. log in as [user]@[REALM] with the initial password, you will be prompted to change the password then logged in.

On Fri, Feb 24, 2012 at 8:33 AM, Nigel Sollars wrote:
> Hello,
>
> I've been away for a little while, did I miss any posting of this
> information?
>
> Thanks
> Nigel Sollars
>
>
> On Thu, Feb 9, 2012 at 9:51 AM, Jimmy wrote:
>
>> Yes, I'll find that and post it. I've been traveling for work the past
>> few weeks and haven't had it with me.
>>
>>
>> On Thu, Feb 9, 2012 at 8:25 AM, Nigel Sollars wrote:
>>
>>> Hi,
>>>
>>> Could you point me to the document please :).
>>>
>>> Thanks in advance.
>>>
>>>
>>> On Mon, Feb 6, 2012 at 1:34 PM, Jimmy wrote:
>>>
>>>> I am not making the windows systems part of an AD. I only need to
>>>> replicate users from an AD group to FreeIPA and I've had issues making that
>>>> work. I was working on that with a couple guys here on the list a couple
>>>> weeks ago but have been traveling so it's been hard to make time to work on
>>>> that.
>>>>
>>>> I submitted the doc to configure Win7 a while back but will look for it
>>>> and re-submit.
>>>>
>>>> Jimmy
>>>>
>>>> On Mon, Feb 6, 2012 at 12:24 PM, Dmitri Pal wrote:
>>>>
>>>>> On 02/06/2012 11:31 AM, Jimmy wrote:
>>>>>
>>>>> I don't think you have to put it anywhere, the ipa.getkeytab mainly
>>>>> sets the workstation password in freeipa. I keep the client keytabs in /etc
>>>>> (krb5.keytab.[clientname].)
>>>>>
>>>>> I have many Win7 and WinXP workstations authenticating but I'm still
>>>>> working on getting user/password sync working.
>>>>>
>>>>> Jimmy
>>>>>
>>>>>
>>>>> Jimmy,
>>>>>
>>>>> Are you using Windows systems directly with IPA or you make them a
>>>>> part of the AD domain and use winsync to sync data from AD to IPA?
>>>>> If you managed to setup Win7 directly with IPA please share how you
>>>>> have done this.
>>>>>
>>>>> Thanks
>>>>> Dmitri
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Feb 6, 2012 at 10:39 AM, Nigel Sollars wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Quick question,
>>>>>>
>>>>>> I want to setup a Windows system to use my realm, I've followed the
>>>>>> prep list and created a simple arcfour-hmac krb5.keytab. The guide does
>>>>>> not mention where I place this keytab. I thought I would check before
>>>>>> running any of the ksetup commands.
>>>>>>
>>>>>> Also just for reference has anyone gotten Windows 7 / server 2008
>>>>>> authenticated? ( I guess that should also include server 2003 ).
>>>>>>
>>>>>> Thanks in advance
>>>>>>
>>>>>> Nigel Sollars
>>>>>>
>>>>>>
>>>>>> --
>>>>>> "Science is a differential equation. Religion is a boundary
>>>>>> condition."
>>>>>>
>>>>>> Alan Turing
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IPA project,
>>>>> Red Hat Inc.
>>>>>
>>>>>
>>>>> -------------------------------
>>>>> Looking to carve out IT costs?
>>>>> www.redhat.com/carveoutcosts/
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> "Science is a differential equation. Religion is a boundary condition."
>>>
>>> Alan Turing
>>>
>>
>>
>
>
> --
> "Science is a differential equation. Religion is a boundary condition."
>
> Alan Turing
>

From danieljamesscott at gmail.com Tue Feb 28 02:06:55 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Mon, 27 Feb 2012 21:06:55 -0500
Subject: [Freeipa-users] CA replica installation failure
Message-ID:

Hi,

I'm having another problem with replica installation - just the CA this time

It looks like there's a problem with SELinux and the pki-ca service:

After configuration, the server can be operated by the command:
/bin/systemctl restart pki-cad@pki-ca.service
2012-02-27 20:33:45,729 DEBUG stderr=[error] Failed setting selinux context pki_ca_port_t for 9180. Port already defined otherwise.
[error] Failed setting selinux context pki_ca_port_t for 9701. Port already defined otherwise.
[error] Failed setting selinux context pki_ca_port_t for 9443. Port already defined otherwise.
[error] Failed setting selinux context pki_ca_port_t for 9444. Port already defined otherwise.
[error] Failed setting selinux context pki_ca_port_t for 9446. Port already defined otherwise.
[error] Failed setting selinux context pki_ca_port_t for 9445. Port already defined otherwise.
[error] Failed setting selinux context pki_ca_port_t for 9447. Port already defined otherwise.
[error] FAILED run_command("/bin/systemctl restart pki-cad@pki-ca.service"), exit status=1
output="Job failed. See system logs and 'systemctl status' for details."

2012-02-27 20:33:45,729 DEBUG duration: 6 seconds
2012-02-27 20:33:45,730 DEBUG [3/11]: configuring certificate server instance

[clip]

2012-02-27 20:33:46,159 DEBUG stdout=libpath=/usr/lib64
#######################################################################
CRYPTO INIT WITH CERTDB:/tmp/tmp-cDdVph
tokenpwd:XXXXXXXX
#############################################
Attempting to connect to: fileserver3.example.com:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA
#######################################################################

2012-02-27 20:33:46,159 DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
        at java.net.Socket.connect(Socket.java:546)
        at java.net.Socket.connect(Socket.java:495)
        at java.net.Socket.(Socket.java:392)
        at java.net.Socket.(Socket.java:235)
        at HTTPClient.sslConnect(HTTPClient.java:326)
        at ConfigureCA.LoginPanel(ConfigureCA.java:244)
        at
ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
        at ConfigureCA.main(ConfigureCA.java:1672)
java.lang.NullPointerException
        at ConfigureCA.LoginPanel(ConfigureCA.java:245)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
        at ConfigureCA.main(ConfigureCA.java:1672)

/var/log/messages contains the following:

Feb 27 20:40:45 localhost kpasswd[2198]: Error receiving request (104) Connection reset by peer
Feb 27 20:57:26 localhost pkicontrol[2778]: /usr/bin/runcon: invalid context: system_u:system_r:pki_ca_script_t:s0: Invalid argument
Feb 27 20:57:26 localhost systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=1
Feb 27 20:57:26 localhost systemd[1]: Unit pki-cad@pki-ca.service entered failed state.

This is a fresh install of Fedora 16. There are no updates to apply.

Any ideas?

One more thing. Is there a way to remove and reinstall just the CA? Or do I have to completely remove and re-install the entire IPA replica? i.e. Is there something like ipa-ca-install --uninstall

I couldn't see the option anywhere.

Thanks,

Dan

From bCook at redhat.com Tue Feb 28 05:25:28 2012
From: bCook at redhat.com (Brian Cook)
Date: Mon, 27 Feb 2012 21:25:28 -0800
Subject: [Freeipa-users] devel repo
Message-ID: <15037887-038B-4756-BD49-2487EF7D0032@redhat.com>

Hi,

I've added the devel repo at http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/ to my F16 install. When listing the pkgs in the repo I only get i686 arch for freeipa-server. I can see the x86_64 pkg in the repo if I browse it. Is this the right repo to use for testing patches that were recently committed, and is the repo metadata up to date?

Thanks,
Brian

---
Brian Cook
Solutions Architect
Red Hat, Inc.
407-212-7079
bcook at redhat.com
From jdennis at redhat.com Tue Feb 28 05:46:51 2012
From: jdennis at redhat.com (John Dennis)
Date: Tue, 28 Feb 2012 00:46:51 -0500
Subject: [Freeipa-users] devel repo
In-Reply-To: <15037887-038B-4756-BD49-2487EF7D0032@redhat.com>
References: <15037887-038B-4756-BD49-2487EF7D0032@redhat.com>
Message-ID: <4F4C6A4B.80705@redhat.com>

On 02/28/2012 12:25 AM, Brian Cook wrote:
> Hi,
>
> I've added the devel repo at
> http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/
>
> to my F16 install. When listing the pkgs in the repo I only get i686
> arch for freeipa-server. I can see the x86_64 pkg in the repo if I
> browse it. Is this the right repo to use for testing patches that were
> recently committed, and is the repo metadata up to date?

Did you install this?

The Fedora repo config file can be downloaded here:
http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo

If so you should be getting x86_64 packages if your system is configured for it.

Yes, it is the right place to find up to the minute builds with recent fixes and enhancements (and possibly some instability). New builds occur as soon as they are committed to the source code repository.

Each time the repo is updated an email is sent to the ipa-and-samba-team-automation list, you can subscribe if you wish.

Archives of the automation list can be found here:
http://post-office.corp.redhat.com/archives/ipa-and-samba-team-automation

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From bCook at redhat.com Tue Feb 28 05:54:09 2012
From: bCook at redhat.com (Brian Cook)
Date: Mon, 27 Feb 2012 21:54:09 -0800
Subject: [Freeipa-users] devel repo
In-Reply-To: <4F4C6A4B.80705@redhat.com>
References: <15037887-038B-4756-BD49-2487EF7D0032@redhat.com> <4F4C6A4B.80705@redhat.com>
Message-ID: <5A8BF9CA-77B7-430C-8001-43CDA45B0F9C@redhat.com>

Yes, that is the repo file I put in yum.repos.d. The devel repo is enabled, the other two disabled.
Even though I see the x86_64 version of freeipa-server from the F16 'updates' repository, I only see the i686 version in the devel repo. I'll keep staring at it, maybe it will come to me.

-Brian

On Feb 27, 2012, at 9:46 PM, John Dennis wrote:

> On 02/28/2012 12:25 AM, Brian Cook wrote:
>> Hi,
>>
>> I've added the devel repo at
>> http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/
>>
>> to my F16 install. When listing the pkgs in the repo I only get i686
>> arch for freeipa-server. I can see the x86_64 pkg in the repo if I
>> browse it. Is this the right repo to use for testing patches that were
>> recently committed, and is the repo metadata up to date?
>
> Did you install this?
>
> The Fedora repo config file can be downloaded here:
> http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
>
> If so you should be getting x86_64 packages if your system is configured for it.
>
> Yes, it is the right place to find up to the minute builds with recent fixes and enhancements (and possibly some instability). New builds occur as soon as they are committed to the source code repository.
>
> Each time the repo is updated an email is sent to the ipa-and-samba-team-automation list, you can subscribe if you wish.
>
> Archives of the automation list can be found here:
> http://post-office.corp.redhat.com/archives/ipa-and-samba-team-automation
>
>
>
> -- 
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
From bcook at redhat.com Tue Feb 28 06:05:17 2012
From: bcook at redhat.com (Brian Cook)
Date: Mon, 27 Feb 2012 22:05:17 -0800
Subject: [Freeipa-users] devel repo
In-Reply-To: <5A8BF9CA-77B7-430C-8001-43CDA45B0F9C@redhat.com>
References: <15037887-038B-4756-BD49-2487EF7D0032@redhat.com> <4F4C6A4B.80705@redhat.com> <5A8BF9CA-77B7-430C-8001-43CDA45B0F9C@redhat.com>
Message-ID: <7B5FFB0E-62AD-476B-B360-CC72C5AB2C17@redhat.com>

example

[root at ipasvr yum.repos.d]# yum list freeipa-server
Loaded plugins: langpacks, presto, refresh-packagekit
Available Packages
freeipa-server.i686      2.1.4-1.20120209T0216Zgit11c25a4.fc16      ipa-devel
freeipa-server.x86_64    2.1.4-5.fc16                               updates
[root at ipasvr yum.repos.d]#

---
Brian Cook

On Feb 27, 2012, at 9:54 PM, Brian Cook wrote:

> Yes, that is the repo file I put in yum.repos.d. The devel repo is enabled, the other two disabled. Even though I see the x86_64 version of freeipa-server from the F16 'updates' repository, I only see the i686 version in the devel repo. I'll keep staring at it, maybe it will come to me.
>
> -Brian
>
>
>
> On Feb 27, 2012, at 9:46 PM, John Dennis wrote:
>
>> On 02/28/2012 12:25 AM, Brian Cook wrote:
>>> Hi,
>>>
>>> I've added the devel repo at
>>> http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/
>>>
>>> to my F16 install. When listing the pkgs in the repo I only get i686
>>> arch for freeipa-server. I can see the x86_64 pkg in the repo if I
>>> browse it. Is this the right repo to use for testing patches that were
>>> recently committed, and is the repo metadata up to date?
>>
>> Did you install this?
>>
>> The Fedora repo config file can be downloaded here:
>> http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
>>
>> If so you should be getting x86_64 packages if your system is configured for it.
>>
>> Yes, it is the right place to find up to the minute builds with recent fixes and enhancements (and possibly some instability).
>> New builds occur as soon as they are committed to the source code repository.
>>
>> Each time the repo is updated an email is sent to the ipa-and-samba-team-automation list, you can subscribe if you wish.
>>
>> Archives of the automation list can be found here:
>> http://post-office.corp.redhat.com/archives/ipa-and-samba-team-automation
>>
>>
>>
>> -- 
>> John Dennis
>>
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>

From sgallagh at redhat.com Tue Feb 28 12:16:18 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 28 Feb 2012 07:16:18 -0500
Subject: [Freeipa-users] devel repo
In-Reply-To: <7B5FFB0E-62AD-476B-B360-CC72C5AB2C17@redhat.com>
References: <15037887-038B-4756-BD49-2487EF7D0032@redhat.com> <4F4C6A4B.80705@redhat.com> <5A8BF9CA-77B7-430C-8001-43CDA45B0F9C@redhat.com> <7B5FFB0E-62AD-476B-B360-CC72C5AB2C17@redhat.com>
Message-ID: <1330431378.2601.65.camel@sgallagh520.sgallagh.bos.redhat.com>

On Mon, 2012-02-27 at 22:05 -0800, Brian Cook wrote:
> example
>
>
> [root at ipasvr yum.repos.d]# yum list freeipa-server
> Loaded plugins: langpacks, presto, refresh-packagekit
> Available Packages
> freeipa-server.i686      2.1.4-1.20120209T0216Zgit11c25a4.fc16      ipa-devel
> freeipa-server.x86_64    2.1.4-5.fc16                               updates
> [root at ipasvr yum.repos.d]#

This is happening because the upstream repo has the same version in the sources as what's in Fedora (this is why I always bump the version number for SSSD to the next release as soon as I build a tarball). Then the ipa-devel repo would be guaranteed to match as "newer" than what is in the standard repositories.
In other words, the FreeIPA git sources should be producing 2.1.5-0.20120209T0216Zgit11c25a4.fc16 instead of 2.1.4-1 (which is less than 2.1.4-5.fc16 as yum reckons things).

In the meantime, you should be able to work around this by doing 'yum install freeipa-server-2.1.4-1.20120209T0216Zgit11c25a4.fc16.x86_64' (I think). Of course, if the version number has changed since you originally sent this, do the yum search again. Note that you have to expressly say .x86_64 when specifying the package to install.

From kelvin at kindsight.net Wed Feb 29 16:24:25 2012
From: kelvin at kindsight.net (Kelvin Edmison)
Date: Wed, 29 Feb 2012 11:24:25 -0500
Subject: [Freeipa-users] IPA, samba, and secondary groups
Message-ID:

Hi all,

I am running into an issue where users cannot access a samba volume if their only access is via a secondary group. For example, if testuser's primary group is ipausers, and secondary groups include testgroup, and the samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser cannot read or write to the samba mount. If the testuser is changed so that its primary group is testgroup, then testuser can access the volume.

In this case, samba is running on a separate CentOS 5 server, configured to access IPA via LDAP. It is a requirement that I support userid/password-based access to the samba server, as I cannot roll all my users onto kerberos right away.

Does anyone have any insight as to what is going on and how it can be fixed?
Thanks,
Kelvin

From sgallagh at redhat.com Wed Feb 29 18:40:59 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 29 Feb 2012 13:40:59 -0500
Subject: [Freeipa-users] IPA, samba, and secondary groups
In-Reply-To:
References:
Message-ID: <1330540859.28274.31.camel@sgallagh520.sgallagh.bos.redhat.com>

On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
> Hi all,
>
> I am running into an issue where users cannot access a samba volume if
> their only access is via a secondary group. For example, if testuser's
> primary group is ipausers, and secondary groups include testgroup, and the
> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
> cannot read or write to the samba mount. If the testuser is changed so that
> its primary group is testgroup, then testuser can access the volume.
>
> In this case, samba is running on a separate CentOS 5 server, configured to
> access IPA via LDAP. It is a requirement that I support
> userid/password-based access to the samba server, as I cannot roll all my
> users onto kerberos right away.
>
> Does anyone have any insight as to what is going on and how it can be fixed?

First step would be to make sure that the system is properly looking up the user's secondary groups.

Try 'id testuser' and see if 'testgroup' is listed in the output. If it's not, I'll bet you have either a configuration issue or a bug in SSSD somewhere.

Also, what version of SSSD are you running? FreeIPA pretty much needs 1.5.x or later nowadays for full feature support.
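Back to Stephen Gallagher's point in the devel repo thread above: whether a build from ipa-devel replaces the one from 'updates' comes down to how rpm orders epoch, version and release strings (yum defers to rpm's labelCompare for this). The same ordering decides the winner whenever two enabled repositories carry the same package name, which is why a repository with inflated version numbers can quietly replace distribution packages, and why a repository whose builds sort lower never gets picked no matter how recent they are. The following is an added example, my own Python port of rpm's rpmvercmp() from lib/rpmvercmp.c, not code from the thread or from FreeIPA. The three EVR strings in it are the ones from Brian's yum output and Stephen's suggested bump; the '^' separator of newer rpm releases is left out.

```python
"""Added example: how rpm (and therefore yum) orders two builds of one package.

My own Python port of rpm's rpmvercmp() from lib/rpmvercmp.c, not code from
this thread or from FreeIPA. The '^' separator of newer rpm releases is
left out; everything else follows the C implementation.
"""
from functools import cmp_to_key

# The three EVR strings discussed in the thread: Brian's two yum candidates
# and the bumped version Stephen says the git builds should carry.
DEVEL = "2.1.4-1.20120209T0216Zgit11c25a4.fc16"
UPDATES = "2.1.4-5.fc16"
BUMPED = "2.1.5-0.20120209T0216Zgit11c25a4.fc16"


def rpmvercmp(a, b):
    """Return -1, 0 or 1 for version (or release) strings a and b.

    Both strings are walked as alternating runs of digits and letters;
    separators such as '.', '-' and '_' are skipped. Numeric runs compare
    as integers, a numeric run beats an alphabetic one at the same
    position, and '~' sorts before anything, including the end of the
    string ("1.0~rc1" < "1.0").
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        start_a, start_b = i, j
        numeric = a[i].isdigit()
        if numeric:
            while i < len(a) and a[i].isdigit():
                i += 1
            while j < len(b) and b[j].isdigit():
                j += 1
        else:
            while i < len(a) and a[i].isalpha():
                i += 1
            while j < len(b) and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        if not seg_b:
            # the runs are of different kinds here: digits outrank letters
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to '0'."""
    epoch, sep, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (epoch if sep else "0"), version, release


def evr_cmp(x, y):
    """Order two EVR strings the way rpm's labelCompare does: epoch, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if int(ex) != int(ey):
        return 1 if int(ex) > int(ey) else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def newest(candidates):
    """The build yum would install given several candidates of one package and arch."""
    return max(candidates, key=cmp_to_key(evr_cmp))


if __name__ == "__main__":
    print(newest([DEVEL, UPDATES]))   # 2.1.4-5.fc16: the distro build wins
    print(newest([BUMPED, UPDATES]))  # 2.1.5-0...: the bumped git build wins
```

Pinning with 'yum install name-version-release.arch', as Stephen suggests, gets one install past the ordering, but the next 'yum update' will again prefer the higher EVR. For a repository that should only ever supply a few packages, the includepkgs= and exclude= options in its .repo stanza limit what it can provide, which is the cheaper control against an untrusted repository outranking the distribution.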
From kelvin at kindsight.net Wed Feb 29 18:49:27 2012
From: kelvin at kindsight.net (Kelvin Edmison)
Date: Wed, 29 Feb 2012 13:49:27 -0500
Subject: [Freeipa-users] IPA, samba, and secondary groups
In-Reply-To: <1330540859.28274.31.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID:

On 12-02-29 1:40 PM, "Stephen Gallagher" wrote:

> On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
>> Hi all,
>>
>> I am running into an issue where users cannot access a samba volume if
>> their only access is via a secondary group. For example, if testuser's
>> primary group is ipausers, and secondary groups include testgroup, and the
>> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
>> cannot read or write to the samba mount. If the testuser is changed so that
>> its primary group is testgroup, then testuser can access the volume.
>>
>> In this case, samba is running on a separate CentOS 5 server, configured to
>> access IPA via LDAP. It is a requirement that I support
>> userid/password-based access to the samba server, as I cannot roll all my
>> users onto kerberos right away.
>>
>> Does anyone have any insight as to what is going on and how it can be fixed?
>
>
> First step would be to make sure that the system is properly looking up
> the user's secondary groups.
>
> Try 'id testuser' and see if 'testgroup' is listed in the output. If
> it's not, I'll bet you have either a configuration issue or a bug in
> SSSD somewhere.
>
> Also, what version of SSSD are you running? FreeIPA pretty much needs
> 1.5.x or later nowadays for full feature support.

'id testuser' returns gid=ipausers and groups=ipausers,testgroup.

SSSD RPM is sssd-1.5.1-37.el5

I'm no samba expert so it's quite possible I may have botched setup in that arena.
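Stephen's check, 'id testuser', asks NSS for the user's groups, and Kelvin's result shows that lookup is fine. The other half worth checking on the samba host itself is what a session actually carries: a process keeps the group list it was given when its credentials were set up, so a directory change made afterwards is invisible to it. The following added example (my own code, not from the thread) parses 'id' output so the two views can be diffed from a script, and does the live equivalent of both commands with the pwd, grp and os modules. The two 'id' lines in it are constructed to look like Kelvin's result with made-up uid/gid numbers, not captured from his machines.

```python
"""Added example: compare the directory's view of a user's groups with
what a running session actually holds.

My own code, not from the thread. The two 'id' lines below are
constructed to look like Kelvin's result (uid/gid numbers made up), not
captured from his hosts.
"""
import grp
import os
import pwd
import re

# What 'id testuser' returns: a fresh NSS lookup (sssd -> IPA here).
DIRECTORY_ID = "uid=1001(testuser) gid=1001(ipausers) groups=1001(ipausers),1002(testgroup)"
# What 'id' with no argument returns inside a session started before
# testuser was added to testgroup: the kernel's credentials for that process.
SESSION_ID = ("uid=1001(testuser) gid=1001(ipausers) groups=1001(ipausers) "
              "context=unconfined_u:unconfined_r:unconfined_t:s0")

_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(line):
    """Parse one line of 'id' output into uid, user, gid, group and group names."""
    fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
    uid, user = _ENTRY.match(fields["uid"]).groups()
    gid, group = _ENTRY.match(fields["gid"]).groups()
    groups = [name for _, name in _ENTRY.findall(fields.get("groups", ""))]
    return {"uid": int(uid), "user": user, "gid": int(gid),
            "group": group, "groups": groups}


def groups_missing_from_session(directory_line, session_line):
    """Groups the directory grants that the session does not carry.

    Anything listed here will not open a group-protected path from that
    session until the user's credentials are rebuilt by a new login.
    """
    wanted = set(parse_id(directory_line)["groups"])
    have = set(parse_id(session_line)["groups"])
    return sorted(wanted - have)


def _names(gids):
    names = set()
    for gid in gids:
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.add(str(gid))  # gid this host cannot resolve through NSS
    return sorted(names)


def directory_view(username):
    """Live equivalent of 'id USERNAME': an NSS lookup via getgrouplist()."""
    pw = pwd.getpwnam(username)
    return _names(os.getgrouplist(username, pw.pw_gid))


def session_view():
    """Live equivalent of 'id' with no argument: this process's own groups."""
    return _names(set(os.getgroups()) | {os.getgid()})


if __name__ == "__main__":
    print("missing from session:", groups_missing_from_session(DIRECTORY_ID, SESSION_ID))
    me = pwd.getpwuid(os.getuid()).pw_name
    print("directory:", directory_view(me))
    print("session:  ", session_view())
```

Run it on the samba server, since that is the host whose NSS answers matter: smbd builds the unix token for a connection from the same lookups when the SMB session is set up, so for a password-authenticated share "login" means the SMB session, not a shell login on the IPA client. A stale sssd cache on the samba host looks exactly like a group added after login; Kelvin's later note that he stopped sssd and cleared its cache before retrying rules that out for his case.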
From sgallagh at redhat.com Wed Feb 29 19:13:04 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 29 Feb 2012 14:13:04 -0500
Subject: [Freeipa-users] IPA, samba, and secondary groups
In-Reply-To:
References:
Message-ID: <1330542784.28274.34.camel@sgallagh520.sgallagh.bos.redhat.com>

On Wed, 2012-02-29 at 13:49 -0500, Kelvin Edmison wrote:
>
>
> On 12-02-29 1:40 PM, "Stephen Gallagher" wrote:
>
> > On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
> >> Hi all,
> >>
> >> I am running into an issue where users cannot access a samba volume if
> >> their only access is via a secondary group. For example, if testuser's
> >> primary group is ipausers, and secondary groups include testgroup, and the
> >> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
> >> cannot read or write to the samba mount. If the testuser is changed so that
> >> its primary group is testgroup, then testuser can access the volume.
> >>
> >> In this case, samba is running on a separate CentOS 5 server, configured to
> >> access IPA via LDAP. It is a requirement that I support
> >> userid/password-based access to the samba server, as I cannot roll all my
> >> users onto kerberos right away.
> >>
> >> Does anyone have any insight as to what is going on and how it can be fixed?
> >
> >
> > First step would be to make sure that the system is properly looking up
> > the user's secondary groups.
> >
> > Try 'id testuser' and see if 'testgroup' is listed in the output. If
> > it's not, I'll bet you have either a configuration issue or a bug in
> > SSSD somewhere.
> >
> > Also, what version of SSSD are you running? FreeIPA pretty much needs
> > 1.5.x or later nowadays for full feature support.
>
> 'id testuser' returns gid=ipausers and groups=ipausers,testgroup.
>
> SSSD RPM is sssd-1.5.1-37.el5
>
> I'm no samba expert so it's quite possible I may have botched setup in that
> arena.

One more question: was the user added to "testgroup" after logging in?
Does logging out and logging back in resolve the problem? In Linux, users are only assigned their groups at login time. They don't ever change memberships until a new session.

From kelvin at kindsight.net Wed Feb 29 19:20:39 2012
From: kelvin at kindsight.net (Kelvin Edmison)
Date: Wed, 29 Feb 2012 14:20:39 -0500
Subject: [Freeipa-users] IPA, samba, and secondary groups
In-Reply-To: <1330542784.28274.34.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID:

On 12-02-29 2:13 PM, "Stephen Gallagher" wrote:

> On Wed, 2012-02-29 at 13:49 -0500, Kelvin Edmison wrote:
>>
>>
>> On 12-02-29 1:40 PM, "Stephen Gallagher" wrote:
>>
>>> On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
>>>> Hi all,
>>>>
>>>> I am running into an issue where users cannot access a samba volume if
>>>> their only access is via a secondary group. For example, if testuser's
>>>> primary group is ipausers, and secondary groups include testgroup, and the
>>>> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
>>>> cannot read or write to the samba mount. If the testuser is changed so that
>>>> its primary group is testgroup, then testuser can access the volume.
>>>>
>>>> In this case, samba is running on a separate CentOS 5 server, configured to
>>>> access IPA via LDAP. It is a requirement that I support
>>>> userid/password-based access to the samba server, as I cannot roll all my
>>>> users onto kerberos right away.
>>>>
>>>> Does anyone have any insight as to what is going on and how it can be fixed?
>>>
>>>
>>> First step would be to make sure that the system is properly looking up
>>> the user's secondary groups.
>>>
>>> Try 'id testuser' and see if 'testgroup' is listed in the output.
>>> If it's not, I'll bet you have either a configuration issue or a bug in
>>> SSSD somewhere.
>>>
>>> Also, what version of SSSD are you running? FreeIPA pretty much needs
>>> 1.5.x or later nowadays for full feature support.
>>
>> 'id testuser' returns gid=ipausers and groups=ipausers,testgroup.
>>
>> SSSD RPM is sssd-1.5.1-37.el5
>>
>> I'm no samba expert so it's quite possible I may have botched setup in that
>> arena.
>
>
> One more question: was the user added to "testgroup" after logging in?
> Does logging out and logging back in resolve the problem? In Linux,
> users are only assigned their groups at login time. They don't ever
> change memberships until a new session.

Unfortunately, it does not resolve the problem. I have even gone to the extent of ensuring that testuser was logged out, and then shutting down sssd, clearing its cache, and restarting it.

Should I expect that secondary groups would work in this samba/ipa configuration?

From danieljamesscott at gmail.com Wed Feb 29 18:44:14 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 29 Feb 2012 13:44:14 -0500
Subject: [Freeipa-users] CA replica installation failure
In-Reply-To:
References:
Message-ID:

Anyone have any suggestions for how I can fix this?

Dan

On Mon, Feb 27, 2012 at 21:06, Dan Scott wrote:
> Hi,
>
> I'm having another problem with replica installation - just the CA this time
>
> It looks like there's a problem with SELinux and the pki-ca service:
>
> After configuration, the server can be operated by the command:
>
>     /bin/systemctl restart pki-cad at pki-ca.service
>
>
> 2012-02-27 20:33:45,729 DEBUG stderr=[error] Failed setting selinux
> context pki_ca_port_t for 9180.  Port already defined otherwise.
> [error] Failed setting selinux context pki_ca_port_t for 9701.  Port
> already defined otherwise.
> [error] Failed setting selinux context pki_ca_port_t for 9443.  Port
> already defined otherwise.
> [error] Failed setting selinux context pki_ca_port_t for 9444.
> Port already defined otherwise.
> [error] Failed setting selinux context pki_ca_port_t for 9446.  Port
> already defined otherwise.
> [error] Failed setting selinux context pki_ca_port_t for 9445.  Port
> already defined otherwise.
> [error] Failed setting selinux context pki_ca_port_t for 9447.  Port
> already defined otherwise.
> [error] FAILED run_command("/bin/systemctl restart
> pki-cad at pki-ca.service"), exit status=1 output="Job failed. See system
> logs and 'systemctl status' for details."
>
> 2012-02-27 20:33:45,729 DEBUG   duration: 6 seconds
> 2012-02-27 20:33:45,730 DEBUG   [3/11]: configuring certificate server instance
> [clip]
> 2012-02-27 20:33:46,159 DEBUG stdout=libpath=/usr/lib64
> #######################################################################
> CRYPTO INIT WITH CERTDB:/tmp/tmp-cDdVph
> tokenpwd:XXXXXXXX
> #############################################
> Attempting to connect to: fileserver3.example.com:9445
> Exception in LoginPanel(): java.lang.NullPointerException
> ERROR: ConfigureCA: LoginPanel() failure
> ERROR: unable to create CA
>
> #######################################################################
>
> 2012-02-27 20:33:46,159 DEBUG stderr=Exception: Unable to Send
> Request:java.net.ConnectException: Connection refused
> java.net.ConnectException: Connection refused
>         at java.net.PlainSocketImpl.socketConnect(Native Method)
>         at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
>         at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
>         at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
>         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
>         at java.net.Socket.connect(Socket.java:546)
>         at java.net.Socket.connect(Socket.java:495)
>         at java.net.Socket.(Socket.java:392)
>         at java.net.Socket.(Socket.java:235)
>         at HTTPClient.sslConnect(HTTPClient.java:326)
>         at ConfigureCA.LoginPanel(ConfigureCA.java:244)
>         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>         at ConfigureCA.main(ConfigureCA.java:1672)
> java.lang.NullPointerException
>         at ConfigureCA.LoginPanel(ConfigureCA.java:245)
>         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>         at ConfigureCA.main(ConfigureCA.java:1672)
>
> /var/log/messages contains the following:
>
> Feb 27 20:40:45 localhost kpasswd[2198]: Error receiving request (104)
> Connection reset by peer
> Feb 27 20:57:26 localhost pkicontrol[2778]: /usr/bin/runcon: invalid
> context: system_u:system_r:pki_ca_script_t:s0: Invalid argument
> Feb 27 20:57:26 localhost systemd[1]: pki-cad at pki-ca.service: control
> process exited, code=exited status=1
> Feb 27 20:57:26 localhost systemd[1]: Unit pki-cad at pki-ca.service
> entered failed state.
>
> This is a fresh install of Fedora 16. There are no updates to apply.
>
> Any ideas?
>
> One more thing. Is there a way to remove and reinstall just the CA? Or
> do I have to completely remove and re-install the entire IPA replica?
> i.e. Is there something like ipa-ca-install --uninstall I couldn't see
> the option anywhere.
>
> Thanks,
>
> Dan

From alee at redhat.com Wed Feb 29 21:03:42 2012
From: alee at redhat.com (Ade Lee)
Date: Wed, 29 Feb 2012 16:03:42 -0500
Subject: [Freeipa-users] CA replica installation failure
In-Reply-To:
References:
Message-ID: <1330549422.4141.3.camel@aleeredhat.laptop>

That's a pretty strange error. The ports there are supposed to be reserved for pki_ca_port_t.

Can you do the following for each of the ports?
semanage port -l |grep 9443

It's probably best to completely remove the replica. You could try to use dogtag specific commands to uninstall and install the ca - but then the rest of the ipa install scripts would be confused.

Ade

On Wed, 2012-02-29 at 13:44 -0500, Dan Scott wrote:
> Anyone have any suggestions for how I can fix this?
>
> Dan
>
> On Mon, Feb 27, 2012 at 21:06, Dan Scott wrote:
> > Hi,
> >
> > I'm having another problem with replica installation - just the CA this time
> >
> > It looks like there's a problem with SELinux and the pki-ca service:
> >
> > After configuration, the server can be operated by the command:
> >
> >     /bin/systemctl restart pki-cad at pki-ca.service
> >
> >
> > 2012-02-27 20:33:45,729 DEBUG stderr=[error] Failed setting selinux
> > context pki_ca_port_t for 9180. Port already defined otherwise.
> > [error] Failed setting selinux context pki_ca_port_t for 9701. Port
> > already defined otherwise.
> > [error] Failed setting selinux context pki_ca_port_t for 9443. Port
> > already defined otherwise.
> > [error] Failed setting selinux context pki_ca_port_t for 9444. Port
> > already defined otherwise.
> > [error] Failed setting selinux context pki_ca_port_t for 9446. Port
> > already defined otherwise.
> > [error] Failed setting selinux context pki_ca_port_t for 9445. Port
> > already defined otherwise.
> > [error] Failed setting selinux context pki_ca_port_t for 9447. Port
> > already defined otherwise.
> > [error] FAILED run_command("/bin/systemctl restart
> > pki-cad at pki-ca.service"), exit status=1 output="Job failed. See system
> > logs and 'systemctl status' for details."
> >
> > 2012-02-27 20:33:45,729 DEBUG   duration: 6 seconds
> > 2012-02-27 20:33:45,730 DEBUG   [3/11]: configuring certificate server instance
> > [clip]
> > 2012-02-27 20:33:46,159 DEBUG stdout=libpath=/usr/lib64
> > #######################################################################
> > CRYPTO INIT WITH CERTDB:/tmp/tmp-cDdVph
> > tokenpwd:XXXXXXXX
> > #############################################
> > Attempting to connect to: fileserver3.example.com:9445
> > Exception in LoginPanel(): java.lang.NullPointerException
> > ERROR: ConfigureCA: LoginPanel() failure
> > ERROR: unable to create CA
> >
> > #######################################################################
> >
> > 2012-02-27 20:33:46,159 DEBUG stderr=Exception: Unable to Send
> > Request:java.net.ConnectException: Connection refused
> > java.net.ConnectException: Connection refused
> >         at java.net.PlainSocketImpl.socketConnect(Native Method)
> >         at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
> >         at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
> >         at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
> >         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
> >         at java.net.Socket.connect(Socket.java:546)
> >         at java.net.Socket.connect(Socket.java:495)
> >         at java.net.Socket.(Socket.java:392)
> >         at java.net.Socket.(Socket.java:235)
> >         at HTTPClient.sslConnect(HTTPClient.java:326)
> >         at ConfigureCA.LoginPanel(ConfigureCA.java:244)
> >         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> >         at ConfigureCA.main(ConfigureCA.java:1672)
> > java.lang.NullPointerException
> >         at ConfigureCA.LoginPanel(ConfigureCA.java:245)
> >         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> >         at ConfigureCA.main(ConfigureCA.java:1672)
> >
> > /var/log/messages contains the following:
> >
> > Feb 27 20:40:45 localhost kpasswd[2198]: Error receiving request (104)
> > Connection reset by peer
> > Feb 27
> > 20:57:26 localhost pkicontrol[2778]: /usr/bin/runcon: invalid
> > context: system_u:system_r:pki_ca_script_t:s0: Invalid argument
> > Feb 27 20:57:26 localhost systemd[1]: pki-cad at pki-ca.service: control
> > process exited, code=exited status=1
> > Feb 27 20:57:26 localhost systemd[1]: Unit pki-cad at pki-ca.service
> > entered failed state.
> >
> > This is a fresh install of Fedora 16. There are no updates to apply.
> >
> > Any ideas?
> >
> > One more thing. Is there a way to remove and reinstall just the CA? Or
> > do I have to completely remove and re-install the entire IPA replica?
> > i.e. Is there something like ipa-ca-install --uninstall I couldn't see
> > the option anywhere.
> >
> > Thanks,
> >
> > Dan

From danieljamesscott at gmail.com Wed Feb 29 21:18:56 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 29 Feb 2012 16:18:56 -0500
Subject: [Freeipa-users] CA replica installation failure
In-Reply-To: <1330549422.4141.3.camel@aleeredhat.laptop>
References: <1330549422.4141.3.camel@aleeredhat.laptop>
Message-ID:

On Wed, Feb 29, 2012 at 16:03, Ade Lee wrote:
> That's a pretty strange error. The ports there are supposed to be
> reserved for pki_ca_port_t.
>
> Can you do the following for each of the ports?
> semanage port -l |grep 9443

[root at fileserver3 ~]# semanage port -l |grep 9443
pki_ca_port_t                  tcp      9180, 9701, 9443-9447

944[456] don't match, but they're in the range, so they should be OK, right?

Is it really an error? Or is it just indicating that the port has already been set.

Thanks,

Dan

> It's probably best to completely remove the replica. You could try to use
> dogtag specific commands to uninstall and install the ca - but then the
> rest of the ipa install scripts would be confused.
>
> Ade
>
> On Wed, 2012-02-29 at 13:44 -0500, Dan Scott wrote:
>> Anyone have any suggestions for how I can fix this?
>>
>> Dan
>>
>> On Mon, Feb 27, 2012 at 21:06, Dan Scott wrote:
>> > Hi,
>> >
>> > I'm having another problem with replica installation - just the CA this time
>> >
>> > It looks like there's a problem with SELinux and the pki-ca service:
>> >
>> > After configuration, the server can be operated by the command:
>> >
>> >     /bin/systemctl restart pki-cad at pki-ca.service
>> >
>> >
>> > 2012-02-27 20:33:45,729 DEBUG stderr=[error] Failed setting selinux
>> > context pki_ca_port_t for 9180.  Port already defined otherwise.
>> > [error] Failed setting selinux context pki_ca_port_t for 9701.  Port
>> > already defined otherwise.
>> > [error] Failed setting selinux context pki_ca_port_t for 9443.  Port
>> > already defined otherwise.
>> > [error] Failed setting selinux context pki_ca_port_t for 9444.  Port
>> > already defined otherwise.
>> > [error] Failed setting selinux context pki_ca_port_t for 9446.  Port
>> > already defined otherwise.
>> > [error] Failed setting selinux context pki_ca_port_t for 9445.  Port
>> > already defined otherwise.
>> > [error] Failed setting selinux context pki_ca_port_t for 9447.  Port
>> > already defined otherwise.
>> > [error] FAILED run_command("/bin/systemctl restart
>> > pki-cad at pki-ca.service"), exit status=1 output="Job failed. See system
>> > logs and 'systemctl status' for details."
>> >
>> > 2012-02-27 20:33:45,729 DEBUG   duration: 6 seconds
>> > 2012-02-27 20:33:45,730 DEBUG
>> > [3/11]: configuring certificate server instance
>> > [clip]
>> > 2012-02-27 20:33:46,159 DEBUG stdout=libpath=/usr/lib64
>> > #######################################################################
>> > CRYPTO INIT WITH CERTDB:/tmp/tmp-cDdVph
>> > tokenpwd:XXXXXXXX
>> > #############################################
>> > Attempting to connect to: fileserver3.example.com:9445
>> > Exception in LoginPanel(): java.lang.NullPointerException
>> > ERROR: ConfigureCA: LoginPanel() failure
>> > ERROR: unable to create CA
>> >
>> > #######################################################################
>> >
>> > 2012-02-27 20:33:46,159 DEBUG stderr=Exception: Unable to Send
>> > Request:java.net.ConnectException: Connection refused
>> > java.net.ConnectException: Connection refused
>> >         at java.net.PlainSocketImpl.socketConnect(Native Method)
>> >         at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
>> >         at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
>> >         at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
>> >         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
>> >         at java.net.Socket.connect(Socket.java:546)
>> >         at java.net.Socket.connect(Socket.java:495)
>> >         at java.net.Socket.(Socket.java:392)
>> >         at java.net.Socket.(Socket.java:235)
>> >         at HTTPClient.sslConnect(HTTPClient.java:326)
>> >         at ConfigureCA.LoginPanel(ConfigureCA.java:244)
>> >         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>> >         at ConfigureCA.main(ConfigureCA.java:1672)
>> > java.lang.NullPointerException
>> >         at ConfigureCA.LoginPanel(ConfigureCA.java:245)
>> >         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>> >         at ConfigureCA.main(ConfigureCA.java:1672)
>> >
>> > /var/log/messages contains the following:
>> >
>> > Feb 27 20:40:45 localhost kpasswd[2198]: Error receiving request (104)
>> > Connection reset by peer
>> > Feb 27 20:57:26 localhost pkicontrol[2778]: /usr/bin/runcon: invalid
>> > context: system_u:system_r:pki_ca_script_t:s0: Invalid argument
>> > Feb 27 20:57:26 localhost systemd[1]: pki-cad at pki-ca.service: control
>> > process exited, code=exited status=1
>> > Feb 27 20:57:26 localhost systemd[1]: Unit pki-cad at pki-ca.service
>> > entered failed state.
>> >
>> > This is a fresh install of Fedora 16. There are no updates to apply.
>> >
>> > Any ideas?
>> >
>> > One more thing. Is there a way to remove and reinstall just the CA? Or
>> > do I have to completely remove and re-install the entire IPA replica?
>> > i.e. Is there something like ipa-ca-install --uninstall I couldn't see
>> > the option anywhere.
>> >
>> > Thanks,
>> >
>> > Dan
>
>

From alee at redhat.com Wed Feb 29 21:28:40 2012
From: alee at redhat.com (Ade Lee)
Date: Wed, 29 Feb 2012 16:28:40 -0500
Subject: [Freeipa-users] CA replica installation failure
In-Reply-To:
References: <1330549422.4141.3.camel@aleeredhat.laptop>
Message-ID: <1330550920.4141.6.camel@aleeredhat.laptop>

It's a little strange that it's showing up as an error -- it shouldn't if they are already set and they are of the right context.

That said, it's not really an error - and should not be a problem unless it's preventing the installation from completing successfully.

Try doing the installation with selinux in permissive mode and see if it makes a difference.

Ade

On Wed, 2012-02-29 at 16:18 -0500, Dan Scott wrote:
> On Wed, Feb 29, 2012 at 16:03, Ade Lee wrote:
> > That's a pretty strange error.
> > The ports there are supposed to be
> > reserved for pki_ca_port_t.
> >
> > Can you do the following for each of the ports?
> > semanage port -l |grep 9443
>
> [root at fileserver3 ~]# semanage port -l |grep 9443
> pki_ca_port_t                  tcp      9180, 9701, 9443-9447
>
> 944[456] don't match, but they're in the range, so they should be OK, right?
>
> Is it really an error? Or is it just indicating that the port has
> already been set.
>
> Thanks,
>
> Dan
>
> > It's probably best to completely remove the replica. You could try to use
> > dogtag specific commands to uninstall and install the ca - but then the
> > rest of the ipa install scripts would be confused.
> >
> > Ade
> >
> > On Wed, 2012-02-29 at 13:44 -0500, Dan Scott wrote:
> >> Anyone have any suggestions for how I can fix this?
> >>
> >> Dan
> >>
> >> On Mon, Feb 27, 2012 at 21:06, Dan Scott wrote:
> >> > Hi,
> >> >
> >> > I'm having another problem with replica installation - just the CA this time
> >> >
> >> > It looks like there's a problem with SELinux and the pki-ca service:
> >> >
> >> > After configuration, the server can be operated by the command:
> >> >
> >> >     /bin/systemctl restart pki-cad at pki-ca.service
> >> >
> >> >
> >> > 2012-02-27 20:33:45,729 DEBUG stderr=[error] Failed setting selinux
> >> > context pki_ca_port_t for 9180. Port already defined otherwise.
> >> > [error] Failed setting selinux context pki_ca_port_t for 9701. Port
> >> > already defined otherwise.
> >> > [error] Failed setting selinux context pki_ca_port_t for 9443. Port
> >> > already defined otherwise.
> >> > [error] Failed setting selinux context pki_ca_port_t for 9444. Port
> >> > already defined otherwise.
> >> > [error] Failed setting selinux context pki_ca_port_t for 9446. Port
> >> > already defined otherwise.
> >> > [error] Failed setting selinux context pki_ca_port_t for 9445. Port
> >> > already defined otherwise.
> >> > [error] Failed setting selinux context pki_ca_port_t for 9447. Port
> >> > already defined otherwise.
> >> > [error] FAILED run_command("/bin/systemctl restart
> >> > pki-cad at pki-ca.service"), exit status=1 output="Job failed. See system
> >> > logs and 'systemctl status' for details."
> >> >
> >> > 2012-02-27 20:33:45,729 DEBUG   duration: 6 seconds
> >> > 2012-02-27 20:33:45,730 DEBUG   [3/11]: configuring certificate server instance
> >> > [clip]
> >> > 2012-02-27 20:33:46,159 DEBUG stdout=libpath=/usr/lib64
> >> > #######################################################################
> >> > CRYPTO INIT WITH CERTDB:/tmp/tmp-cDdVph
> >> > tokenpwd:XXXXXXXX
> >> > #############################################
> >> > Attempting to connect to: fileserver3.example.com:9445
> >> > Exception in LoginPanel(): java.lang.NullPointerException
> >> > ERROR: ConfigureCA: LoginPanel() failure
> >> > ERROR: unable to create CA
> >> >
> >> > #######################################################################
> >> >
> >> > 2012-02-27 20:33:46,159 DEBUG stderr=Exception: Unable to Send
> >> > Request:java.net.ConnectException: Connection refused
> >> > java.net.ConnectException: Connection refused
> >> >         at java.net.PlainSocketImpl.socketConnect(Native Method)
> >> >         at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
> >> >         at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
> >> >         at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
> >> >         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
> >> >         at java.net.Socket.connect(Socket.java:546)
> >> >         at java.net.Socket.connect(Socket.java:495)
> >> >         at java.net.Socket.(Socket.java:392)
> >> >         at java.net.Socket.(Socket.java:235)
> >> >         at HTTPClient.sslConnect(HTTPClient.java:326)
> >> >         at ConfigureCA.LoginPanel(ConfigureCA.java:244)
> >> >         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> >> >         at ConfigureCA.main(ConfigureCA.java:1672)
> >> > java.lang.NullPointerException
> >> >         at ConfigureCA.LoginPanel(ConfigureCA.java:245)
> >> >         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> >> >         at ConfigureCA.main(ConfigureCA.java:1672)
> >> >
> >> > /var/log/messages contains the following:
> >> >
> >> > Feb 27 20:40:45 localhost kpasswd[2198]: Error receiving request (104)
> >> > Connection reset by peer
> >> > Feb 27 20:57:26 localhost pkicontrol[2778]: /usr/bin/runcon: invalid
> >> > context: system_u:system_r:pki_ca_script_t:s0: Invalid argument
> >> > Feb 27 20:57:26 localhost systemd[1]: pki-cad at pki-ca.service: control
> >> > process exited, code=exited status=1
> >> > Feb 27 20:57:26 localhost systemd[1]: Unit pki-cad at pki-ca.service
> >> > entered failed state.
> >> >
> >> > This is a fresh install of Fedora 16. There are no updates to apply.
> >> >
> >> > Any ideas?
> >> >
> >> > One more thing. Is there a way to remove and reinstall just the CA? Or
> >> > do I have to completely remove and re-install the entire IPA replica?
> >> > i.e. Is there something like ipa-ca-install --uninstall I couldn't see
> >> > the option anywhere.
> >> >
> >> > Thanks,
> >> >
> >> > Dan
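Dan's 'semanage port -l | grep 9443' only matches lines carrying the literal digits 9443, so a range entry such as 9443-9447 is found for 9443 and invisible for 9444 through 9447, and the same grep would also match 19443. The following added example, my own code rather than anything from the thread, parses the semanage table properly and answers "which type covers this port", ranges included, for all seven ports the installer complained about. SAMPLE is constructed to look like semanage output and carries the pki_ca_port_t line Dan posted; it is not captured from fileserver3.

```python
"""Added example: which SELinux port type covers a given port, ranges included.

My own code, not from the thread. SAMPLE is constructed to look like
'semanage port -l' output and carries the pki_ca_port_t line Dan
posted; it is not captured from fileserver3.
"""
import subprocess

SAMPLE = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pki_ca_port_t                  tcp      9180, 9701, 9443-9447
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514
"""

# The seven ports the installer complained about.
PKI_CA_PORTS = (9180, 9701, 9443, 9444, 9445, 9446, 9447)


def parse_semanage_ports(text):
    """{(type, proto): [(low, high), ...]} from 'semanage port -l' output.

    Single ports become (n, n); 'a-b' becomes (a, b). Header, blank and
    unparseable lines are skipped.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("tcp", "udp"):
            continue
        stype, proto, ports = parts
        ranges = []
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            ranges.append((int(low), int(high or low)))
        table[(stype, proto)] = ranges
    return table


def port_types(port, proto, text):
    """Every type whose list covers port/proto; a range match counts as much as a literal one."""
    table = parse_semanage_ports(text)
    return sorted(stype for (stype, p), ranges in table.items()
                  if p == proto and any(low <= port <= high for low, high in ranges))


def uncovered(ports, expected_type, proto, text):
    """Ports from 'ports' that expected_type does not cover: the list worth acting on."""
    return [p for p in ports if expected_type not in port_types(p, proto, text)]


def live_port_types(port, proto="tcp"):
    """Same check against the running host (needs semanage from policycoreutils-python)."""
    out = subprocess.run(["semanage", "port", "-l"], check=True,
                         capture_output=True, text=True).stdout
    return port_types(port, proto, out)


if __name__ == "__main__":
    for p in PKI_CA_PORTS:
        print(p, port_types(p, "tcp", SAMPLE))
    print("not pki_ca_port_t:", uncovered(PKI_CA_PORTS, "pki_ca_port_t", "tcp", SAMPLE))
```

On the line Dan posted, every one of 9180, 9701 and 9443-9447 is already pki_ca_port_t, which agrees with Ade's reading that the "Port already defined otherwise" lines are noise. The line in the log that does explain the failed restart is the one from pkicontrol: "runcon: invalid context: system_u:system_r:pki_ca_script_t:s0: Invalid argument" usually means the loaded policy has no such type, and permissive mode does not make an unknown type valid. Checking whether the type exists ('seinfo --type=pki_ca_script_t' from setools, or 'semodule -l' for a pki policy module) is a quicker next step than the permissive-mode run.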