From dale at themacartneyclan.com Fri Jun 1 07:14:09 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Fri, 01 Jun 2012 08:14:09 +0100
Subject: [Freeipa-users] token/swipe pass deployments with IPA
In-Reply-To: <4FC7F693.9000909@redhat.com>
References: <4FC7C064.6010401@themacartneyclan.com> <4FC7F693.9000909@redhat.com>
Message-ID: <4FC86BC1.7050706@themacartneyclan.com>

On 31/05/12 23:54, Dmitri Pal wrote:
> On 05/31/2012 03:03 PM, Dale Macartney wrote:
>> Evening all
>>
>> http://www.youtube.com/watch?v=uvfkj8V6ylM
>>
>> This video was floating around Google plus a few days ago which is
>> brilliant to show off RHEV's VDI technologies. I was wondering if anyone
>> has a similar business case of VDI deployments with swipe passes or
>> tokens, but using IPA as the backing authentication store?
>
> I am not quite sure what is used as an authentication source in this case.
> I can ask.

I was just thinking, as I seem to be doing a lot lately, "can it be done with IPA?" Is token support on the road map, if some tokens are not already supported?

>> Has anyone done something similar themselves?
>>
>> Dale
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
From pspacek at redhat.com Fri Jun 1 10:03:48 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 01 Jun 2012 12:03:48 +0200
Subject: [Freeipa-users] IPA 2.2 on Fedora 17
In-Reply-To: <4FC7733A.5060604@redhat.com>
References: <4FC67194.5080508@redhat.com> <4FC7733A.5060604@redhat.com>
Message-ID: <4FC89384.4000401@redhat.com>

On 05/31/2012 03:33 PM, Chris Evich wrote:
> On 05/30/2012 03:14 PM, Rob Crittenden wrote:
>> The current 389-ds-base package in Fedora 17 is known to not work with
>> IPA. This is any of the 1.2.11.x builds through 1.2.11.4.
>>
>> The only solution we have right now is to downgrade to 1.2.10.4. This is
>> unfortunately not in any yum repositories. To install it you can either
>> download the packages manually from
>> http://koji.fedoraproject.org/koji/buildinfo?buildID=308732 or use the
>> koji tool to retrieve them:
>>
>> # koji download-build 389-ds-base-1.2.10.4-2.fc17
>>
>> Then install the right bits for your architecture. You'll want to remove
>> any existing 389-ds-base bits:
>>
>> # rpm -e 389-ds-base 389-ds-base-libs
>>
>> We're working with the 389-ds team to fix this. We do not currently have
>> an ETA.
>>
>> rob
>
> And! remember to add 389-ds-base and 389-ds-base-libs to the /etc/yum.conf exclude
> list (temporarily). Otherwise it's easy to accidentally wreck your setup with
> a casual yum update (not that I would ever casually update my systems, nope,
> never).

Hello,

these commands should do all the magic for you:

    sudo yum install koji
    koji download-build 389-ds-base-1.2.10.4-2.fc17
    sudo yum remove '389-ds-*'
    sudo yum install 389-ds-*.fc17.x86_64.rpm
    sudo yum install yum-plugin-versionlock
    sudo yum versionlock 389-ds-base{,-devel,-libs}

Credit goes to Petr^3 Viktorin.
Petr^2 Spacek

From rcritten at redhat.com Fri Jun 1 14:35:33 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Jun 2012 10:35:33 -0400
Subject: [Freeipa-users] more HBAC service groups?
Message-ID: <4FC8D335.9080902@redhat.com>

We have an open ticket, https://fedorahosted.org/freeipa/ticket/1712, requesting to add more HBAC service groups by default to IPA.

We're looking for suggestions on groups of services to add. We currently provide just two groups, ftp and sudo.

thanks

rob

From rcritten at redhat.com Fri Jun 1 14:46:28 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Jun 2012 10:46:28 -0400
Subject: [Freeipa-users] ipa-client-install hangs on ipa-getkeytab - Fixed!!
In-Reply-To: <20120531052853.GA3854@noboost.org>
References: <20120528062120.GA21730@noboost.org> <1338274843.30643.6.camel@balmora.brq.redhat.com> <20120530040211.GA20108@noboost.org> <4FC64451.5070201@redhat.com> <20120531052853.GA3854@noboost.org>
Message-ID: <4FC8D5C4.4050702@redhat.com>

freeipa at noboost.org wrote:
> On Wed, May 30, 2012 at 12:01:21PM -0400, Rob Crittenden wrote:
>> freeipa at noboost.org wrote:
>>> On Tue, May 29, 2012 at 09:00:43AM +0200, Martin Kosek wrote:
>>>> On Mon, 2012-05-28 at 10:21 +0400, freeipa at noboost.org wrote:
>>>>> Hi All,
>>>>>
>>>>> This one has me stumped!
>>>>> For some reason my CentOS 5.8 x64 Linux server hangs during
>>>>> "ipa-client-install"
>>>>>
>>>>> Server:
>>>>> * ipa-admintools-2.1.3-9.el6.x86_64
>>>>> * ipa-client-2.1.3-9.el6.x86_64
>>>>> * ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>> * ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>> * ipa-python-2.1.3-9.el6.x86_64
>>>>> * ipa-server-2.1.3-9.el6.x86_64
>>>>> * ipa-server-selinux-2.1.3-9.el6.x86_64
>>>>>
>>>>> Client:
>>>>> CentOS release 5.8 (Final) (x86_64)
>>>>> * ipa-client-2.1.3-2.el5_8
>>>>> * sssd-client-1.5.1-49.el5_8.1
>>>>>
>>>>> Questions:
>>>>> * Is there a better way to diagnose the ipa-getkeytab command?
>>>>>   Perhaps I can run a native kerberos command?
>>>>> * Any tips welcome, I've tried straces and tcpdump to work this one out,
>>>>>   hmm..
>>>>>
>>>>> Error:
>>>>> "ipa-client-install" runs fine and then hangs (without reason):
>>>>> [below is the chopped version]
>>>>>
>>>>> -------------------------------------------------------------------
>>>>> [libdefaults]
>>>>> default_realm = EXAMPLE.COM
>>>>> dns_lookup_realm = true
>>>>> dns_lookup_kdc = true
>>>>> rdns = false
>>>>> ticket_lifetime = 24h
>>>>> forwardable = yes
>>>>>
>>>>> [realms]
>>>>> EXAMPLE.COM = {
>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .example.com = EXAMPLE.COM
>>>>> example.com = EXAMPLE.COM
>>>>>
>>>>> Password for admin at EXAMPLE.COM:
>>>>> root : DEBUG args=kinit admin at EXAMPLE.COM
>>>>> root : DEBUG stdout=Password for admin at EXAMPLE.COM:
>>>>>
>>>>> root : DEBUG stderr=
>>>>> -------------------------------------------------------------------
>>>>>
>>>>> `ps -ef` on the client side shows that the install is getting stuck on
>>>>> "ipa-getkeytab" for some reason.
>>>>>
>>>>> root 15842 15814 0 15:09 pts/1 00:00:00 /usr/bin/python -E /usr/sbin/ipa-client-install -d
>>>>> root 15852 15842 0 15:09 pts/1 00:00:00 /usr/sbin/ipa-join -s ipa-server.example.com -b dc=example,dc=com -d
>>>>> root 15853 15852 0 15:09 pts/1 00:00:00 /usr/sbin/ipa-getkeytab -s ipa-server.example.com -p host/client.example.com at EXAMPLE.COM -k /etc/krb5.keytab
>>>>>
>>>>> cya
>>>>>
>>>>> Craig
>>>>
>>>> Hello Craig,
>>>>
>>>> I think that in this case, strace may be a good choice to find out where
>>>> it hangs. I assume you already have the IPA server installed and you are
>>>> trying to install the IPA client on a different machine.
>>> yes that is correct
>>>>
>>>> If you run ipa-getkeytab with strace separately from ipa-client-install
>>>> you can test where it hangs.
>>>> You can use any principal existing in the IPA
>>>> server, including host/client.example.com at EXAMPLE.COM if the host entry
>>>> exists.
>>>>
>>>> To authenticate with ipa-getkeytab on a machine where ipa-client-install
>>>> was unsuccessful you can either manually configure /etc/krb5.conf to use
>>>> the IPA server KDC and run kinit, or you could use the "-D BINDDN -w PASSWORD"
>>>> options to authenticate via LDAP bind.
>>> Here's what I did, I'm not sure which part fixed it. But everything works
>>> fine now!
>>>
>>> Steps followed:
>>>
>>> 1) Found an old policy referring to this client in the kerberos
>>>    database. Naturally I deleted this.
>>>
>>> 2) Fixed up the /etc/krb5.conf on the client & ran the ipa-getkeytab
>>>    command (using an existing host principal). To my surprise this worked.
>>>
>>>    # /usr/sbin/ipa-getkeytab -s sysvm-ipa.example.com -p \
>>>    #     host/craigpc.example.com at EXAMPLE.COM -k /etc/krb5.keytab
>>>    # Keytab successfully retrieved and stored in: /etc/krb5.keytab
>>>
>>> 3) Re-ran the ipa-client-install.
>>>    It worked first time and problem solved.
>>>
>>> Any thoughts on the actual issue? Could it have been the old policy
>>> entry?
>>
>> Can you provide any more information on what this policy was and
>> where it was stored?
> It was just a simple HBAC policy which allowed a couple of users to that
> host, on all services and from any client. At this stage I don't have an ldap
> dump to send you. But if I get time, I'll restore it from backup and send it over.

Ok, it is surprising that an HBAC policy would get in the way. I'd be very interested to see what the root cause was.
thanks

rob

From rcritten at redhat.com Fri Jun 1 14:49:26 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Jun 2012 10:49:26 -0400
Subject: [Freeipa-users] Authentication Failure from Java - LoginException PREAUTH_FAILED
In-Reply-To: <4FC7820D.8050805@jboss.com>
References: <4FC739D4.4000907@jboss.com> <1338473830.8230.72.camel@willson.li.ssimo.org> <4FC7820D.8050805@jboss.com>
Message-ID: <4FC8D676.1010107@redhat.com>

Darran Lofthouse wrote:
> On 05/31/2012 03:17 PM, Simo Sorce wrote:
>> Darran,
>> I think you may need to download "Java Cryptography Extension (JCE)
>> Unlimited Strength Jurisdiction Policy Files 7"
>> See here:
>> http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
>>
>> Apparently AES is not fully supported unless you have the JCE which is
>> not distributed by default due to restrictions on export as far as I can
>> understand.
>
> Thank you for your reply Simo, I have actually been testing this both
> with and without the unlimited strength policy - the error message is
> the same in both cases, the only difference is that without the policy
> in place aes128 is selected instead of aes256.
>
>> If you prefer to restrict yourself to rc4-hmac, see the ipa-getkeytab
>> man page on how to explicitly request a set of enctypes on a new keytab.
>> Please remember that running ipa-getkeytab will invalidate your previous
>> keys.
>
> Also to clarify, at this stage I am supplying a username and password in
> the client - I wanted to get that working first before switching it to a
> keytab.

You might want to check the KDC logs to see if it has any more details on the failure.
rob

From darran.lofthouse at jboss.com Fri Jun 1 14:56:54 2012
From: darran.lofthouse at jboss.com (Darran Lofthouse)
Date: Fri, 01 Jun 2012 15:56:54 +0100
Subject: [Freeipa-users] Authentication Failure from Java - LoginException PREAUTH_FAILED
In-Reply-To: <4FC8D676.1010107@redhat.com>
References: <4FC739D4.4000907@jboss.com> <1338473830.8230.72.camel@willson.li.ssimo.org> <4FC7820D.8050805@jboss.com> <4FC8D676.1010107@redhat.com>
Message-ID: <4FC8D836.6040704@jboss.com>

On 06/01/2012 03:49 PM, Rob Crittenden wrote:
> Darran Lofthouse wrote:
>> On 05/31/2012 03:17 PM, Simo Sorce wrote:
>>> Darran,
>>> I think you may need to download "Java Cryptography Extension (JCE)
>>> Unlimited Strength Jurisdiction Policy Files 7"
>>> See here:
>>> http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
>>>
>>> Apparently AES is not fully supported unless you have the JCE which is
>>> not distributed by default due to restrictions on export as far as I can
>>> understand.
>>
>> Thank you for your reply Simo, I have actually been testing this both
>> with and without the unlimited strength policy - the error message is
>> the same in both cases, the only difference is that without the policy
>> in place aes128 is selected instead of aes256.
>>
>>> If you prefer to restrict yourself to rc4-hmac, see the ipa-getkeytab
>>> man page on how to explicitly request a set of enctypes on a new keytab.
>>> Please remember that running ipa-getkeytab will invalidate your previous
>>> keys.
>>
>> Also to clarify, at this stage I am supplying a username and password in
>> the client - I wanted to get that working first before switching it to a
>> keytab.
>
> You might want to check the KDC logs to see if it has any more details
> on the failure.
Unfortunately no more detail than in the exception. I think I am at the point where I am going to manually try and re-create that field myself - there have been other reports of incorrect salt selection, but that was always against older versions of Java, so I think I need to start looking more closely at how the field is actually generated.

> rob

From pspacek at redhat.com Fri Jun 1 15:45:13 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 01 Jun 2012 17:45:13 +0200
Subject: [Freeipa-users] DNS logs - named.run
In-Reply-To:
References:
Message-ID: <4FC8E389.3000302@redhat.com>

On 05/31/2012 07:24 PM, Jimmy wrote:
> This message repeats numerous times per minute:
>
> zone myzone.info/IN: zone serial (2012150501) unchanged. zone may fail
> to transfer to slaves.
>
> I even went into the admin page and changed the serial manually to see
> if I could get past the message but it just changed the message to
> this:
>
> zone myzone.info/IN: zone serial (2012150502) unchanged. zone may fail
> to transfer to slaves.
>
> Why does IPA report this?
>
> Thanks.

Hello,

can you describe your DNS topology?
Where is it logged?
Is it on a *slave* server?
How do you reproduce it?

Current IPA doesn't maintain the SOA serial number for updates made directly in LDAP (but nsupdate works). Zone transfers are totally broken for that reason.

A fix is on the roadmap: we are discussing how to solve this problem in the thread https://www.redhat.com/archives/freeipa-devel/2012-May/msg00044.html.

Petr^2 Spacek

From g17jimmy at gmail.com Fri Jun 1 18:17:29 2012
From: g17jimmy at gmail.com (Jimmy)
Date: Fri, 1 Jun 2012 14:17:29 -0400
Subject: [Freeipa-users] DNS logs - named.run
In-Reply-To: <4FC8E389.3000302@redhat.com>
References: <4FC8E389.3000302@redhat.com>
Message-ID:

Our DNS topology is a very simple, out of the box, FreeIPA config.
Our systems are configured to run independently at completely disparate locations, so there is very little to the topology besides forward and reverse zones for the networks served at each site. There are no slaves, and this is the only zone that has this issue. This is logged in the file /var/named/data/named.run. DNS has not been modified directly through LDAP, only through IPA interfaces.

Thanks,
Jimmy

Currently I could completely rebuild the system and push out the new config to the sites, but if there is some way to fix this on a running server, or get more debug info to the mailing list to possibly find the fix, I would greatly prefer that.

On Fri, Jun 1, 2012 at 11:45 AM, Petr Spacek wrote:
> On 05/31/2012 07:24 PM, Jimmy wrote:
>> This message repeats numerous times per minute:
>>
>> zone myzone.info/IN: zone serial (2012150501) unchanged. zone may fail
>> to transfer to slaves.
>>
>> I even went into the admin page and changed the serial manually to see
>> if I could get past the message but it just changed the message to
>> this:
>>
>> zone myzone.info/IN: zone serial (2012150502) unchanged. zone may fail
>> to transfer to slaves.
>>
>> Why does IPA report this?
>>
>> Thanks.
>
> Hello,
>
> can you describe your DNS topology?
> Where is it logged?
> Is it on a *slave* server?
> How to reproduce it?
>
> Current IPA doesn't maintain SOA serial number for updates made directly
> in LDAP (but nsupdate works). Zone transfers are totally broken for that
> reason.
>
> Fix is on the roadmap: We are discussing how to solve this problem in
> thread https://www.redhat.com/archives/freeipa-devel/2012-May/msg00044.html
>
> Petr^2 Spacek
From jlinoff at tabula.com Sat Jun 2 13:52:27 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Sat, 2 Jun 2012 06:52:27 -0700
Subject: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts
Message-ID: <8AD4194C251EC74CB897E261038F447801005B0A@mantaray.tabula.com>

Hi:

I am a newbie that is trying out FreeIPA for the first time. So far I am extremely impressed with this system but I ran into a problem that I need some help with. I am trying to figure out how to use HBAC to restrict a set of users to a specific set of hosts but I am not having any success.

Here is the problem statement:

I have 2 users, "user1" and "user2", that should only be able to access the host "foobar" on my network. There are many other possible hosts (like "wombat") that they cannot access. They can login from anywhere using "ssh".

The goal is to restrict students to a specific set of machines.

What I tried to do was this:

1. Create a user group called "restricted-users" which I could add users to.
2. Create a HBAC rule named "restricted-users" that
   a. Defines the host I want to allow them access to ("restricted-host").
   b. Defines the user group that is affected by this rule ("restricted-users").
   c. Defines the services they are allowed to use on that host (including login).
3. Create a user named "user1" that is enrolled in the "restricted-users" group.

I then tried this experiment:

1. ssh -Y user1 at foobar
   a. It worked like a charm. The login worked correctly.
2. ssh -Y user1 at wombat
   a. It also worked like a charm but in this case it was undesired behavior.

I am sure that I am missing something really obvious. Any help would be greatly appreciated.

Errata:
1. OS: CentOS 6.2
2. FreeIPA: v2.1.3 (9el6)

Thank you,

Joe
From dale at themacartneyclan.com Sat Jun 2 18:33:07 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Sat, 02 Jun 2012 19:33:07 +0100
Subject: [Freeipa-users] IPA Service accounts (Bind accounts)
Message-ID: <4FCA5C63.1030207@themacartneyclan.com>

Evening all

What's the recommended method for using service accounts with IPA?

For example, using a piece of software that needs to bind to LDAP (aka Zimbra, Moodle, Joomla, etc), having a password expiry on that specific bind user would result in the application constantly needing the password changed.

I can see that you can modify the default password policy (I personally don't want to change this as this works for my requirements), and also have the ability to create additional pw policies if needed.

What's the best method to create a user, but have that password for the new user never expire? Am I thinking along the right lines of using a different pw policy for the service accounts?
Thanks all

Dale

From abokovoy at redhat.com Sat Jun 2 19:31:13 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 2 Jun 2012 22:31:13 +0300
Subject: [Freeipa-users] IPA Service accounts (Bind accounts)
In-Reply-To: <4FCA5C63.1030207@themacartneyclan.com>
References: <4FCA5C63.1030207@themacartneyclan.com>
Message-ID: <20120602193113.GC25726@redhat.com>

On Sat, 02 Jun 2012, Dale Macartney wrote:
>Evening all
>
>What's the recommended method for using service accounts with IPA?
>
>For example, using a piece of software that needs to bind to LDAP (aka
>Zimbra, Moodle, Joomla, etc), having a password expiry on that specific
>bind user would result in the application constantly needing the
>password changed.
>
>I can see that you can modify the default password policy (i personally
>don't want to change this as this works for my requirements), and also
>have the ability to create additional pw policies if needed.
>
>What's the best method to create a user, however have that password for
>the new user that never expires? Am I thinking along the right lines of
>using a different pw policy for the service accounts?

A recommended way is to use system accounts. See, for example, how it is set up for sudo (section 13.4.1):
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html

We have this particular case covered with the following sudobind.ldif file (available in /usr/share/ipa/sudobind.ldif on the IPA server):

---------------
#SUDO bind user
dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: sudo
userPassword: $RANDOM_PASSWORD
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
---------------

As you can see, it has the SimpleSecurityObject and Account object classes, and the password is set to expire at the end of Unix time. You'd also need to add appropriate ACIs to limit what such an account can perform against IPA's LDAP store.

We use this method for passync (AD replication) and sudo integration, and will use it also for cross-realm trusts with AD in FreeIPAv3, albeit a bit differently (by making a container in sysaccounts to include all 'AD agents' from IPA servers exposed via CIFS and limiting what they can do).

A downside is that you don't see these system accounts through the IPA UI/CLI; they are only managed manually.
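The entry shape described above lends itself to a small tool: render a bind account the way sudobind.ldif does, and audit a dump of existing entries for the mistakes that lead to the original problem (an ordinary user entry used as a bind account, an expiry that has already passed). The following is an added example, not code from this post or from FreeIPA; the LDIF reader, the audit checks and the sample dump are this example's own assumptions, and only the attribute set is taken from the sudobind.ldif entry quoted above.

```python
"""Render and audit FreeIPA-style system (bind) account entries.

Added example, not code from the mailing-list post or from FreeIPA. It mirrors
the sudobind.ldif entry quoted above (account + simplesecurityobject, expiry
pinned to the end of 32-bit Unix time); the LDIF reader, the audit checks and
the sample dump below are this example's own assumptions.
"""
import secrets
from datetime import datetime, timezone

END_OF_UNIX_TIME = "20380119031407Z"        # GeneralizedTime, as in sudobind.ldif
SYSACCOUNTS_RDN = "cn=sysaccounts,cn=etc"   # container system accounts live under


def render_sysaccount_ldif(uid, suffix, password=None):
    """Add-LDIF for one bind account with the same attributes as sudobind.ldif."""
    return "\n".join([
        "# %s bind user" % uid,
        "dn: uid=%s,%s,%s" % (uid, SYSACCOUNTS_RDN, suffix),
        "changetype: add",
        "objectclass: account",
        "objectclass: simplesecurityobject",
        "uid: %s" % uid,
        "userPassword: %s" % (password or secrets.token_urlsafe(24)),  # $RANDOM_PASSWORD
        "passwordExpirationTime: %s" % END_OF_UNIX_TIME,
        "nsIdleTimeout: 0",
        "",
    ])


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, '#' comments, folded
    lines (leading space). Returns [{attr_lowercase: [values]}]; base64 '::'
    values are not needed here and are left unparsed."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last:
            current[last][-1] += raw[1:]
        elif raw.strip() == "":
            if current:
                entries.append(current)
            current, last = {}, None
        else:
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries


def audit_sysaccounts(text, suffix, now=None):
    """Map dn -> list of findings for entries that are not well-formed bind accounts."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for e in parse_ldif(text):
        dn = e.get("dn", ["<no dn>"])[0]
        problems = []
        if not dn.lower().endswith("%s,%s" % (SYSACCOUNTS_RDN, suffix.lower())):
            problems.append("not under %s" % SYSACCOUNTS_RDN)
        classes = {c.lower() for c in e.get("objectclass", [])}
        for needed in ("account", "simplesecurityobject"):
            if needed not in classes:
                problems.append("missing objectclass %s" % needed)
        if "userpassword" not in e:
            problems.append("no userPassword")
        exp = e.get("passwordexpirationtime", [None])[0]
        if exp is None:
            problems.append("no passwordExpirationTime (policy expiry applies)")
        else:
            try:
                when = datetime.strptime(exp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
                if when <= now:
                    problems.append("password expired at %s" % exp)
            except ValueError:
                problems.append("unparseable passwordExpirationTime %r" % exp)
        if problems:
            report[dn] = problems
    return report


# Constructed sample dump: the rendered entry, one whose expiry has passed,
# and one created as an ordinary user instead of a system account.
SAMPLE_SUFFIX = "dc=example,dc=com"
SAMPLE_DUMP = render_sysaccount_ldif("sudo", SAMPLE_SUFFIX, "ConstructedPw1") + """
dn: uid=zimbra,cn=sysaccounts,cn=etc,dc=example,dc=com
objectclass: account
objectclass: simplesecurityobject
uid: zimbra
userPassword: ConstructedPw2
passwordExpirationTime: 20120101000000Z

dn: uid=moodle,cn=users,cn=accounts,dc=example,dc=com
objectclass: account
uid: moodle
userPassword: ConstructedPw3
"""

if __name__ == "__main__":
    for dn, problems in sorted(audit_sysaccounts(SAMPLE_DUMP, SAMPLE_SUFFIX).items()):
        print(dn, "->", "; ".join(problems))
```

Run against a real export (for instance the output of an ldapsearch over cn=sysaccounts,cn=etc), the audit flags the two failure modes the thread is about: an expired bind password, and an application account that was created as a normal user and so falls under the regular password policy.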
--
/ Alexander Bokovoy

From dale at themacartneyclan.com Sat Jun 2 23:01:58 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Sun, 03 Jun 2012 00:01:58 +0100
Subject: [Freeipa-users] IPA Service accounts (Bind accounts)
In-Reply-To: <20120602193113.GC25726@redhat.com>
References: <4FCA5C63.1030207@themacartneyclan.com> <20120602193113.GC25726@redhat.com>
Message-ID: <4FCA9B66.8010204@themacartneyclan.com>

On 02/06/12 20:31, Alexander Bokovoy wrote:
> On Sat, 02 Jun 2012, Dale Macartney wrote:
>> Evening all
>>
>> What's the recommended method for using service accounts with IPA?
>>
>> For example, using a piece of software that needs to bind to LDAP (aka
>> Zimbra, Moodle, Joomla, etc), having a password expiry on that specific
>> bind user would result in the application constantly needing the
>> password changed.
>>
>> I can see that you can modify the default password policy (i personally
>> don't want to change this as this works for my requirements), and also
>> have the ability to create additional pw policies if needed.
>>
>> What's the best method to create a user, however have that password for
>> the new user that never expires? Am I thinking along the right lines of
>> using a different pw policy for the service accounts?
> A recommended way is to use system accounts.
> See, for example, how it is
> set up for sudo (section 13.4.1):
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
>
> We have this particular case covered with following sudobind.ldif file
> (available in /usr/share/ipa/sudobind.ldif at IPA server):
> ---------------
> #SUDO bind user
> dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: sudo
> userPassword: $RANDOM_PASSWORD
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
> ---------------
>
> As you can see, it has SimpleSecurityObject and Account object classes, and
> password is set to expire at the end of Unix time. You'd need to add
> also appropriate ACIs to limit what such account could perform against
> IPA's LDAP store.
>
> We use this method for passync (AD replication), sudo integration,
> and will use it also for cross-realm trusts with AD in FreeIPAv3,
> albeit a bit differently (by making a container in sysaccounts to
> include all 'AD agents' from IPA servers exposed via CIFS and limiting
> what they can do).
>
> A downside is that you don't see these system accounts through IPA UI/CLI,
> they are only managed manually.

Thanks very much Alexander, this worked brilliantly.
Dale

From dale at themacartneyclan.com Sat Jun 2 23:56:31 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Sun, 03 Jun 2012 00:56:31 +0100
Subject: [Freeipa-users] HOWTO: Zimbra Authentication and GAL lookups with FreeIPA backend
Message-ID: <4FCAA82F.3090906@themacartneyclan.com>

Morning all

Just a quick mail to let everyone know that I have placed a new wiki page for integrating Zimbra authentication and GAL lookups into IPA.

Link is here
http://freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA

This was my first time using Zimbra to be honest, so this is a straightforward "get it working" integration document.
I'll work on getting SSO working in the future when I have a greater understanding of the product.

If anyone has access to a dev/test lab or has any experience with Zimbra who wouldn't mind giving the steps a go, I would love to get some feedback or comments.

I have screenshots to go with the document as well, however they aren't uploading correctly at present. I will upload when I can.

Let me know what you think.

Hoo roo for now.

Dale
From simo at redhat.com Sun Jun 3 13:10:16 2012
From: simo at redhat.com (Simo Sorce)
Date: Sun, 03 Jun 2012 09:10:16 -0400
Subject: [Freeipa-users] HOWTO: Zimbra Authentication and GAL lookups with FreeIPA backend
In-Reply-To: <4FCAA82F.3090906@themacartneyclan.com>
References: <4FCAA82F.3090906@themacartneyclan.com>
Message-ID: <1338729016.8230.212.camel@willson.li.ssimo.org>

On Sun, 2012-06-03 at 00:56 +0100, Dale Macartney wrote:
> Morning all
>
> Just a quick mail to to let everyone know that I have placed a new wiki
> page for integrating Zimbra authentication and GAL lookups into IPA.
>
> Link is here
> http://freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA
>
> This was my first time using Zimbra to be honest, so this is a straight
> forward "get it working" integration document. I'll work on getting SSO
> working in the future when I have a greater understanding of the product.
>
> If anyone has access to a dev/test lab or has any experience with Zimbra
> who wouldn't mind giving the steps a go, I would love to get some
> feedback or comments.
>
> I have screenshots to go with the document as well, however they aren't
> uploading correctly at presents. I will upload when I can.
>
> Let me know what you think.
>
> Hoo roo for now.

Thanks Dale,
I fixed a bug in the ldif used to create the zimbra system account user.

Let me know if you need help uploading images.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Mon Jun 4 06:39:40 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 04 Jun 2012 08:39:40 +0200
Subject: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts
In-Reply-To: <8AD4194C251EC74CB897E261038F447801005B0A@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F447801005B0A@mantaray.tabula.com>
Message-ID: <1338791980.30320.6.camel@balmora.brq.redhat.com>

On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote:
> Hi:
>
> I am a newbie that is trying out FreeIPA for the first time. So far I
> am extremely impressed with this system but I ran into a problem that
> I need some help with. I am trying to figure out how to HBAC to
> restrict a set of users to a specific set of hosts but I am not having
> any success.
>
> Here is the problem statement:
>
> I have 2 users: "user1" and "user2" that should only be able to access
> the host "foobar" on my network. There are many other possible hosts
> (like "wombat") that they cannot access. They can login from anywhere
> using "ssh".
>
> The goal is to restrict students to a specific set of machines.
>
> What I tried to do was this:
>
> 1. Create a user group called "restricted-users" which I could
>    add users to.
> 2. Create a HBAC rule named "restricted-users" that
>    a. Defines the host I want to allow them access to
>       ("restricted-host").
>    b. Defines the user group that is affected by this rule
>       ("restricted-users").
>    c. Defines the services they are allowed to use on that host
>       (including login).
> 3. Create a user named "user1" that is enrolled in the
>    "restricted-users" group.
>
> I then tried this experiment:
>
> 1. ssh -Y user1 at foobar
>    a. It worked like a charm. The login worked correctly.
> 2. ssh -Y user1 at wombad
>    a. It also worked like a charm but in this case it was undesired
>       behavior.
>
> I am sure that I am missing something really obvious.
Any help would > be greatly appreciated. > > > > Errata: > > 1. OS: CentOS 6.2 > > 2. FreeIPA: v2.1.3 (9el6) > > > > Thank you, > > > > Joe > Hello Joe, did you disable default allow_all HBAC rule? # ipa hbacrule-show allow_all Rule name: allow_all User category: all Host category: all Source host category: all Service category: all Description: Allow all users to access any host from any host Enabled: TRUE With this rule disabled, the policy you described should be properly enforced. When testing HBAC rules you may want to try CLI and Web UI interface to hbactest command, which can help you to test who can use what service on which machine and also which rules did match when the access was allowed. HTH, Martin From sgallagh at redhat.com Mon Jun 4 12:10:26 2012 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 04 Jun 2012 08:10:26 -0400 Subject: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts In-Reply-To: <1338791980.30320.6.camel@balmora.brq.redhat.com> References: <8AD4194C251EC74CB897E261038F447801005B0A@mantaray.tabula.com> <1338791980.30320.6.camel@balmora.brq.redhat.com> Message-ID: <1338811826.2402.3.camel@sgallagh520.sgallagh.bos.redhat.com> On Mon, 2012-06-04 at 08:39 +0200, Martin Kosek wrote: > On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote: > > Hi: > > > > > > > > I am a newbie that is trying out FreeIPA for the first time. So far I > > am extremely impressed with this system but I ran into a problem that > > I need some help with. I am trying to figure out how to HBAC to > > restrict a set of users to a specific set of hosts but I am not having > > any success. > > > > > > > > Here is the problem statement: > > > > > > > > I have 2 users: ?user1? and ?user2? that should only be able to access > > the host ?foobar? on my network. There are many other possible hosts > > (like ?wombat?) that they cannot access. They can login from anywhere > > using ?ssh?. 
> > > > > > > > The goal is to restrict students to a specific set of machines. > > > > > > > > What I tried to do was this: > > > > > > > > 1. Create a user group called ?restricted-users? which I could > > add users to. > > > > 2. Create a HBAC rule named ?restricted-users? that > > > > a. Defines the host I want to allow them access to > > (?restricted-host?). > > > > b. Defines the user group that is affected by this rule > > (?restricted-users?). > > > > c. Defines the services they are allowed to use on that host > > (including login). > > > > 3. Create a user named ?user1? that is enrolled in the > > ?restricted-users? group. > > > > > > > > I then tried this experiment: > > > > > > > > 1. ssh ?Y user1 at foobar > > > > a. It worked like a charm. The login worked correctly. > > > > 2. ssh ?Y user1 at wombad > > > > a. It also worked like a charm but in this case it was undesired > > behavior. > > > > > > > > I am sure that I am missing something really obvious. Any help would > > be greatly appreciated. > > > > > > > > Errata: > > > > 1. OS: CentOS 6.2 > > > > 2. FreeIPA: v2.1.3 (9el6) > > > > > > > > Thank you, > > > > > > > > Joe > > > > Hello Joe, > > did you disable default allow_all HBAC rule? > > # ipa hbacrule-show allow_all > Rule name: allow_all > User category: all > Host category: all > Source host category: all > Service category: all > Description: Allow all users to access any host from any host > Enabled: TRUE > > With this rule disabled, the policy you described should be properly > enforced. When testing HBAC rules you may want to try CLI and Web UI > interface to hbactest command, which can help you to test who can use > what service on which machine and also which rules did match when the > access was allowed. If you're still experiencing problems after disabling the default allow_all rule, please submit the relevant section of /var/log/secure so we can see if anything peculiar is occurring in the PAM authentication and authorization. 
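The exchange above comes down to one property of FreeIPA HBAC: rules are allow-only, and access is granted as soon as any enabled rule matches the user, the host and the service, so a narrow "restricted-users" rule cannot take anything away while allow_all (user, host and service category all "all") is still enabled. The following is an added example, not FreeIPA's own code or anything from the thread: a small Python model of that evaluation, run against constructed sample data that mirrors Joe's setup (user1 in restricted-users, hosts foobar and wombat, the sshd service). The source-host dimension that the real rule shows is left out of the model for brevity.

```python
"""Minimal model of FreeIPA HBAC rule evaluation (added illustration).

Assumptions, labelled: this is NOT FreeIPA's implementation, only a model of
the documented semantics (allow-only rules; any enabled matching rule grants
access; categories set to "all" match everything).  Source-host matching is
omitted.  All users, groups, hosts and rules below are constructed sample
data, not taken from a real directory.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_category: Optional[str] = None      # "all" or None
    host_category: Optional[str] = None      # "all" or None
    service_category: Optional[str] = None   # "all" or None
    users: Set[str] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)


def rule_matches(rule: HbacRule, user: str, groups: Set[str],
                 host: str, service: str) -> bool:
    """True if an enabled rule covers this user, host and service."""
    if not rule.enabled:
        return False
    user_ok = (rule.user_category == "all"
               or user in rule.users
               or bool(groups & rule.user_groups))
    host_ok = rule.host_category == "all" or host in rule.hosts
    svc_ok = rule.service_category == "all" or service in rule.services
    return user_ok and host_ok and svc_ok


def hbac_test(rules: List[HbacRule], user: str, groups: Set[str],
              host: str, service: str) -> Tuple[bool, List[str]]:
    """Mimic what `ipa hbactest` reports: (access granted?, matched rules).

    Allow-only semantics: access is granted iff at least one rule matched.
    """
    matched = [r.name for r in rules
               if rule_matches(r, user, groups, host, service)]
    return bool(matched), matched


# Constructed sample data modelled on the thread.
GROUP_MEMBERSHIP = {
    "user1": {"restricted-users"},
    "user2": {"restricted-users"},
    "alice": {"staff"},            # not a restricted user
}


def build_rules(allow_all_enabled: bool) -> List[HbacRule]:
    """The default allow_all rule plus Joe's narrower rule."""
    return [
        HbacRule("allow_all", enabled=allow_all_enabled,
                 user_category="all", host_category="all",
                 service_category="all"),
        HbacRule("restricted-users",
                 user_groups={"restricted-users"},
                 hosts={"foobar"},
                 services={"sshd", "login"}),
    ]


def check(allow_all_enabled: bool, user: str, host: str,
          service: str = "sshd") -> Tuple[bool, List[str]]:
    """Evaluate one access request under the sample policy."""
    rules = build_rules(allow_all_enabled)
    groups = GROUP_MEMBERSHIP.get(user, set())
    return hbac_test(rules, user, groups, host, service)


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"allow_all enabled={enabled}")
        for user, host in (("user1", "foobar"), ("user1", "wombat"),
                           ("alice", "foobar")):
            granted, matched = check(enabled, user, host)
            print(f"  {user}@{host} sshd -> "
                  f"{'ALLOW' if granted else 'DENY'} matched={matched}")
```

With allow_all enabled, user1@wombat is allowed and the only matched rule is allow_all, which is exactly what Joe observed; once that rule is disabled (on a real server, `ipa hbacrule-disable allow_all`), only the restricted-users rule can match, so user1 reaches foobar over sshd and nothing else, and a non-member such as alice reaches nothing. The real `ipa hbactest --user ... --host ... --service ...` command lists matched and unmatched rules in the same spirit, and is the right way to confirm a policy before relying on it.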
From jlinoff at tabula.com Mon Jun 4 12:32:16 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Mon, 4 Jun 2012 05:32:16 -0700
Subject: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts
In-Reply-To: <1338791980.30320.6.camel@balmora.brq.redhat.com>
References: <8AD4194C251EC74CB897E261038F447801005B0A@mantaray.tabula.com>
	<1338791980.30320.6.camel@balmora.brq.redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F447801005B4E@mantaray.tabula.com>

Hi Mark:

Thank you for your suggestion. I will try it later today.

Regards,

Joe

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com]
Sent: Sunday, June 03, 2012 11:40 PM
To: Joe Linoff
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts

Hello Joe,

did you disable the default allow_all HBAC rule?

# ipa hbacrule-show allow_all
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

With this rule disabled, the policy you described should be properly
enforced. When testing HBAC rules you may want to try the CLI and Web UI
interface to the hbactest command, which can help you to test who can use
what service on which machine and also which rules matched when the
access was allowed.

HTH,
Martin

From jlinoff at tabula.com Mon Jun 4 13:21:04 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Mon, 4 Jun 2012 06:21:04 -0700
Subject: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts
In-Reply-To: <1338811826.2402.3.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <8AD4194C251EC74CB897E261038F447801005B0A@mantaray.tabula.com>
	<1338791980.30320.6.camel@balmora.brq.redhat.com>
	<1338811826.2402.3.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F447801005B4F@mantaray.tabula.com>

Thank you both.

Turning off allow_all did the trick. Now everything works perfectly.

This tool rocks!

Thanks,

Joe

-----Original Message-----
From: Stephen Gallagher [mailto:sgallagh at redhat.com]
Sent: Monday, June 04, 2012 5:10 AM
To: Martin Kosek
Cc: Joe Linoff; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts

If you're still experiencing problems after disabling the default
allow_all rule, please submit the relevant section of /var/log/secure so
we can see if anything peculiar is occurring in the PAM authentication
and authorization.

From rcritten at redhat.com Mon Jun 4 14:42:15 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 Jun 2012 10:42:15 -0400
Subject: [Freeipa-users] HOWTO: Zimbra Authentication and GAL lookups with FreeIPA backend
In-Reply-To: <4FCAA82F.3090906@themacartneyclan.com>
References: <4FCAA82F.3090906@themacartneyclan.com>
Message-ID: <4FCCC947.9010903@redhat.com>

Dale Macartney wrote:
> Morning all
>
> Just a quick mail to let everyone know that I have placed a new wiki
> page for integrating Zimbra authentication and GAL lookups into IPA.
>
> Link is here
> http://freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA
>
> This was my first time using Zimbra to be honest, so this is a straight
> forward "get it working" integration document. I'll work on getting SSO
> working in the future when I have a greater understanding of the product.
> If anyone has access to a dev/test lab or has any experience with Zimbra
> who wouldn't mind giving the steps a go, I would love to get some
> feedback or comments.
>
> I have screenshots to go with the document as well, however they aren't
> uploading correctly at present. I will upload when I can.
>
> Let me know what you think.
>
> Hoo roo for now.

Wow, this is terrific. Thanks for taking the time to post such detailed
documentation.

regards

rob

From SKline at tnsi.com Mon Jun 4 17:28:37 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Mon, 4 Jun 2012 10:28:37 -0700
Subject: [Freeipa-users] SSH Keys?
Message-ID:

Some of my users have expressed concerns about moving to FreeIPA because
they prefer to use SSH. The main reason behind that is because they can
use agent forwarding and only have to sign on once. I did find
information on forwardable Kerberos tickets, kinit -f. Has anyone used
this in place of SSH keys, or do you have other suggestions? There are a
few service accounts scripted to work with SSH keys so we may have to
leave a few local accounts on the servers. I don't particularly like
that idea.

Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495

________________________________
This e-mail message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information of Transaction Network Services.
Any unauthorised review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail and
destroy all copies of the original message.

From erinn.looneytriggs at gmail.com Mon Jun 4 17:34:08 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Mon, 04 Jun 2012 09:34:08 -0800
Subject: [Freeipa-users] SSH Keys?
In-Reply-To:
References:
Message-ID: <4FCCF190.7000402@gmail.com>

On 06/04/2012 09:28 AM, Kline, Sara wrote:
> Some of my users have expressed concerns about moving to FreeIPA because
> they prefer to use SSH. The main reason behind that is because they can
> use agent forwarding and only have to sign on once. I did find
> information on forwardable Kerberos tickets, kinit -f. Has anyone used
> this in place of SSH keys, or do you have other suggestions? There are a
> few service accounts scripted to work with SSH keys so we may have to
> leave a few local accounts on the servers. I don't particularly like
> that idea.

Kerberos works just fine in place of SSH keys, I have been using it for
years now. As well, and I am sure others can provide more details, but I
believe the version 3 release of FreeIPA manages host and user SSH keys,
so I imagine with that you can use either or, though I am a kerb purist.

-Erinn

From dale at themacartneyclan.com Mon Jun 4 17:36:49 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Mon, 04 Jun 2012 18:36:49 +0100
Subject: [Freeipa-users] SSH Keys?
In-Reply-To:
References:
Message-ID: <4FCCF231.4060305@themacartneyclan.com>

On 04/06/12 18:28, Kline, Sara wrote:
> Some of my users have expressed concerns about moving to FreeIPA because
> they prefer to use SSH. The main reason behind that is because they can
> use agent forwarding and only have to sign on once. I did find
> information on forwardable Kerberos tickets, kinit -f. Has anyone used
> this in place of SSH keys, or do you have other suggestions? There are a
> few service accounts scripted to work with SSH keys so we may have to
> leave a few local accounts on the servers. I don't particularly like
> that idea.

Hi Sara

The big difference here is your users will see this as you taking
something away from them. Yes kerberos tickets will work perfectly in
this situation, I do this myself. The issue you need to be aware of is
that they will expire, as they should. An SSH key is nothing more than
bypassing an authentication process.

I would recommend using centralized service accounts in place of more
local accounts, as this way you will always be able to manage them in
the future.

Does this help?

From SKline at tnsi.com Mon Jun 4 17:56:44 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Mon, 4 Jun 2012 10:56:44 -0700
Subject: [Freeipa-users] SSH Keys?
In-Reply-To: <4FCCF231.4060305@themacartneyclan.com>
References: <4FCCF231.4060305@themacartneyclan.com>
Message-ID:

Yes, it does. I don't see what the problem is having to authenticate to
each server. It is more secure that way, I think they are just used to
being able to take shortcuts. I guess if they really fuss about it we
could set up forwardable tickets.

I would definitely prefer to have all of the service accounts be on the
server rather than local.

Thanks,

Sara Kline

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dale Macartney
Sent: Monday, June 04, 2012 10:37 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] SSH Keys?

On 04/06/12 18:28, Kline, Sara wrote:
> Some of my users have expressed concerns about moving to FreeIPA because
> they prefer to use SSH. [...]

Hi Sara

The big difference here is your users will see this as you taking
something away from them. Yes kerberos tickets will work perfectly in
this situation, I do this myself. The issue you need to be aware of is
that they will expire, as they should. An SSH key is nothing more than
bypassing an authentication process.

I would recommend using centralized service accounts in place of more
local accounts, as this way you will always be able to manage them in
the future.

Does this help?
From lyamanishi at sesda2.com Mon Jun 4 22:52:02 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Mon, 04 Jun 2012 18:52:02 -0400
Subject: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 104
In-Reply-To:
References:
Message-ID: <4FCD3C12.9020406@sesda2.com>

On 05/17/2012 10:47 AM, Lucas Yamanishi wrote:
>> On 05/17/2012 09:34 AM, Rob Crittenden wrote:
>>> Lucas Yamanishi wrote:
>>>> Hi everybody,
>>>>
>>>> I've added some custom schema to my directory, but it's useless to me
>>>> if I can't control read permissions on it. This is obviously a little
>>>> tricky since (Free)IPA allows everybody to read everything by default.
>>>> With that, what's the best way to restrict access to user attributes?
>>>> Is there anything like this in the roadmap?
>>> Right now there are no plans to support deny ACIs natively in the
>>> permission plugin. That isn't set into stone, we just need some convincing.
>> Then let me make the case:
>>
>> I know IPA is aimed mainly at authentication and authorization, but it
>> provides enough base schema and tree structure to do basic asset and
>> personnel management. More importantly, it's easier to set up than a
>> pure 389 Directory. This makes it ideal for small to medium sized
>> organizations that don't need the extra utility a separate directory
>> provides. Additionally, the well-designed webui makes it easy to
>> delegate tasks to non-technical personnel. The requirements to achieve
>> this end are two: add native support for a restricted set of schema
>> extensions and fine-grained access controls to those attributes.
>>
>> For schema extensions, support could (and should) be limited only to
>> additional attributes on a restricted set of existing objects. For
>> example, additions to users and hosts. This would satisfy requirements
>> for a majority of small to medium sized organizations, I'd think.
>
> Building a generic mechanism is really a lot of work.
> It might be simpler to do it differently, i.e. incrementally add support
> for additional attributes.
> Do you have the schema that you added handy?
> What is the application that uses it? Is it popular? Is it open source?
> If it is it might make sense to just support these attributes out of the box
> if the schema is loaded.

Mostly I'm talking about truly custom schema, like you would create after
obtaining an enterprise OID. A few things I'm adding are hire date,
emergency contact, previous employer and badge number. Human Resources
stuff. Once I get it all hammered out I'll send you a copy.

As far as standardized schema goes, a lot of the attributes I need are in
RFCs 4519 and 4524. Things like organizationName, organizationalUnitName,
organizationalStatus, personalTitle, homePostalAddress and/or
postalAddress. Again, HR stuff-- and that's what I'm talking about. Your
system already tracks user accounts very well. Why not extend it to track
them as fully fledged people?

--
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706
* 301-352-4646 * 0xE23F3D7A

From freeipa at noboost.org Tue Jun 5 03:37:05 2012
From: freeipa at noboost.org (freeipa at noboost.org)
Date: Tue, 5 Jun 2012 07:37:05 +0400
Subject: [Freeipa-users] su: [ID 219349 auth.debug] pam_unix_auth: user craig not found (Solaris 10 IPA client)
Message-ID: <20120605033705.GB3854@noboost.org>

Hi All,

I'm sooo close to getting my Solaris 10 (SPARC) client to work with IPA

Server:
- Red Hat Enterprise Linux Server release 6.2
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64

Client:
Solaris 10 - Sparc
SunOS lyra 5.10 Generic_141414-02 sun4u sparc SUNW,Sun-Fire-V210

Issue:
On ssh login, /var/log/authlog reports "user not found"

------------------------------------------------------------------------
FILE: /var/log/authlog
Jun 5 12:07:11 lyra sshd[1250]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: Success
Jun 5 12:07:11 lyra sshd[1250]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 5 12:07:11 lyra sshd[1250]: [ID 219349 auth.debug] pam_unix_auth: user craig not found
Jun 5 12:07:11 lyra sshd[1250]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
Jun 5 12:07:11 lyra sshd[1250]: [ID 800047 auth.notice] Failed keyboard-interactive for craig from 192.168.0.103 port 48658 ssh2
------------------------------------------------------------------------

- Additionally, I can log in via "su - craig" from a root account, but not
when auth is required.

-bash-3.00$ su - craig
Password:
su: Unknown id: craig

getent even works;
# getent passwd craig
craig:*:343:135:Craig:/home/craig:/bin/bash

Plus kerberos works, when simply running `kinit craig`.

Any tips??
cya Craig From rcritten at redhat.com Tue Jun 5 03:51:47 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 04 Jun 2012 23:51:47 -0400 Subject: [Freeipa-users] su: [ID 219349 auth.debug] pam_unix_auth: user craig not found (Solaris 10 IPA client) In-Reply-To: <20120605033705.GB3854@noboost.org> References: <20120605033705.GB3854@noboost.org> Message-ID: <4FCD8253.4090701@redhat.com> freeipa at noboost.org wrote: > Hi All, > > I'm sooo close to getting my Solaris 10 (SPARC) client to work with IPA > > Server: > - Red Hat Enterprise Linux Server release 6.2 > ipa-admintools-2.1.3-9.el6.x86_64 > ipa-client-2.1.3-9.el6.x86_64 > ipa-pki-ca-theme-9.0.3-7.el6.noarch > ipa-pki-common-theme-9.0.3-7.el6.noarch > ipa-python-2.1.3-9.el6.x86_64 > ipa-server-2.1.3-9.el6.x86_64 > ipa-server-selinux-2.1.3-9.el6.x86_64 > > > Client: > Solaris 10 - Sparc > SunOS lyra 5.10 Generic_141414-02 sun4u sparc SUNW,Sun-Fire-V210 > > > Issue: > On ssh login, /var/log/authlog reports "user not found" > > ------------------------------------------------------------------------ > FILE: /var/log/authlog > Jun 5 12:07:11 lyra sshd[1250]: [ID 525286 auth.debug] PAM-KRB5 (auth): > end: Success > Jun 5 12:07:11 lyra sshd[1250]: [ID 896952 auth.debug] pam_unix_auth: > entering pam_sm_authenticate() > Jun 5 12:07:11 lyra sshd[1250]: [ID 219349 auth.debug] pam_unix_auth: > user craig not found > Jun 5 12:07:11 lyra sshd[1250]: [ID 800047 auth.info] > Keyboard-interactive (PAM) userauth failed[13] while authenticating: No > account present for user > Jun 5 12:07:11 lyra sshd[1250]: [ID 800047 auth.notice] Failed > keyboard-interactive for craig from 192.168.0.103 port 48658 ssh2 > ------------------------------------------------------------------------ > > - Additionally, I can log in via "su - craig" from a root account, but not > when auth is required. 
> > -bash-3.00$ su - craig > Password: > su: Unknown id: craig > > getent even works; > # getent passwd craig > craig:*:343:135:Craig:/home/craig:/bin/bash > > Plus kerberos works, when simply running `kinit craig`. > > > > Any tips?? What have you done so far to configure the machine? rob From Steven.Jones at vuw.ac.nz Tue Jun 5 03:54:29 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 5 Jun 2012 03:54:29 +0000 Subject: [Freeipa-users] sudo documentation 6.3beta documentation page 279 section 13.2.1.1. Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCA38B7@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Trying to setup sudo via the gui but I suspect at least one stage is missing can we have some screenshots also so I know what I'm expecting to see? ========= 5. Click the Add and Edit button to go immediately to the edit pages for the command. 6. In the Sudo Command Groups tab, click the Add button to add the sudo command to a command group. 7. Click the checkbox by the groups for the command to join, and click the right arrows button, >>, to move the group to the selection box. 8. Click the Add button. ======== A command/instruction missing between 6 and 7? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From Steven.Jones at vuw.ac.nz Tue Jun 5 03:59:51 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 5 Jun 2012 03:59:51 +0000 Subject: [Freeipa-users] sudo documentation 6.3beta documentation page 279 section 13.2.1.1. In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCA38B7@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CCA38B7@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCA38D5@STAWINCOX10MBX1.staff.vuw.ac.nz> or maybe instead of, "6. In the Sudo Command Groups tab, click the Add button to add the sudo command to a command group." It should be, "6. 
In the Sudo Command Groups tab, click the Enrol button to add the sudo command to a command group." ? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Tuesday, 5 June 2012 3:54 p.m. Cc: freeipa-users at redhat.com Subject: [Freeipa-users] sudo documentation 6.3beta documentation page 279 section 13.2.1.1. Hi, Trying to setup sudo via the gui but I suspect at least one stage is missing can we have some screenshots also so I know what I'm expecting to see? ========= 5. Click the Add and Edit button to go immediately to the edit pages for the command. 6. In the Sudo Command Groups tab, click the Add button to add the sudo command to a command group. 7. Click the checkbox by the groups for the command to join, and click the right arrows button, >>, to move the group to the selection box. 8. Click the Add button. ======== A command/instruction missing between 6 and 7? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Tue Jun 5 04:02:19 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 5 Jun 2012 04:02:19 +0000 Subject: [Freeipa-users] sudo documentation 6.3beta documentation page 279 section 13.2.1.1. In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCA38B7@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CCA38B7@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCA38E0@STAWINCOX10MBX1.staff.vuw.ac.nz> Also, 8. Click the Add button. should be, 8. Click the enrol button. ? 
Without screenshots I have no idea in the web ui if I am in the right place...... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Tuesday, 5 June 2012 3:54 p.m. Cc: freeipa-users at redhat.com Subject: [Freeipa-users] sudo documentation 6.3beta documentation page 279 section 13.2.1.1. Hi, Trying to setup sudo via the gui but I suspect at least one stage is missing can we have some screenshots also so I know what I'm expecting to see? ========= 5. Click the Add and Edit button to go immediately to the edit pages for the command. 6. In the Sudo Command Groups tab, click the Add button to add the sudo command to a command group. 7. Click the checkbox by the groups for the command to join, and click the right arrows button, >>, to move the group to the selection box. 8. Click the Add button. ======== A command/instruction missing between 6 and 7? 
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From freeipa at noboost.org Tue Jun 5 06:30:28 2012 From: freeipa at noboost.org (freeipa at noboost.org) Date: Tue, 5 Jun 2012 10:30:28 +0400 Subject: [Freeipa-users] su: [ID 219349 auth.debug] pam_unix_auth: user craig not found (Solaris 10 IPA client) In-Reply-To: <4FCD8253.4090701@redhat.com> References: <20120605033705.GB3854@noboost.org> <4FCD8253.4090701@redhat.com> Message-ID: <20120605063028.GC3854@noboost.org> On Mon, Jun 04, 2012 at 11:51:47PM -0400, Rob Crittenden wrote: > freeipa at noboost.org wrote: > >Hi All, > > > >I'm sooo close to getting my Solaris 10 (SPARC) client to work with IPA > > > >Server: > >- Red Hat Enterprise Linux Server release 6.2 > >ipa-admintools-2.1.3-9.el6.x86_64 > >ipa-client-2.1.3-9.el6.x86_64 > >ipa-pki-ca-theme-9.0.3-7.el6.noarch > >ipa-pki-common-theme-9.0.3-7.el6.noarch > >ipa-python-2.1.3-9.el6.x86_64 > >ipa-server-2.1.3-9.el6.x86_64 > >ipa-server-selinux-2.1.3-9.el6.x86_64 > > > > > >Client: > >Solaris 10 - Sparc > >SunOS lyra 5.10 Generic_141414-02 sun4u sparc SUNW,Sun-Fire-V210 > > > > > >Issue: > >On ssh login, /var/log/authlog reports "user not found" > > > >------------------------------------------------------------------------ > >FILE: /var/log/authlog > >Jun 5 12:07:11 lyra sshd[1250]: [ID 525286 auth.debug] PAM-KRB5 (auth): > >end: Success > >Jun 5 12:07:11 lyra sshd[1250]: [ID 896952 auth.debug] pam_unix_auth: > >entering pam_sm_authenticate() > >Jun 5 12:07:11 lyra sshd[1250]: [ID 219349 auth.debug] pam_unix_auth: > >user craig not found > >Jun 5 12:07:11 lyra sshd[1250]: [ID 800047 auth.info] > >Keyboard-interactive (PAM) userauth failed[13] while authenticating: No > >account present for user > >Jun 5 12:07:11 lyra sshd[1250]: [ID 800047
auth.notice] Failed > >keyboard-interactive for craig from 192.168.0.103 port 48658 ssh2 > >------------------------------------------------------------------------ > > > >- Additionally, I can log in via "su - craig" from a root account, but not > >when auth is required. > > > >-bash-3.00$ su - craig > >Password: > >su: Unknown id: craig > > > >getent even works; > ># getent passwd craig > >craig:*:343:135:Craig:/home/craig:/bin/bash > > > >Plus kerberos works, when simply running `kinit craig`. > > > > > > > >Any tips?? > > What have you done so far to configure the machine? > > rob I've just done my best to follow the IPA manual; ============================================================================= # cat /var/ldap/ldap_client_file # # Do not edit this file manually; your changes will be lost.Please use # ldapclient (1M) instead. # NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= 192.168.0.214 NS_LDAP_SEARCH_BASEDN= dc=example,dc=com NS_LDAP_AUTH= none NS_LDAP_CACHETTL= 0 NS_LDAP_CREDENTIAL_LEVEL= anonymous NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=com NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=accounts,dc=example,dc=com NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=homeDirectory NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixaccount NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup ------------------------------------------------------------------ # cat /etc/krb5/krb5.conf [libdefaults] default_realm = EXAMPLE.COM verify_ap_req_nofail = false [realms] EXAMPLE.COM = { kdc = sysvm-ipa.example.com admin_server = sysvm-ipa.example.com } [domain_realm] example.com = EXAMPLE.COM 
.example.com = EXAMPLE.COM [logging] default = FILE:/var/krb5/kdc.log kdc = FILE:/var/krb5/kdc.log [appdefaults] kinit = { renewable = true forwardable= true } ------------------------------------------------------------------ bash-3.00# grep krb /etc/pam.conf login auth sufficient pam_krb5.so.1 try_first_pass debug other auth sufficient pam_krb5.so.1 debug other account required pam_krb5.so.1 debug other password sufficient pam_krb5.so.1 debug ------------------------------------------------------------------ ============================================================================= From whbos at xs4all.nl Tue Jun 5 06:43:58 2012 From: whbos at xs4all.nl (Willem Bos) Date: Tue, 5 Jun 2012 08:43:58 +0200 Subject: [Freeipa-users] Provision user accounts & groups from external IM Message-ID: Hi all, Is there an API to provision user accounts to FreeIPA that I can use from an external Identity Management environment? Of course, we could just simply create an LDAP object in the 389 server but this probably won't trigger the same actions as using `ipa user-add ...` or `ipa group-add ...` from the command line. I did find the user_add class in the API documentation (http://freeipa.org/page/Python_Coding_Style). Is this the way to go? If so, is there sample code available? (please be gentle, for me programming means bash :-) Regards, Willem. From sigbjorn at nixtra.com Tue Jun 5 07:14:40 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 5 Jun 2012 09:14:40 +0200 (CEST) Subject: [Freeipa-users] 389-ds memory usage In-Reply-To: <4F95A1AE.8090704@redhat.com> References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com> Message-ID: <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> On Mon, April 23, 2012 20:38, Rich Megginson wrote: > Ok. 
The current theory is that the memory growth is caused by the churn > of entries being added to and removed from the entry cache. It's not yet known why this growth is > seen. It could be just that the memory is getting fragmented, or there is a real yet undetected > memory leak. That's why entry cache sizing and monitoring is very important, to see > if you are churning entries in/out of the cache, and if that is correlated with the memory growth.

This memory issue is still occurring in the production environment after increasing the max entry cache size to 256MB, and it is impacting performance. See below for an output of the memory usage and the current size and hitratio of the cache on the 3 production IPA servers. How do you suggest moving forward to troubleshoot this issue?

Mem: 8050880k total, 7893612k used, 157268k free, 1924k buffers
Swap: 14811120k total, 3738640k used, 11072480k free, 38032k cached
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
entrycachehitratio: 97
maxentrycachesize: 268435456
currententrycachesize: 14047758
currententrycachecount: 3062

Mem: 8059224k total, 7907904k used, 151320k free, 9060k buffers
Swap: 14811120k total, 2507796k used, 12303324k free, 58104k cached
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
entrycachehitratio: 99
maxentrycachesize: 268435456
currententrycachesize: 13963883
currententrycachecount: 3062

Mem: 8062240k total, 7932268k used, 129972k free, 864k buffers
Swap: 2097144k total, 2097144k used, 0k free, 16788k cached
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
entrycachehitratio: 99
maxentrycachesize: 268435456
currententrycachesize: 13809438
currententrycachecount: 3066

Rgds, Siggi From sigbjorn at nixtra.com Tue Jun 5 08:01:52 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 5 Jun 2012 10:01:52 +0200 (CEST) Subject: [Freeipa-users] su: [ID 219349 auth.debug] pam_unix_auth: user craig not found (Solaris 10 IPA client) In-Reply-To:
<20120605063028.GC3854@noboost.org> References: <20120605033705.GB3854@noboost.org> <4FCD8253.4090701@redhat.com> <20120605063028.GC3854@noboost.org> Message-ID: <20624.213.225.75.97.1338883312.squirrel@www.nixtra.com> Please try to initialize the client using the default DUA profile included with IPA:

$ ldapclient -v init \
 -a profileName=default \
 ipaserver.example.com

You can also take a look at these two requests I've opened to update the Solaris 10 documentation, and including a default DUA config profile including more enhanced configuration of the client. https://bugzilla.redhat.com/show_bug.cgi?id=815533 https://bugzilla.redhat.com/show_bug.cgi?id=815515 If that does not help, please enable more debugging by touching the file /etc/pam_debug and enable debug to a file in syslog.conf. Attempt a login and please post the results to the list. Rgds, Siggi From pvoborni at redhat.com Tue Jun 5 08:51:48 2012 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 05 Jun 2012 10:51:48 +0200 Subject: [Freeipa-users] sudo documentation 6.3beta documentation page 279 section 13.2.1.1. In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCA38B7@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CCA38B7@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4FCDC8A4.9030902@redhat.com> On 06/05/2012 05:54 AM, Steven Jones wrote: > Hi, > > Trying to setup sudo via the gui but I suspect at least one stage is missing can we have some screenshots also so I know what I'm expecting to see? > > ========= > 5. Click the Add and Edit button to go immediately to the edit pages for the command. In screenshot in step 4 you can see the 'Add and Edit' button. It will bring you to page similar to: http://pvoborni.fedorapeople.org/ui/#sudo=sudocmd&policy=sudo&navigation=policy&sudocmd-facet=default&sudocmd-pkey=/usr/bin/more > 6. In the Sudo Command Groups tab, click the Add button to add the sudo command to a > command group.
On that page are two tabs: "Settings" - that's where you are - and "Sudo Command Groups". Click on the latter. Then you can see the "Add button". Note that in previous versions (2.1.X) the add button was called enroll button. I think the rest is straightforward. > 7. Click the checkbox by the groups for the command to join, and click the right arrows button,>>, to > move the group to the selection box. > 8. Click the Add button. > ======== > > A command/instruction missing between 6 and 7? > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 -- Petr Vobornik From abokovoy at redhat.com Tue Jun 5 09:11:59 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 5 Jun 2012 12:11:59 +0300 Subject: [Freeipa-users] Provision user accounts & groups from external IM In-Reply-To: References: Message-ID: <20120605091159.GG25726@redhat.com> On Tue, 05 Jun 2012, Willem Bos wrote: >Hi all, > >Is there an API to provision user accounts to FreeIPA that I can use >from an external Identity Management environment? Of course, we could >just simply create an LDAP object in the 389 server but this probably >won't trigger the same actions as using `ipa user-add ...` or `ipa >group-add ...` from the command line. by "external IdM environment" you mean one where you can't use 'ipa user-add' manually due to ipa utils not being available on that host? As IPA server exposes two interfaces, XML-RPC and JSON-based, you may use any of them directly. http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ shows how to use curl to communicate directly. This example assumes you have configured and working kerberos in curl on the machine you run it.
If not, you'd need to modify the example to use password-based session which would be a bit more elaborate. -- / Alexander Bokovoy From dale at themacartneyclan.com Tue Jun 5 09:44:11 2012 From: dale at themacartneyclan.com (Dale Macartney) Date: Tue, 05 Jun 2012 10:44:11 +0100 Subject: [Freeipa-users] mail entries not populated for users Message-ID: <4FCDD4EB.3080604@themacartneyclan.com> Hi all I may be overlooking something here, but from what I can gather, the value in the ipa config of "Default e-mail domain for new users" should automatically create the mail attribute for said user upon creation? Do I need to do an additional step or something to activate the mail attribute or is it missing? Any pointers on what I'm missing to mail-enable a user in ldap? Running RHEL 6.2 x86_64 with ipa-server 2.1.3-9.el6 Output from ipa server as follows [root at ds01 ~]# ipa config-show Max. username length: 32 Home directory base: /home Default shell: /bin/bash Default users group: ipausers Default e-mail domain for new users: example.com Search time limit: 2 Search size limit: 100 User search fields: uid,givenname,sn,telephonenumber,ou,title Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O=EXAMPLE.COM Password Expiration Notification (days): 4 [root at ds01 ~]# [root at ds01 ~]# ldapsearch -x -b dc=example,dc=com -P 3 -b "uid=testuser,cn=users,cn=accounts,dc=example,dc=com" # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # testuser, users, accounts, example.com dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com displayName: testuser 1 cn: testuser 1 objectClass: top objectClass: person objectClass: organizationalperson objectClass: inetorgperson objectClass: inetuser objectClass: posixaccount objectClass: krbprincipalaux objectClass: krbticketpolicyaux objectClass: ipaobject objectClass: mepOriginEntry loginShell: /bin/bash sn:
1 gecos: testuser 1 homeDirectory: /home/testuser krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example, dc=com krbPrincipalName: testuser at EXAMPLE.COM givenName: testuser uid: testuser initials: t1 uidNumber: 1668600004 gidNumber: 1668600004 ipaUniqueID: 0d620620-acfd-11e1-943c-52540025e829 mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com krbPasswordExpiration: 20120831215158Z krbLastPwdChange: 20120602215158Z krbExtraData:: AAL+ispPdGVzdHVzZXJARVhBTVBMRS5DT00A krbExtraData:: AAgBAA== krbLastSuccessfulAuth: 20120602215703Z krbLoginFailedCount: 0 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 [root at ds01 ~]# Thanks all Dale
From whbos at xs4all.nl Tue Jun 5 10:38:20 2012 From: whbos at xs4all.nl (Willem Bos) Date: Tue, 5 Jun 2012 12:38:20 +0200 Subject: [Freeipa-users] Provision user accounts & groups from external IM In-Reply-To: <20120605091159.GG25726@redhat.com> References: <20120605091159.GG25726@redhat.com> Message-ID: Hi Alexander, Thanks for your quick response. Yes, the server on which the external IM environment is hosted does not have the ipa utils available. As a matter of fact, the server might even be hosted off-site. We're just beginning to explore IM solutions for our environment and the most likely architecture is a 'meta-IM' service that provisions platform specific IM's like AD, Oracle's Internet Directory and IPA. It will probably be a requirement that the meta-IM is to provision IPA directly (instead of Meta-IM -> AD -> IPA). The JSON interface looks promising, I will certainly try the example provided. Would user_add be the suitable command to use? It's the obvious candidate, but I just want to make sure... Thanks again. Regards, Willem. On Tue, Jun 5, 2012 at 11:11 AM, Alexander Bokovoy wrote: > On Tue, 05 Jun 2012, Willem Bos wrote: > >> Hi all, >> >> Is there an API to provision user accounts to FreeIPA that I can use >> from an external Identity Management environment? Of course, we could >> just simply create an LDAP object in the 389 server but this probably >> won't trigger the same actions as using `ipa user-add ...` or `ipa >> group-add ...` from the command line. >> > by "external IdM environment" you mean one where you can't use 'ipa > user-add' manually due to ipa utils not being available on that host? > > As IPA server exposes two interfaces, XML-RPC and JSON-based, you may > use any of them directly. > > http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ > shows how to use curl to communicate directly.
This example > assumes you have configured and working kerberos in curl on the machine > you run it. If not, you'd need to modify the example to use > password-based session which would be a bit more elaborate. > > -- > / Alexander Bokovoy > From abokovoy at redhat.com Tue Jun 5 10:51:14 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 5 Jun 2012 13:51:14 +0300 Subject: [Freeipa-users] Provision user accounts & groups from external IM In-Reply-To: References: <20120605091159.GG25726@redhat.com> Message-ID: <20120605105114.GH25726@redhat.com> On Tue, 05 Jun 2012, Willem Bos wrote: >Hi Alexander, > >Thanks for your quick response. > >Yes, the server on which the external IM environment is hosted does not >have the ipa utils available. As a matter of fact, the server might even be >hosted off-site. We're just beginning to explore IM solutions for our >environment and the most likely architecture is a 'meta-IM' service that >provisions platform specific IM's like AD, Oracle's Internet Directory and >IPA. It will probably be a requirement that the meta-IM is to provision IPA >directly (instead of Meta-IM -> AD -> IPA). > >The JSON interface looks promising, I will certainly try the example >provided. Would user_add be the suitable command to use? It's the obvious >candidate, but I just want to make sure... Yes, user_add is the command.
-- / Alexander Bokovoy From pviktori at redhat.com Tue Jun 5 11:14:12 2012 From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 05 Jun 2012 13:14:12 +0200 Subject: [Freeipa-users] Provision user accounts & groups from external IM In-Reply-To: <20120605105114.GH25726@redhat.com> References: <20120605091159.GG25726@redhat.com> <20120605105114.GH25726@redhat.com> Message-ID: <4FCDEA04.7060107@redhat.com> On 06/05/2012 12:51 PM, Alexander Bokovoy wrote: > On Tue, 05 Jun 2012, Willem Bos wrote: >> Hi Alexander, >> >> Thanks for your quick response. >> >> Yes, the server on which the external IM environment is hosted does not >> have the ipa utils available. As a matter of fact, the server might >> even be >> hosted off-site. We're just beginning to explore IM solutions for our >> environment and the most likely architecture is a 'meta-IM' service that >> provisions platform specific IM's like AD, Oracle's Internet Directory >> and >> IPA. It will probably be a requirement that the meta-IM is to >> provision IPA >> directly (instead of Meta-IM -> AD -> IPA). >> >> The JASON interface looks promising, I will certainly try the example >> provided. Would user_add be the suitable command to use? It's the obvious >> candidate, but I just want to make sure... > Yes, user_add is the command. > Also note that the RPC calls use LDAP attribute names, which are often different from the CLI parameters. 
You can use the show-mappings command to figure out the names to use:

$ ipa show-mappings user-add
Parameter : LDAP attribute
========= : ==============
first : givenname
last : sn
cn : cn
displayname : displayname
initials : initials
homedir : homedirectory
gecos : gecos
shell : loginshell
principal : krbprincipalname
email : mail
random : random
uid : uidnumber
gidnumber : gidnumber
street : street
city : l
state : st
postalcode : postalcode
phone : telephonenumber
mobile : mobile
pager : pager
fax : facsimiletelephonenumber
orgunit : ou
title : title
manager : manager
carlicense : carlicense
sshpubkey : ipasshpubkey
noprivate : noprivate

Be careful as there currently are no warnings if you misspell an argument (we're working on that). -- Petr From whbos at xs4all.nl Tue Jun 5 11:59:44 2012 From: whbos at xs4all.nl (Willem Bos) Date: Tue, 5 Jun 2012 13:59:44 +0200 Subject: [Freeipa-users] Provision user accounts & groups from external IM In-Reply-To: <4FCDEA04.7060107@redhat.com> References: <20120605091159.GG25726@redhat.com> <20120605105114.GH25726@redhat.com> <4FCDEA04.7060107@redhat.com> Message-ID: Thanks, you probably saved me some time/frustration ;-) On Tue, Jun 5, 2012 at 1:14 PM, Petr Viktorin wrote: > On 06/05/2012 12:51 PM, Alexander Bokovoy wrote: > >> On Tue, 05 Jun 2012, Willem Bos wrote: >> >>> Hi Alexander, >>> >>> Thanks for your quick response. >>> >>> Yes, the server on which the external IM environment is hosted does not >>> have the ipa utils available. As a matter of fact, the server might >>> even be >>> hosted off-site. We're just beginning to explore IM solutions for our >>> environment and the most likely architecture is a 'meta-IM' service that >>> provisions platform specific IM's like AD, Oracle's Internet Directory >>> and >>> IPA. It will probably be a requirement that the meta-IM is to >>> provision IPA >>> directly (instead of Meta-IM -> AD -> IPA).
>>> >>> The JSON interface looks promising, I will certainly try the example >>> provided. Would user_add be the suitable command to use? It's the obvious >>> candidate, but I just want to make sure... >>> >> Yes, user_add is the command. >> >> > Also note that the RPC calls use LDAP attribute names, which are often > different from the CLI parameters. You can use the show-mappings command to > figure out the names to use: > > $ ipa show-mappings user-add > Parameter : LDAP attribute > ========= : ============== > first : givenname > last : sn > cn : cn > displayname : displayname > initials : initials > homedir : homedirectory > gecos : gecos > shell : loginshell > principal : krbprincipalname > email : mail > random : random > uid : uidnumber > gidnumber : gidnumber > street : street > city : l > state : st > postalcode : postalcode > phone : telephonenumber > mobile : mobile > pager : pager > fax : facsimiletelephonenumber > orgunit : ou > title : title > manager : manager > carlicense : carlicense > sshpubkey : ipasshpubkey > noprivate : noprivate > > > Be careful as there currently are no warnings if you misspell an argument > (we're working on that). > > -- > Petr > From rcritten at redhat.com Tue Jun 5 13:09:21 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 05 Jun 2012 09:09:21 -0400 Subject: [Freeipa-users] mail entries not populated for users In-Reply-To: <4FCDD4EB.3080604@themacartneyclan.com> References: <4FCDD4EB.3080604@themacartneyclan.com> Message-ID: <4FCE0501.2040705@redhat.com> Dale Macartney wrote: > > Hi all > > I may be overlooking something here, but from what I can gather, the > value in the ipa config of "Default e-mail domain for new users" should > automatically create the mail attribute for said user upon creation?
> > Do I need to do an additional step or something to activate the mail > attribute or is it missing? > > Any pointers on what I'm missing to mail-enable a user in ldap? > > > Running RHEL 6.2 x86_64 with ipa-server 2.1.3-9.el6 > > Output from ipa server as follows > > [root at ds01 ~]# ipa config-show > Max. username length: 32 > Home directory base: /home > Default shell: /bin/bash > Default users group: ipausers > Default e-mail domain for new users: example.com > Search time limit: 2 > Search size limit: 100 > User search fields: uid,givenname,sn,telephonenumber,ou,title > Group search fields: cn,description > Enable migration mode: FALSE > Certificate Subject base: O=EXAMPLE.COM > Password Expiration Notification (days): 4 > [root at ds01 ~]# > > > > [root at ds01 ~]# ldapsearch -x -b dc=example,dc=com -P 3 -b > "uid=testuser,cn=users,cn=accounts,dc=example,dc=com" > # extended LDIF > # > # LDAPv3 > # base with scope > subtree > # filter: (objectclass=*) > # requesting: ALL > # > > # testuser, users, accounts, example.com > dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com > displayName: testuser 1 > cn: testuser 1 > objectClass: top > objectClass: person > objectClass: organizationalperson > objectClass: inetorgperson > objectClass: inetuser > objectClass: posixaccount > objectClass: krbprincipalaux > objectClass: krbticketpolicyaux > objectClass: ipaobject > objectClass: mepOriginEntry > loginShell: /bin/bash > sn: 1 > gecos: testuser 1 > homeDirectory: /home/testuser > krbPwdPolicyReference: > cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example, > dc=com > krbPrincipalName: testuser at EXAMPLE.COM > givenName: testuser > uid: testuser > initials: t1 > uidNumber: 1668600004 > gidNumber: 1668600004 > ipaUniqueID: 0d620620-acfd-11e1-943c-52540025e829 > mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com > krbPasswordExpiration: 20120831215158Z > krbLastPwdChange: 20120602215158Z > krbExtraData:: AAL+ispPdGVzdHVzZXJARVhBTVBMRS5DT00A > 
krbExtraData:: AAgBAA== > krbLastSuccessfulAuth: 20120602215703Z > krbLoginFailedCount: 0 > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > [root at ds01 ~]# It looks like it isn't creating the mail attribute by default. I opened ticket https://fedorahosted.org/freeipa/ticket/2810 rob From dale at themacartneyclan.com Tue Jun 5 13:14:44 2012 From: dale at themacartneyclan.com (Dale Macartney) Date: Tue, 05 Jun 2012 14:14:44 +0100 Subject: [Freeipa-users] mail entries not populated for users In-Reply-To: <4FCE0501.2040705@redhat.com> References: <4FCDD4EB.3080604@themacartneyclan.com> <4FCE0501.2040705@redhat.com> Message-ID: <4FCE0644.9050009@themacartneyclan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/06/12 14:09, Rob Crittenden wrote: > Dale Macartney wrote: >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hi all >> >> I may be overlooking something here, but from what I can gather, the >> value in the ipa config of "Default e-mail domain for new users" should >> automatically create the mail attribute for said user upon creation? >> >> Do I need to do an additional step or something to activate the mail >> attribute or is it missing? >> >> Any pointers on what I'm missing to mail-enable a user in ldap? >> >> >> Running RHEL 6.2 x86_64 with ipa-server 2.1.3-9.el6 >> >> Output from ipa server as follows >> >> [root at ds01 ~]# ipa config-show >> Max. 
username length: 32 >> Home directory base: /home >> Default shell: /bin/bash >> Default users group: ipausers >> Default e-mail domain for new users: example.com >> Search time limit: 2 >> Search size limit: 100 >> User search fields: uid,givenname,sn,telephonenumber,ou,title >> Group search fields: cn,description >> Enable migration mode: FALSE >> Certificate Subject base: O=EXAMPLE.COM >> Password Expiration Notification (days): 4 >> [root at ds01 ~]# >> >> >> >> [root at ds01 ~]# ldapsearch -x -b dc=example,dc=com -P 3 -b >> "uid=testuser,cn=users,cn=accounts,dc=example,dc=com" >> # extended LDIF >> # >> # LDAPv3 >> # base with scope >> subtree >> # filter: (objectclass=*) >> # requesting: ALL >> # >> >> # testuser, users, accounts, example.com >> dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com >> displayName: testuser 1 >> cn: testuser 1 >> objectClass: top >> objectClass: person >> objectClass: organizationalperson >> objectClass: inetorgperson >> objectClass: inetuser >> objectClass: posixaccount >> objectClass: krbprincipalaux >> objectClass: krbticketpolicyaux >> objectClass: ipaobject >> objectClass: mepOriginEntry >> loginShell: /bin/bash >> sn: 1 >> gecos: testuser 1 >> homeDirectory: /home/testuser >> krbPwdPolicyReference: >> cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example, >> dc=com >> krbPrincipalName: testuser at EXAMPLE.COM >> givenName: testuser >> uid: testuser >> initials: t1 >> uidNumber: 1668600004 >> gidNumber: 1668600004 >> ipaUniqueID: 0d620620-acfd-11e1-943c-52540025e829 >> mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com >> krbPasswordExpiration: 20120831215158Z >> krbLastPwdChange: 20120602215158Z >> krbExtraData:: AAL+ispPdGVzdHVzZXJARVhBTVBMRS5DT00A >> krbExtraData:: AAgBAA== >> krbLastSuccessfulAuth: 20120602215703Z >> krbLoginFailedCount: 0 >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 2 >> # numEntries: 1 >> [root at ds01 ~]# > > It looks like it isn't creating the 
mail attribute by default. I opened ticket https://fedorahosted.org/freeipa/ticket/2810 > > rob Thanks for pointing out it wasn't me doing something silly ;-) On thinking deeper onto the issue, perhaps it is beneficial not to have it done by default? e.g. if I have a mail server accepting mail for ldap lookups for mail entries, this would mean EVERYONE has a mailbox whereas that might not be beneficial in many situations.. In the AD side of things, a user has to be mail enabled, in order to become valid for mail purposes. In this situation, I can manually add the mail address with "ipa user-mod --email=testuser at example.com" which does what I was needing. There's a few reasons for and against having default email access for new users... I'm just bouncing some ideas out loud at the moment. Thoughts? Dale
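Added example, not code from this thread or from the FreeIPA project, tying together two points made above: Alexander Bokovoy's pointer that an external IdM can drive the JSON-RPC interface directly, Petr Viktorin's note that the RPC options use the LDAP attribute names from `ipa show-mappings user-add` and that a misspelled option currently produces no warning, and Dale's `ipa user-mod --email=` workaround for the missing mail attribute. The Python below builds the `user_add` call with `mail` set at creation time, checks option names against the mapping table from the thread before anything is sent, and reads the reply envelope. Assumptions that are not taken from the thread: the `/ipa/session/json` endpoint path, the `ipa_session` cookie name, the Referer requirement, and the shape of the constructed sample response.

```python
# Added example (not from the thread or the FreeIPA project): provision a
# user through FreeIPA's JSON-RPC interface the way an external IdM would,
# with the mail attribute set at creation time.
import json
import urllib.request

# CLI parameter -> LDAP attribute name, copied from the `ipa show-mappings
# user-add` output in the thread. The RPC interface wants the right-hand names.
USER_ADD_MAPPINGS = {
    "first": "givenname", "last": "sn", "cn": "cn",
    "displayname": "displayname", "initials": "initials",
    "homedir": "homedirectory", "gecos": "gecos", "shell": "loginshell",
    "principal": "krbprincipalname", "email": "mail", "random": "random",
    "uid": "uidnumber", "gidnumber": "gidnumber", "street": "street",
    "city": "l", "state": "st", "postalcode": "postalcode",
    "phone": "telephonenumber", "mobile": "mobile", "pager": "pager",
    "fax": "facsimiletelephonenumber", "orgunit": "ou", "title": "title",
    "manager": "manager", "carlicense": "carlicense",
    "sshpubkey": "ipasshpubkey", "noprivate": "noprivate",
}
ALLOWED_OPTIONS = frozenset(USER_ADD_MAPPINGS.values())


def cli_to_rpc_options(options):
    """Translate CLI-style names (first=, last=, email=) to RPC names.

    Names already given as LDAP attributes pass through unchanged. Anything
    else raises: the server gives no warning for a misspelled option, so a
    typo like "emial" would otherwise create the user silently without mail.
    """
    rpc = {}
    for key, value in options.items():
        name = USER_ADD_MAPPINGS.get(key, key)
        if name not in ALLOWED_OPTIONS:
            raise ValueError(f"unknown user_add option: {key!r}")
        rpc[name] = value
    return rpc


def build_user_add_request(uid, options, request_id=0):
    """Return the JSON-RPC body equivalent to `ipa user-add uid ...`.

    FreeIPA RPC params are [positional_args, {options}]; the login name is
    user_add's only positional argument.
    """
    return {
        "method": "user_add",
        "params": [[uid], cli_to_rpc_options(options)],
        "id": request_id,
    }


def send_request(server, body, session_cookie):
    """POST the body to the server. Not exercised by the sample run below.

    ASSUMPTIONS (not from the thread): the /ipa/session/json path, that
    `session_cookie` is an "ipa_session=..." cookie from an earlier login,
    and that the server's CA is trusted on this host. The Referer header is
    needed because the server rejects RPC requests that lack it.
    """
    req = urllib.request.Request(
        f"https://{server}/ipa/session/json",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Referer": f"https://{server}/ipa",
                 "Cookie": session_cookie},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def added_user_mail(response):
    """Return the mail values of the created user, raising on an RPC error.

    A caller that only checks for HTTP 200 would treat a refused user_add
    as success; the error object in the envelope is the real status.
    """
    if response.get("error"):
        err = response["error"]
        raise RuntimeError(f"user_add failed: {err.get('code')} {err.get('message')}")
    return response["result"]["result"].get("mail")


# Constructed sample reply in the shape of FreeIPA's JSON-RPC envelope;
# the values are illustrative, not captured from a real server.
SAMPLE_RESPONSE = {
    "result": {
        "result": {
            "dn": "uid=testuser,cn=users,cn=accounts,dc=example,dc=com",
            "uid": ["testuser"], "givenname": ["testuser"], "sn": ["1"],
            "mail": ["testuser@example.com"],
        },
        "value": "testuser",
        "summary": 'Added user "testuser"',
    },
    "error": None,
    "id": 0,
}

if __name__ == "__main__":
    body = build_user_add_request(
        "testuser", {"first": "testuser", "last": "1",
                     "email": "testuser@example.com"})
    print(json.dumps(body, indent=2))
    print("mail:", added_user_mail(SAMPLE_RESPONSE))
```

The option check is the part worth keeping even if the transport changes: because the server ignores unknown option names, a provisioning pipeline that builds requests from a meta-IdM's field names will otherwise drop attributes without any error, and the first sign is a user who cannot receive mail.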
From rcritten at redhat.com Tue Jun 5 13:21:02 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jun 2012 09:21:02 -0400
Subject: [Freeipa-users] mail entries not populated for users
In-Reply-To: <4FCE0644.9050009@themacartneyclan.com>
References: <4FCDD4EB.3080604@themacartneyclan.com> <4FCE0501.2040705@redhat.com> <4FCE0644.9050009@themacartneyclan.com>
Message-ID: <4FCE07BE.5020202@redhat.com>

Dale Macartney wrote:
>
> On 05/06/12 14:09, Rob Crittenden wrote:
>> Dale Macartney wrote:
>>>
>>> Hi all
>>>
>>> I may be overlooking something here, but from what I can gather, the
>>> value in the ipa config of "Default e-mail domain for new users" should
>>> automatically create the mail attribute for said user upon creation?
>>>
>>> Do I need to do an additional step or something to activate the mail
>>> attribute or is it missing?
>>>
>>> Any pointers on what I'm missing to mail-enable a user in ldap?
>>>
>>>
>>> Running RHEL 6.2 x86_64 with ipa-server 2.1.3-9.el6
>>>
>>> Output from ipa server as follows
>>>
>>> [root@ds01 ~]# ipa config-show
>>> Max. username length: 32
>>> Home directory base: /home
>>> Default shell: /bin/bash
>>> Default users group: ipausers
>>> Default e-mail domain for new users: example.com
>>> Search time limit: 2
>>> Search size limit: 100
>>> User search fields: uid,givenname,sn,telephonenumber,ou,title
>>> Group search fields: cn,description
>>> Enable migration mode: FALSE
>>> Certificate Subject base: O=EXAMPLE.COM
>>> Password Expiration Notification (days): 4
>>> [root@ds01 ~]#
>>>
>>>
>>>
>>> [root@ds01 ~]# ldapsearch -x -b dc=example,dc=com -P 3 -b "uid=testuser,cn=users,cn=accounts,dc=example,dc=com"
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <uid=testuser,cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # testuser, users, accounts, example.com
>>> dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
>>> displayName: testuser 1
>>> cn: testuser 1
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalperson
>>> objectClass: inetorgperson
>>> objectClass: inetuser
>>> objectClass: posixaccount
>>> objectClass: krbprincipalaux
>>> objectClass: krbticketpolicyaux
>>> objectClass: ipaobject
>>> objectClass: mepOriginEntry
>>> loginShell: /bin/bash
>>> sn: 1
>>> gecos: testuser 1
>>> homeDirectory: /home/testuser
>>> krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>>> krbPrincipalName: testuser@EXAMPLE.COM
>>> givenName: testuser
>>> uid: testuser
>>> initials: t1
>>> uidNumber: 1668600004
>>> gidNumber: 1668600004
>>> ipaUniqueID: 0d620620-acfd-11e1-943c-52540025e829
>>> mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
>>> krbPasswordExpiration: 20120831215158Z
>>> krbLastPwdChange: 20120602215158Z
>>> krbExtraData:: AAL+ispPdGVzdHVzZXJARVhBTVBMRS5DT00A
>>> krbExtraData:: AAgBAA==
>>> krbLastSuccessfulAuth: 20120602215703Z
>>> krbLoginFailedCount: 0
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>> [root@ds01 ~]#
>>
>> It looks like it isn't creating the mail attribute by default. I opened
>> ticket https://fedorahosted.org/freeipa/ticket/2810
>>
>> rob
>
> Thanks for pointing out it wasn't me doing something silly ;-)
>
> On thinking deeper about the issue, perhaps it is beneficial not to have
> it done by default? e.g. if I have a mail server accepting mail for ldap
> lookups for mail entries, this would mean EVERYONE has a mailbox whereas
> that might not be beneficial in many situations..
>
> In the AD side of things, a user has to be mail enabled in order to
> become valid for mail purposes.
>
> In this situation, I can manually add the mail address with "ipa
> user-mod --email=testuser@example.com" which does what I was needing.
>
> There are a few reasons for and against having default email access for
> new users...
>
> I'm just bouncing some ideas out loud at the moment. Thoughts?
>

Our intention was to automatically populate the field if the default
e-mail domain was set. If it wasn't then we'd do nothing.
rob

From dale at themacartneyclan.com Tue Jun 5 13:22:58 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Tue, 05 Jun 2012 14:22:58 +0100
Subject: [Freeipa-users] mail entries not populated for users
In-Reply-To: <4FCE07BE.5020202@redhat.com>
References: <4FCDD4EB.3080604@themacartneyclan.com> <4FCE0501.2040705@redhat.com> <4FCE0644.9050009@themacartneyclan.com> <4FCE07BE.5020202@redhat.com>
Message-ID: <4FCE0832.9040209@themacartneyclan.com>

On 05/06/12 14:21, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> On 05/06/12 14:09, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>>
>>>> Hi all
>>>>
>>>> I may be overlooking something here, but from what I can gather, the
>>>> value in the ipa config of "Default e-mail domain for new users" should
>>>> automatically create the mail attribute for said user upon creation?
>>>>
>>>> Do I need to do an additional step or something to activate the mail
>>>> attribute or is it missing?
>>>>
>>>> Any pointers on what I'm missing to mail-enable a user in ldap?
>>>>
>>>>
>>>> Running RHEL 6.2 x86_64 with ipa-server 2.1.3-9.el6
>>>>
>>>> Output from ipa server as follows
>>>>
>>>> [root@ds01 ~]# ipa config-show
>>>> Max. username length: 32
>>>> Home directory base: /home
>>>> Default shell: /bin/bash
>>>> Default users group: ipausers
>>>> Default e-mail domain for new users: example.com
>>>> Search time limit: 2
>>>> Search size limit: 100
>>>> User search fields: uid,givenname,sn,telephonenumber,ou,title
>>>> Group search fields: cn,description
>>>> Enable migration mode: FALSE
>>>> Certificate Subject base: O=EXAMPLE.COM
>>>> Password Expiration Notification (days): 4
>>>> [root@ds01 ~]#
>>>>
>>>>
>>>>
>>>> [root@ds01 ~]# ldapsearch -x -b dc=example,dc=com -P 3 -b "uid=testuser,cn=users,cn=accounts,dc=example,dc=com"
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <uid=testuser,cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # testuser, users, accounts, example.com
>>>> dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
>>>> displayName: testuser 1
>>>> cn: testuser 1
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalperson
>>>> objectClass: inetorgperson
>>>> objectClass: inetuser
>>>> objectClass: posixaccount
>>>> objectClass: krbprincipalaux
>>>> objectClass: krbticketpolicyaux
>>>> objectClass: ipaobject
>>>> objectClass: mepOriginEntry
>>>> loginShell: /bin/bash
>>>> sn: 1
>>>> gecos: testuser 1
>>>> homeDirectory: /home/testuser
>>>> krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>>>> krbPrincipalName: testuser@EXAMPLE.COM
>>>> givenName: testuser
>>>> uid: testuser
>>>> initials: t1
>>>> uidNumber: 1668600004
>>>> gidNumber: 1668600004
>>>> ipaUniqueID: 0d620620-acfd-11e1-943c-52540025e829
>>>> mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
>>>> krbPasswordExpiration: 20120831215158Z
>>>> krbLastPwdChange: 20120602215158Z
>>>> krbExtraData:: AAL+ispPdGVzdHVzZXJARVhBTVBMRS5DT00A
>>>> krbExtraData:: AAgBAA==
>>>> krbLastSuccessfulAuth: 20120602215703Z
>>>> krbLoginFailedCount: 0
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>> [root@ds01 ~]#
>>>
>>> It looks like it isn't creating the mail attribute by default. I opened
>>> ticket https://fedorahosted.org/freeipa/ticket/2810
>>>
>>> rob
>>
>> Thanks for pointing out it wasn't me doing something silly ;-)
>>
>> On thinking deeper about the issue, perhaps it is beneficial not to have
>> it done by default? e.g. if I have a mail server accepting mail for ldap
>> lookups for mail entries, this would mean EVERYONE has a mailbox whereas
>> that might not be beneficial in many situations..
>>
>> In the AD side of things, a user has to be mail enabled in order to
>> become valid for mail purposes.
>>
>> In this situation, I can manually add the mail address with "ipa
>> user-mod --email=testuser@example.com" which does what I was needing.
>>
>> There are a few reasons for and against having default email access for
>> new users...
>>
>> I'm just bouncing some ideas out loud at the moment. Thoughts?
>>
>
> Our intention was to automatically populate the field if the default
> e-mail domain was set. If it wasn't then we'd do nothing.
>
> rob

That does make sense.. As long as the customer has a method of controlling
yay or nay, that's the main thing.

Thanks for clarifying.
Dale

From rmeggins at redhat.com Tue Jun 5 15:55:35 2012
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 05 Jun 2012 11:55:35 -0400 (EDT)
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com>
Message-ID: <0e242428-9224-4331-9d4e-8e1c4b1fb778@zmail16.collab.prod.int.phx2.redhat.com>

----- Original Message -----
> On Mon, April 23, 2012 20:38, Rich Megginson wrote:
>
>> Ok. The current theory is that the memory growth is caused by the churn
>> of entries being added to and removed from the entry cache. It's not yet
>> known why this growth is seen. It could be just that the memory is
>> getting fragmented, or there is a real yet undetected memory leak.
>> That's why entry cache sizing and monitoring is very important, to see
>> if you are churning entries in/out of the cache, and if that is
>> correlated with the memory growth.
>>
>
> This memory issue is still occurring in the production environment after
> increasing the max entry cache size to 256MB, and it is impacting
> performance. See below for an output of the memory usage and the current
> size and hitratio of the cache on the 3 production IPA servers.
>
> How do you suggest moving forward to troubleshoot this issue?

Are you seeing https://fedorahosted.org/389/ticket/386 ?

>
> Mem: 8050880k total, 7893612k used, 157268k free, 1924k buffers
> Swap: 14811120k total, 3738640k used, 11072480k free, 38032k cached
>
> dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> entrycachehitratio: 97
> maxentrycachesize: 268435456
> currententrycachesize: 14047758
> currententrycachecount: 3062
>
>
> Mem: 8059224k total, 7907904k used, 151320k free, 9060k buffers
> Swap: 14811120k total, 2507796k used, 12303324k free, 58104k cached
>
> dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> entrycachehitratio: 99
> maxentrycachesize: 268435456
> currententrycachesize: 13963883
> currententrycachecount: 3062
>
>
> Mem: 8062240k total, 7932268k used, 129972k free, 864k buffers
> Swap: 2097144k total, 2097144k used, 0k free, 16788k cached
>
> dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> entrycachehitratio: 99
> maxentrycachesize: 268435456
> currententrycachesize: 13809438
> currententrycachecount: 3066
>
>
> Rgds,
> Siggi

From ptader at linuxscope.com Tue Jun 5 18:18:37 2012
From: ptader at linuxscope.com (Paul Tader)
Date: Tue, 05 Jun 2012 13:18:37 -0500
Subject: [Freeipa-users] FreeIPA webserver cert expired.
Message-ID: <4FCE4D7D.4090700@linuxscope.com>

A couple days ago my (apache) certificates expired.
Users are able to kinit but tools such as sudo fail because of the expired
certificates. Lots of reading/Google'ing later I found this script (steps)
to renew these certs:

I'd rather run the commands one at a time, but my question is am I on the
right track? Will this work? Other suggestions? I know I'll probably have
to reset the date on the server back a couple days and get a new ticket to
make this work.

--- From: http://adam.younglogic.com/2011/08/httpd-cert/ ----
CSR=`mktemp`
PRINCIPAL=HTTP/`hostname`
CERT=`mktemp`
certutil -R -s "CN=$HOSTNAME" -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt -g 1024 -a > $CSR
ipa cert-request $CSR --principal=$PRINCIPAL
ipa service-show $PRINCIPAL --out $CERT
certutil -A -d /etc/httpd/alias/ -n "Server-Cert" -t "u,u,u" -a -f /etc/httpd/alias/pwdfile.txt -i $CERT
---

$ sudo -l
sudo: ldap_start_tls_s(): Connect error
sudo: no valid sudoers sources found, quitting
---
[root@srv01 ~]# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
	status: SUBMITTING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYREALM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MYREALM//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-REALM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=MYREALM
	subject: CN=srv01.company.net,O=MYREALM.NET
	expires: 2012-06-03 20:19:49 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
Request ID '20110706215129':
	status: SUBMITTING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=MYREALM.NET
	subject: CN=srv01.company.net,O=MYREALM.NET
	expires: 2012-06-03 20:19:49 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
Request ID '20110706215145':
	status: SUBMITTING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=MYREALM.NET
	subject: CN=srv01.company.net,O=MYREALM.NET
	expires: 2012-06-03 20:19:49 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
---
[root@srv01 ~]# tail -1 /var/log/httpd/error_log
[Tue Jun 05 13:11:06 2012] [error] SSL Library Error: -12269 The server has rejected your certificate as expired

From JR.Aquino at citrix.com Tue Jun 5 19:28:21 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 5 Jun 2012 19:28:21 +0000
Subject: [Freeipa-users] FreeIPA webserver cert expired.
In-Reply-To: <4FCE4D7D.4090700@linuxscope.com>
References: <4FCE4D7D.4090700@linuxscope.com>
Message-ID: <58AFF337-9503-4DC7-9152-378791C00043@citrixonline.com>

On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:

> A couple days ago my (apache) certificates expired. Users are able to
> kinit but tools such as sudo fail because of the expired certificates.
> Lots of reading/Google'ing later I found this script (steps) to renew
> these certs:

I'm just curious, but, isn't certmonger supposed to automatically renew
these? Is certmonger failing in this case?

From rcritten at redhat.com Tue Jun 5 19:33:23 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jun 2012 15:33:23 -0400
Subject: [Freeipa-users] FreeIPA webserver cert expired.
In-Reply-To: <58AFF337-9503-4DC7-9152-378791C00043@citrixonline.com>
References: <4FCE4D7D.4090700@linuxscope.com> <58AFF337-9503-4DC7-9152-378791C00043@citrixonline.com>
Message-ID: <4FCE5F03.3000901@redhat.com>

JR Aquino wrote:
> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>
>> A couple days ago my (apache) certificates expired. Users are able to
>> kinit but tools such as sudo fail because of the expired certificates.
>> Lots of reading/Google'ing later I found this script (steps) to renew
>> these certs:
>
> I'm just curious, but, isn't certmonger supposed to automatically renew
> these? Is certmonger failing in this case?

Yes, the first thing to do is figure out why certmonger didn't
automatically renew the certificates. Then it should be as simple as
setting the date back, letting certmonger do its thing, then setting it
forward again.

That is very strange certmonger output. You might try setting the date
back a couple of days and trying something like:

ipa-getcert resubmit -i 20110706215145

And see what the status goes to.
rob

From dpal at redhat.com Tue Jun 5 19:45:03 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 05 Jun 2012 15:45:03 -0400
Subject: [Freeipa-users] HOWTO: Zimbra Authentication and GAL lookups with FreeIPA backend
In-Reply-To: <4FCAA82F.3090906@themacartneyclan.com>
References: <4FCAA82F.3090906@themacartneyclan.com>
Message-ID: <4FCE61BF.4090408@redhat.com>

On 06/02/2012 07:56 PM, Dale Macartney wrote:
>
> Morning all
>
> Just a quick mail to let everyone know that I have placed a new wiki
> page for integrating Zimbra authentication and GAL lookups into IPA.
>
> Link is here
> http://freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA
>
> This was my first time using Zimbra to be honest, so this is a straight
> forward "get it working" integration document. I'll work on getting SSO
> working in the future when I have a greater understanding of the product.
>
> If anyone has access to a dev/test lab or has any experience with Zimbra
> who wouldn't mind giving the steps a go, I would love to get some
> feedback or comments.
>
> I have screenshots to go with the document as well, however they aren't
> uploading correctly at present. I will upload when I can.
>
> Let me know what you think.
>
> Hoo roo for now.
>
> Dale
>

Really awesome!

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
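An added example for the "FreeIPA webserver cert expired" thread above (Paul Tader's ipa-getcert list output and Rob Crittenden's resubmit suggestion); it is not code from any of the posters, FreeIPA or certmonger. It audits the text `ipa-getcert list` prints instead of calling the tool, so the sample below is constructed from Paul's output (abbreviated to the fields the audit reads) and the reference time is the httpd error_log timestamp he posted.

```python
"""Audit the certificates certmonger tracks and flag the ones needing a hand.

Added example for the certmonger thread above; not FreeIPA or certmonger
code.  It parses `ipa-getcert list` output as text, so it runs offline.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the `ipa-getcert list` output in the thread
# (abbreviated to the fields the audit reads).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
        status: SUBMITTING
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-REALM',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=srv01.company.net,O=MYREALM.NET
        expires: 2012-06-03 20:19:49 UTC
        auto-renew: yes
Request ID '20110706215129':
        status: SUBMITTING
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=srv01.company.net,O=MYREALM.NET
        expires: 2012-06-03 20:19:49 UTC
        auto-renew: yes
Request ID '20110706215145':
        status: SUBMITTING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=srv01.company.net,O=MYREALM.NET
        expires: 2012-06-03 20:19:49 UTC
        auto-renew: yes
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S UTC"   # the format certmonger uses for 'expires:'


def parse_getcert_list(text):
    """Turn `ipa-getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # split on the first colon only
            current[key.strip()] = value.strip()
        # the "Number of certificates ..." header precedes any request: skipped
    return requests


def parse_utc(value):
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def nssdb_location(storage_spec):
    """Extract location='...' from certmonger's storage description."""
    match = re.search(r"location='([^']*)'", storage_spec)
    return match.group(1) if match else None


def audit(text, now_utc, warn_days=14):
    """Return a finding per request that is expired, or due within warn_days
    without renewal clearly in hand (status other than MONITORING, stuck,
    or auto-renew off).  now_utc is a string in certmonger's time format."""
    now = parse_utc(now_utc)
    findings = []
    for req in parse_getcert_list(text):
        remaining = parse_utc(req["expires"]) - now
        expired = remaining < timedelta(0)
        renewal_in_hand = (req.get("status") == "MONITORING"
                           and req.get("stuck") == "no"
                           and req.get("auto-renew") == "yes")
        if remaining > timedelta(days=warn_days):
            continue                      # not due yet
        if not expired and renewal_in_hand:
            continue                      # certmonger should renew it itself
        findings.append({
            "id": req["id"],
            "expired": expired,
            "status": req.get("status"),
            "nssdb": nssdb_location(req.get("certificate", "")),
            "subject": req.get("subject"),
            # the step Rob suggests once the clock is back inside the validity period
            "action": f"ipa-getcert resubmit -i {req['id']}",
        })
    return findings


if __name__ == "__main__":
    # reference time taken from the httpd error_log line in the thread
    for f in audit(SAMPLE_GETCERT_LIST, "2012-06-05 13:11:06 UTC"):
        state = "EXPIRED" if f["expired"] else "expiring"
        print(f"{f['id']} {state} status={f['status']} nssdb={f['nssdb']} -> {f['action']}")
```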
From sigbjorn at nixtra.com Tue Jun 5 19:58:46 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 05 Jun 2012 21:58:46 +0200
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <0e242428-9224-4331-9d4e-8e1c4b1fb778@zmail16.collab.prod.int.phx2.redhat.com>
References: <0e242428-9224-4331-9d4e-8e1c4b1fb778@zmail16.collab.prod.int.phx2.redhat.com>
Message-ID: <4FCE64F6.5040804@nixtra.com>

On 06/05/2012 05:55 PM, Richard Megginson wrote:
> ----- Original Message -----
>> On Mon, April 23, 2012 20:38, Rich Megginson wrote:
>>
>>> Ok. The current theory is that the memory growth is caused by the churn
>>> of entries being added to and removed from the entry cache. It's not
>>> yet known why this growth is seen. It could be just that the memory is
>>> getting fragmented, or there is a real yet undetected memory leak.
>>> That's why entry cache sizing and monitoring is very important, to see
>>> if you are churning entries in/out of the cache, and if that is
>>> correlated with the memory growth.
>>>
>>
>> This memory issue is still occurring in the production environment after
>> increasing the max entry cache size to 256MB, and it is impacting
>> performance. See below for an output of the memory usage and the current
>> size and hitratio of the cache on the 3 production IPA servers.
>>
>> How do you suggest moving forward to troubleshoot this issue?
>
> Are you seeing https://fedorahosted.org/389/ticket/386 ?
>

I don't think so. The cache numbers described in this ticket are much
higher than my cache numbers.

I've set the maxentrycachesize to 256MB, and each IPA server has 8GB of
memory. There should not have been a consumption of more than 1,8GB with
the 7 * cachememsize as described in the ticket.

Besides, I don't know where the heavy modify levels would come from. About
100 new users were moved to IPA last week, all having their passwords
changed; the accounts themselves already existed. But is that considered a
heavy LDAP modify level?

There seems to be a memory leak somewhere. How would you recommend moving
forward?

Regards,
Siggi

From dpal at redhat.com Tue Jun 5 19:58:55 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 05 Jun 2012 15:58:55 -0400
Subject: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 104
In-Reply-To: <4FCD3C12.9020406@sesda2.com>
References: <4FCD3C12.9020406@sesda2.com>
Message-ID: <4FCE64FF.2070605@redhat.com>

On 06/04/2012 06:52 PM, Lucas Yamanishi wrote:
> On 05/17/2012 10:47 AM, Lucas Yamanishi wrote:
>>> On 05/17/2012 09:34 AM, Rob Crittenden wrote:
>>>> Lucas Yamanishi wrote:
>>>>> Hi everybody,
>>>>>
>>>>> I've added some custom schema to my directory, but it's useless to me
>>>>> if I can't control read permissions on it. This is obviously a little
>>>>> tricky since (Free)IPA allows everybody to read everything by default.
>>>>> With that, what's the best way to restrict access to user attributes?
>>>>> Is there anything like this in the roadmap?
>>>> Right now there are no plans to support deny ACIs natively in the
>>>> permission plugin. That isn't set into stone, we just need some convincing.
>>> Then let me make the case:
>>>
>>> I know IPA is aimed mainly at authentication and authorization, but it
>>> provides enough base schema and tree structure to do basic asset and
>>> personnel management. More importantly, it's easier to set up than a
>>> pure 389 Directory. This makes it ideal for small to medium sized
>>> organizations that don't need the extra utility a separate directory
>>> provides. Additionally, the well-designed webui makes it easy to
>>> delegate tasks to non-technical personnel. The requirements to achieve
>>> this end are two: add native support for a restricted set of schema
>>> extensions and fine-grained access controls to those attributes.
>>>
>>> For schema extensions, support could (and should) be limited only to
>>> additional attributes on a restricted set of existing objects. For
>>> example, additions to users and hosts. This would satisfy requirements
>>> for a majority of small to medium sized organizations, I'd think.
>> Building a generic mechanism is really a lot of work.
>> It might be simpler to do it differently, i.e. incrementally add support
>> for additional attributes.
>> Do you have the schema that you added handy?
>> What is the application that uses it? Is it popular? Is it open source?
>> If it is it might make sense to just support these attributes out of box
>> if the schema is loaded.
> Mostly I'm talking about truly custom schema, like you would create
> after obtaining an enterprise OID. A few things I'm adding are hire
> date, emergency contact, previous employer and badge number. Human
> Resources stuff. Once I get it all hammered out I'll send you a copy.
>
> As far as standardized schema goes, a lot of the attributes I need are
> in RFCs 4519 and 4524. Things like organizationName,
> organizationalUnitName, organizationalStatus, personalTitle,
> homePostalAddress and/or postalAddress. Again, HR stuff-- and that's
> what I'm talking about. Your system already tracks user accounts very
> well. Why not extend it to track them as fully fledged people?
>

Have you looked at the extensibility guide (attached)?
It has an overview of what it would take to extend the schema and plugins.
It is definitely doable but doing it in a generic way would be a huge
effort. It might be easier to gradually build the support of most common
extensions for most common cases.

Alexander, this is the version from December. Is there any newer version?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
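An added example for the "389-ds memory usage" thread above (Rich Megginson's advice to watch entry cache sizing and churn, and the top/cn=monitor figures Siggi posted); it is not code from 389-ds, FreeIPA or any poster. It parses pasted text rather than querying the server, the sample is constructed from the thread's numbers, and the 7x factor is the rule of thumb Siggi quotes from ticket 386, taken as an assumption here.

```python
"""Sanity-check 389-ds entry cache counters against host memory use.

Added example for the 389-ds memory usage thread above; not 389-ds or
FreeIPA code.  Reads top's Mem/Swap lines plus the userRoot cn=monitor
attributes as text, so it runs offline.
"""
import re

# Constructed sample: the three production servers' figures from the thread.
SAMPLE_REPORT = """\
Mem: 8050880k total, 7893612k used, 157268k free, 1924k buffers
Swap: 14811120k total, 3738640k used, 11072480k free, 38032k cached
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
entrycachehitratio: 97
maxentrycachesize: 268435456
currententrycachesize: 14047758
currententrycachecount: 3062

Mem: 8059224k total, 7907904k used, 151320k free, 9060k buffers
Swap: 14811120k total, 2507796k used, 12303324k free, 58104k cached
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
entrycachehitratio: 99
maxentrycachesize: 268435456
currententrycachesize: 13963883
currententrycachecount: 3062

Mem: 8062240k total, 7932268k used, 129972k free, 864k buffers
Swap: 2097144k total, 2097144k used, 0k free, 16788k cached
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
entrycachehitratio: 99
maxentrycachesize: 268435456
currententrycachesize: 13809438
currententrycachecount: 3066
"""

# Siggi cites "7 * cachememsize" (ticket 386) as what the entry cache alone
# could account for; assumed here as a rule of thumb, not verified.
CACHE_OVERHEAD_FACTOR = 7
COUNTERS = ("entrycachehitratio", "maxentrycachesize",
            "currententrycachesize", "currententrycachecount")


def _kb_fields(line):
    """'Mem: 8050880k total, 7893612k used, ...' -> {'total': 8050880, ...}"""
    return {name: int(num) for num, name in re.findall(r"(\d+)k (\w+)", line)}


def parse_report(text):
    """One dict per server: memory figures in KiB plus the cache counters."""
    servers, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Mem:"):                 # a Mem: line opens a server
            cur = {"mem_kb": _kb_fields(line), "swap_kb": {}}
            servers.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Swap:"):
            cur["swap_kb"] = _kb_fields(line)
        elif ":" in line:                           # cn=monitor attribute lines
            key, _, value = line.partition(":")
            if key.strip().lower() in COUNTERS:
                cur[key.strip().lower()] = int(value)
    return servers


def assess(server):
    """Say whether the entry cache can explain the host's memory use.

    Host 'used' covers every process, so it is an upper bound on what
    ns-slapd holds; if even that bound exceeds 7x the cache ceiling, the
    growth is coming from somewhere other than cached entries.
    """
    fill_pct = 100.0 * server["currententrycachesize"] / server["maxentrycachesize"]
    hit_ratio = server["entrycachehitratio"]
    used_bytes = server["mem_kb"]["used"] * 1024
    budget = CACHE_OVERHEAD_FACTOR * server["maxentrycachesize"]
    if hit_ratio >= 95 and fill_pct < 50:
        verdict = "cache-not-cause"      # small, hot cache: no churn to speak of
    elif fill_pct >= 90 and hit_ratio < 95:
        verdict = "cache-churn"          # full and missing: entries cycling in/out
    else:
        verdict = "inconclusive"
    return {
        "cache_fill_pct": round(fill_pct, 1),
        "avg_entry_bytes": server["currententrycachesize"] // server["currententrycachecount"],
        "hit_ratio": hit_ratio,
        "swap_used_kb": server["swap_kb"].get("used", 0),
        "within_cache_budget": used_bytes <= budget,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for n, srv in enumerate(parse_report(SAMPLE_REPORT), 1):
        print(f"server {n}: {assess(srv)}")
```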
From rmeggins at redhat.com Tue Jun 5 20:04:16 2012
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 05 Jun 2012 16:04:16 -0400 (EDT)
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <4FCE64F6.5040804@nixtra.com>
Message-ID:

----- Original Message -----
> On 06/05/2012 05:55 PM, Richard Megginson wrote:
>> ----- Original Message -----
>>> On Mon, April 23, 2012 20:38, Rich Megginson wrote:
>>>
>>>> Ok. The current theory is that the memory growth is caused by the
>>>> churn of entries being added to and removed from the entry cache. It's
>>>> not yet known why this growth is seen. It could be just that the
>>>> memory is getting fragmented, or there is a real yet undetected
>>>> memory leak. That's why entry cache sizing and monitoring is very
>>>> important, to see if you are churning entries in/out of the cache,
>>>> and if that is correlated with the memory growth.
>>>>
>>>
>>> This memory issue is still occurring in the production environment
>>> after increasing the max entry cache size to 256MB, and it is
>>> impacting performance. See below for an output of the memory usage
>>> and the current size and hitratio of the cache on the 3 production
>>> IPA servers.
>>>
>>> How do you suggest moving forward to troubleshoot this issue?
>>
>> Are you seeing https://fedorahosted.org/389/ticket/386 ?
>>
>
> I don't think so. The cache numbers described in this ticket are much
> higher than my cache numbers.
>
> I've set the maxentrycachesize to 256MB, and each IPA server has 8GB of
> memory. There should not have been a consumption of more than 1,8GB with
> the 7 * cachememsize as described in the ticket.
>
> Besides, I don't know where the heavy modify levels would come from.
> About 100 new users were moved to IPA last week, all having their
> passwords changed; the accounts themselves already existed. But is that
> considered a heavy LDAP modify level?

I don't think it matters whether or not the modify level is heavy. If
there is a memory leak, a heavy modify level will make it more apparent
more quickly.

>
> There seems to be a memory leak somewhere. How would you recommend
> moving forward?

If you think this leak is a completely different issue than ticket 386,
please open another ticket.

>
> Regards,
> Siggi

From Steven.Jones at vuw.ac.nz Tue Jun 5 20:42:15 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 5 Jun 2012 20:42:15 +0000
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi

This bug has pretty much destroyed my IPA deployment.......I had a pretty
bad memory leak, had to reboot every 36 hours...made worse by trying later
6.3? rpms, which didn't fix the leak and it went split brain........2 months
and no fix....boy did that open up a can of worms.....

:/

In my case I can't see how it's churn as I have so few entries (<50) and
I'm adding no more items at present....unless a part of ipa is "replicating
and diffing" in the background to check consistency?

I also have only one way replication now at most, master to replica and no
memory leak shows in Munin at present......... but I seem to be faced with
a rebuild from scratch.......
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Tuesday, 5 June 2012 7:14 p.m.
To: Rich Megginson
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 389-ds memory usage

On Mon, April 23, 2012 20:38, Rich Megginson wrote:
> Ok. The current theory is that the memory growth is caused by the churn
> of entries being added to and removed from the entry cache. It's not yet
> known why this growth is seen. It could be just that the memory is getting
> fragmented, or there is a real yet undetected memory leak. That's why entry
> cache sizing and monitoring is very important, to see if you are churning
> entries in/out of the cache, and if that is correlated with the memory growth.
>

This memory issue is still occurring in the production environment after
increasing the max entry cache size to 256MB, and it is impacting
performance. See below for an output of the memory usage and the current
size and hitratio of the cache on the 3 production IPA servers.

How do you suggest moving forward to troubleshoot this issue?


Mem: 8050880k total, 7893612k used, 157268k free, 1924k buffers
Swap: 14811120k total, 3738640k used, 11072480k free, 38032k cached

dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
entrycachehitratio: 97
maxentrycachesize: 268435456
currententrycachesize: 14047758
currententrycachecount: 3062


Mem: 8059224k total, 7907904k used, 151320k free, 9060k buffers
Swap: 14811120k total, 2507796k used, 12303324k free, 58104k cached

dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
entrycachehitratio: 99
maxentrycachesize: 268435456
currententrycachesize: 13963883
currententrycachecount: 3062


Mem: 8062240k total, 7932268k used, 129972k free, 864k buffers
Swap: 2097144k total, 2097144k used, 0k free, 16788k cached

dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
entrycachehitratio: 99
maxentrycachesize: 268435456
currententrycachesize: 13809438
currententrycachecount: 3066


Rgds,
Siggi

From abokovoy at redhat.com Tue Jun 5 20:48:06 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 5 Jun 2012 23:48:06 +0300
Subject: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 104
In-Reply-To: <4FCE64FF.2070605@redhat.com>
References: <4FCD3C12.9020406@sesda2.com> <4FCE64FF.2070605@redhat.com>
Message-ID: <20120605204806.GJ25726@redhat.com>

On Tue, 05 Jun 2012, Dmitri Pal wrote:
> On 06/04/2012 06:52 PM, Lucas Yamanishi wrote:
>> On 05/17/2012 10:47 AM, Lucas Yamanishi wrote:
>>>> On 05/17/2012 09:34 AM, Rob Crittenden wrote:
>>>>> Lucas Yamanishi wrote:
>>>>>> Hi everybody,
>>>>>>
>>>>>> I've added some custom schema to my directory, but it's useless to me
>>>>>> if I can't control read permissions on it. This is obviously a little
>>>>>> tricky since (Free)IPA allows everybody to read everything by default.
>>>>>> With that, what's the best way to restrict access to user attributes?
>>>>>> Is there anything like this in the roadmap?
>>>>> Right now there are no plans to support deny ACIs natively in the
>>>>> permission plugin. That isn't set in stone, we just need some convincing.
>>>> Then let me make the case:
>>>>
>>>> I know IPA is aimed mainly at authentication and authorization, but it
>>>> provides enough base schema and tree structure to do basic asset and
>>>> personnel management. More importantly, it's easier to set up than a
>>>> pure 389 Directory. This makes it ideal for small to medium sized
>>>> organizations that don't need the extra utility a separate directory
>>>> provides. Additionally, the well-designed webui makes it easy to
>>>> delegate tasks to non-technical personnel. The requirements to achieve
>>>> this end are two: add native support for a restricted set of schema
>>>> extensions and fine-grained access controls to those attributes.
>>>>
>>>> For schema extensions, support could (and should) be limited only to
>>>> additional attributes on a restricted set of existing objects. For
>>>> example, additions to users and hosts. This would satisfy requirements
>>>> for a majority of small to medium sized organizations, I'd think.
>>> Building a generic mechanism is really a lot of work.
>>> It might be simpler to do it differently, i.e. incrementally add support
>>> for additional attributes.
>>> Do you have the schema that you added handy?
>>> What is the application that uses it? Is it popular? Is it open source?
>>> If it is it might make sense to just support these attributes out of box
>>> if the schema is loaded.
>> Mostly I'm talking about truly custom schema, like you would create
>> after obtaining an enterprise OID. A few things I'm adding are hire
>> date, emergency contact, previous employer and badge number. Human
>> Resources stuff. Once I get it all hammered out I'll send you a copy.
>>
>> As far as standardized schema goes, a lot of the attributes I need are
>> in RFCs 4519 and 4524. Things like organizationName,
>> organizationalUnitName, organizationalStatus, personalTitle,
>> homePostalAddress and/or postalAddress. Again, HR stuff -- and that's
>> what I'm talking about. Your system already tracks user accounts very
>> well. Why not extend it to track them as fully fledged people?
>>
>
>Have you looked at the extensibility guide (attached)?
>It has an overview of what it would take to extend the schema and plugins.
>It is definitely doable but doing it in a generic way would be a huge
>effort. It might be easier to gradually build the support of most common
>extensions for most common cases.
>
>Alexander, this is the version from December. Is there any newer version?
There is no newer version. I was planning to go over and add more content
in the schema extension area once we get 3.0beta1 out.

-- 
/ Alexander Bokovoy

From sigbjorn at nixtra.com Tue Jun 5 20:54:23 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 05 Jun 2012 22:54:23 +0200
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FCE71FF.9050803@nixtra.com>

On 06/05/2012 10:42 PM, Steven Jones wrote:
> Hi
>
> This bug has pretty much destroyed my IPA deployment.......I had a pretty bad memory leak, had to reboot every 36 hours...made worse by trying later 6.3? rpms, didn't fix the leak and it went split brain........2 months and no fix....boy did that open up a can of worms.....
>
> :/
>
> In my case I can't see how it's churn as I have so few entries (<50) and I'm adding no more items at present....unless a part of ipa is "replicating and diffing" in the background to check consistency?
>
> I also have only one way replication now at most, master to replica and no memory leak shows in Munin at present.........
>
> but I seem to be faced with a rebuild from scratch.......

Did you do the "max entry cache size" tuning? If you did, what did you set it to?

Did you do any other tuning from the 389-ds tuning guide?


Rgds,
Siggi

From JR.Aquino at citrix.com Tue Jun 5 21:44:32 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 5 Jun 2012 21:44:32 +0000
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <4FCE71FF.9050803@nixtra.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FCE71FF.9050803@nixtra.com>
Message-ID: <36D5E297-392D-4E2F-B77A-1B044FEF08B5@citrixonline.com>

On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:
> On 06/05/2012 10:42 PM, Steven Jones wrote:
>> Hi
>>
>> This bug has pretty much destroyed my IPA deployment.......I had a pretty bad memory leak, had to reboot every 36 hours...made worse by trying later 6.3? rpms, didn't fix the leak and it went split brain........2 months and no fix....boy did that open up a can of worms.....
>>
>> :/
>>
>> In my case I can't see how it's churn as I have so few entries (<50) and I'm adding no more items at present....unless a part of ipa is "replicating and diffing" in the background to check consistency?
>>
>> I also have only one way replication now at most, master to replica and no memory leak shows in Munin at present.........
>>
>> but I seem to be faced with a rebuild from scratch.......
>
>
> Did you do the "max entry cache size" tuning? If you did, what did you set it to?
>
> Did you do any other tuning from the 389-ds tuning guide?
>
>
>
> Rgds,
> Siggi

When I had similar problems using Fedora (Not Redhat or CentOS) my underlying issues were: managed entries firing off any time an object was updated (every time someone successfully authenticates, kerberos updates the user object, which in turn would touch the mepmanaged entry for the user's private group). Similar things happened when hostgroups were modified...

This was further complicated by inefficiencies in the way that slapi-nis was processing the compat pieces for the sudo rules and the netgroups (which are automatically created from every hostgroup)

Thus, when memberof fired off, slapi-nis recomputed a great deal of its chunk...

After getting those issues resolved, I tuned the max entry cache size. But it took all the fixes to finally resolve the memory creep problem.

It is not at all clear to me whether or not the bug fixes for my problem have made it up into Redhat / CentOS though... The slapi-nis versions definitely don't line up between fedora and redhat/centos...

Perhaps Nalin or Rich can speak to some of that.

The bug itself was easiest to replicate with _big_ changes like deleting a group that had a great number of members for example, but the symptoms were similar for me for day to day operation resulting in consumption that never freed.

https://bugzilla.redhat.com/show_bug.cgi?id=771493

Are either of you currently utilizing sudo?
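An added example, not code from the thread or from 389-ds/FreeIPA, that mechanises the check Rich described earlier in the thread: take two snapshots of the top-style "Mem:" line plus the userRoot cn=monitor entry (the same two things pasted in this thread), and report whether the memory growth is explained by entries churning through the entry cache or is growth the cache cannot account for. The snapshot values and the thresholds (90% utilisation, 95% hit ratio, 5% miss rate, 64 MiB slack) are constructed assumptions of this example, not figures from the 389-ds tuning guide.

```python
"""Correlate 389-ds entry-cache statistics with memory growth (added example)."""
import re

# Constructed snapshots (not measurements from the thread), taken a few hours
# apart on one server. The monitor entry is what you get from
#   ldapsearch -b "cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
SNAPSHOT_T0 = """\
Mem: 8050880k total, 6100000k used, 1950880k free, 1924k buffers
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
entrycachehits: 900000
entrycachetries: 920000
entrycachehitratio: 97
currententrycachesize: 14000000
maxentrycachesize: 268435456
currententrycachecount: 3062
"""

SNAPSHOT_T1 = """\
Mem: 8050880k total, 7000000k used, 1050880k free, 1924k buffers
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
entrycachehits: 1800000
entrycachetries: 1840000
entrycachehitratio: 97
currententrycachesize: 14047758
maxentrycachesize: 268435456
currententrycachecount: 3062
"""

MONITOR_ATTRS = frozenset((
    "entrycachehits", "entrycachetries", "entrycachehitratio",
    "currententrycachesize", "maxentrycachesize", "currententrycachecount",
))
MIB = 1024 * 1024


def parse_snapshot(text):
    """Return a dict of the integers we need. Attributes a server does not
    report (some builds omit entrycachehits/tries) are simply absent."""
    stats = {}
    m = re.search(r"Mem:\s*\d+k total,\s*(\d+)k used", text)
    if m:
        stats["mem_used_bytes"] = int(m.group(1)) * 1024
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in MONITOR_ATTRS:
            stats[key] = int(value.strip())
    return stats


def cache_utilisation(stats):
    """Fraction of the configured entry cache (nsslapd-cachememsize) in use."""
    return stats["currententrycachesize"] / stats["maxentrycachesize"]


def misses_between(prev, cur):
    """Entry-cache misses in the interval; every miss is an entry loaded from
    id2entry into the cache, i.e. churn. None if hits/tries are not reported."""
    needed = ("entrycachehits", "entrycachetries")
    if any(k not in s for s in (prev, cur) for k in needed):
        return None
    tries = cur["entrycachetries"] - prev["entrycachetries"]
    hits = cur["entrycachehits"] - prev["entrycachehits"]
    return tries - hits


def assess(prev, cur, slack=64 * MIB):
    """Compare two snapshots; return (findings, details). findings are short
    codes a monitoring job can key on:
      undersized          cache nearly full or hit ratio below 95%
      churn               more than 5% of lookups missed in the interval
      unexplained_growth  memory grew far more than the entry cache did
    """
    mem_growth = cur["mem_used_bytes"] - prev["mem_used_bytes"]
    cache_growth = cur["currententrycachesize"] - prev["currententrycachesize"]
    misses = misses_between(prev, cur)
    findings = []
    if cache_utilisation(cur) > 0.9 or cur.get("entrycachehitratio", 100) < 95:
        findings.append("undersized")
    if misses is not None:
        tries = cur["entrycachetries"] - prev["entrycachetries"]
        if tries > 0 and misses / tries > 0.05:
            findings.append("churn")
    # Growth the entry cache cannot account for is what Rich called
    # fragmentation or a real leak; raising nsslapd-cachememsize won't fix it.
    if mem_growth - max(cache_growth, 0) > slack:
        findings.append("unexplained_growth")
    details = {"mem_growth_bytes": mem_growth,
               "cache_growth_bytes": cache_growth, "misses": misses}
    return findings, details


if __name__ == "__main__":
    t0, t1 = parse_snapshot(SNAPSHOT_T0), parse_snapshot(SNAPSHOT_T1)
    codes, info = assess(t0, t1)
    print("cache utilisation: %.1f%%" % (100 * cache_utilisation(t1)))
    print("memory grew %d MiB, entry cache grew %d bytes, misses=%s"
          % (info["mem_growth_bytes"] // MIB, info["cache_growth_bytes"],
             info["misses"]))
    print("findings:", codes or ["none"])
```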
From Steven.Jones at vuw.ac.nz Tue Jun 5 21:51:41 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 5 Jun 2012 21:51:41 +0000
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <4FCE71FF.9050803@nixtra.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE71FF.9050803@nixtra.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCA3EAF@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have <10 users and <10 servers....I can't see any tuning is necessary as yet....

However I did up the cache and that made no difference....

original

[root at vuwunicoipam001 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
-rw-------. 1 dirsrv dirsrv 6.3M May 8 11:34 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
[root at vuwunicoipam001 ~]#

=======
grep cache /etc/dirsrv/slapd-ODS-VUW-AC-NZ/dse.ldif
nsslapd-dbcachesize: 10000000
nsslapd-import-cache-autosize: -1
nsslapd-import-cachesize: 20000000
nsslapd-cachesize: -1
nsslapd-cachememsize: 10485760
nsslapd-dncachememsize: 10485760
=======

modded
=======
So to sum up, please change nsslapd-cachememsize parameter in /etc/dirsrv/slapd-/dse.ldif from;
nsslapd-cachememsize: 10485760
to
nsslapd-cachememsize: 18900000
=======

Presently my cache size has shrunk from 6.3meg to 616k....

[root at vuwunicoipam001 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
-rw-------. 1 dirsrv dirsrv 616K Jun 6 09:42 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
[root at vuwunicoipam001 ~]#

Though on the replica it's a different size (but then I have a split brain issue....

[root at vuwunicoipam002 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
-rw-------. 1 dirsrv dirsrv 752K Jun 6 09:51 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
[root at vuwunicoipam002 ~]#

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Wednesday, 6 June 2012 8:54 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 389-ds memory usage

On 06/05/2012 10:42 PM, Steven Jones wrote:
> Hi
>
> This bug has pretty much destroyed my IPA deployment.......I had a pretty bad memory leak, had to reboot every 36 hours...made worse by trying later 6.3? rpms, didn't fix the leak and it went split brain........2 months and no fix....boy did that open up a can of worms.....
>
> :/
>
> In my case I can't see how it's churn as I have so few entries (<50) and I'm adding no more items at present....unless a part of ipa is "replicating and diffing" in the background to check consistency?
>
> I also have only one way replication now at most, master to replica and no memory leak shows in Munin at present.........
>
> but I seem to be faced with a rebuild from scratch.......

Did you do the "max entry cache size" tuning? If you did, what did you set it to?

Did you do any other tuning from the 389-ds tuning guide?
Rgds,
Siggi

From Steven.Jones at vuw.ac.nz Tue Jun 5 21:54:16 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 5 Jun 2012 21:54:16 +0000
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <36D5E297-392D-4E2F-B77A-1B044FEF08B5@citrixonline.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FCE71FF.9050803@nixtra.com>, <36D5E297-392D-4E2F-B77A-1B044FEF08B5@citrixonline.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCA3EE5@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I am just trying to figure out sudo now, however I can't understand how...I find the documentation confusing/inadequate....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

8><-----------

Are either of you currently utilizing sudo?
From sigbjorn at nixtra.com Tue Jun 5 22:12:49 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 06 Jun 2012 00:12:49 +0200
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <36D5E297-392D-4E2F-B77A-1B044FEF08B5@citrixonline.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FCE71FF.9050803@nixtra.com> <36D5E297-392D-4E2F-B77A-1B044FEF08B5@citrixonline.com>
Message-ID: <4FCE8461.5070208@nixtra.com>

On 06/05/2012 11:44 PM, JR Aquino wrote:
> On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:
>
>> On 06/05/2012 10:42 PM, Steven Jones wrote:
>>> Hi
>>>
>>> This bug has pretty much destroyed my IPA deployment.......I had a pretty bad memory leak, had to reboot every 36 hours...made worse by trying later 6.3? rpms, didn't fix the leak and it went split brain........2 months and no fix....boy did that open up a can of worms.....
>>>
>>> :/
>>>
>>> In my case I can't see how it's churn as I have so few entries (<50) and I'm adding no more items at present....unless a part of ipa is "replicating and diffing" in the background to check consistency?
>>>
>>> I also have only one way replication now at most, master to replica and no memory leak shows in Munin at present.........
>>>
>>> but I seem to be faced with a rebuild from scratch.......
>>
>> Did you do the "max entry cache size" tuning? If you did, what did you set it to?
>>
>> Did you do any other tuning from the 389-ds tuning guide?
>>
>>
>>
>> Rgds,
>> Siggi
> When I had similar problems using Fedora (Not Redhat or CentOS) my underlying issues were: managed entries firing off any time an object was updated (every time someone successfully authenticates, kerberos updates the user object, which in turn would touch the mepmanaged entry for the user's private group). Similar things happened when hostgroups were modified...
>
> This was further complicated by inefficiencies in the way that slapi-nis was processing the compat pieces for the sudo rules and the netgroups (which are automatically created from every hostgroup)
>
> Thus, when memberof fired off, slapi-nis recomputed a great deal of its chunk...
>
> After getting those issues resolved, I tuned the max entry cache size. But it took all the fixes to finally resolve the memory creep problem.
>
> It is not at all clear to me whether or not the bug fixes for my problem have made it up into Redhat / CentOS though... The slapi-nis versions definitely don't line up between fedora and redhat/centos...
>
> Perhaps Nalin or Rich can speak to some of that.
>
> The bug itself was easiest to replicate with _big_ changes like deleting a group that had a great number of members for example, but the symptoms were similar for me for day to day operation resulting in consumption that never freed.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=771493
>
> Are either of you currently utilizing sudo?
>

I read your bug report a while back, and made sure that slapi-nis was disabled.

I have tuned my cache size to 256MB. I believe that should be OK as my cache hit ratio sits at 97-99%?

I understand you have a fairly large deployment, what cache size are you using? Are you using Fedora or Red Hat / CentOS as your production environment?

I do not use sudo with IPA yet, I am planning for doing that later. Are there any issues I should be aware of with sudo integration?
Rich/Nalin,
Was there a bug in managed entries that's been fixed in the current 389-ds versions available in Red Hat / CentOS 6?


Regards,
Siggi

From sigbjorn at nixtra.com Tue Jun 5 22:17:39 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 06 Jun 2012 00:17:39 +0200
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCA3EAF@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE71FF.9050803@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3EAF@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FCE8583.7060906@nixtra.com>

You still have to restart IPA after 36 hours with that few users/machines?

My issues started occurring more frequently after more users / hosts were migrated. How much memory do you have in your IPA servers?


Rgds,
Siggi


On 06/05/2012 11:51 PM, Steven Jones wrote:
> I have <10 users and <10 servers....I can't see any tuning is necessary as yet....
>
> However I did up the cache and that made no difference....
>
> original
>
> [root at vuwunicoipam001 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
> -rw-------. 1 dirsrv dirsrv 6.3M May 8 11:34 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
> [root at vuwunicoipam001 ~]#
>
> =======
> grep cache /etc/dirsrv/slapd-ODS-VUW-AC-NZ/dse.ldif
> nsslapd-dbcachesize: 10000000
> nsslapd-import-cache-autosize: -1
> nsslapd-import-cachesize: 20000000
> nsslapd-cachesize: -1
> nsslapd-cachememsize: 10485760
> nsslapd-dncachememsize: 10485760
> =======
>
> modded
> =======
> So to sum up, please change nsslapd-cachememsize parameter in /etc/dirsrv/slapd-/dse.ldif from;
> nsslapd-cachememsize: 10485760
> to
> nsslapd-cachememsize: 18900000
> =======
>
> Presently my cache size has shrunk from 6.3meg to 616k....
>
> [root at vuwunicoipam001 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
> -rw-------. 1 dirsrv dirsrv 616K Jun 6 09:42 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
> [root at vuwunicoipam001 ~]#
>
> Though on the replica it's a different size (but then I have a split brain issue....
>
> [root at vuwunicoipam002 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
> -rw-------. 1 dirsrv dirsrv 752K Jun 6 09:51 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
> [root at vuwunicoipam002 ~]#
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Wednesday, 6 June 2012 8:54 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 389-ds memory usage
>
> On 06/05/2012 10:42 PM, Steven Jones wrote:
>> Hi
>>
>> This bug has pretty much destroyed my IPA deployment.......I had a pretty bad memory leak, had to reboot every 36 hours...made worse by trying later 6.3? rpms, didn't fix the leak and it went split brain........2 months and no fix....boy did that open up a can of worms.....
>>
>> :/
>>
>> In my case I can't see how it's churn as I have so few entries (<50) and I'm adding no more items at present....unless a part of ipa is "replicating and diffing" in the background to check consistency?
>>
>> I also have only one way replication now at most, master to replica and no memory leak shows in Munin at present.........
>>
>> but I seem to be faced with a rebuild from scratch.......
>
> Did you do the "max entry cache size" tuning? If you did, what did you set it to?
>
> Did you do any other tuning from the 389-ds tuning guide?
>
>
>
> Rgds,
> Siggi

From Steven.Jones at vuw.ac.nz Tue Jun 5 22:23:30 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 5 Jun 2012 22:23:30 +0000
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <4FCE8583.7060906@nixtra.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE71FF.9050803@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3EAF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE8583.7060906@nixtra.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCA3F37@STAWINCOX10MBX1.staff.vuw.ac.nz>

I started with 2gb but went to 4 gb to try and last overnight and the weekend...might have to go to 8gb to last the weekend....

I also have a frequent failure to start IPA when I do a "service ipa restart" that means I can't cron an over-night restart

And the KDC on the master IPA server seems to die for no reason....
:(

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Wednesday, 6 June 2012 10:17 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 389-ds memory usage

You still have to restart IPA after 36 hours with that few users/machines?

My issues started occurring more frequently after more users / hosts were migrated. How much memory do you have in your IPA servers?


Rgds,
Siggi


On 06/05/2012 11:51 PM, Steven Jones wrote:
> I have <10 users and <10 servers....I can't see any tuning is necessary as yet....
>
> However I did up the cache and that made no difference....
>
> original
>
> [root at vuwunicoipam001 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
> -rw-------. 1 dirsrv dirsrv 6.3M May 8 11:34 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
> [root at vuwunicoipam001 ~]#
>
> =======
> grep cache /etc/dirsrv/slapd-ODS-VUW-AC-NZ/dse.ldif
> nsslapd-dbcachesize: 10000000
> nsslapd-import-cache-autosize: -1
> nsslapd-import-cachesize: 20000000
> nsslapd-cachesize: -1
> nsslapd-cachememsize: 10485760
> nsslapd-dncachememsize: 10485760
> =======
>
> modded
> =======
> So to sum up, please change nsslapd-cachememsize parameter in /etc/dirsrv/slapd-/dse.ldif from;
> nsslapd-cachememsize: 10485760
> to
> nsslapd-cachememsize: 18900000
> =======
>
> Presently my cache size has shrunk from 6.3meg to 616k....
>
> [root at vuwunicoipam001 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
> -rw-------. 1 dirsrv dirsrv 616K Jun 6 09:42 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
> [root at vuwunicoipam001 ~]#
>
> Though on the replica it's a different size (but then I have a split brain issue....
>
> [root at vuwunicoipam002 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
> -rw-------. 1 dirsrv dirsrv 752K Jun 6 09:51 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
> [root at vuwunicoipam002 ~]#
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Wednesday, 6 June 2012 8:54 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 389-ds memory usage
>
> On 06/05/2012 10:42 PM, Steven Jones wrote:
>> Hi
>>
>> This bug has pretty much destroyed my IPA deployment.......I had a pretty bad memory leak, had to reboot every 36 hours...made worse by trying later 6.3? rpms, didn't fix the leak and it went split brain........2 months and no fix....boy did that open up a can of worms.....
>>
>> :/
>>
>> In my case I can't see how it's churn as I have so few entries (<50) and I'm adding no more items at present....unless a part of ipa is "replicating and diffing" in the background to check consistency?
>>
>> I also have only one way replication now at most, master to replica and no memory leak shows in Munin at present.........
>>
>> but I seem to be faced with a rebuild from scratch.......
>
> Did you do the "max entry cache size" tuning? If you did, what did you set it to?
>
> Did you do any other tuning from the 389-ds tuning guide?
>
>
>
> Rgds,
> Siggi

From JR.Aquino at citrix.com Tue Jun 5 22:26:13 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 5 Jun 2012 22:26:13 +0000
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <4FCE8461.5070208@nixtra.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FCE71FF.9050803@nixtra.com> <36D5E297-392D-4E2F-B77A-1B044FEF08B5@citrixonline.com> <4FCE8461.5070208@nixtra.com>
Message-ID: <0E9EC89F-B2F4-4585-89DE-B3288E827F22@citrixonline.com>

On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote:
> On 06/05/2012 11:44 PM, JR Aquino wrote:
>> On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:
>>
>>> On 06/05/2012 10:42 PM, Steven Jones wrote:
>>>> Hi
>>>>
>>>> This bug has pretty much destroyed my IPA deployment.......I had a pretty bad memory leak, had to reboot every 36 hours...made worse by trying later 6.3? rpms, didn't fix the leak and it went split brain........2 months and no fix....boy did that open up a can of worms.....
>>>>
>>>> :/
>>>>
>>>> In my case I can't see how it's churn as I have so few entries (<50) and I'm adding no more items at present....unless a part of ipa is "replicating and diffing" in the background to check consistency?
>>>>
>>>> I also have only one way replication now at most, master to replica and no memory leak shows in Munin at present.........
>>>>
>>>> but I seem to be faced with a rebuild from scratch.......
>>>
>>> Did you do the "max entry cache size" tuning? If you did, what did you set it to?
>>>
>>> Did you do any other tuning from the 389-ds tuning guide?
>>>
>>>
>>>
>>> Rgds,
>>> Siggi
>> When I had similar problems using Fedora (Not Redhat or CentOS) my underlying issues were: managed entries firing off any time an object was updated (every time someone successfully authenticates, kerberos updates the user object, which in turn would touch the mepmanaged entry for the user's private group). Similar things happened when hostgroups were modified...
>>
>> This was further complicated by inefficiencies in the way that slapi-nis was processing the compat pieces for the sudo rules and the netgroups (which are automatically created from every hostgroup)
>>
>> Thus, when memberof fired off, slapi-nis recomputed a great deal of its chunk...
>>
>> After getting those issues resolved, I tuned the max entry cache size. But it took all the fixes to finally resolve the memory creep problem.
>>
>> It is not at all clear to me whether or not the bug fixes for my problem have made it up into Redhat / CentOS though... The slapi-nis versions definitely don't line up between fedora and redhat/centos...
>>
>> Perhaps Nalin or Rich can speak to some of that.
>>
>> The bug itself was easiest to replicate with _big_ changes like deleting a group that had a great number of members for example, but the symptoms were similar for me for day to day operation resulting in consumption that never freed.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=771493
>>
>> Are either of you currently utilizing sudo?
>>
> I read your bug report a while back, and made sure that slapi-nis was disabled.
>
> I have tuned my cache size to 256MB. I believe that should be OK as my cache hit ratio sits at 97-99%?
>
> I understand you have a fairly large deployment, what cache size are you using? Are you using Fedora or Red Hat / CentOS as your production environment?
>
> I do not use sudo with IPA yet, I am planning for doing that later.
> Are there any issues I should be aware of with sudo integration?
>
> Rich/Nalin,
> Was there a bug in managed entries that's been fixed in the current 389-ds versions available in Red Hat / CentOS 6?
>
>
> Regards,
> Siggi
>

Ya it is true that I do have a large environment, but some of the hurdles that I had to jump appeared to be ones that weren't related so much to the number of hosts I had, but rather their amount of activity. I.e. automated single-sign on scripts, people authenticating, general binds taking place all over...

I am using Fedora with FreeIPA 2.2 pending a migration to RHEL 6.3 and IPA 2.2

My measurements... ;)

dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: monitor
database: ldbm database
readonly: 0
entrycachehits: 904077
entrycachetries: 923802
entrycachehitratio: 97
currententrycachesize: 79607895
maxentrycachesize: 104857600
currententrycachecount: 10301
maxentrycachecount: -1
dncachehits: 3
dncachetries: 10302
dncachehitratio: 0
currentdncachesize: 1861653
maxdncachesize: 10485760
currentdncachecount: 10301
maxdncachecount: -1

From sigbjorn at nixtra.com Tue Jun 5 22:31:19 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 06 Jun 2012 00:31:19 +0200
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCA3F37@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE71FF.9050803@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3EAF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE8583.7060906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3F37@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FCE88B7.5050201@nixtra.com>

Could the Kerberos issue have anything to do with the sssd_be process crashing at the exact time you are restarting IPA?

I have seen the same issue, twice, but it got sorted after running "ipactl restart" a second time. Never really figured out what happened, except I noticed sssd_be crashing at the exact time I restarted IPA the first time.


Rgds,
Siggi


On 06/06/2012 12:23 AM, Steven Jones wrote:
> I started with 2gb but went to 4 gb to try and last overnight and the weekend...might have to go to 8gb to last the weekend....
>
> I also have a frequent failure to start IPA when I do a "service ipa restart" that means I can't cron an over-night restart
>
> And the KDC on the master IPA server seems to die for no reason....
>
> :(
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Wednesday, 6 June 2012 10:17 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 389-ds memory usage
>
> You still have to restart IPA after 36 hours with that few users/machines?
>
> My issues started occurring more frequently after more users / hosts
> were migrated. How much memory do you have in your IPA servers?
>
>
> Rgds,
> Siggi
>
>
> On 06/05/2012 11:51 PM, Steven Jones wrote:
>> I have <10 users and <10 servers....I can't see any tuning is necessary as yet....
>>
>> However I did up the cache and that made no difference....
>>
>> original
>>
>> [root at vuwunicoipam001 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
>> -rw-------. 1 dirsrv dirsrv 6.3M May 8 11:34 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
>> [root at vuwunicoipam001 ~]#
>>
>> =======
>> grep cache /etc/dirsrv/slapd-ODS-VUW-AC-NZ/dse.ldif
>> nsslapd-dbcachesize: 10000000
>> nsslapd-import-cache-autosize: -1
>> nsslapd-import-cachesize: 20000000
>> nsslapd-cachesize: -1
>> nsslapd-cachememsize: 10485760
>> nsslapd-dncachememsize: 10485760
>> =======
>>
>> modded
>> =======
>> So to sum up, please change nsslapd-cachememsize parameter in /etc/dirsrv/slapd-/dse.ldif from;
>> nsslapd-cachememsize: 10485760
>> to
>> nsslapd-cachememsize: 18900000
>> =======
>>
>> Presently my cache size has shrunk from 6.3meg to 616k....
>>
>> [root at vuwunicoipam001 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
>> -rw-------. 1 dirsrv dirsrv 616K Jun 6 09:42 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
>> [root at vuwunicoipam001 ~]#
>>
>> Though on the replica it's a different size (but then I have a split brain issue....
>>
>> [root at vuwunicoipam002 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
>> -rw-------. 1 dirsrv dirsrv 752K Jun 6 09:51 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4
>> [root at vuwunicoipam002 ~]#
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
>> Sent: Wednesday, 6 June 2012 8:54 a.m.
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] 389-ds memory usage
>>
>> On 06/05/2012 10:42 PM, Steven Jones wrote:
>>> Hi
>>>
>>> This bug has pretty much destroyed my IPA deployment.......I had a pretty bad memory leak, had to reboot every 36 hours...made worse by trying later 6.3? rpms, didn't fix the leak and it went split brain........2 months and no fix....boy did that open up a can of worms.....
>>>
>>> :/
>>>
>>> In my case I can't see how it's churn as I have so few entries (<50) and I'm adding no more items at present....unless a part of ipa is "replicating and diffing" in the background to check consistency?
>>>
>>> I also have only one way replication now at most, master to replica and no memory leak shows in Munin at present.........
>>>
>>> but I seem to be faced with a rebuild from scratch.......
>> Did you do the "max entry cache size" tuning? If you did, what did you set it to?
>>
>> Did you do any other tuning from the 389-ds tuning guide?
>>
>>
>>
>> Rgds,
>> Siggi

From dpal at redhat.com Tue Jun 5 22:38:27 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 05 Jun 2012 18:38:27 -0400
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <4FCE88B7.5050201@nixtra.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE71FF.9050803@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3EAF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE8583.7060906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3F37@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FCE88B7.5050201@nixtra.com>
Message-ID: <4FCE8A63.70602@redhat.com>

On 06/05/2012 06:31 PM, Sigbjorn Lie wrote:
> Could the Kerberos issue have anything to do with the sssd_be process
> crashing at the exact time you are restarting IPA?
> > I have seen the same issue, twice, but it got sorted after running > "ipactl restart" a second time. Never really figured out what > happened, except I noticed sssd_be crashing at the exact time I > restarted IPA the first time. > > We would be glad to resolve the issues if we had sufficient information to troubleshoot. If you have a good set of logs and config files and hopefully a reproducer please do not hesitate to log a bug or ticket. We are sorry that you are experiencing difficulties with IPA and hope that you will continue working with us to make the project work better. Thanks Dmitri > > Rgds, > Siggi > > > On 06/06/2012 12:23 AM, Steven Jones wrote: >> I started with 2gb but went to 4 gb to try and last overnight and the >> weekend...might have to go to 8gb to last the weekend.... >> >> I also have a frequent failure to start IPA when I do a "service ipa >> restart" that means I cant cron an over-night restart >> >> And the KDC on the master IPA server seems to die for no reason.... >> >> :( >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ________________________________________ >> From: Sigbjorn Lie [sigbjorn at nixtra.com] >> Sent: Wednesday, 6 June 2012 10:17 a.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] 389-ds memory usage >> >> You still have to restart IPA after 36 hours with that few >> users/machines? >> >> My issues started occuring more frequently after more users / hosts >> we're migrated. How much memory do you have in your IPA servers? >> >> >> Rgds, >> Siggi >> >> >> On 06/05/2012 11:51 PM, Steven Jones wrote: >>> I have<10 users and<10 servers....I cant see any tuning is necessary >>> as yet.... >>> >>> However I did up the cache and that made no difference.... 
>>> >>> original >>> >>> [root at vuwunicoipam001 ~]# ls -lh >>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4 >>> -rw-------. 1 dirsrv dirsrv 6.3M May 8 11:34 >>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4 >>> [root at vuwunicoipam001 ~]# >>> >>> ======= >>> grep cache /etc/dirsrv/slapd-ODS-VUW-AC-NZ/dse.ldif >>> nsslapd-dbcachesize: 10000000 nsslapd-import-cache-autosize: -1 >>> nsslapd-import-cachesize: 20000000 nsslapd-cachesize: -1 >>> nsslapd-cachememsize: 10485760 nsslapd-dncachememsize: 10485760 >>> ======= >>> >>> modded >>> ======= >>> So to sum up, please change nsslapd-cachememsize parameter in >>> /etc/dirsrv/slapd-/dse.ldif from; nsslapd-cachememsize: >>> 10485760 to nsslapd-cachememsize: 18900000 >>> ======= >>> >>> Presently my cache size has shrunk from 6.3meg to 616k.... >>> >>> [root at vuwunicoipam001 ~]# ls -lh >>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4 >>> -rw-------. 1 dirsrv dirsrv 616K Jun 6 09:42 >>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4 >>> [root at vuwunicoipam001 ~]# >>> >>> Though on the replica its a different size (but then I have a split >>> brain issue.... >>> >>> [root at vuwunicoipam002 ~]# ls -lh >>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4 >>> -rw-------. 1 dirsrv dirsrv 752K Jun 6 09:51 >>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4 >>> [root at vuwunicoipam002 ~]# >>> >>> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> ________________________________________ >>> From: freeipa-users-bounces at redhat.com >>> [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie >>> [sigbjorn at nixtra.com] >>> Sent: Wednesday, 6 June 2012 8:54 a.m. 
>>> To: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] 389-ds memory usage >>> >>> On 06/05/2012 10:42 PM, Steven Jones wrote: >>>> Hi >>>> >>>> This has bug has pretty much destroyed my IPA deployment.......I >>>> had a pretty bad memory leak had to reboot every 36 hours...made >>>> worse by trying later 6.3? rpms didnt fix the leak and it went >>>> split brain........2 months and no fix....boy did that open up a >>>> can of worms..... >>>> >>>> :/ >>>> >>>> In my case I cant see how its churn as I have so few entries (<50) >>>> and Im adding no more items at present....unless a part of ipa is >>>> "replicating and diffing" in the background to check consistency? >>>> >>>> I also have only one way replication now at most, master to >>>> replica and no memory leak shows in Munin at present......... >>>> >>>> but I seem to be faced with a rebuild from scratch....... >>> Did you do the "max entry cache size" tuning? If you did, what did >>> you set it to? >>> >>> Did you do any other tuning from the 389-ds tuning guide? >>> >>> >>> >>> Rgds, >>> Siggi >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From sigbjorn at nixtra.com Tue Jun 5 22:42:35 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 06 Jun 2012 00:42:35 +0200 Subject: [Freeipa-users] 389-ds memory usage In-Reply-To: <0E9EC89F-B2F4-4585-89DE-B3288E827F22@citrixonline.com> References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FCE71FF.9050803@nixtra.com> <36D5E297-392D-4E2F-B77A-1B044FEF08B5@citrixonline.com> <4FCE8461.5070208@nixtra.com> <0E9EC89F-B2F4-4585-89DE-B3288E827F22@citrixonline.com> Message-ID: <4FCE8B5B.5060504@nixtra.com> On 06/06/2012 12:26 AM, JR Aquino wrote: > On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote: > >> On 06/05/2012 11:44 PM, JR Aquino wrote: >>> On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote: >>> >>>> On 06/05/2012 10:42 PM, Steven Jones wrote: >>>>> Hi >>>>> >>>>> This has bug has pretty much destroyed my IPA deployment.......I had a pretty bad memory leak had to reboot every 36 hours...made worse by trying later 6.3? rpms didnt fix the leak and it went split brain........2 months and no fix....boy did that open up a can of worms..... >>>>> >>>>> :/ >>>>> >>>>> In my case I cant see how its churn as I have so few entries (<50) and Im adding no more items at present....unless a part of ipa is "replicating and diffing" in the background to check consistency? >>>>> >>>>> I also have only one way replication now at most, master to replica and no memory leak shows in Munin at present......... >>>>> >>>>> but I seem to be faced with a rebuild from scratch....... >>>> Did you do the "max entry cache size" tuning? If you did, what did you set it to? >>>> >>>> Did you do any other tuning from the 389-ds tuning guide? 
>>>> >>>> >>>> >>>> Rgds, >>>> Siggi >>> When I had similar problems using Feodra (Not Redhat or CentOS) my underlying issues were: managed entries firing off any time an object was updated (every time someone successfully authenticates, kerberos updates the user object, which in turn would touch the mepmanaged entry for the user's private group) Similar things happened when hostgroups were modified... >>> >>> This was further complicated by inefficiencies in the way that slapi-nis was processing the compat pieces for the sudo rules and the netgroups (which are automatically create from every hostgroup) >>> >>> Thus, when memberof fired off, slapi-nis recomputed a great deal of its chunk... >>> >>> After getting those issues resolved, I tuned the max entry cache size. But it took all the fixes to finally resolve the memory creep problem. >>> >>> It is not at all clear to me whether or not the bug fixes for my problem have made it up into Redhat / CentOS though... The slapi-nis versions definitely don't line up between fedora and redhat/centos... >>> >>> Perhaps Nalin Or Rich can speak to some of that. >>> >>> The bug itself was easiest to replicate with _big_ changes like deleting a group that had a great number of members for example, but the symptoms were similar for me were similar for day to date operation resulting in consumption that never freed. >>> >>> https://bugzilla.redhat.com/show_bug.cgi?id=771493 >>> >>> Are either of you currently utilizing sudo? >>> >> I read your bug report a while back, and made sure that slapi-nis was disabled. >> >> I have tuned my cache size to 256MB. I believe that should be OK as my cache hit ratio sits at 97-99% ? >> >> I understand you have a farily large deployment, what cache size are you using? Are you using Fedora or Red Hat / CentOS as your production environment? >> >> I do not use sudo with IPA yet, I am planning for doing that later. Is there any issues I should be aware of with sudo integration? 
>>
>> Rich/Nalin,
>> Was there a bug in managed entries that's been fixed in the current 389-ds versions available in Red Hat / CentOS 6?
>>
>>
>> Regards,
>> Siggi
>>
> Ya it is true that I do have a large environment, but some of the hurdles that I had to jump appeared to be ones that weren't related so much to the number of hosts I had, but rather their amount of activity. I.e. automated single-sign on scripts, people authenticating, general binds taking place all over...
>
> I am using Fedora with FreeIPA 2.2 pending a migration to RHEL 6.3 and IPA 2.2
>
> My measurements... ;)
>
> dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: monitor
> database: ldbm database
> readonly: 0
> entrycachehits: 904077
> entrycachetries: 923802
> entrycachehitratio: 97
> currententrycachesize: 79607895
> maxentrycachesize: 104857600
> currententrycachecount: 10301
> maxentrycachecount: -1
> dncachehits: 3
> dncachetries: 10302
> dncachehitratio: 0
> currentdncachesize: 1861653
> maxdncachesize: 10485760
> currentdncachecount: 10301
> maxdncachecount: -1
>

Ok, we have a fair amount of logons happening too with Nagios running lots of ssh connections to the hosts, as well as normal users. Can't really disable that. :)

I see your cache size is 100MB, that's less than half of mine. I increased my cache quite a bit as I was advised by Rich about a bug that's not been fixed in the RHEL 6.2 version of 389-ds, related to when entries in the cache are being removed to make room for new cache entries. I was hoping that issue would go away with a large cache size.

Rgds,
Siggi

From sigbjorn at nixtra.com Tue Jun 5 22:47:37 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 06 Jun 2012 00:47:37 +0200
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <4FCE8A63.70602@redhat.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE71FF.9050803@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3EAF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE8583.7060906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3F37@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FCE88B7.5050201@nixtra.com> <4FCE8A63.70602@redhat.com>
Message-ID: <4FCE8C89.10302@nixtra.com>

On 06/06/2012 12:38 AM, Dmitri Pal wrote:
> On 06/05/2012 06:31 PM, Sigbjorn Lie wrote:
>> Could the Kerberos issue have anything to do with the sssd_be process
>> crashing at the exact time you are restarting IPA?
>>
>> I have seen the same issue, twice, but it got sorted after running
>> "ipactl restart" a second time. Never really figured out what
>> happened, except I noticed sssd_be crashing at the exact time I
>> restarted IPA the first time.
>>
>>
> We would be glad to resolve the issues if we had sufficient information
> to troubleshoot.
> If you have a good set of logs and config files and hopefully a
> reproducer please do not hesitate to log a bug or ticket.
> We are sorry that you are experiencing difficulties with IPA and hope
> that you will continue working with us to make the project work better.
>
> Thanks
> Dmitri
>

Thanks Dmitri. I do open bug requests when I find re-producible issues, however I was not sure where to start with the KDC issue as I've not been able to find a way to consistently re-produce it.
:)

Rgds,
Siggi

From dpal at redhat.com Tue Jun 5 22:50:22 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 05 Jun 2012 18:50:22 -0400
Subject: [Freeipa-users] token/swipe pass deployments with IPA
In-Reply-To: <4FC86BC1.7050706@themacartneyclan.com>
References: <4FC7C064.6010401@themacartneyclan.com> <4FC7F693.9000909@redhat.com> <4FC86BC1.7050706@themacartneyclan.com>
Message-ID: <4FCE8D2E.6010706@redhat.com>

On 06/01/2012 03:14 AM, Dale Macartney wrote:
> On 31/05/12 23:54, Dmitri Pal wrote:
> > On 05/31/2012 03:03 PM, Dale Macartney wrote:
> >
> >> Evening all
> >>
> >> http://www.youtube.com/watch?v=uvfkj8V6ylM
> >>
> >> This video was floating around Google plus a few days ago which is
> >> brilliant to show off RHEV's VDI technologies. I was wondering if anyone
> >> has some a similar business case of vdi deployments with swipe passes or
> >> token, but using IPA as the backing authentication store?
> >
> > I am not quite sure what is used as an authentication source in this case.
> > I can ask.
>
> I was just thinking as I seem to be doing alot lately, "can it be done
> with ipa?"
>
> is token support on the road map? If some are not already supported.

Define token? You mean smart cards or 2FA using tokens like SecurID? All on the roadmap.

> >> Has anyone done something similar themselves?
> >>
> >> Dale
> >>
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IPA project,
> > Red Hat Inc.
> >
> > -------------------------------
> > Looking to carve out IT costs?
> > > www.redhat.com/carveoutcosts/ > > > > > > > > > > > > > _______________________________________________ > > > Freeipa-users mailing list > > > Freeipa-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Tue Jun 5 22:51:47 2012 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 05 Jun 2012 18:51:47 -0400 Subject: [Freeipa-users] 389-ds memory usage In-Reply-To: <4FCE8C89.10302@nixtra.com> References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE71FF.9050803@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3EAF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE8583.7060906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3F37@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FCE88B7.5050201@nixtra.com> <4FCE8A63.70602@redhat.com> <4FCE8C89.10302@nixtra.com> Message-ID: <4FCE8D83.9010205@redhat.com> On 06/05/2012 06:47 PM, Sigbjorn Lie wrote: > On 06/06/2012 12:38 AM, Dmitri Pal wrote: >> On 06/05/2012 06:31 PM, Sigbjorn Lie wrote: >>> Could the Kerberos issue have anything to do with the sssd_be process >>> crashing at the exact time you are restarting IPA? >>> >>> I have seen the same issue, twice, but it got sorted after running >>> "ipactl restart" a second time. 
Never really figured out what >>> happened, except I noticed sssd_be crashing at the exact time I >>> restarted IPA the first time. >>> >>> >> We would be glad to resolve the issues if we had sufficient information >> to troubleshoot. >> If you have a good set of logs and config files and hopefully a >> reproducer please do not hesitate to log a bug or ticket. >> We are sorry that you are experiencing difficulties with IPA and hope >> that you will continue working with us to make the project work better. >> >> Thanks >> Dmitri >> > Thanks Dmitri. I do open bug requests when I find re-producible > issues, however I was not sure where to start with the KDC issue as > I've not been able to find a way to consistently re-produce it. :) I know. But trust me I might be even more frustrated than you are :-) > > > Rgds, > Siggi > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue Jun 5 22:52:53 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 5 Jun 2012 22:52:53 +0000
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <4FCE88B7.5050201@nixtra.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE71FF.9050803@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3EAF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE8583.7060906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3F37@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FCE88B7.5050201@nixtra.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCA3F71@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I'm not aware that the KDC dying is related to a restart...it just died on us over the weekend for no reason I can determine and I couldn't login to my desktop....but it is possible as I don't know when it died......eg in the morning I did a,

============
[root at vuwunicoipam001 ~]# service ipa restart
Restarting Directory Service
debugging enabled, suppressing output.
Restarting KDC Service
Stopping Kerberos 5 KDC: [FAILED]
Starting Kerberos 5 KDC: [ OK ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd: [ OK ]
Starting ipa_kpasswd: [ OK ]
Restarting DNS Service
Stopping named: [ OK ]
Starting named: [ OK ]
Restarting HTTP Service
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root at vuwunicoipam001 ~]# sosreport
============

so KDC wasn't running.....and my client didn't go talk to ipam002 (the replica)....I thought sssd should/would do that....

I usually find that 2 or 3 attempts is enough to get ipa going again as it doesn't always die while starting....but enough times to make cron impractical/risky.

What I am doing right now is building a second replica which I will use as a backup mechanism.......and I will do a cron restart as I'm doing a ldif export....to give me a bare metal recovery option........so I will run a,

service ipa stop
/var/lib/dirsrv/scripts-example.com/db2ldif -n userRoot -a /tmp/output.ldif
service ipa restart

every night.......

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Wednesday, 6 June 2012 10:31 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 389-ds memory usage

Could the Kerberos issue have anything to do with the sssd_be process crashing at the exact time you are restarting IPA?

I have seen the same issue, twice, but it got sorted after running "ipactl restart" a second time. Never really figured out what happened, except I noticed sssd_be crashing at the exact time I restarted IPA the first time.

Rgds,
Siggi

On 06/06/2012 12:23 AM, Steven Jones wrote:
> I started with 2gb but went to 4 gb to try and last overnight and the weekend...might have to go to 8gb to last the weekend....
>
> I also have a frequent failure to start IPA when I do a "service ipa restart" that means I cant cron an over-night restart
>
> And the KDC on the master IPA server seems to die for no reason....
>
> :(
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Wednesday, 6 June 2012 10:17 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 389-ds memory usage
>
> You still have to restart IPA after 36 hours with that few users/machines?
>
> My issues started occuring more frequently after more users / hosts
> we're migrated.
How much memory do you have in your IPA servers? > > > Rgds, > Siggi > > > On 06/05/2012 11:51 PM, Steven Jones wrote: >> I have<10 users and<10 servers....I cant see any tuning is necessary as yet.... >> >> However I did up the cache and that made no difference.... >> >> original >> >> [root at vuwunicoipam001 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4 -rw-------. 1 dirsrv dirsrv 6.3M May 8 11:34 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4 [root at vuwunicoipam001 ~]# >> >> ======= >> grep cache /etc/dirsrv/slapd-ODS-VUW-AC-NZ/dse.ldif nsslapd-dbcachesize: 10000000 nsslapd-import-cache-autosize: -1 nsslapd-import-cachesize: 20000000 nsslapd-cachesize: -1 nsslapd-cachememsize: 10485760 nsslapd-dncachememsize: 10485760 >> ======= >> >> modded >> ======= >> So to sum up, please change nsslapd-cachememsize parameter in /etc/dirsrv/slapd-/dse.ldif from; nsslapd-cachememsize: 10485760 to nsslapd-cachememsize: 18900000 >> ======= >> >> Presently my cache size has shrunk from 6.3meg to 616k.... >> >> [root at vuwunicoipam001 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4 -rw-------. 1 dirsrv dirsrv 616K Jun 6 09:42 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4 [root at vuwunicoipam001 ~]# >> >> Though on the replica its a different size (but then I have a split brain issue.... >> >> [root at vuwunicoipam002 ~]# ls -lh /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4 >> -rw-------. 1 dirsrv dirsrv 752K Jun 6 09:51 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/db/userRoot/id2entry.db4 >> [root at vuwunicoipam002 ~]# >> >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ________________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com] >> Sent: Wednesday, 6 June 2012 8:54 a.m. 
>> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] 389-ds memory usage >> >> On 06/05/2012 10:42 PM, Steven Jones wrote: >>> Hi >>> >>> This has bug has pretty much destroyed my IPA deployment.......I had a pretty bad memory leak had to reboot every 36 hours...made worse by trying later 6.3? rpms didnt fix the leak and it went split brain........2 months and no fix....boy did that open up a can of worms..... >>> >>> :/ >>> >>> In my case I cant see how its churn as I have so few entries (<50) and Im adding no more items at present....unless a part of ipa is "replicating and diffing" in the background to check consistency? >>> >>> I also have only one way replication now at most, master to replica and no memory leak shows in Munin at present......... >>> >>> but I seem to be faced with a rebuild from scratch....... >> Did you do the "max entry cache size" tuning? If you did, what did you set it to? >> >> Did you do any other tuning from the 389-ds tuning guide? >> >> >> >> Rgds, >> Siggi >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users From JR.Aquino at citrix.com Tue Jun 5 22:54:40 2012 From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 5 Jun 2012 22:54:40 +0000 Subject: [Freeipa-users] 389-ds memory usage In-Reply-To: <4FCE8B5B.5060504@nixtra.com> References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FCE71FF.9050803@nixtra.com> <36D5E297-392D-4E2F-B77A-1B044FEF08B5@citrixonline.com> <4FCE8461.5070208@nixtra.com> <0E9EC89F-B2F4-4585-89DE-B3288E827F22@citrixonline.com> <4FCE8B5B.5060504@nixtra.com> Message-ID: On Jun 5, 2012, 
at 3:42 PM, Sigbjorn Lie wrote:
> On 06/06/2012 12:26 AM, JR Aquino wrote:
>> On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote:
>>
>>> On 06/05/2012 11:44 PM, JR Aquino wrote:
>>>> On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:
>>>>
>>>>> On 06/05/2012 10:42 PM, Steven Jones wrote:
>>>>>> Hi
>>>>>>
>>>>>> This bug has pretty much destroyed my IPA deployment.......I had a pretty bad memory leak, had to reboot every 36 hours...made worse by trying later 6.3? rpms didn't fix the leak and it went split brain........2 months and no fix....boy did that open up a can of worms.....
>>>>>>
>>>>>> :/
>>>>>>
>>>>>> In my case I can't see how it's churn as I have so few entries (<50) and I'm adding no more items at present....unless a part of ipa is "replicating and diffing" in the background to check consistency?
>>>>>>
>>>>>> I also have only one way replication now at most, master to replica and no memory leak shows in Munin at present.........
>>>>>>
>>>>>> but I seem to be faced with a rebuild from scratch.......
>>>>> Did you do the "max entry cache size" tuning? If you did, what did you set it to?
>>>>>
>>>>> Did you do any other tuning from the 389-ds tuning guide?
>>>>>
>>>>> Rgds,
>>>>> Siggi
>>>> When I had similar problems using Fedora (not Red Hat or CentOS) my underlying issues were: managed entries firing off any time an object was updated (every time someone successfully authenticates, Kerberos updates the user object, which in turn would touch the mepmanaged entry for the user's private group). Similar things happened when hostgroups were modified...
>>>>
>>>> This was further complicated by inefficiencies in the way that slapi-nis was processing the compat pieces for the sudo rules and the netgroups (which are automatically created from every hostgroup)
>>>>
>>>> Thus, when memberof fired off, slapi-nis recomputed a great deal of its chunk...
>>>>
>>>> After getting those issues resolved, I tuned the max entry cache size. But it took all the fixes to finally resolve the memory creep problem.
>>>>
>>>> It is not at all clear to me whether or not the bug fixes for my problem have made it up into Red Hat / CentOS though... The slapi-nis versions definitely don't line up between Fedora and Red Hat/CentOS...
>>>>
>>>> Perhaps Nalin or Rich can speak to some of that.
>>>>
>>>> The bug itself was easiest to replicate with _big_ changes like deleting a group that had a great number of members for example, but the symptoms for me were similar for day to day operation resulting in consumption that never freed.
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=771493
>>>>
>>>> Are either of you currently utilizing sudo?
>>>>
>>> I read your bug report a while back, and made sure that slapi-nis was disabled.
>>>
>>> I have tuned my cache size to 256MB. I believe that should be OK as my cache hit ratio sits at 97-99%?
>>>
>>> I understand you have a fairly large deployment, what cache size are you using? Are you using Fedora or Red Hat / CentOS as your production environment?
>>>
>>> I do not use sudo with IPA yet, I am planning on doing that later. Are there any issues I should be aware of with sudo integration?
>>>
>>> Rich/Nalin,
>>> Was there a bug in managed entries that's been fixed in the current 389-ds versions available in Red Hat / CentOS 6?
>>>
>>> Regards,
>>> Siggi
>>>
>> Ya it is true that I do have a large environment, but some of the hurdles that I had to jump appeared to be ones that weren't related so much to the number of hosts I had, but rather their amount of activity. I.e. automated single sign-on scripts, people authenticating, general binds taking place all over...
>>
>> I am using Fedora with FreeIPA 2.2 pending a migration to RHEL 6.3 and IPA 2.2
>>
>> My measurements... ;)
>>
>> dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: monitor
>> database: ldbm database
>> readonly: 0
>> entrycachehits: 904077
>> entrycachetries: 923802
>> entrycachehitratio: 97
>> currententrycachesize: 79607895
>> maxentrycachesize: 104857600
>> currententrycachecount: 10301
>> maxentrycachecount: -1
>> dncachehits: 3
>> dncachetries: 10302
>> dncachehitratio: 0
>> currentdncachesize: 1861653
>> maxdncachesize: 10485760
>> currentdncachecount: 10301
>> maxdncachecount: -1
>>
> Ok, we have a fair amount of logons happening too with Nagios running lots of ssh connections to the hosts, as well as normal users. Can't really disable that. :)
>
> I see your cache size is 100MB, that's less than half of mine. I increased my cache quite a bit as I was advised by Rich about a bug that's not been fixed in the RHEL 6.2 version of 389-ds related to when entries in cache are being removed to make room for new cache entries. I was hoping that issue would go away with a large cache size.
>

Right, I was advised over the same. Though it sounds like you're not hitting your limit and are still seeing the memory creep...

This makes me question the other factors. Nagios checking everything (probably every 5 mins?) might be a good source of activity... Though I wonder how best to visualize what is taking up the memory...

Have you turned on auditing at all? One of the things I was able to deduce from rampant activity was based on what I was seeing modified via the audit log. Recurring patterns coming in big waves... things like that.
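The cn=monitor dump JR posted is the raw material for the "is my cache big enough" question the thread keeps circling. The script below is an added example, not code from the thread, from 389-ds or from FreeIPA: it parses the base-scope search of the backend monitor entry, recomputes the hit ratios and cache utilisation from the raw counters, and flags the two conditions a practitioner actually tunes for. The sample input is JR's posted numbers; the ldapsearch invocation in the docstring and the two warning thresholds are assumptions chosen for the example, not values from the thread or the 389-ds tuning guide.

```python
"""Read the ldbm cache counters 389-ds exposes under cn=monitor and flag tuning problems.

Added example for this thread; not code from the thread, from 389-ds or from FreeIPA.
Feed it the base-scope search of the backend monitor entry, e.g.

    ldapsearch -x -D "cn=Directory Manager" -W -s base \
        -b "cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"

The two thresholds below are assumptions chosen for the example, not values from
the thread or the 389-ds tuning guide.
"""
import re

# Sample input: the counters JR Aquino posted above, reproduced verbatim.
SAMPLE_MONITOR = """\
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: monitor
database: ldbm database
readonly: 0
entrycachehits: 904077
entrycachetries: 923802
entrycachehitratio: 97
currententrycachesize: 79607895
maxentrycachesize: 104857600
currententrycachecount: 10301
maxentrycachecount: -1
dncachehits: 3
dncachetries: 10302
dncachehitratio: 0
currentdncachesize: 1861653
maxdncachesize: 10485760
currentdncachecount: 10301
maxdncachecount: -1
"""

UTILISATION_WARN = 0.90  # assumed: above this the cache is evicting to make room
HIT_RATIO_WARN = 0.95    # assumed: below this the cache is undersized for the load

# Per-backend attributes that size each cache (on cn=userRoot,cn=ldbm database,...).
SIZE_KNOB = {"entry": "nsslapd-cachememsize", "dn": "nsslapd-dncachememsize"}


def parse_monitor(ldif):
    """Return {attribute: value}; integer counters become int, others stay str."""
    attrs = {}
    for line in ldif.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if not m:
            continue  # blank lines, comments, continuation lines
        name, value = m.group(1).lower(), m.group(2).strip()
        attrs[name] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return attrs


def cache_stats(attrs, which):
    """Ratios for the 'entry' or 'dn' cache, computed from the raw counters
    rather than from the server's pre-rounded *cachehitratio attribute."""
    tries = attrs[f"{which}cachetries"]
    hits = attrs[f"{which}cachehits"]
    current = attrs[f"current{which}cachesize"]
    maximum = attrs[f"max{which}cachesize"]
    return {
        "hit_ratio": hits / tries if tries else 0.0,
        "utilisation": current / maximum if maximum > 0 else 0.0,
        "entries": attrs[f"current{which}cachecount"],
        "max_bytes": maximum,
    }


def advise(attrs):
    """Human-readable findings; an empty list means nothing to flag."""
    findings = []
    for which, knob in SIZE_KNOB.items():
        s = cache_stats(attrs, which)
        if s["utilisation"] >= UTILISATION_WARN:
            findings.append(f"{which} cache {s['utilisation']:.0%} full "
                            f"({s['max_bytes']} bytes): consider raising {knob}")
        if attrs[f"{which}cachetries"] and s["hit_ratio"] < HIT_RATIO_WARN:
            findings.append(f"{which} cache hit ratio {s['hit_ratio']:.1%} "
                            f"is below {HIT_RATIO_WARN:.0%}")
    return findings


if __name__ == "__main__":
    data = parse_monitor(SAMPLE_MONITOR)
    for which in SIZE_KNOB:
        s = cache_stats(data, which)
        print(f"{which:5} cache: hit ratio {s['hit_ratio']:.1%}, "
              f"{s['utilisation']:.1%} of {s['max_bytes']} bytes used, "
              f"{s['entries']} entries")
    for finding in advise(data):
        print("WARN:", finding)
```

On JR's numbers the entry cache is about 76% full with a 97.9% hit ratio, so neither warning fires for it; the only finding is the DN cache, where 10302 tries against 10301 cached DNs and 3 hits means every DN was fetched exactly once since startup. That is a warm-up pattern, not a sizing problem, and it is worth remembering when reading these counters on servers that are being restarted every 36 hours. Further down the thread JR goes looking for the ldapmodify way to switch on the 389 audit log; the setting is the cn=config attribute nsslapd-auditlog-logging-enabled (set to on), with the file path in nsslapd-auditlog.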
From sigbjorn at nixtra.com Wed Jun 6 07:30:00 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 6 Jun 2012 09:30:00 +0200 (CEST) Subject: [Freeipa-users] 389-ds memory usage In-Reply-To: References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FCE71FF.9050803@nixtra.com> <36D5E297-392D-4E2F-B77A-1B044FEF08B5@citrixonline.com> <4FCE8461.5070208@nixtra.com> <0E9EC89F-B2F4-4585-89DE-B3288E827F22@citrixonline.com> <4FCE8B5B.5060504@nixtra.com> Message-ID: <19696.213.225.75.97.1338967800.squirrel@www.nixtra.com> On Wed, June 6, 2012 00:54, JR Aquino wrote: > On Jun 5, 2012, at 3:42 PM, Sigbjorn Lie wrote: > > >> On 06/06/2012 12:26 AM, JR Aquino wrote: >> >>> On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote: >>> >>> >>>> On 06/05/2012 11:44 PM, JR Aquino wrote: >>>> >>>>> On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote: >>>>> >>>>> >>>>>> On 06/05/2012 10:42 PM, Steven Jones wrote: >>>>>> >>>>>>> Hi >>>>>>> >>>>>>> >>>>>>> This has bug has pretty much destroyed my IPA deployment.......I had a pretty bad >>>>>>> memory leak had to reboot every 36 hours...made worse by trying later 6.3? rpms didnt >>>>>>> fix the leak and it went split brain........2 months and no fix....boy did that open >>>>>>> up a can of worms..... >>>>>>> >>>>>>> :/ >>>>>>> >>>>>>> >>>>>>> In my case I cant see how its churn as I have so few entries (<50) and Im adding no >>>>>>> more items at present....unless a part of ipa is "replicating and diffing" in the >>>>>>> background to check consistency? >>>>>>> >>>>>>> I also have only one way replication now at most, master to replica and no memory >>>>>>> leak shows in Munin at present......... 
>>>>>>> >>>>>>> but I seem to be faced with a rebuild from scratch....... >>>>>> Did you do the "max entry cache size" tuning? If you did, what did you set it to? >>>>>> >>>>>> >>>>>> Did you do any other tuning from the 389-ds tuning guide? >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Rgds, >>>>>> Siggi >>>>>> >>>>> When I had similar problems using Feodra (Not Redhat or CentOS) my underlying issues >>>>> were: managed entries firing off any time an object was updated (every time someone >>>>> successfully authenticates, kerberos updates the user object, which in turn would touch >>>>> the mepmanaged entry for the user's private group) Similar things happened when >>>>> hostgroups were modified... >>>>> >>>>> This was further complicated by inefficiencies in the way that slapi-nis was processing >>>>> the compat pieces for the sudo rules and the netgroups (which are automatically create >>>>> from every hostgroup) >>>>> >>>>> Thus, when memberof fired off, slapi-nis recomputed a great deal of its chunk... >>>>> >>>>> >>>>> After getting those issues resolved, I tuned the max entry cache size. But it took all >>>>> the fixes to finally resolve the memory creep problem. >>>>> >>>>> It is not at all clear to me whether or not the bug fixes for my problem have made it up >>>>> into Redhat / CentOS though... The slapi-nis versions definitely don't line up between >>>>> fedora and redhat/centos... >>>>> >>>>> Perhaps Nalin Or Rich can speak to some of that. >>>>> >>>>> >>>>> The bug itself was easiest to replicate with _big_ changes like deleting a group that had >>>>> a great number of members for example, but the symptoms were similar for me were similar >>>>> for day to date operation resulting in consumption that never freed. >>>>> >>>>> https://bugzilla.redhat.com/show_bug.cgi?id=771493 >>>>> >>>>> >>>>> Are either of you currently utilizing sudo? >>>>> >>>>> >>>> I read your bug report a while back, and made sure that slapi-nis was disabled. 
>>>> >>>> >>>> I have tuned my cache size to 256MB. I believe that should be OK as my cache hit ratio sits >>>> at 97-99% ? >>>> >>>> I understand you have a farily large deployment, what cache size are you using? Are you >>>> using Fedora or Red Hat / CentOS as your production environment? >>>> >>>> I do not use sudo with IPA yet, I am planning for doing that later. Is there any issues I >>>> should be aware of with sudo integration? >>>> >>>> Rich/Nalin, >>>> Was there a bug in managed entries that's been fixed in the current 389-ds versions >>>> available in Red Hat / CentOS 6? >>>> >>>> >>>> Regards, >>>> Siggi >>>> >>>> >>> Ya it is true that I do have a large environment, but some of the hurdles that I had to jump >>> appeared to be ones that weren't related so much to the number of hosts I had, but rather >>> their amount of activity. I.e. automated single-sign on scripts, people authenticating, >>> general binds taking place all over... >>> >>> I am using Fedora with FreeIPA 2.2 pending a migration to RHEL 6.3 and IPA 2.2 >>> >>> >>> My measurements... ;) >>> >>> >>> dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >>> objectClass: top >>> objectClass: extensibleObject >>> cn: monitor >>> database: ldbm database >>> readonly: 0 >>> entrycachehits: 904077 >>> entrycachetries: 923802 >>> entrycachehitratio: 97 >>> currententrycachesize: 79607895 >>> maxentrycachesize: 104857600 >>> currententrycachecount: 10301 >>> maxentrycachecount: -1 >>> dncachehits: 3 >>> dncachetries: 10302 >>> dncachehitratio: 0 >>> currentdncachesize: 1861653 >>> maxdncachesize: 10485760 >>> currentdncachecount: 10301 >>> maxdncachecount: -1 >>> >>> >>> >> Ok, we have a fair amount of logons happening too with Nagios running lots of ssh connections >> to the hosts, as well as normal users. Can't really disable that. :) >> >> I see your cache size is 100MB, that's less than half of mine. 
I increased my cache quite a bit >> as I was advised by Rich about a bug that's not been fixed in the RHEL 6.2 version of 389-ds >> related to when entries in cache are being removed to make room for new cache entries. I was >> hoping that issue would go away with a large cache size. >> > > Right, I was advised over the same. Though it sounds like you're not hitting your limit and are > still seeing the memory creep... > > This makes me question the other factors. Nagios checking everything (probably every 5 mins?) > might be a good source of activity... Though I wonder how best to visualize what is taking up the > memory... > > Have you turned on auditing at all? One of the things I was able to deduce from rampant activity > was based on what I was seeing modified via the audit log. Recurring patterns coming in big > waves... things like that.

I have not turned on any explicit auditing, but I do use SELinux on the IPA servers, and have the /var/log/audit/audit.log from all the SELinux activity. Is that what you're referring to?

Yes. Most of the Nagios checks are being done every 5 minutes.

I agree, I'm not sure how to proceed in troubleshooting and finding the memory leak.
Rgds, Siggi

From dale at themacartneyclan.com Wed Jun 6 08:50:58 2012 From: dale at themacartneyclan.com (Dale Macartney) Date: Wed, 06 Jun 2012 09:50:58 +0100 Subject: [Freeipa-users] token/swipe pass deployments with IPA In-Reply-To: <4FCE8D2E.6010706@redhat.com> References: <4FC7C064.6010401@themacartneyclan.com> <4FC7F693.9000909@redhat.com> <4FC86BC1.7050706@themacartneyclan.com> <4FCE8D2E.6010706@redhat.com> Message-ID: <4FCF19F2.5030502@themacartneyclan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/06/12 23:50, Dmitri Pal wrote: > On 06/01/2012 03:14 AM, Dale Macartney wrote: > > >> >> >> On 31/05/12 23:54, Dmitri Pal wrote: >> > On 05/31/2012 03:03 PM, Dale >> Macartney wrote: >> >> > > >> >> >> Evening all >> >> >> >> >> >> http://www.youtube.com/watch?v=uvfkj8V6ylM >> >> >> >> >> >> This video was floating around Google plus a few days ago >> which is >> >> >> brilliant to show off RHEV's VDI technologies. I was >> wondering if anyone >> >> >> has a similar business case of vdi deployments with >> swipe passes or >> >> >> token, but using IPA as the backing authentication store? >> >> >> >> > I am not quite sure what is used as an authentication source >> in this case. >> >> > I can ask. >> >> >> I was just thinking as I seem to be doing a lot lately, "can it be done with ipa?" >> >> is token support on the road map? If some are not already supported. >> > > Define token? > You mean smart cards or 2FA using tokens like SecurID? > All on the roadmap. >

I was thinking anything along the lines of a physical medium which an end user can use to authenticate themselves with. This can be single auth or 2FA. I was thinking things like SecurID, smartcards, yubikeys, RSA keyfobs, Citrix CAG tokens etc. If it's on the road map that's fine. I'll keep an eager eye open for the integration in the future ;-)

>> >> >> >> >> Has anyone done something similar themselves?
>> >> >> >> >> >> Dale >> >> >> >> >> >> >> > _______________________________________________ >> >> > Freeipa-users mailing list >> >> > Freeipa-users at redhat.com >> >> > https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> >> >> > -- >> >> > Thank you, >> >> > Dmitri Pal >> >> >> >> > Sr. Engineering Manager IPA project, >> >> > Red Hat Inc. >> >> >> >> >> >> > ------------------------------- >> >> > Looking to carve out IT costs? >> >> > www.redhat.com/carveoutcosts/ >> >> >> >> >> >> >> >> >> >> >> >> > _______________________________________________ >> >> > Freeipa-users mailing list >> >> > Freeipa-users at redhat.com >> >> > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? 
> www.redhat.com/carveoutcosts/ > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPzxnqAAoJEAJsWS61tB+qMdcQAMXTuOy8hljyIMS/U1vIZKHT WgkRGrm3gspyVcJQqWLIFcOBp/EL0NzVEBJ1CjwmkDA5IYL2Ezzj24YMnqjOYQqV rrj94K8beXmvAC+HTJ73P/AC24L3fd0ZzhCcojKdtlbSKeKH0DTsHlCLKUX3uL3L c0YjfY+J+6aIYdtMB78DOGGWhgCXmJM/BGvVcTbmWYH3HulYVDypjYKe/9c8Usqn QU6Cm7zFoIC1jlZuvWorC4c0kpmR0bSmP6lVFjWjAYw/BETpjxOYKxAtZKZHZiAu D0MviZSiZHCtH0RuU4sm/+BqBa2XjERbSsTKS89kAvTT4CB4KvX5i1SoEMMyu1j8 pqPCaIiBhLmpKLuMAdqMg61/mRSqMFUAKvRpdhStFRN2uzYLLnt6he6WxC1zta5e 9VS3yj+rjG46Xy/uwcv+IJdV/6bW3OOoIiUZxboc+6NcHtRQZKDxKfKVxQWO8fbb +9wrOEcDe1s1efCl5mJ83xot5YMa15plmkqdnGxOhDkCrqehXVJ42xRygi3dE6o2 7wHeWk8soduty18wLioPLwNs9sbE699fAQa+wYG3sBsolhGyqh7HO1mz4ypLuv4P EaQV3T5xa/Xxswfx1HZCtKysdSLolirzapPOXXnQNvFzdthuBpKMljFye9Yl/Kk3 H1VzUGfUgp42D807MN47 =e3T0 -----END PGP SIGNATURE----- -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xB5B41FAA.asc Type: application/pgp-keys Size: 5790 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0xB5B41FAA.asc.sig Type: application/pgp-signature Size: 543 bytes Desc: not available URL:

From whbos at xs4all.nl Wed Jun 6 12:34:12 2012
From: whbos at xs4all.nl (Willem Bos)
Date: Wed, 6 Jun 2012 14:34:12 +0200
Subject: [Freeipa-users] Provision user accounts & groups from external IM
In-Reply-To: <20120605105114.GH25726@redhat.com>
References: <20120605091159.GG25726@redhat.com> <20120605105114.GH25726@redhat.com>
Message-ID:

Hi Alexander,

I did some experimenting with the example at http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ and am now able to create a user using the following as input to curl (-d @user_add.json):

{
  "method":"user_add",
  "params":[
    [],
    {
      "uid":"test",
      "givenname":"test",
      "sn":"test",
      "userpassword":"test"
    }
  ]
}

I'm left with two questions:
- Is it possible to use a hashed password (as stored in the 'meta-IM') as a value for userpassword? And if so, will this propagate to the created Kerberos principal?
- After creation, I'm forced to change the password when running `kinit test`. Is it possible to prevent the forced password change? As a test, I tried to set the '-needchange' attribute using kadmin but that returned "... Insufficient access while modifying..."

I grepped the mailing list archives / API.txt / source code / etc. for clues but without success...

Regards,
Willem.

On Tue, Jun 5, 2012 at 12:51 PM, Alexander Bokovoy wrote:
> On Tue, 05 Jun 2012, Willem Bos wrote:
>> Hi Alexander,
>>
>> Thanks for your quick response.
>>
>> Yes, the server on which the external IM environment is hosted does not have the ipa utils available. As a matter of fact, the server might even be hosted off-site. We're just beginning to explore IM solutions for our environment and the most likely architecture is a 'meta-IM' service that provisions platform specific IM's like AD, Oracle's Internet Directory and IPA.
>> It will probably be a requirement that the meta-IM is to provision IPA directly (instead of Meta-IM -> AD -> IPA).
>>
>> The JSON interface looks promising, I will certainly try the example provided. Would user_add be the suitable command to use? It's the obvious candidate, but I just want to make sure...
>>
> Yes, user_add is the command.
>
> --
> / Alexander Bokovoy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From simo at redhat.com Wed Jun 6 12:39:40 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 06 Jun 2012 08:39:40 -0400
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCA3F37@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com> , <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4FCE71FF.9050803@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3EAF@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4FCE8583.7060906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3F37@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1338986380.8230.285.camel@willson.li.ssimo.org>

On Tue, 2012-06-05 at 22:23 +0000, Steven Jones wrote:
> I started with 2GB but went to 4GB to try and last overnight and the weekend...might have to go to 8GB to last the weekend....
>
> I also have a frequent failure to start IPA when I do a "service ipa restart" that means I can't cron an overnight restart
>
> And the KDC on the master IPA server seems to die for no reason....

Please install abrtd and provide back info in a bug next time it 'dies'. If the KDC is failing in your specific case we want to know asap so we can fix it.

We haven't experienced any KDC failure in ages here.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Wed Jun 6 12:46:17 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 06 Jun 2012 08:46:17 -0400
Subject: [Freeipa-users] Provision user accounts & groups from external IM
In-Reply-To:
References: <20120605091159.GG25726@redhat.com> <20120605105114.GH25726@redhat.com>
Message-ID: <1338986777.8230.288.camel@willson.li.ssimo.org>

On Wed, 2012-06-06 at 14:34 +0200, Willem Bos wrote:
> Hi Alexander,
>
> I did some experimenting with the example at
> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ and am now able to create a user using the following as input to curl (-d @user_add.json):
>
> {
>   "method":"user_add",
>   "params":[
>     [],
>     {
>       "uid":"test",
>       "givenname":"test",
>       "sn":"test",
>       "userpassword":"test"
>     }
>   ]
> }
>
> I'm left with two questions:
> - Is it possible to use a hashed password (as stored in the 'meta-IM') as a value for userpassword? And if so, will this propagate to the created Kerberos principal?

Nope, we need the clear text in order to generate the krb5 keys.

> - After creation, I'm forced to change the password when running `kinit test`. Is it possible to prevent the forced password change?

Yes, see: http://www.freeipa.org/page/PasswordSynchronization

> As a test, I tried to set the '-needchange' attribute using kadmin but that returned "... Insufficient access while modifying..."

This is not controlled by kadmin.

> I grepped the mailing list archives / API.txt / source code / etc. for clues but without success...

See above, it is really easy to create an agent with the right permissions.

Simo.
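Willem's curl experiment and Simo's two answers describe a small protocol: a JSON-RPC envelope posted to the IPA server, a clear-text password the server needs so it can derive Kerberos keys, and a result that has to be inspected for an error member. The script below is an added example for this exchange; it is not Willem's code, Adam Young's, or FreeIPA's. It builds the user_add envelope, produces the curl invocation the blog recipe relies on (Kerberos negotiate authentication, JSON headers, the Referer header the /ipa/json endpoint requires), and parses the reply, raising on a command-level error. The server name ipa.example.com and the two embedded server responses are constructed for the example.

```python
"""Drive FreeIPA's JSON-RPC user_add from a host without the ipa client tools.

Added example for this thread; it is not Willem's code, Adam Young's, or FreeIPA's.
Assumptions, also marked inline: the placeholder server name, the /ipa/json
endpoint with the Referer header and Kerberos (negotiate) authentication that the
curl recipe Willem followed relies on, and the two constructed server responses.
"""
import json
import subprocess

IPA_SERVER = "ipa.example.com"  # assumption: placeholder hostname

# Constructed responses in the shape FreeIPA's JSON-RPC endpoint returns.
SAMPLE_OK = b'''{"result": {"result": {"uid": ["test"], "givenname": ["test"], "sn": ["test"],
 "dn": "uid=test,cn=users,cn=accounts,dc=example,dc=com"}, "value": "test",
 "summary": "Added user \\"test\\""}, "error": null, "id": 0, "principal": "admin@EXAMPLE.COM"}'''
SAMPLE_DUP = b'''{"result": null, "error": {"code": 4002, "name": "DuplicateEntry",
 "message": "user with name \\"test\\" already exists"}, "id": 0, "principal": "admin@EXAMPLE.COM"}'''


class IpaError(Exception):
    """A command-level failure reported in the JSON 'error' member."""
    def __init__(self, code, name, message):
        super().__init__(f"{name} ({code}): {message}")
        self.code, self.name = code, name


def build_user_add(uid, givenname, sn, userpassword=None, request_id=0):
    """JSON-RPC envelope for user_add: positional args in the first list, options in
    the dict, mirroring 'ipa user-add UID --first --last'. (Putting uid in the
    options dict, as Willem did, is also accepted by the server.)"""
    options = {"givenname": givenname, "sn": sn}
    if userpassword is not None:
        # Clear text only: the server derives the Kerberos keys from it, so a hash
        # taken from another identity store cannot be passed here (Simo's point above).
        options["userpassword"] = userpassword
    return {"method": "user_add", "params": [[uid], options], "id": request_id}


def curl_argv(payload_path, server=IPA_SERVER, cacert="/etc/ipa/ca.crt"):
    """curl invocation matching the blog recipe: Kerberos negotiate auth, JSON
    headers, and the Referer header the endpoint requires (its anti-CSRF check)."""
    return [
        "curl", "--negotiate", "-u", ":",
        "--cacert", cacert,
        "-H", "Content-Type: application/json",
        "-H", "Accept: application/json",
        "-H", f"Referer: https://{server}/ipa",
        "--data", f"@{payload_path}",
        f"https://{server}/ipa/json",
    ]


def parse_response(raw):
    """Return the 'result' object or raise IpaError.

    The endpoint answers HTTP 200 even when the command fails; the failure lives
    in 'error', so curl's exit status and the HTTP status alone are not enough."""
    body = json.loads(raw)
    err = body.get("error")
    if err:
        raise IpaError(err.get("code"), err.get("name", "IPAError"), err.get("message", ""))
    return body["result"]


def add_user(uid, givenname, sn, userpassword=None, server=IPA_SERVER, run=subprocess.run):
    """Run one user_add through curl. Needs a valid ticket (kinit) for the caller.

    The payload goes to curl on stdin ('--data @-') so the clear-text password never
    appears in the process list or in a file on disk."""
    payload = json.dumps(build_user_add(uid, givenname, sn, userpassword)).encode()
    proc = run(curl_argv("-", server), input=payload, capture_output=True, check=True)
    return parse_response(proc.stdout)


if __name__ == "__main__":
    print(json.dumps(build_user_add("test", "test", "test", "test"), indent=2))
    print(" ".join(curl_argv("user_add.json")))
    print(parse_response(SAMPLE_OK)["summary"])
    try:
        parse_response(SAMPLE_DUP)
    except IpaError as exc:
        print("server rejected the call:", exc)
```

The second of Willem's questions is answered by the PasswordSynchronization page Simo links: passwords set through a bind DN listed in passSyncManagersDNs on cn=ipa_pwd_extop,cn=plugins,cn=config are not marked as expired, so a provisioning agent whose DN is listed there can create accounts that kinit straight away. Whatever calls this script should therefore authenticate as that agent, not as admin.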
-- Simo Sorce * Red Hat, Inc * New York From JR.Aquino at citrix.com Wed Jun 6 13:15:27 2012 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 6 Jun 2012 13:15:27 +0000 Subject: [Freeipa-users] 389-ds memory usage In-Reply-To: <19696.213.225.75.97.1338967800.squirrel@www.nixtra.com> References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FCE71FF.9050803@nixtra.com> <36D5E297-392D-4E2F-B77A-1B044FEF08B5@citrixonline.com> <4FCE8461.5070208@nixtra.com> <0E9EC89F-B2F4-4585-89DE-B3288E827F22@citrixonline.com> <4FCE8B5B.5060504@nixtra.com> , <19696.213.225.75.97.1338967800.squirrel@www.nixtra.com> Message-ID: On Jun 6, 2012, at 12:30 AM, "Sigbjorn Lie" wrote: > On Wed, June 6, 2012 00:54, JR Aquino wrote: >> On Jun 5, 2012, at 3:42 PM, Sigbjorn Lie wrote: >> >> >>> On 06/06/2012 12:26 AM, JR Aquino wrote: >>> >>>> On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote: >>>> >>>> >>>>> On 06/05/2012 11:44 PM, JR Aquino wrote: >>>>> >>>>>> On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote: >>>>>> >>>>>> >>>>>>> On 06/05/2012 10:42 PM, Steven Jones wrote: >>>>>>> >>>>>>>> Hi >>>>>>>> >>>>>>>> >>>>>>>> This has bug has pretty much destroyed my IPA deployment.......I had a pretty bad >>>>>>>> memory leak had to reboot every 36 hours...made worse by trying later 6.3? rpms didnt >>>>>>>> fix the leak and it went split brain........2 months and no fix....boy did that open >>>>>>>> up a can of worms..... >>>>>>>> >>>>>>>> :/ >>>>>>>> >>>>>>>> >>>>>>>> In my case I cant see how its churn as I have so few entries (<50) and Im adding no >>>>>>>> more items at present....unless a part of ipa is "replicating and diffing" in the >>>>>>>> background to check consistency? 
>>>>>>>> >>>>>>>> I also have only one way replication now at most, master to replica and no memory >>>>>>>> leak shows in Munin at present......... >>>>>>>> >>>>>>>> but I seem to be faced with a rebuild from scratch....... >>>>>>> Did you do the "max entry cache size" tuning? If you did, what did you set it to? >>>>>>> >>>>>>> >>>>>>> Did you do any other tuning from the 389-ds tuning guide? >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Rgds, >>>>>>> Siggi >>>>>>> >>>>>> When I had similar problems using Feodra (Not Redhat or CentOS) my underlying issues >>>>>> were: managed entries firing off any time an object was updated (every time someone >>>>>> successfully authenticates, kerberos updates the user object, which in turn would touch >>>>>> the mepmanaged entry for the user's private group) Similar things happened when >>>>>> hostgroups were modified... >>>>>> >>>>>> This was further complicated by inefficiencies in the way that slapi-nis was processing >>>>>> the compat pieces for the sudo rules and the netgroups (which are automatically create >>>>>> from every hostgroup) >>>>>> >>>>>> Thus, when memberof fired off, slapi-nis recomputed a great deal of its chunk... >>>>>> >>>>>> >>>>>> After getting those issues resolved, I tuned the max entry cache size. But it took all >>>>>> the fixes to finally resolve the memory creep problem. >>>>>> >>>>>> It is not at all clear to me whether or not the bug fixes for my problem have made it up >>>>>> into Redhat / CentOS though... The slapi-nis versions definitely don't line up between >>>>>> fedora and redhat/centos... >>>>>> >>>>>> Perhaps Nalin Or Rich can speak to some of that. >>>>>> >>>>>> >>>>>> The bug itself was easiest to replicate with _big_ changes like deleting a group that had >>>>>> a great number of members for example, but the symptoms were similar for me were similar >>>>>> for day to date operation resulting in consumption that never freed. 
>>>>>> >>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=771493 >>>>>> >>>>>> >>>>>> Are either of you currently utilizing sudo? >>>>>> >>>>>> >>>>> I read your bug report a while back, and made sure that slapi-nis was disabled. >>>>> >>>>> >>>>> I have tuned my cache size to 256MB. I believe that should be OK as my cache hit ratio sits >>>>> at 97-99% ? >>>>> >>>>> I understand you have a farily large deployment, what cache size are you using? Are you >>>>> using Fedora or Red Hat / CentOS as your production environment? >>>>> >>>>> I do not use sudo with IPA yet, I am planning for doing that later. Is there any issues I >>>>> should be aware of with sudo integration? >>>>> >>>>> Rich/Nalin, >>>>> Was there a bug in managed entries that's been fixed in the current 389-ds versions >>>>> available in Red Hat / CentOS 6? >>>>> >>>>> >>>>> Regards, >>>>> Siggi >>>>> >>>>> >>>> Ya it is true that I do have a large environment, but some of the hurdles that I had to jump >>>> appeared to be ones that weren't related so much to the number of hosts I had, but rather >>>> their amount of activity. I.e. automated single-sign on scripts, people authenticating, >>>> general binds taking place all over... >>>> >>>> I am using Fedora with FreeIPA 2.2 pending a migration to RHEL 6.3 and IPA 2.2 >>>> >>>> >>>> My measurements... 
;) >>>> >>>> >>>> dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >>>> objectClass: top >>>> objectClass: extensibleObject >>>> cn: monitor >>>> database: ldbm database >>>> readonly: 0 >>>> entrycachehits: 904077 >>>> entrycachetries: 923802 >>>> entrycachehitratio: 97 >>>> currententrycachesize: 79607895 >>>> maxentrycachesize: 104857600 >>>> currententrycachecount: 10301 >>>> maxentrycachecount: -1 >>>> dncachehits: 3 >>>> dncachetries: 10302 >>>> dncachehitratio: 0 >>>> currentdncachesize: 1861653 >>>> maxdncachesize: 10485760 >>>> currentdncachecount: 10301 >>>> maxdncachecount: -1 >>>> >>>> >>>> >>> Ok, we have a fair amount of logons happening too with Nagios running lots of ssh connections >>> to the hosts, as well as normal users. Can't really disable that. :) >>> >>> I see your cache size is 100MB, that's less than half of mine. I increased my cache quite a bit >>> as I was advised by Rich about a bug that's not been fixed in RHEL 6.2 version of 389-ds >>> related to when entries in cache is being removed to make room for new cache entries. I was >>> hoping for that issue would go away with a large cache size. >>> >> >> Right, I was advised over the same. Though it sounds like your not hitting your limit and are >> still seeing the memory creep... >> >> This makes me question the other factors. Nagios checking everything (probably every 5 mins?) >> might be a good source of activity... Though I wonder how best to visualize what is taking up the >> memory... >> >> Have you turned on auditing at all? One of the things I was able to deduce from rampant activity >> was based on what I was seeing modified via the audit log. Reoccurring patterns coming in big >> waves... things like that. > > > I have not turned on any expclicit auditing, but I do use SELinux on the IPA servers, and have the > /var/log/audit/audit.log from all the SELinux activity. Is that what you're referring to? > > Yes. 
Most of the Nagios checks are being done every 5 minutes. > > I agree, I'm not sure how to proceed in troubleshooting and finding the memory leak. > > > Rgds, > Siggi > > Sorry no, I mean the 389 sssd audit log. You can enable audit logging on 389 such that you can see every object that is modified, and the content that changed (except for sensitive stuff like passwords). I'm trying to find the doc for enabling it via ldapmodify, all I can find so far is how to use the 389 GUI which isn't a part of the ipa install.

From sigbjorn at nixtra.com Wed Jun 6 13:47:09 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 6 Jun 2012 15:47:09 +0200 (CEST) Subject: [Freeipa-users] 389-ds memory usage In-Reply-To: References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com>, <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FCE71FF.9050803@nixtra.com> <36D5E297-392D-4E2F-B77A-1B044FEF08B5@citrixonline.com> <4FCE8461.5070208@nixtra.com> <0E9EC89F-B2F4-4585-89DE-B3288E827F22@citrixonline.com> <4FCE8B5B.5060504@nixtra.com> , <19696.213.225.75.97.1338967800.squirrel@www.nixtra.com> Message-ID: <26130.213.225.75.97.1338990429.squirrel@www.nixtra.com> On Wed, June 6, 2012 15:15, JR Aquino wrote: > On Jun 6, 2012, at 12:30 AM, "Sigbjorn Lie" wrote: > > >> On Wed, June 6, 2012 00:54, JR Aquino wrote: >> >>> On Jun 5, 2012, at 3:42 PM, Sigbjorn Lie wrote: >>> >>> >>> >>>> On 06/06/2012 12:26 AM, JR Aquino wrote: >>>> >>>> >>>>> On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote: >>>>> >>>>> >>>>> >>>>>> On 06/05/2012 11:44 PM, JR Aquino wrote: >>>>>> >>>>>> >>>>>>> On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>>> On 06/05/2012 10:42 PM, Steven Jones wrote: >>>>>>>> >>>>>>>> >>>>>>>>> Hi >>>>>>>>> >>>>>>>>> >>>>>>>>>
>>>>>>>>> This has bug has pretty much destroyed my IPA deployment.......I had a pretty bad >>>>>>>>> memory leak had to reboot every 36 hours...made worse by trying later 6.3? rpms >>>>>>>>> didnt fix the leak and it went split brain........2 months and no fix....boy did >>>>>>>>> that open up a can of worms..... >>>>>>>>> >>>>>>>>> :/ >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> In my case I cant see how its churn as I have so few entries (<50) and Im adding >>>>>>>>> no more items at present....unless a part of ipa is "replicating and diffing" in >>>>>>>>> the background to check consistency? >>>>>>>>> >>>>>>>>> I also have only one way replication now at most, master to replica and no >>>>>>>>> memory leak shows in Munin at present......... >>>>>>>>> >>>>>>>>> but I seem to be faced with a rebuild from scratch....... >>>>>>>> Did you do the "max entry cache size" tuning? If you did, what did you set it to? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Did you do any other tuning from the 389-ds tuning guide? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Rgds, >>>>>>>> Siggi >>>>>>>> >>>>>>>> >>>>>>> When I had similar problems using Feodra (Not Redhat or CentOS) my underlying issues >>>>>>> were: managed entries firing off any time an object was updated (every time someone >>>>>>> successfully authenticates, kerberos updates the user object, which in turn would >>>>>>> touch the mepmanaged entry for the user's private group) Similar things happened when >>>>>>> hostgroups were modified... >>>>>>> >>>>>>> This was further complicated by inefficiencies in the way that slapi-nis was >>>>>>> processing the compat pieces for the sudo rules and the netgroups (which are >>>>>>> automatically create from every hostgroup) >>>>>>> >>>>>>> Thus, when memberof fired off, slapi-nis recomputed a great deal of its chunk... >>>>>>> >>>>>>> >>>>>>> >>>>>>> After getting those issues resolved, I tuned the max entry cache size. 
But it took >>>>>>> all the fixes to finally resolve the memory creep problem. >>>>>>> >>>>>>> It is not at all clear to me whether or not the bug fixes for my problem have made it >>>>>>> up into Redhat / CentOS though... The slapi-nis versions definitely don't line up >>>>>>> between fedora and redhat/centos... >>>>>>> >>>>>>> Perhaps Nalin Or Rich can speak to some of that. >>>>>>> >>>>>>> >>>>>>> >>>>>>> The bug itself was easiest to replicate with _big_ changes like deleting a group that >>>>>>> had a great number of members for example, but the symptoms were similar for me were >>>>>>> similar for day to date operation resulting in consumption that never freed. >>>>>>> >>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=771493 >>>>>>> >>>>>>> >>>>>>> >>>>>>> Are either of you currently utilizing sudo? >>>>>>> >>>>>>> >>>>>>> >>>>>> I read your bug report a while back, and made sure that slapi-nis was disabled. >>>>>> >>>>>> >>>>>> >>>>>> I have tuned my cache size to 256MB. I believe that should be OK as my cache hit ratio >>>>>> sits at 97-99% ? >>>>>> >>>>>> I understand you have a farily large deployment, what cache size are you using? Are you >>>>>> using Fedora or Red Hat / CentOS as your production environment? >>>>>> >>>>>> I do not use sudo with IPA yet, I am planning for doing that later. Is there any issues >>>>>> I >>>>>> should be aware of with sudo integration? >>>>>> >>>>>> Rich/Nalin, >>>>>> Was there a bug in managed entries that's been fixed in the current 389-ds versions >>>>>> available in Red Hat / CentOS 6? >>>>>> >>>>>> >>>>>> Regards, >>>>>> Siggi >>>>>> >>>>>> >>>>>> >>>>> Ya it is true that I do have a large environment, but some of the hurdles that I had to >>>>> jump appeared to be ones that weren't related so much to the number of hosts I had, but >>>>> rather their amount of activity. I.e. automated single-sign on scripts, people >>>>> authenticating, general binds taking place all over... 
>>>>> >>>>> I am using Fedora with FreeIPA 2.2 pending a migration to RHEL 6.3 and IPA 2.2 >>>>> >>>>> >>>>> >>>>> My measurements... ;) >>>>> >>>>> >>>>> >>>>> dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >>>>> objectClass: top >>>>> objectClass: extensibleObject >>>>> cn: monitor >>>>> database: ldbm database >>>>> readonly: 0 >>>>> entrycachehits: 904077 >>>>> entrycachetries: 923802 >>>>> entrycachehitratio: 97 >>>>> currententrycachesize: 79607895 >>>>> maxentrycachesize: 104857600 >>>>> currententrycachecount: 10301 >>>>> maxentrycachecount: -1 >>>>> dncachehits: 3 >>>>> dncachetries: 10302 >>>>> dncachehitratio: 0 >>>>> currentdncachesize: 1861653 >>>>> maxdncachesize: 10485760 >>>>> currentdncachecount: 10301 >>>>> maxdncachecount: -1 >>>>> >>>>> >>>>> >>>>> >>>> Ok, we have a fair amount of logons happening too with Nagios running lots of ssh >>>> connections to the hosts, as well as normal users. Can't really disable that. :) >>>> >>>> I see your cache size is 100MB, that's less than half of mine. I increased my cache quite a >>>> bit as I was advised by Rich about a bug that's not been fixed in RHEL 6.2 version of 389-ds >>>> related to when entries in cache is being removed to make room for new cache entries. I >>>> was hoping for that issue would go away with a large cache size. >>>> >>> >>> Right, I was advised over the same. Though it sounds like your not hitting your limit and >>> are still seeing the memory creep... >>> >>> This makes me question the other factors. Nagios checking everything (probably every 5 >>> mins?) might be a good source of activity... Though I wonder how best to visualize what is >>> taking up the memory... >>> >>> Have you turned on auditing at all? One of the things I was able to deduce from rampant >>> activity was based on what I was seeing modified via the audit log. Reoccurring patterns >>> coming in big waves... things like that. 
>>
>> I have not turned on any explicit auditing, but I do use SELinux on the IPA servers, and have
>> the /var/log/audit/audit.log from all the SELinux activity. Is that what you're referring to?
>>
>> Yes. Most of the Nagios checks are being done every 5 minutes.
>>
>> I agree, I'm not sure how to proceed in troubleshooting and finding the memory leak.
>>
>> Rgds,
>> Siggi
>>
>
> Sorry no, I mean the 389 sssd audit log. You can enable audit logging on 389 such that you can
> see every object that is modified, and the content that changed (except for sensitive stuff like
> passwords)
>
> I'm trying to find the doc for enabling it via ldapmodify, all I can find so far is how to use
> the 389 GUI which isn't a part of the ipa install.

Ok, thanks. Sounds like something that will slow down 389-ds quite a bit and generate a lot of log output. Is it advisable to enable this on a production system?

Rgds,
Siggi

From jlinoff at tabula.com Wed Jun 6 13:59:30 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Wed, 6 Jun 2012 06:59:30 -0700
Subject: [Freeipa-users] Administration question: root user
Message-ID: <8AD4194C251EC74CB897E261038F447801005C7B@mantaray.tabula.com>

Hi Folks:

I am a newbie so I apologize in advance if this is a silly set of questions. I am using FreeIPA 2.1.3 on CentOS 6.2 and am very happy with it but I have a couple of questions about root access. When I set up my systems, I configured root manually on each of them.

Does it make sense to define the root user in FreeIPA?

Is it desirable from a security and administration perspective?

If it does make sense, is it as simple as adding the "root" user in "ipa user-add"?

Thank you,

Joe

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From sgallagh at redhat.com Wed Jun 6 14:14:48 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 06 Jun 2012 10:14:48 -0400
Subject: [Freeipa-users] Administration question: root user
In-Reply-To: <8AD4194C251EC74CB897E261038F447801005C7B@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F447801005C7B@mantaray.tabula.com>
Message-ID: <1338992088.2523.26.camel@sgallagh520.sgallagh.bos.redhat.com>

On Wed, 2012-06-06 at 06:59 -0700, Joe Linoff wrote:
> Hi Folks:
>
> I am a newbie so I apologize in advance if this is a silly set of
> questions. I am using FreeIPA 2.1.3 on CentOS 6.2 and am very happy
> with it but I have a couple of questions about root access. When I
> setup my systems, I configured root manually on each of them.
>
> Does it make sense to define the root user in FreeIPA?

No, this is unsafe. You always want to be able to log in locally as root if something goes wrong. We specifically exclude 'root' from being managed by SSSD for this reason.

> Is it desirable from a security and administration perspective?

Absolutely not. Your better bet would be to maintain SUDO rules on each of the systems instead.

> If it does make sense, is it as simple as adding the "root" user in
> "ipa user-add"?

Please don't :)

From jlinoff at tabula.com Wed Jun 6 14:17:40 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Wed, 6 Jun 2012 07:17:40 -0700
Subject: [Freeipa-users] Administration question: root user
In-Reply-To: <1338992088.2523.26.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <8AD4194C251EC74CB897E261038F447801005C7B@mantaray.tabula.com> <1338992088.2523.26.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F447801005C7E@mantaray.tabula.com>

Thank you.
I really appreciate your help and for taking the time to answer so quickly. I will NOT manage root through FreeIPA.

Regards,

Joe

-----Original Message-----
From: Stephen Gallagher [mailto:sgallagh at redhat.com]
Sent: Wednesday, June 06, 2012 7:15 AM
To: Joe Linoff
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Administration question: root user

On Wed, 2012-06-06 at 06:59 -0700, Joe Linoff wrote:
> Hi Folks:
>
> I am a newbie so I apologize in advance if this is a silly set of
> questions. I am using FreeIPA 2.1.3 on CentOS 6.2 and am very happy
> with it but I have a couple of questions about root access. When I
> setup my systems, I configured root manually on each of them.
>
> Does it make sense to define the root user in FreeIPA?

No, this is unsafe. You always want to be able to log in locally as root if something goes wrong. We specifically exclude 'root' from being managed by SSSD for this reason.

> Is it desirable from a security and administration perspective?

Absolutely not. Your better bet would be to maintain SUDO rules on each of the systems instead.

> If it does make sense, is it as simple as adding the "root" user in
> "ipa user-add"?

Please don't :)

From whbos at xs4all.nl Wed Jun 6 16:33:26 2012
From: whbos at xs4all.nl (Willem Bos)
Date: Wed, 6 Jun 2012 18:33:26 +0200
Subject: [Freeipa-users] Provision user accounts & groups from external IM
In-Reply-To: <1338986777.8230.288.camel@willson.li.ssimo.org>
References: <20120605091159.GG25726@redhat.com> <20120605105114.GH25726@redhat.com> <1338986777.8230.288.camel@willson.li.ssimo.org>
Message-ID:

Hi Simo,

I totally missed http://www.freeipa.org/page/PasswordSynchronization (and chapter 8.5.3 of the IPA guide :-)

Thanks for pointing it out!

Regards,
Willem.
On Wed, Jun 6, 2012 at 2:46 PM, Simo Sorce wrote:
> On Wed, 2012-06-06 at 14:34 +0200, Willem Bos wrote:
> > Hi Alexander,
> >
> > I did some experimenting with the example at
> > http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
> > and am now able to create a user using the following as input to curl (-d @user_add.json):
> >
> > {
> >   "method":"user_add",
> >   "params":[
> >     [],
> >     {
> >       "uid":"test",
> >       "givenname":"test",
> >       "sn":"test",
> >       "userpassword":"test"
> >     }
> >   ]
> > }
> >
> > I'm left with two questions :
> > - Is it possible to use a hashed password (as stored in the 'meta-IM')
> > as a value for userpassword? And if so, will this propagate to the
> > created Kerberos principal?
>
> Nope, we need the clear text in order to generate the krb5 keys.
>
> > - After creation, I'm forced to change the password when running
> > `kinit test`. Is it possible to prevent the forced password change?
>
> Yes, see: http://www.freeipa.org/page/PasswordSynchronization
>
> > As a test, I tried to set the '-needchange' attribute using kadmin but
> > that returned "... Insufficient access while modifying..."
>
> This is not controlled by kadmin.
>
> > I grepped the mailing list archives / API.txt / source code / etc. for
> > clues but without success...
>
> See above, it is really easy to create an agent with the right
> permissions.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From jlinoff at tabula.com Wed Jun 6 17:59:29 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Wed, 6 Jun 2012 10:59:29 -0700
Subject: [Freeipa-users] Setting up sudo clients
Message-ID: <8AD4194C251EC74CB897E261038F447801005C9F@mantaray.tabula.com>

Hi Folks:

I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS 6.2 but I am running into a problem that I do not know how to debug.
I used the instructions provided here: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example -configuring-sudo.html. The server installation went fine and I even did a sudo client installation on the server which worked well. Unfortunately, when I did the same client setup on another host in the network I got the message: not in sudoers files when I tried to execute a command. Here is the output from /var/log/secure on the client. I didn't see anything strange on the server. The user name is bigbob. Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob) Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls Jun 6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob) Jun 6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob Jun 6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob Jun 6 10:44:10 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd The command "/bin/pwd" is in the sudo commands and in the sudo command group. Any help would be greatly appreciated. Here are the setup steps that I performed on the client. The domain is foo.example.com. 
# CITATION: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example -configuring-sudo.html # ================================================================ # Update /etc/nsswitch.conf # ================================================================ cat >/etc/nsswitch.conf </tmp/x cp /tmp/x /etc/sssd/sssd.conf rm -f /tmp/x service sssd restart # ================================================================ # Create the /etc/nslcd.conf file # ================================================================ ls /etc/nslcd.conf cat >/etc/nslcd.conf < From dpal at redhat.com Wed Jun 6 19:23:24 2012 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 06 Jun 2012 15:23:24 -0400 Subject: [Freeipa-users] Setting up sudo clients In-Reply-To: <8AD4194C251EC74CB897E261038F447801005C9F@mantaray.tabula.com> References: <8AD4194C251EC74CB897E261038F447801005C9F@mantaray.tabula.com> Message-ID: <4FCFAE2C.9050402@redhat.com> On 06/06/2012 01:59 PM, Joe Linoff wrote: > > Hi Folks: > > > > I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS > 6.2 but it I am running into a problem that I do not know how to > debug. I used the instructions provided here: > http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html. > > > > > The server installation went fine and I even did a sudo client > installation on the server which worked well. Unfortunately, when I > did the same client setup on another host in the network I got the > message: not in sudoers files when I tried to execute a command. > > > > Here is the output from /var/log/secure on the client. I didn't see > anything strange on the server. The user name is bigbob. 
>
> Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
> Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
> Jun 6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
> Jun 6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:44:10 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd
>

Looks like the sudo utility is not going over LDAP and tries to find the user in the local file. Can you bind to the LDAP server? Is the firewall port open?

> The command "/bin/pwd" is in the sudo commands and in the sudo command
> group.
>
> Any help would be greatly appreciated.
>
> Here are the setup steps that I performed on the client. The domain is
> foo.example.com.
>
> # CITATION:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
>
> # ================================================================
> # Update /etc/nsswitch.conf
> # ================================================================
> cat >/etc/nsswitch.conf <<EOF
>
> # ================================================================
> # FreeIPA sudo support
> # ================================================================
> sudoers: files ldap
> sudoers_debug: 1
> EOF
>
> # ================================================================
> # Insert this just after the ipa_server line and restart sssd:
> # ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
> # ================================================================
> cat /etc/sssd/sssd.conf | \
> awk '{print $0;if($1=="ipa_server"){printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n");}}' >/tmp/x
> cp /tmp/x /etc/sssd/sssd.conf
> rm -f /tmp/x
> service sssd restart
>
> # ================================================================
> # Create the /etc/nslcd.conf file
> # ================================================================
> ls /etc/nslcd.conf
> cat >/etc/nslcd.conf <<EOF
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
> bindpw pwd/sudo
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://cuthbert.foo.example.com
> sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
> EOF
>
> # ================================================================
> # Set the NIS domain name (even though NIS is not used)
> # ================================================================
> nisdomainname foo.example.com
>
> Thank you,
>
> Joe
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at
redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Jun 6 19:26:15 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 06 Jun 2012 15:26:15 -0400
Subject: [Freeipa-users] token/swipe pass deployments with IPA
In-Reply-To: <4FCF19F2.5030502@themacartneyclan.com>
References: <4FC7C064.6010401@themacartneyclan.com> <4FC7F693.9000909@redhat.com> <4FC86BC1.7050706@themacartneyclan.com> <4FCE8D2E.6010706@redhat.com> <4FCF19F2.5030502@themacartneyclan.com>
Message-ID: <4FCFAED7.407@redhat.com>

On 06/06/2012 04:50 AM, Dale Macartney wrote:
> I was thinking anything along the lines of a physical medium which an
> end user can use to authenticate themselves with. This can be single
> auth or 2FA. I was thinking things like SecurID, smartcards, yubikeys,
> RSA keyfobs, Citrix CAG tokens etc.
>
> If it's on the road map that's fine. I'll keep an eager eye open for the
> integration in the future ;-)

It is. Via AuthHub but any help to make it more usable will be appreciated.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Wed Jun 6 21:08:12 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 6 Jun 2012 21:08:12 +0000
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <1338986380.8230.285.camel@willson.li.ssimo.org>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com> <4F95A1AE.8090704@redhat.com> , <21333.213.225.75.97.1338880480.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3E33@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4FCE71FF.9050803@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3EAF@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4FCE8583.7060906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CCA3F37@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1338986380.8230.285.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCB71D9@STAWINCOX10MBX1.staff.vuw.ac.nz>

Should be installed....will take a look.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Thursday, 7 June 2012 12:39 a.m.
To: Steven Jones
Cc: Sigbjorn Lie; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 389-ds memory usage

On Tue, 2012-06-05 at 22:23 +0000, Steven Jones wrote:
> I started with 2gb but went to 4 gb to try and last overnight and the weekend...might have to go to 8gb to last the weekend....
>
> I also have a frequent failure to start IPA when I do a "service ipa restart" that means I can't cron an over-night restart
>
> And the KDC on the master IPA server seems to die for no reason....

Please install abrtd and provide back info in a bug next time it 'dies'. If the KDC is failing in your specific case we want to know asap so we can fix it. We haven't experienced any KDC failure in ages here.

Simo.
-- Simo Sorce * Red Hat, Inc * New York From pspacek at redhat.com Thu Jun 7 15:27:07 2012 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 07 Jun 2012 17:27:07 +0200 Subject: [Freeipa-users] DNS logs - named.run In-Reply-To: References: <4FC8E389.3000302@redhat.com> Message-ID: <4FD0C84B.7060304@redhat.com> On 06/01/2012 08:17 PM, Jimmy wrote: > Our DNS topology is a very simple, out of the box, FreeIPA config. Our systems > are configured to run independently at completely disparate locations, so > there is very little to the topology besides forward and reverse zones for the > networks served at each site. There are no slaves, and this is the only zone > that has this issue. This is logged in the file /var/named/data/named.run . > DNS has not been modified directly through ldap, only through IPA interfaces. > > Thanks, > Jimmy > > Currently I could completely rebuild the system and push out the new config to > the sites, but if there is some way to fix this on a running server or get > more debug info to the maillist to possibly find the fix I would greatly > prefer that. I found the bug in bind-dyndb-ldap. This error message is logged only for zones without idnsUpdatePolicy attribute, right? There is a ticket for that problem. https://fedorahosted.org/bind-dyndb-ldap/ticket/79 Workaround: Define idnsUpdatePolicy attribute (e.g. "grant E.EXAMPLE krb5-self * A;") and set idnsAllowDynUpdate to FALSE. Dynamic updates will remain disabled and error message will not be logged. Thanks for reporting the bug. Petr^2 Spacek > > On Fri, Jun 1, 2012 at 11:45 AM, Petr Spacek > wrote: > > On 05/31/2012 07:24 PM, Jimmy wrote: > > This message repeats numerous times per minute: > > zone myzone.info/IN : zone serial (2012150501 > ) unchanged. zone may fail > to transfer to slaves. 
>
> I even went into the admin page and changed the serial manually to see
> if I could get past the message but it just changed the message to
> this:
>
> zone myzone.info/IN : zone serial (2012150502) unchanged. zone may fail
> to transfer to slaves.
>
> Why does IPA report this?
>
> Thanks.
>
>
> Hello,
>
> can you describe your DNS topology?
> Where is it logged?
> Is it on a *slave* server?
> How to reproduce it?
>
> Current IPA doesn't maintain SOA serial number for updates made directly
> in LDAP (but nsupdate works). Zone transfers are totally broken for that
> reason.
>
> Fix is on the roadmap: We are discussing how to solve this problem in
> thread
> https://www.redhat.com/__archives/freeipa-devel/2012-__May/msg00044.html
> .
>
> Petr^2 Spacek
>
> _________________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/__mailman/listinfo/freeipa-users
>
>

From Steven.Jones at vuw.ac.nz Thu Jun 7 20:47:48 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 7 Jun 2012 20:47:48 +0000
Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCC0A20@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I am trying to fix an ongoing problem with IPA and find that I cannot remove a replica from the domain... Screenshot attached...

I also find that running a host del doesn't work and there is residual info in an ldif output of that replica...this then stops a bare metal rebuild of the replica being rejoined to the domain. If I change the name and IP however it can be a replica....

ideas please?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot-3.png Type: image/png Size: 528966 bytes Desc: Screenshot-3.png URL: From ian at crystal.harvard.edu Thu Jun 7 21:03:11 2012 From: ian at crystal.harvard.edu (Ian Levesque) Date: Thu, 7 Jun 2012 17:03:11 -0400 Subject: [Freeipa-users] Serving RFC2307 to OS X clients Message-ID: <9CABE934-32BB-4567-B341-BA734ECEF4D4@crystal.harvard.edu> Hello, I've read that the schema compatibility plugin should provide a vanilla RFC 2307 view of groups with memberUid attributes. I need this for our OS X clients, which don't seem capable of understanding the RFC 2307bis format of member DNs. So, I enabled the plugin using `ipa-compat-manage enable` and ensured it's loaded via `ipa-compat-manage status`. I restarted the directory server. However, I don't get memberUid attributes. I've seen some docs that say "cn=compat" should be added to the default base, but that returns nothing: ldapsearch -LLL -x -h sbgrid-directory -b cn=groups,cn=accounts,cn=compat,dc=sbgrid,dc=org cn=builders No such object (32) Matched DN: dc=sbgrid,dc=org When I search the default base, things look unchanged (obviously, no memberUid here): ldapsearch -LLL -x -h sbgrid-directory -b cn=groups,cn=accounts,dc=sbgrid,dc=org cn=builders | grep member member: uid=ian,cn=users,cn=accounts,dc=sbgrid,dc=org I seem to remember when I first setup the FreeIPA server, there *was* a cn=compat tree... did disabling it at some point cause it to stop working? Best, Ian From Steven.Jones at vuw.ac.nz Thu Jun 7 21:10:16 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 7 Jun 2012 21:10:16 +0000 Subject: [Freeipa-users] running ipa-server-install --uninstall hangs In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCC0A20@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CCC0A20@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCC0A4C@STAWINCOX10MBX1.staff.vuw.ac.nz> This is the uninstall log. 
=============
[root at vuwunicoipam005 log]# tail ipaserver-uninstall.log
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 191, in start
    self.service.start(instance_name, capture_output=capture_output)
  File "/usr/lib/python2.6/site-packages/ipapython/platform/redhat.py", line 44, in start
    ipautil.run(["/sbin/service", self.service_name, "start", instance_name], capture_output=capture_output)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 273, in run
    raise CalledProcessError(p.returncode, args)
[root at vuwunicoipam005 log]#
============

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Friday, 8 June 2012 8:47 a.m.
Cc: freeipa-users at redhat.com
Subject: [Freeipa-users] running ipa-server-install --uninstall hangs

Hi,

I am trying to fix an ongoing problem with IPA and find that I cannot remove a replica from the domain... Screenshot attached...

I also find that running a host del doesn't work and there is residual info in an ldif output of that replica...this then stops a bare metal rebuild of the replica being rejoined to the domain. If I change the name and IP however it can be a replica....

ideas please?
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From Steven.Jones at vuw.ac.nz Thu Jun 7 21:13:49 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 7 Jun 2012 21:13:49 +0000 Subject: [Freeipa-users] running ipa-server-install --uninstall hangs In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCC0A20@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CCC0A20@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCC0A59@STAWINCOX10MBX1.staff.vuw.ac.nz> NB ipam005 is the renamed ipam002, which despite trying to remove seems to have residual info in the ldif output eg., ========== [root at vuwunicoipam005 slapd-ODS-VUW-AC-NZ]# grep ipam002 userroot.ldif defaultServerList: vuwunicoipam001.ods.vuw.ac.nz vuwunicoipam002.ods.vuw.ac.nz dn: cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc=vuw,dc cn: vuwunicoipam002.ods.vuw.ac.nz dn: cn=KDC,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc dn: cn=KPASSWD,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=od dn: cn=HTTP,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,d dn: cn=DNS,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc dn: dnaHostname=vuwunicoipam002.ods.vuw.ac.nz+dnaPortNum=389,cn=posix-ids,cn=d dnahostname: vuwunicoipam002.ods.vuw.ac.nz nSRecord: vuwunicoipam002.ods.vuw.ac.nz. pTRRecord: vuwunicoipam002.ods.vuw.ac.nz. [root at vuwunicoipam005 slapd-ODS-VUW-AC-NZ]# ========== I expected a zero return? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Friday, 8 June 2012 8:47 a.m. 
Cc: freeipa-users at redhat.com
Subject: [Freeipa-users] running ipa-server-install --uninstall hangs

Hi,

I am trying to fix an ongoing problem with IPA and find that I cannot remove a replica from the domain... Screenshot attached...

I also find that running a host del doesn't work and there is residual info in an ldif output of that replica...this then stops a bare metal rebuild of the replica being rejoined to the domain. If I change the name and IP however it can be a replica....

ideas please?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From nalin at redhat.com Thu Jun 7 21:27:37 2012
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Thu, 7 Jun 2012 17:27:37 -0400
Subject: [Freeipa-users] Serving RFC2307 to OS X clients
In-Reply-To: <9CABE934-32BB-4567-B341-BA734ECEF4D4@crystal.harvard.edu>
References: <9CABE934-32BB-4567-B341-BA734ECEF4D4@crystal.harvard.edu>
Message-ID: <20120607212737.GD8859@redhat.com>

On Thu, Jun 07, 2012 at 05:03:11PM -0400, Ian Levesque wrote:
> Hello,
>
> I've read that the schema compatibility plugin should provide a vanilla RFC 2307 view of groups with memberUid attributes. I need this for our OS X clients, which don't seem capable of understanding the RFC 2307bis format of member DNs.
>
> So, I enabled the plugin using `ipa-compat-manage enable` and ensured it's loaded via `ipa-compat-manage status`. I restarted the directory server.
>
> However, I don't get memberUid attributes. I've seen some docs that say "cn=compat" should be added to the default base, but that returns nothing:
>
> ldapsearch -LLL -x -h sbgrid-directory -b cn=groups,cn=accounts,cn=compat,dc=sbgrid,dc=org cn=builders
> No such object (32)
> Matched DN: dc=sbgrid,dc=org

Try using "cn=groups,cn=compat,dc=sbgrid,dc=org" as the search base. We don't put a "cn=accounts" container under cn=compat by default.
HTH, Nalin From ian at crystal.harvard.edu Thu Jun 7 21:34:58 2012 From: ian at crystal.harvard.edu (Ian Levesque) Date: Thu, 7 Jun 2012 17:34:58 -0400 Subject: [Freeipa-users] Serving RFC2307 to OS X clients In-Reply-To: <20120607212737.GD8859@redhat.com> References: <9CABE934-32BB-4567-B341-BA734ECEF4D4@crystal.harvard.edu> <20120607212737.GD8859@redhat.com> Message-ID: <2B9ADC16-3616-4E9E-BA8C-739BB09083D5@crystal.harvard.edu> On Jun 7, 2012, at 5:27 PM, Nalin Dahyabhai wrote: > On Thu, Jun 07, 2012 at 05:03:11PM -0400, Ian Levesque wrote: >> Hello, >> >> I've read that the schema compatibility plugin should provide a vanilla RFC 2307 view of groups with memberUid attributes. I need this for our OS X clients, which don't seem capable of understanding the RFC 2307bis format of member DNs. >> >> So, I enabled the plugin using `ipa-compat-manage enable` and ensured it's loaded via `ipa-compat-manage status`. I restarted the directory server. >> >> However, I don't get memberUid attributes. I've seen some docs that say "cn=compat" should be added to the default base, but that returns nothing: >> >> ldapsearch -LLL -x -h sbgrid-directory -b cn=groups,cn=accounts,cn=compat,dc=sbgrid,dc=org cn=builders >> No such object (32) >> Matched DN: dc=sbgrid,dc=org > > Try using "cn=groups,cn=compat,dc=sbgrid,dc=org" as the search base. We > don't put a "cn=accounts" container under cn=compat by default. 
Hi Nalin - thanks for the tip; unfortunately, there doesn't appear to be anything in cn=compat: # ldapsearch -LLL -x -h sbgrid-directory -b cn=groups,cn=compat,dc=sbgrid,dc=org No such object (32) Matched DN: dc=sbgrid,dc=org # ldapsearch -LLL -x -h sbgrid-directory -b cn=compat,dc=sbgrid,dc=org No such object (32) Matched DN: dc=sbgrid,dc=org Best regards, Ian From nalin at redhat.com Thu Jun 7 21:44:16 2012 From: nalin at redhat.com (Nalin Dahyabhai) Date: Thu, 7 Jun 2012 17:44:16 -0400 Subject: [Freeipa-users] Serving RFC2307 to OS X clients In-Reply-To: <2B9ADC16-3616-4E9E-BA8C-739BB09083D5@crystal.harvard.edu> References: <9CABE934-32BB-4567-B341-BA734ECEF4D4@crystal.harvard.edu> <20120607212737.GD8859@redhat.com> <2B9ADC16-3616-4E9E-BA8C-739BB09083D5@crystal.harvard.edu> Message-ID: <20120607214416.GE8859@redhat.com> On Thu, Jun 07, 2012 at 05:34:58PM -0400, Ian Levesque wrote: > # ldapsearch -LLL -x -h sbgrid-directory -b cn=compat,dc=sbgrid,dc=org > No such object (32) > Matched DN: dc=sbgrid,dc=org This result suggests that the plugin isn't running. Can you double-check by searching (as either the directory administrator or the IPA administrator) to verify that the plugin is enabled and configured to serve up group information? 
The search looks like: kinit admin ldapsearch -h sbgrid-directory -Y GSSAPI \ -b "cn=Schema Compatibility,cn=plugins,cn=config" \ nsslapd-pluginEnabled The results should look like this: dn: cn=Schema Compatibility,cn=plugins,cn=config nsslapd-pluginEnabled: off dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config If you drill down and read the whole cn=groups configuration entry, it should look like this: dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config schema-compat-entry-attribute: objectclass=posixGroup schema-compat-entry-attribute: gidNumber=%{gidNumber} schema-compat-entry-attribute: memberUid=%{memberUid} schema-compat-entry-attribute: memberUid=%deref_r("member","uid") cn: groups objectClass: top objectClass: extensibleObject schema-compat-search-filter: objectclass=posixGroup schema-compat-container-rdn: cn=groups schema-compat-entry-rdn: cn=%{cn} schema-compat-search-base: cn=groups, cn=accounts, dc=sbgrid,dc=org schema-compat-container-group: cn=compat, dc=sbgrid,dc=org HTH, Nalin From nalin at redhat.com Thu Jun 7 21:46:24 2012 From: nalin at redhat.com (Nalin Dahyabhai) Date: Thu, 7 Jun 2012 17:46:24 -0400 Subject: [Freeipa-users] Serving RFC2307 to OS X clients In-Reply-To: <20120607214416.GE8859@redhat.com> References: <9CABE934-32BB-4567-B341-BA734ECEF4D4@crystal.harvard.edu> <20120607212737.GD8859@redhat.com> <2B9ADC16-3616-4E9E-BA8C-739BB09083D5@crystal.harvard.edu> <20120607214416.GE8859@redhat.com> Message-ID: <20120607214624.GF8859@redhat.com> On Thu, Jun 07, 2012 at 05:44:16PM -0400, Nalin Dahyabhai wrote: > The results should look like this: > > dn: cn=Schema Compatibility,cn=plugins,cn=config > nsslapd-pluginEnabled: off Yeah, that second line should be "nsslapd-pluginEnabled: on". 
*facepalm*

Nalin

From ian at crystal.harvard.edu Thu Jun 7 21:56:14 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Thu, 7 Jun 2012 17:56:14 -0400
Subject: [Freeipa-users] Serving RFC2307 to OS X clients
In-Reply-To: <20120607214416.GE8859@redhat.com>
References: <9CABE934-32BB-4567-B341-BA734ECEF4D4@crystal.harvard.edu> <20120607212737.GD8859@redhat.com> <2B9ADC16-3616-4E9E-BA8C-739BB09083D5@crystal.harvard.edu> <20120607214416.GE8859@redhat.com>
Message-ID:

On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:

> ldapsearch -h sbgrid-directory -Y GSSAPI \
> -b "cn=Schema Compatibility,cn=plugins,cn=config" \
> nsslapd-pluginEnabled
>
> The results should look like this:
>
> dn: cn=Schema Compatibility,cn=plugins,cn=config
> nsslapd-pluginEnabled: off
>
> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>
> dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
>
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

Hmm, I only get this:

dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config

This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2

Thanks again,
Ian

From rcritten at redhat.com Thu Jun 7 22:01:38 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 Jun 2012 18:01:38 -0400
Subject: [Freeipa-users] Serving RFC2307 to OS X clients
In-Reply-To:
References: <9CABE934-32BB-4567-B341-BA734ECEF4D4@crystal.harvard.edu> <20120607212737.GD8859@redhat.com> <2B9ADC16-3616-4E9E-BA8C-739BB09083D5@crystal.harvard.edu> <20120607214416.GE8859@redhat.com>
Message-ID: <4FD124C2.30406@redhat.com>

Ian Levesque wrote:
>
> On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:
>
>> ldapsearch -h sbgrid-directory -Y GSSAPI \
>> -b "cn=Schema Compatibility,cn=plugins,cn=config" \
>> nsslapd-pluginEnabled
>>
>> The results should look like this:
>>
>> dn: cn=Schema Compatibility,cn=plugins,cn=config
>> nsslapd-pluginEnabled: off
>>
>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>>
>> dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
>>
>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>
>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>
>
>
> Hmm, I only get this:
>
> dn: cn=Schema Compatibility,cn=plugins,cn=config
> nsslapd-pluginEnabled: on
>
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>
> This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2
>
> Thanks again,
> Ian

What does ipa-compat-manage status say?

rob

From rcritten at redhat.com Thu Jun 7 22:04:22 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 Jun 2012 18:04:22 -0400
Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCC0A59@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCC0A20@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCC0A59@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FD12566.2030302@redhat.com>

It is hanging because the dirsrv instance isn't starting. Check for AVCs, /var/log/messages, dmesg, /var/log/dirsrv/slapd-YOURINSTANCE/errors to see if any errors are being reported.
Steven Jones wrote:
> NB ipam005 is the renamed ipam002, which despite trying to remove seems to have residual info in the ldif output eg.,
>
> ==========
> [root at vuwunicoipam005 slapd-ODS-VUW-AC-NZ]# grep ipam002 userroot.ldif
> defaultServerList: vuwunicoipam001.ods.vuw.ac.nz vuwunicoipam002.ods.vuw.ac.nz
> dn: cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc=vuw,dc
> cn: vuwunicoipam002.ods.vuw.ac.nz
> dn: cn=KDC,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
> dn: cn=KPASSWD,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=od
> dn: cn=HTTP,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,d
> dn: cn=DNS,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
> dn: dnaHostname=vuwunicoipam002.ods.vuw.ac.nz+dnaPortNum=389,cn=posix-ids,cn=d
> dnahostname: vuwunicoipam002.ods.vuw.ac.nz
> nSRecord: vuwunicoipam002.ods.vuw.ac.nz.
> pTRRecord: vuwunicoipam002.ods.vuw.ac.nz.

The server wasn't uninstalled, right? Why wouldn't these still be there.

rob

> [root at vuwunicoipam005 slapd-ODS-VUW-AC-NZ]#
> ==========
>
> I expected a zero return?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Friday, 8 June 2012 8:47 a.m.
> Cc: freeipa-users at redhat.com
> Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
>
> Hi,
>
> I am trying to fix an ongoing problem with IPA and find that I cannot remove a replica from the domain...
>
> Screenshot attached...
>
> I also find that running a host del doesn't work and there is residual info in an ldif output of that replica...this then stops a bare metal rebuild of the replica being rejoined to the domain. If I change the name and IP however it can be a replica....
>
> ideas please?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Thu Jun 7 22:19:06 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 7 Jun 2012 22:19:06 +0000
Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
In-Reply-To: <4FD12566.2030302@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CCC0A20@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCC0A59@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD12566.2030302@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCC0AB0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I must not be getting it.

If I am un-installing and the dirsrv has been stopped as part of that process, why does it need to restart if I'm uninstalling?

If I run a host del shouldn't that remove all residual info for the ex-replica in the db?

Alternatively how do I clean up so I can get the replica to rejoin the domain?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Friday, 8 June 2012 10:04 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] running ipa-server-install --uninstall hangs

It is hanging because the dirsrv instance isn't starting. Check for AVCs, /var/log/messages, dmesg, /var/log/dirsrv/slapd-YOURINSTANCE/errors to see if any errors are being reported.
Steven Jones wrote:
> NB ipam005 is the renamed ipam002, which despite trying to remove seems to have residual info in the ldif output eg.,
>
> ==========
> [root at vuwunicoipam005 slapd-ODS-VUW-AC-NZ]# grep ipam002 userroot.ldif
> defaultServerList: vuwunicoipam001.ods.vuw.ac.nz vuwunicoipam002.ods.vuw.ac.nz
> dn: cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc=vuw,dc
> cn: vuwunicoipam002.ods.vuw.ac.nz
> dn: cn=KDC,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
> dn: cn=KPASSWD,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=od
> dn: cn=HTTP,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,d
> dn: cn=DNS,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
> dn: dnaHostname=vuwunicoipam002.ods.vuw.ac.nz+dnaPortNum=389,cn=posix-ids,cn=d
> dnahostname: vuwunicoipam002.ods.vuw.ac.nz
> nSRecord: vuwunicoipam002.ods.vuw.ac.nz.
> pTRRecord: vuwunicoipam002.ods.vuw.ac.nz.

The server wasn't uninstalled, right? Why wouldn't these still be there.

rob

> [root at vuwunicoipam005 slapd-ODS-VUW-AC-NZ]#
> ==========
>
> I expected a zero return?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Friday, 8 June 2012 8:47 a.m.
> Cc: freeipa-users at redhat.com
> Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
>
> Hi,
>
> I am trying to fix an ongoing problem with IPA and find that I cannot remove a replica from the domain...
>
> Screenshot attached...
>
> I also find that running a host del doesn't work and there is residual info in an ldif output of that replica...this then stops a bare metal rebuild of the replica being rejoined to the domain. If I change the name and IP however it can be a replica....
>
> ideas please?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272

From ian at crystal.harvard.edu Thu Jun 7 22:24:13 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Thu, 7 Jun 2012 18:24:13 -0400
Subject: [Freeipa-users] Serving RFC2307 to OS X clients
In-Reply-To: <4FD124C2.30406@redhat.com>
References: <9CABE934-32BB-4567-B341-BA734ECEF4D4@crystal.harvard.edu> <20120607212737.GD8859@redhat.com> <2B9ADC16-3616-4E9E-BA8C-739BB09083D5@crystal.harvard.edu> <20120607214416.GE8859@redhat.com> <4FD124C2.30406@redhat.com>
Message-ID: <6E0CA23D-4D84-4B2E-AE6F-4DE3C349EAC4@crystal.harvard.edu>

On Jun 7, 2012, at 6:01 PM, Rob Crittenden wrote:

> What does ipa-compat-manage status say?

Plugin Enabled

~irl

From nalin at redhat.com Thu Jun 7 22:46:48 2012
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Thu, 7 Jun 2012 18:46:48 -0400
Subject: [Freeipa-users] Serving RFC2307 to OS X clients
In-Reply-To:
References: <9CABE934-32BB-4567-B341-BA734ECEF4D4@crystal.harvard.edu> <20120607212737.GD8859@redhat.com> <2B9ADC16-3616-4E9E-BA8C-739BB09083D5@crystal.harvard.edu> <20120607214416.GE8859@redhat.com>
Message-ID: <20120607224648.GH8859@redhat.com>

On Thu, Jun 07, 2012 at 05:56:14PM -0400, Ian Levesque wrote:
> On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:
>
> > ldapsearch -h sbgrid-directory -Y GSSAPI \
> > -b "cn=Schema Compatibility,cn=plugins,cn=config" \
> > nsslapd-pluginEnabled
> >
> > The results should look like this:
> >
> > dn: cn=Schema Compatibility,cn=plugins,cn=config
> > nsslapd-pluginEnabled: off
> >
> > dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> >
> > dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
> >
> > dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> >
> > dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>
> Hmm, I only get this:
>
> dn: cn=Schema Compatibility,cn=plugins,cn=config
> nsslapd-pluginEnabled: on
>
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>
> This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2

I don't have an explanation for how it got that way, but you're missing some entries, and that probably explains why you don't see compat data for groups.

I'm attaching the LDIF for these entries from my test server, with the suffix changed from the one I'm using to yours. The 'cn=users', 'cn=groups', and 'cn=ng' entries should be accepted without issue by 'ldapadd -c', but it will balk at the 'cn=sudoers' entry, since you already have one.

Normally that'd be the right thing, but if your 'cn=sudoers' entry looks different from the one in the LDIF file, you may want to change it as well by using 'ldapmodify'.

HTH,

Nalin

-------------- next part --------------
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=nisNetgroup
schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn")
schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\
 ",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHo
 st\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\
 \\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\
 \\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\
 ",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\
 \\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r
 (\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\
 ")","-"),%{nisDomainName:-})
schema-compat-check-access: yes
cn: ng
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: (objectclass=ipaNisNetgroup)
schema-compat-container-rdn: cn=ng
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=ng, cn=alt, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=sudoRole
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{ex
 ternalUser}")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der
 ef_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der
 ef_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)
 ))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\
 "uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%d
 eref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%de
 ref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{ex
 ternalHost}")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der
 ef_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der
 ef_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEn
 try)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"
 fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de
 ref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntr
 y))\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de
 ref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%d
 eref(\"memberAllowCmd\",\"sudoCmd\")")
schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%d
 eref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")
schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd")
schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member",
 "sudoCmd")
schema-compat-entry-attribute: sudoRunAsUser=%{ipaSudoRunAsExtUser}
schema-compat-entry-attribute: sudoRunAsUser=%deref("ipaSudoRunAs","uid")
schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory",
 "all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")
 ")
schema-compat-entry-attribute: sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(o
 bjectclass=posixGroup)","cn")
cn: sudoers
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE
 ))(!(ipaEnabledFlag=FALSE)))
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=sudorules, cn=sudo, dc=sbgrid,dc=org
schema-compat-container-group: ou=SUDOers, dc=sbgrid,dc=org

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=posixAccount
schema-compat-entry-attribute: gecos=%{cn}
schema-compat-entry-attribute: cn=%{cn}
schema-compat-entry-attribute: uidNumber=%{uidNumber}
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: loginShell=%{loginShell}
schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
cn: users
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: objectclass=posixAccount
schema-compat-container-rdn: cn=users
schema-compat-entry-rdn: uid=%{uid}
schema-compat-search-base: cn=users, cn=accounts, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

From Steven.Jones at vuw.ac.nz Thu Jun 7 23:13:09 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 7 Jun 2012 23:13:09 +0000
Subject: [Freeipa-users] ipa server is not version 2 error
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCC0AE9@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I am getting this while trying to join a new client to an IPA domain.

um?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-not-v2-error-01.jpeg
Type: image/jpeg
Size: 14425 bytes
Desc: ipa-not-v2-error-01.jpeg

From ian at crystal.harvard.edu Thu Jun 7 23:34:35 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Thu, 7 Jun 2012 19:34:35 -0400
Subject: [Freeipa-users] Serving RFC2307 to OS X clients
In-Reply-To: <20120607224648.GH8859@redhat.com>
References: <9CABE934-32BB-4567-B341-BA734ECEF4D4@crystal.harvard.edu> <20120607212737.GD8859@redhat.com> <2B9ADC16-3616-4E9E-BA8C-739BB09083D5@crystal.harvard.edu> <20120607214416.GE8859@redhat.com> <20120607224648.GH8859@redhat.com>
Message-ID: <4D79D473-506E-4C9D-98E5-9A75F7428E28@crystal.harvard.edu>

On Jun 7, 2012, at 6:46 PM, Nalin Dahyabhai wrote:

> On Thu, Jun 07, 2012 at 05:56:14PM -0400, Ian Levesque wrote:
>> On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:
>>
>>> ldapsearch -h sbgrid-directory -Y GSSAPI \
>>> -b "cn=Schema Compatibility,cn=plugins,cn=config" \
>>> nsslapd-pluginEnabled
>>>
>>> The results should look like this:
>>>
>>> dn: cn=Schema Compatibility,cn=plugins,cn=config
>>> nsslapd-pluginEnabled: off
>>>
>>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>>>
>>> dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
>>>
>>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>>
>>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>
>> Hmm, I only get this:
>>
>> dn: cn=Schema Compatibility,cn=plugins,cn=config
>> nsslapd-pluginEnabled: on
>>
>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>
>> This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2
>
> I don't have an explanation for how it got that way, but you're missing
> some entries, and that probably explains why you don't see compat data
> for groups.
>
> I'm attaching the LDIF for these entries from my test server, with the
> suffix changed from the one I'm using to yours. The 'cn=users',
> 'cn=groups', and 'cn=ng' entries should be accepted without issue by
> 'ldapadd -c', but it will balk at the 'cn=sudoers' entry, since you
> already have one.
>
> Normally that'd be the right thing, but if your 'cn=sudoers' entry looks
> different from the one in the LDIF file, you may want to change it as
> well by using 'ldapmodify'.

Hi Nalin,

Well, that fixed it. I'd love to know what caused this but am grateful indeed for your help.

Cheers,
Ian

From tomoyo at cam34.endjunk.com Fri Jun 8 01:22:59 2012
From: tomoyo at cam34.endjunk.com (Cam McK)
Date: Fri, 8 Jun 2012 11:22:59 +1000
Subject: [Freeipa-users] HBAC rule refreshes and read-only slaves
Message-ID:

Hello

Thanks for an awesome product! I have two questions that I can't seem to find answers for...

1). How long is the delay between changing a HBAC rule and it coming into effect on the host machine? Currently this information only seems to be updated on the host after a 'service sssd reload/restart'. Also, are the HBAC access rules stored within the LDAP Directory?

2). We would also like to use FreeIPA in a trusted network but then have perhaps a read-only slave sitting in the DMZ with the possibility of not containing the KDC or LDAP password stores on it; is this possible? (Basically authentication being done by a different PAM module, but pam_sss.so still allowing HBAC via the PAM 'account' directive.)

Is it possible to have a 'regular' LDAP directory (in the DMZ) just slurping down the required LDAP info?

Many Thanks
Campbell
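Added here as an example, not code from the thread or from FreeIPA: a checker for the Schema Compatibility configuration discussed in the "Serving RFC2307 to OS X clients" thread above. It reads the LDIF that Nalin's ldapsearch prints (assumed to have been saved to a file first; the two sample outputs below are constructed), undoes RFC 2849 line folding, and reports the enabled flag, the missing child entries Ian was hitting, and any search base or container group still pointing at a foreign suffix after importing someone else's LDIF.

```python
"""Check a FreeIPA Schema Compatibility plugin configuration from LDIF.

Added example; not code from the thread or from FreeIPA. Feed it the
output of (assumed, as in the thread):

    ldapsearch -Y GSSAPI -b "cn=Schema Compatibility,cn=plugins,cn=config"
"""
from collections import defaultdict

PLUGIN_DN = "cn=Schema Compatibility,cn=plugins,cn=config"
EXPECTED_CHILDREN = ("users", "groups", "ng", "sudoers")
# DN-valued attributes every fully fetched child must carry, under the suffix.
DN_ATTRS = ("schema-compat-search-base", "schema-compat-container-group")


def normalize_dn(dn):
    """Lower-case a DN and drop the spaces after commas ('cn=a, dc=b')."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return {normalized_dn: {attr_lowercase: [values]}} for an LDIF string.

    RFC 2849 folding is undone first: a line beginning with one space
    continues the previous line. Comments are skipped; '::' (base64)
    values are kept encoded because this check never needs them.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = {}, None, None
    for line in unfolded + [""]:          # sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = dict(attrs)
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: base64' form
            value = value[1:]
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn, attrs = normalize_dn(value), defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    return entries


def check_compat_config(ldif_text, suffix):
    """Summarise: {'enabled': bool, 'missing': [children], 'problems': [str]}."""
    entries = parse_ldif(ldif_text)
    plugin = entries.get(normalize_dn(PLUGIN_DN), {})
    enabled = [v.lower() for v in plugin.get("nsslapd-pluginenabled", [])] == ["on"]
    missing, problems = [], []
    for child in EXPECTED_CHILDREN:
        entry = entries.get(normalize_dn("cn=%s,%s" % (child, PLUGIN_DN)))
        if entry is None:
            missing.append(child)
            continue
        if not any(a.startswith("schema-compat-") for a in entry):
            continue      # only the dn was requested; nothing more to validate
        for attr in DN_ATTRS:
            values = entry.get(attr)
            if not values:
                problems.append("%s: missing %s" % (child, attr))
            elif not normalize_dn(values[0]).endswith(normalize_dn(suffix)):
                problems.append("%s: %s is %r, not under %s"
                                % (child, attr, values[0], suffix))
    return {"enabled": enabled, "missing": missing, "problems": problems}


# Constructed sample 1: the output Ian reported (plugin on, only cn=sudoers).
SAMPLE_IAN = """\
dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
"""

# Constructed sample 2: all four children; cn=groups fetched in full with one
# folded line, cn=users still carrying a test server's suffix.
SAMPLE_FULL = """\
dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%deref_r("member",
 "uid")
schema-compat-search-base: cn=groups, cn=accounts, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=posixAccount
schema-compat-search-base: cn=users, cn=accounts, dc=example,dc=com
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org
"""

if __name__ == "__main__":
    for label, sample in (("ian", SAMPLE_IAN), ("full", SAMPLE_FULL)):
        print(label, check_compat_config(sample, "dc=sbgrid,dc=org"))
```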
From Steven.Jones at vuw.ac.nz Fri Jun 8 01:37:07 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 8 Jun 2012 01:37:07 +0000
Subject: [Freeipa-users] HBAC rule refreshes and read-only slaves
In-Reply-To:
References:
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCC2BD1@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

1) HBAC update, I've never seen a delay.....so seems to be a few seconds.....so I'm not sure why you need to restart sssd.

2) I also think I have asked on that.....not sure what you are aiming to achieve/mean....with having no kdc / ldap stores. I'd like a read only slave capability for out in the dmz...and possibly only export certain groups from the read/write out to the slave....but maybe I'm being overly paranoid....but I think AD2008r2? can do that.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Cam McK [tomoyo at cam34.endjunk.com]
Sent: Friday, 8 June 2012 1:22 p.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] HBAC rule refreshes and read-only slaves

Hello

Thanks for an awesome product! I have two questions that I can't seem to find answers for...

1). How long is the delay between changing a HBAC rule and it coming into effect on the host machine? Currently this information only seems to be updated on the host after a 'service sssd reload/restart'. Also, are the HBAC access rules stored within the LDAP Directory?

2). We would also like to use FreeIPA in a trusted network but then have perhaps a read-only slave sitting in the DMZ with the possibility of not containing the KDC or LDAP password stores on it; is this possible? (Basically authentication being done by a different PAM module, but pam_sss.so still allowing HBAC via the PAM 'account' directive.)

Is it possible to have a 'regular' LDAP directory (in the DMZ) just slurping down the required LDAP info?

Many Thanks
Campbell

From rcritten at redhat.com Fri Jun 8 03:02:42 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 Jun 2012 23:02:42 -0400
Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCC0AB0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCC0A20@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCC0A59@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD12566.2030302@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCC0AB0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FD16B52.1090401@redhat.com>

Steven Jones wrote:
> Hi,
>
> I must not be getting it.
>
> If I am un-installing and the dirsrv has been stopped as part of that process, why does it need to restart if I'm uninstalling?

Because it needs to stop all the IPA services. The list of services is stored in LDAP.

> If I run a host del shouldn't that remove all residual info for the ex-replica in the db?

No. It does not remove DNS records or replication agreements.

> Alternatively how do I clean up so I can get the replica to rejoin the domain?

Your best bet is to figure out why the dirsrv instance won't start. Trying to remove and restore everything manually can be a lot of work. Figuring out why dirsrv won't start is likely the path of least resistance.

rob

> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Friday, 8 June 2012 10:04 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] running ipa-server-install --uninstall hangs
>
> It is hanging because the dirsrv instance isn't starting. Check for
> AVCs, /var/log/messages, dmesg,
> /var/log/dirsrv/slapd-YOURINSTANCE/errors to see if any errors are being
> reported.
>
> Steven Jones wrote:
>> NB ipam005 is the renamed ipam002, which despite trying to remove seems to have residual info in the ldif output eg.,
>>
>> ==========
>> [root at vuwunicoipam005 slapd-ODS-VUW-AC-NZ]# grep ipam002 userroot.ldif
>> defaultServerList: vuwunicoipam001.ods.vuw.ac.nz vuwunicoipam002.ods.vuw.ac.nz
>> dn: cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc=vuw,dc
>> cn: vuwunicoipam002.ods.vuw.ac.nz
>> dn: cn=KDC,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
>> dn: cn=KPASSWD,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=od
>> dn: cn=HTTP,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,d
>> dn: cn=DNS,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
>> dn: dnaHostname=vuwunicoipam002.ods.vuw.ac.nz+dnaPortNum=389,cn=posix-ids,cn=d
>> dnahostname: vuwunicoipam002.ods.vuw.ac.nz
>> nSRecord: vuwunicoipam002.ods.vuw.ac.nz.
>> pTRRecord: vuwunicoipam002.ods.vuw.ac.nz.
>
> The server wasn't uninstalled, right? Why wouldn't these still be there.
>
> rob
>
>> [root at vuwunicoipam005 slapd-ODS-VUW-AC-NZ]#
>> ==========
>>
>> I expected a zero return?
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Friday, 8 June 2012 8:47 a.m.
>> Cc: freeipa-users at redhat.com
>> Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
>>
>> Hi,
>>
>> I am trying to fix an ongoing problem with IPA and find that I cannot remove a replica from the domain...
>>
>> Screenshot attached...
>>
>> I also find that running a host del doesn't work and there is residual info in an ldif output of that replica...this then stops a bare metal rebuild of the replica being rejoined to the domain. If I change the name and IP however it can be a replica....
>>
>> ideas please?
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272

From rcritten at redhat.com Fri Jun 8 03:06:58 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 Jun 2012 23:06:58 -0400
Subject: [Freeipa-users] ipa server is not version 2 error
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCC0AE9@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCC0AE9@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FD16C52.4020405@redhat.com>

Steven Jones wrote:
> Hi,
>
> I am getting this while trying to join a new client to an IPA domain.

Look in the client install log, there should be more detail there. Basically we were given a server to try, we tried it and either we couldn't reach it at all or we weren't able to read the version information from it. Or we couldn't fetch the CA cert from the web server. The log should say which.

rob

>
> um?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272

From Steven.Jones at vuw.ac.nz Fri Jun 8 03:46:48 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 8 Jun 2012 03:46:48 +0000
Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
In-Reply-To: <4FD16B52.1090401@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CCC0A20@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCC0A59@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD12566.2030302@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCC0AB0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD16B52.1090401@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCC3C40@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

The replica server no longer exists, I bare metal kick-started it...so I need to get it to rejoin the domain, which it won't.

Given all the other issues I'm wondering if a totally clean start isn't a plan now...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Friday, 8 June 2012 3:02 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] running ipa-server-install --uninstall hangs

Steven Jones wrote:
> Hi,
>
> I must not be getting it.
>
> If I am un-installing and the dirsrv has been stopped as part of that process, why does it need to restart if I'm uninstalling?

Because it needs to stop all the IPA services. The list of services is stored in LDAP.

> If I run a host del shouldn't that remove all residual info for the ex-replica in the db?

No. It does not remove DNS records or replication agreements.
> Alternatively how do I clean up so I can get the replica to rejoin the domain?

Your best bet is to figure out why the dirsrv instance won't start. Trying to remove and restore everything manually can be a lot of work. Figuring out why dirsrv won't start is likely the path of least resistance.

rob

> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Friday, 8 June 2012 10:04 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] running ipa-server-install --uninstall hangs
>
> It is hanging because the dirsrv instance isn't starting. Check for
> AVCs, /var/log/messages, dmesg,
> /var/log/dirsrv/slapd-YOURINSTANCE/errors to see if any errors are being
> reported.
>
> Steven Jones wrote:
>> NB ipam005 is the renamed ipam002, which despite trying to remove seems to have residual info in the ldif output eg.,
>>
>> ==========
>> [root at vuwunicoipam005 slapd-ODS-VUW-AC-NZ]# grep ipam002 userroot.ldif
>> defaultServerList: vuwunicoipam001.ods.vuw.ac.nz vuwunicoipam002.ods.vuw.ac.nz
>> dn: cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc=vuw,dc
>> cn: vuwunicoipam002.ods.vuw.ac.nz
>> dn: cn=KDC,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
>> dn: cn=KPASSWD,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=od
>> dn: cn=HTTP,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,d
>> dn: cn=DNS,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
>> dn: dnaHostname=vuwunicoipam002.ods.vuw.ac.nz+dnaPortNum=389,cn=posix-ids,cn=d
>> dnahostname: vuwunicoipam002.ods.vuw.ac.nz
>> nSRecord: vuwunicoipam002.ods.vuw.ac.nz.
>> pTRRecord: vuwunicoipam002.ods.vuw.ac.nz.
>
> The server wasn't uninstalled, right? Why wouldn't these still be there.
>
> rob
>
>> [root at vuwunicoipam005 slapd-ODS-VUW-AC-NZ]#
>> ==========
>>
>> I expected a zero return?
>>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Friday, 8 June 2012 8:47 a.m.
>> Cc: freeipa-users at redhat.com
>> Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
>>
>> Hi,
>>
>> I am trying to fix an ongoing problem with IPA and find that I cannot remove a replica from the domain...
>>
>> Screenshot attached...
>>
>> I also find that running a host del doesn't work and there is residual info in an ldif output of that replica... this then stops a bare metal rebuild of the replica being rejoined to the domain. If I change the name and IP however it can be a replica....
>>
>> ideas please?
>>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272

From jhrozek at redhat.com Fri Jun 8 05:53:33 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 8 Jun 2012 07:53:33 +0200
Subject: [Freeipa-users] HBAC rule refreshes and read-only slaves
Message-ID: <20120608055333.GA22352@hendrix.redhat.com>

On Fri, Jun 08, 2012 at 11:22:59AM +1000, Cam McK wrote:
> Hello
>
> Thanks for an awesome product! I have two questions that I can't seem to
> find answers for...
>
> 1). How long is the delay between changing a HBAC rule and it coming into
> effect on the host machine?
> Currently this information only seems to be updated on the host after a
> 'service sssd reload/restart'. Also, are the HBAC access rules stored
> within the LDAP directory?

That shouldn't be the case, in fact, the HBAC rules should be refreshed on each login. Maybe there's a misconfiguration on the client that makes it go online and then the rules are evaluated from the cache.

Can you raise the debug level in the domain section of sssd.conf, restart sssd and check for hbac-related debug messages in /var/log/sssd/sssd_$domain.log ?

From natxo.asenjo at gmail.com Fri Jun 8 08:16:24 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 8 Jun 2012 10:16:24 +0200
Subject: [Freeipa-users] howto: mediawiki + IPA

hi,

This is work in progress but maybe useful for someone.

http://test.asenjo.nl/index.php/Mediawiki_ipa

(feel free to use it for the freeipa.org wiki, I consider it public domain).

--
Groeten,
natxo

From ohamada at redhat.com Fri Jun 8 10:37:29 2012
From: ohamada at redhat.com (Ondrej Hamada)
Date: Fri, 08 Jun 2012 12:37:29 +0200
Subject: [Freeipa-users] howto: mediawiki + IPA
Message-ID: <4FD1D5E9.3010708@redhat.com>

On 06/08/2012 10:16 AM, Natxo Asenjo wrote:
> hi,
>
> This is work in progress but maybe useful for someone.
>
> http://test.asenjo.nl/index.php/Mediawiki_ipa
>
> (feel free to use it for the freeipa.org wiki, I
> consider it public domain).

Hi Natxo,
good job! Thank you very much for the tutorial.

We have one tutorial for MediaWiki (http://freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA), but a different MediaWiki extension was used there. The usage of the LDAP extension seems to be more elegant. I'm going to merge both tutorials, so that potential users will be offered more options.

If you create other tutorials, please share them with us. It will be highly welcomed.
--
Regards,

Ondrej Hamada
FreeIPA team
jabber: ohama at jabbim.cz
IRC: ohamada

From natxo.asenjo at gmail.com Fri Jun 8 10:51:33 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 8 Jun 2012 12:51:33 +0200
Subject: [Freeipa-users] howto: mediawiki + IPA
In-Reply-To: <4FD1D5E9.3010708@redhat.com>
References: <4FD1D5E9.3010708@redhat.com>

On Fri, Jun 8, 2012 at 12:37 PM, Ondrej Hamada wrote:
> On 06/08/2012 10:16 AM, Natxo Asenjo wrote:
>
> hi,
>
> This is work in progress but maybe useful for someone.
>
> http://test.asenjo.nl/index.php/Mediawiki_ipa
>
> (feel free to use it for the freeipa.org wiki, I consider it public
> domain).
>
> Hi Natxo,
> good job! Thank you very much for the tutorial.
>
> We have one tutorial for MediaWiki (
> http://freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA), but
> a different MediaWiki extension was used there. The usage of the LDAP extension
> seems to be more elegant. I'm going to merge both tutorials, so that
> potential users will be offered more options.
>

:0 I totally missed that tutorial. It's great if you can use some bits of mine to improve the whole.

> If you create other tutorials, please share them with us. It will be
> highly welcomed.
>

will most certainly do.

--
groet,
natxo

From dpal at redhat.com Fri Jun 8 14:26:52 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 08 Jun 2012 10:26:52 -0400
Subject: [Freeipa-users] HBAC rule refreshes and read-only slaves
Message-ID: <4FD20BAC.40803@redhat.com>

On 06/07/2012 09:22 PM, Cam McK wrote:
> Hello
>
>
> 2). We would also like to use FreeIPA in a trusted network but then
> have perhaps a read-only slave sitting in DMZ with the possibility of
> not containing the KDC or LDAP password stores on it, is this possible?
> (Basically authentication being done by a different PAM module, but
> pam_sss.so still allowing HBAC via the PAM 'account' directive.)
> Is it possible to have a 'regular' LDAP directory (in the DMZ) just
> slurping down the required LDAP info?
>

I suggest using an LDAP directory that can do proxy operations or proxy authentications. You might consider 389 and sync in some user accounts and groups while using PAM passthrough capabilities. I think recent upstream versions of 389 made this configuration possible but you need to check with them. #389 on freenode is your best bet. OpenLDAP has some capabilities that might be of value here too.

I am not quite sure what you are trying to accomplish here so a bit more details would be helpful.

> Many Thanks
> Campbell

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From nkinder at redhat.com Fri Jun 8 15:00:23 2012
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 08 Jun 2012 08:00:23 -0700
Subject: [Freeipa-users] HBAC rule refreshes and read-only slaves
In-Reply-To: <4FD20BAC.40803@redhat.com>
References: <4FD20BAC.40803@redhat.com>
Message-ID: <4FD21387.1050402@redhat.com>

On 06/08/2012 07:26 AM, Dmitri Pal wrote:
> On 06/07/2012 09:22 PM, Cam McK wrote:
>> Hello
>>
>>
>> 2). We would also like to use FreeIPA in a trusted network but then
>> have perhaps a read-only slave sitting in DMZ with the possibility of
>> not containing the KDC or LDAP password stores on it, is this possible?
>> (Basically authentication being done by a different PAM module, but
>> pam_sss.so still allowing HBAC via the PAM 'account' directive.)
>> Is it possible to have a 'regular' LDAP directory (in the DMZ) just
>> slurping down the required LDAP info?
>>
> I suggest using an LDAP directory that can do proxy operations or
> proxy authentications. You might consider 389 and sync in some user
> accounts and groups while using PAM passthrough capabilities. I think
> recent upstream versions of 389 made this configuration possible but
> you need to check with them. #389 on freenode is your best bet.
> OpenLDAP has some capabilities that might be of value here too.

389 can consult PAM to authenticate a user when performing an LDAP BIND operation. This would probably take care of the authentication piece of the puzzle.

You would also need to use fractional replication to avoid replicating things like passwords or Kerberos related attributes to the DMZ LDAP server. Fractional replication can only trim out specific attributes. It does not allow you to select portions of the tree to replicate at the entry level. This would mean that all of your user accounts would need to be replicated out to the DMZ LDAP server, but you could trim sensitive attributes.

>
> I am not quite sure what you are trying to accomplish here so a bit
> more details would be helpful.

More details would definitely help. I don't think you can easily accomplish what you want right now. It could be possible with a lot of manual configuration of 389 on both the IPA and DMZ LDAP server sides, but I don't think anyone has set things up in this way with IPA before.

-NGK

>
>
>> Many Thanks
>> Campbell
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
From dpal at redhat.com Fri Jun 8 15:14:57 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 08 Jun 2012 11:14:57 -0400
Subject: [Freeipa-users] HBAC rule refreshes and read-only slaves
In-Reply-To: <4FD21387.1050402@redhat.com>
References: <4FD20BAC.40803@redhat.com> <4FD21387.1050402@redhat.com>
Message-ID: <4FD216F1.6080502@redhat.com>

On 06/08/2012 11:00 AM, Nathan Kinder wrote:
> On 06/08/2012 07:26 AM, Dmitri Pal wrote:
>> On 06/07/2012 09:22 PM, Cam McK wrote:
>>> Hello
>>>
>>>
>>> 2). We would also like to use FreeIPA in a trusted network but then
>>> have perhaps a read-only slave sitting in DMZ with the possibility
>>> of not containing the KDC or LDAP password stores on it, is this
>>> possible?
>>> (Basically authentication being done by a different PAM module, but
>>> pam_sss.so still allowing HBAC via the PAM 'account' directive.)
>>> Is it possible to have a 'regular' LDAP directory (in the DMZ) just
>>> slurping down the required LDAP info?
>>>
>> I suggest using an LDAP directory that can do proxy operations or
>> proxy authentications. You might consider 389 and sync in some user
>> accounts and groups while using PAM passthrough capabilities. I think
>> recent upstream versions of 389 made this configuration possible but
>> you need to check with them. #389 on freenode is your best bet.
>> OpenLDAP has some capabilities that might be of value here too.
> 389 can consult PAM to authenticate a user when performing an LDAP
> BIND operation. This would probably take care of the authentication
> piece of the puzzle.
>
> You would also need to use fractional replication to avoid replicating
> things like passwords or Kerberos related attributes to the DMZ LDAP
> server. Fractional replication can only trim out specific
> attributes. It does not allow you to select portions of the tree to
> replicate at the entry level. This would mean that all of your user
> accounts would need to be replicated out to the DMZ LDAP server, but
> you could trim sensitive attributes.
>>
>> I am not quite sure what you are trying to accomplish here so a bit
>> more details would be helpful.
> More details would definitely help. I don't think you can easily
> accomplish what you want right now. It could be possible with a lot
> of manual configuration of 389 on both the IPA and DMZ LDAP server
> sides, but I don't think anyone has set things up in this way with IPA
> before.
>

Yes, but you are definitely welcome to give it a try. We had in mind that such a request would emerge one day and would like to hear from you about your progress.

> -NGK
>>
>>
>>> Many Thanks
>>> Campbell
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
From rcritten at redhat.com Fri Jun 8 15:45:15 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Jun 2012 11:45:15 -0400
Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCC3C40@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCC0A20@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCC0A59@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD12566.2030302@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCC0AB0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD16B52.1090401@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCC3C40@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FD21E0B.30906@redhat.com>

Steven Jones wrote:
> Hi,
>
> The replica server no longer exists, I bare-metal kick-started it... so I need to get it to rejoin the domain, which it won't.
>
> Given all the other issues I'm wondering if a totally clean start isn't a plan now...

You can leave the DNS entries. The others you'll need to use ldapmodify to remove the entry from defaultServerList and ldapdelete to remove the entries from cn=masters.

rob

>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Friday, 8 June 2012 3:02 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] running ipa-server-install --uninstall hangs
>
> Steven Jones wrote:
>> Hi,
>>
>> I must not be getting it,
>>
>> If I am un-installing and the dirsrv has been stopped as part of that process, why does it need to restart if I'm uninstalling?
>
> Because it needs to stop all the IPA services. The list of services is
> stored in LDAP.
>
>> If I run a host del shouldn't that remove all residual info for the ex-replica in the db?
>
> No. It does not remove DNS records or replication agreements.
>
>> Alternatively how do I clean up so I can get the replica to rejoin the domain?
>
> Your best bet is to figure out why the dirsrv instance won't start.
>
> Trying to remove and restore everything manually can be a lot of work.
> Figuring out why dirsrv won't start is likely the path of least resistance.
>
> rob
>
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Friday, 8 June 2012 10:04 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] running ipa-server-install --uninstall hangs
>>
>> It is hanging because the dirsrv instance isn't starting. Check for
>> AVCs, /var/log/messages, dmesg,
>> /var/log/dirsrv/slapd-YOURINSTANCE/errors to see if any errors are being
>> reported.
>>
>> Steven Jones wrote:
>>> NB ipam005 is the renamed ipam002, which despite trying to remove seems to have residual info in the ldif output, e.g.:
>>>
>>> ==========
>>> [root at vuwunicoipam005 slapd-ODS-VUW-AC-NZ]# grep ipam002 userroot.ldif
>>> defaultServerList: vuwunicoipam001.ods.vuw.ac.nz vuwunicoipam002.ods.vuw.ac.nz
>>> dn: cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc=vuw,dc
>>> cn: vuwunicoipam002.ods.vuw.ac.nz
>>> dn: cn=KDC,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
>>> dn: cn=KPASSWD,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=od
>>> dn: cn=HTTP,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,d
>>> dn: cn=DNS,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
>>> dn: dnaHostname=vuwunicoipam002.ods.vuw.ac.nz+dnaPortNum=389,cn=posix-ids,cn=d
>>> dnahostname: vuwunicoipam002.ods.vuw.ac.nz
>>> nSRecord: vuwunicoipam002.ods.vuw.ac.nz.
>>> pTRRecord: vuwunicoipam002.ods.vuw.ac.nz.
>>
>> The server wasn't uninstalled, right? Why wouldn't these still be there?
>>
>> rob
>>
>>> [root at vuwunicoipam005 slapd-ODS-VUW-AC-NZ]#
>>> ==========
>>>
>>> I expected a zero return?
>>>
>>> regards
>>>
>>> Steven Jones
>>> Technical Specialist - Linux RHCE
>>> Victoria University, Wellington, NZ
>>> 0064 4 463 6272
>>>
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>> Sent: Friday, 8 June 2012 8:47 a.m.
>>> Cc: freeipa-users at redhat.com
>>> Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
>>>
>>> Hi,
>>>
>>> I am trying to fix an ongoing problem with IPA and find that I cannot remove a replica from the domain...
>>>
>>> Screenshot attached...
>>>
>>> I also find that running a host del doesn't work and there is residual info in an ldif output of that replica... this then stops a bare metal rebuild of the replica being rejoined to the domain. If I change the name and IP however it can be a replica....
>>>
>>> ideas please?
>>>
>>> regards
>>>
>>> Steven Jones
>>> Technical Specialist - Linux RHCE
>>> Victoria University, Wellington, NZ
>>> 0064 4 463 6272

From jlinoff at tabula.com Sat Jun 9 10:24:44 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Sat, 9 Jun 2012 03:24:44 -0700
Subject: [Freeipa-users] ipa client - turn off NetworkManager?
Message-ID: <8AD4194C251EC74CB897E261038F447801005E14@mantaray.tabula.com>

Hi:

I read somewhere that I should turn off the NetworkManager service on the IPA server. Should I do the same on the clients?

Thanks,

Joe

From sigbjorn at nixtra.com Sat Jun 9 12:12:27 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sat, 09 Jun 2012 14:12:27 +0200
Subject: [Freeipa-users] Converting a user group to a non-posix group
Message-ID: <4FD33DAB.60801@nixtra.com>

Hi,

Is there a supported method for converting a posix user group to a non-posix user group?

Regards,
Siggi

From jhrozek at redhat.com Sat Jun 9 19:21:34 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sat, 9 Jun 2012 21:21:34 +0200
Subject: [Freeipa-users] ipa client - turn off NetworkManager?
In-Reply-To: <8AD4194C251EC74CB897E261038F447801005E14@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F447801005E14@mantaray.tabula.com>
Message-ID: <20120609192134.GA12287@hendrix.redhat.com>

On Sat, Jun 09, 2012 at 03:24:44AM -0700, Joe Linoff wrote:
> Hi:
>
> I read somewhere that I should turn off the NetworkManager service on
> the IPA server. Should I do the same on the clients?

It doesn't really matter for the SSSD, we don't use NM for anything but we don't mind it running either. I personally use NM on my laptop where I login with the SSSD.

From dale at themacartneyclan.com Sat Jun 9 20:23:10 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Sat, 09 Jun 2012 21:23:10 +0100
Subject: [Freeipa-users] IPA managed DNS stub-zones
Message-ID: <4FD3B0AE.7090108@themacartneyclan.com>

Evening all

I am trying to set up a stub zone from my IPA domain (example.com) to my Windows domain (nt.example.com).
Network details as follows

example.com
managed by IPA server ds01.example.com 10.0.1.11

nt.example.com
managed by Win server dc01.nt.example.com 10.0.2.11

I have tried adding the stub zone on the IPA server from the cli and now also from the web UI but results are both the same.

When adding the stub zone, IPA seems to think of it as managing the entire zone and not pointing it to the remote DNS server. It basically adds itself as the SOA.

See below output from dig. Queries have been run against ds01.example.com

[root at ds01 ~]# dig -t soa example.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> -t soa example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2632
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.                   IN      SOA

;; ANSWER SECTION:
example.com.    86400   IN      SOA     ds01.example.com. root.ds01.example.com. 2037 3600 900 1209 3600

;; AUTHORITY SECTION:
example.com.    86400   IN      NS      ds01.example.com.

;; ADDITIONAL SECTION:
ds01.example.com.       86400   IN      A       10.0.1.11

;; Query time: 0 msec
;; SERVER: 10.0.1.11#53(10.0.1.11)
;; WHEN: Sat Jun 9 22:13:51 2012
;; MSG SIZE rcvd: 105

[root at ds01 ~]# dig -t soa nt.example.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> -t soa nt.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37259
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nt.example.com.                IN      SOA

;; ANSWER SECTION:
nt.example.com. 86400   IN      SOA     ds01.example.com. root.nt.example.com. 2012090601 3600 900 1209600 3600

;; AUTHORITY SECTION:
nt.example.com. 86400   IN      NS      dc01.nt.example.com.

;; Query time: 2 msec
;; SERVER: 10.0.1.11#53(10.0.1.11)
;; WHEN: Sat Jun 9 22:14:02 2012
;; MSG SIZE rcvd: 97

[root at ds01 ~]#

From the cli and web UI there is no way of adding an alternative SOA record.
I would prefer to keep all DNS attributes inside of LDAP, otherwise there isn't much purpose in running both LDAP-integrated DNS as well as standard bind servers. These should ideally be working together.

Does anyone have any recommendations for setting an alternative SOA record for a stub zone in IPA? Has anyone encountered this before?

Many thanks
Dale
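A small check that makes Dale's diagnosis mechanical, added here as an example for this thread (it is not code from the list or from FreeIPA). It parses dig(1) output like the two captures above, trimmed to the sections the parser reads, and reports why nt.example.com is being served rather than delegated: the SOA names ds01 as primary while the zone's only NS is dc01, and ds01 answers with the aa flag set. The name server that should be primary for each zone is an input supplied by the caller.

```python
"""Flag a sub-zone that the queried server serves itself instead of delegating.

Added example for this thread: not code from the list or from FreeIPA.
It parses dig(1) output such as the two captures in Dale's post, so it
runs offline against text; the name server that *should* be primary for
each zone is supplied by the caller.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Dale's two captures, reproduced in one-line form and trimmed to the
# sections the parser reads; they serve as the sample input.
DIG_EXAMPLE_COM = """\
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> -t soa example.com
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.                   IN      SOA

;; ANSWER SECTION:
example.com.    86400   IN      SOA     ds01.example.com. root.ds01.example.com. 2037 3600 900 1209 3600

;; AUTHORITY SECTION:
example.com.    86400   IN      NS      ds01.example.com.

;; ADDITIONAL SECTION:
ds01.example.com.       86400   IN      A       10.0.1.11
"""

DIG_NT_EXAMPLE_COM = """\
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> -t soa nt.example.com
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nt.example.com.                IN      SOA

;; ANSWER SECTION:
nt.example.com. 86400   IN      SOA     ds01.example.com. root.nt.example.com. 2012090601 3600 900 1209600 3600

;; AUTHORITY SECTION:
nt.example.com. 86400   IN      NS      dc01.nt.example.com.
"""

FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.M)
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+SOA", re.M)
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)", re.M)
NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)", re.M)


def fqdn(name: str) -> str:
    """Lower-case a DNS name and make sure it ends with a dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


@dataclass
class ZoneView:
    zone: str
    flags: Set[str] = field(default_factory=set)
    soa_mname: Optional[str] = None   # primary master named in the SOA
    ns: List[str] = field(default_factory=list)


def parse_dig(output: str) -> ZoneView:
    """Pull the zone name, header flags, SOA MNAME and NS set out of dig output."""
    q = QUESTION_RE.search(output)
    view = ZoneView(zone=fqdn(q.group(1)) if q else "")
    f = FLAGS_RE.search(output)
    if f:
        view.flags = set(f.group(1).split())
    s = SOA_RE.search(output)
    if s:
        view.soa_mname = fqdn(s.group(2))
    # Keep only NS records that belong to the zone itself (ANSWER or AUTHORITY).
    view.ns = [fqdn(m.group(2)) for m in NS_RE.finditer(output)
               if fqdn(m.group(1)) == view.zone]
    return view


def check_delegation(view: ZoneView, expected_primary: str) -> List[str]:
    """Return findings; an empty list means the zone is delegated as expected."""
    expected_primary = fqdn(expected_primary)
    if view.soa_mname is None:
        return [f"{view.zone}: no SOA record in the answer"]
    findings = []
    if view.soa_mname != expected_primary:
        findings.append(f"{view.zone}: SOA names {view.soa_mname} as primary, "
                        f"expected {expected_primary}")
    if view.soa_mname not in view.ns:
        findings.append(f"{view.zone}: SOA primary {view.soa_mname} is not in "
                        f"the zone's NS set {view.ns}")
    if "aa" in view.flags and view.soa_mname != expected_primary:
        findings.append(f"{view.zone}: queried server answered authoritatively "
                        "(aa) for a zone it should only delegate")
    return findings


if __name__ == "__main__":
    for text, primary in ((DIG_EXAMPLE_COM, "ds01.example.com"),
                          (DIG_NT_EXAMPLE_COM, "dc01.nt.example.com")):
        view = parse_dig(text)
        print(view.zone, check_delegation(view, primary) or "OK")
```

Run against the captures, example.com comes back clean and nt.example.com produces three findings. After a delegation has been set up on the parent, re-running the nt.example.com query against ds01 should give no aa flag and no SOA owned by ds01, which is the condition the check tests for.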
From sigbjorn at nixtra.com Sat Jun 9 23:27:19 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 10 Jun 2012 01:27:19 +0200
Subject: [Freeipa-users] IPA managed DNS stub-zones
In-Reply-To: <4FD3B0AE.7090108@themacartneyclan.com>
References: <4FD3B0AE.7090108@themacartneyclan.com>
Message-ID: <4FD3DBD7.8000909@nixtra.com>

On 06/09/2012 10:23 PM, Dale Macartney wrote:
> Evening all
>
> I am trying to set up a stub zone from my IPA domain (example.com) to my
> Windows domain (nt.example.com).
>
> Network details as follows
>
> example.com
> managed by IPA server ds01.example.com 10.0.1.11
>
> nt.example.com
> managed by Win server dc01.nt.example.com 10.0.2.11
>
> I have tried adding the stub zone on the IPA server from the cli and now
> also from the web UI but results are both the same.
>
> When adding the stub zone, IPA seems to think of it as managing the
> entire zone and not pointing it to the remote DNS server. It basically
> adds itself as the SOA.
>
> see below output from dig. Queries have been run against ds01.example.com
>
> [root at ds01 ~]# dig -t soa example.com
>
> ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> -t soa example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2632
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;example.com.                   IN      SOA
>
> ;; ANSWER SECTION:
> example.com.    86400   IN      SOA     ds01.example.com.
> root.ds01.example.com. 2037 3600 900 1209 3600
>
> ;; AUTHORITY SECTION:
> example.com.    86400   IN      NS      ds01.example.com.
>
> ;; ADDITIONAL SECTION:
> ds01.example.com.       86400   IN      A       10.0.1.11
>
> ;; Query time: 0 msec
> ;; SERVER: 10.0.1.11#53(10.0.1.11)
> ;; WHEN: Sat Jun 9 22:13:51 2012
> ;; MSG SIZE rcvd: 105
>
> [root at ds01 ~]# dig -t soa nt.example.com
>
> ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> -t soa nt.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37259
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;nt.example.com.                IN      SOA
>
> ;; ANSWER SECTION:
> nt.example.com. 86400   IN      SOA     ds01.example.com.
> root.nt.example.com. 2012090601 3600 900 1209600 3600
>
> ;; AUTHORITY SECTION:
> nt.example.com. 86400   IN      NS      dc01.nt.example.com.
>
> ;; Query time: 2 msec
> ;; SERVER: 10.0.1.11#53(10.0.1.11)
> ;; WHEN: Sat Jun 9 22:14:02 2012
> ;; MSG SIZE rcvd: 97
>
> [root at ds01 ~]#
>
>
> from the cli and web UI there is no way of adding an alternative SOA
> record. I would prefer to keep all DNS attributes inside of LDAP,
> otherwise there isn't much purpose in running both LDAP-integrated DNS as
> well as standard bind servers. These should ideally be working together.
>
> Does anyone have any recommendations for setting an alternative SOA
> record for a stub zone in IPA? Has anyone encountered this before?
>
> Many thanks
>

Just create NS records for "nt" in example.com if you are looking to delegate the nt.example.com subdomain to another server. I've never done this with IPA, but this works for bind with files as back-end.
Provide glue, and then delegate the zone:

$ ipa dnsrecord-add example.com dc01.nt --a-rec=10.0.2.11
$ ipa dnsrecord-add example.com nt --ns-rec=dc01.nt.example.com

Rgds,
Siggi

From mkosek at redhat.com Mon Jun 11 10:21:07 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 11 Jun 2012 12:21:07 +0200
Subject: [Freeipa-users] Converting a user group to a non-posix group
In-Reply-To: <4FD33DAB.60801@nixtra.com>
References: <4FD33DAB.60801@nixtra.com>
Message-ID: <1339410067.19118.14.camel@balmora.brq.redhat.com>

On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote:
> Hi,
>
> Is there a supported method for converting a posix user group to a
> non-posix user group?
>
>
> Regards,
> Siggi

I am not aware of any supported method. This step is more tricky than making a non-posix group a posix one, because you could break for example some existing file ownerships for such group.

But if you really want to make a posix group non-posix you could run this group-mod command:

# ipa group-show posix
  Group name: posix
  Description: foo
  GID: 1994800003

# ipa group-mod posix --delattr=objectclass=posixgroup --setattr=gidnumber=
----------------------
Modified group "posix"
----------------------
  Group name: posix
  Description: foo

Martin

From sigbjorn at nixtra.com Mon Jun 11 10:53:02 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 11 Jun 2012 12:53:02 +0200 (CEST)
Subject: [Freeipa-users] Converting a user group to a non-posix group
In-Reply-To: <1339410067.19118.14.camel@balmora.brq.redhat.com>
References: <4FD33DAB.60801@nixtra.com> <1339410067.19118.14.camel@balmora.brq.redhat.com>
Message-ID: <19420.213.225.75.97.1339411982.squirrel@www.nixtra.com>

On Mon, June 11, 2012 12:21, Martin Kosek wrote:
> On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote:
>
>> Hi,
>>
>>
>> Is there a supported method for converting a posix user group to a
>> non-posix user group?
>>
>>
>> Regards,
>> Siggi
>>
>
> I am not aware of any supported method.
> This step is more tricky than
> making a non-posix group a posix one, because you could break for example some existing file
> ownerships for such group.
>
> But if you really want to make a posix group non-posix you could run
> this group-mod command:
>
> # ipa group-show posix
>   Group name: posix
>   Description: foo
>   GID: 1994800003
>
>
> # ipa group-mod posix --delattr=objectclass=posixgroup
> --setattr=gidnumber=
> ----------------------
> Modified group "posix"
> ----------------------
>   Group name: posix
>   Description: foo
>

Ah, excellent. Yes I'm aware that it might break ownerships if the POSIX attrs are in use. However we have some groups that are POSIX that do not need to be POSIX groups.

I've done the change with an LDAP editor earlier, but that was the "supported" solution I was looking for.

Thanks.

Regards,
Siggi

From sigbjorn at nixtra.com Mon Jun 11 11:05:04 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 11 Jun 2012 13:05:04 +0200 (CEST)
Subject: [Freeipa-users] Converting a user group to a non-posix group
In-Reply-To: <19420.213.225.75.97.1339411982.squirrel@www.nixtra.com>
References: <4FD33DAB.60801@nixtra.com> <1339410067.19118.14.camel@balmora.brq.redhat.com> <19420.213.225.75.97.1339411982.squirrel@www.nixtra.com>
Message-ID: <22525.213.225.75.97.1339412704.squirrel@www.nixtra.com>

On Mon, June 11, 2012 12:53, Sigbjorn Lie wrote:
>
> On Mon, June 11, 2012 12:21, Martin Kosek wrote:
>
>> On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote:
>>
>>
>>> Hi,
>>>
>>>
>>> Is there a supported method for converting a posix user group to a
>>> non-posix user group?
>>>
>>>
>>> Regards,
>>> Siggi
>>>
>>
>> I am not aware of any supported method. This step is more tricky than
>> making a non-posix group a posix one, because you could break for example some existing file
>> ownerships for such group.
>>
>> But if you really want to make a posix group non-posix you could run
>> this group-mod command:
>>
>> # ipa group-show posix
>>   Group name: posix
>>   Description: foo
>>   GID: 1994800003
>>
>>
>> # ipa group-mod posix --delattr=objectclass=posixgroup
>> --setattr=gidnumber=
>> ----------------------
>> Modified group "posix"
>> ----------------------
>>   Group name: posix
>>   Description: foo
>>
>
> Ah, excellent. Yes I'm aware that it might break ownerships if the POSIX attrs are in use. However
> we have some groups that are POSIX that do not need to be POSIX groups.
>
> I've done the change with an LDAP editor earlier, but that was the "supported" solution I was
> looking for.
>
> Thanks.

Is the "--delattr=" option new for 2.2? It does not exist in my 2.1 installation.

Rgds,
Siggi

From mkosek at redhat.com Mon Jun 11 11:42:54 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 11 Jun 2012 13:42:54 +0200
Subject: [Freeipa-users] Converting a user group to a non-posix group
In-Reply-To: <22525.213.225.75.97.1339412704.squirrel@www.nixtra.com>
References: <4FD33DAB.60801@nixtra.com> <1339410067.19118.14.camel@balmora.brq.redhat.com> <19420.213.225.75.97.1339411982.squirrel@www.nixtra.com> <22525.213.225.75.97.1339412704.squirrel@www.nixtra.com>
Message-ID: <1339414974.19118.20.camel@balmora.brq.redhat.com>

On Mon, 2012-06-11 at 13:05 +0200, Sigbjorn Lie wrote:
> On Mon, June 11, 2012 12:53, Sigbjorn Lie wrote:
> >
> > On Mon, June 11, 2012 12:21, Martin Kosek wrote:
> >
> >> On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote:
> >>
> >>
> >>> Hi,
> >>>
> >>>
> >>> Is there a supported method for converting a posix user group to a
> >>> non-posix user group?
> >>>
> >>>
> >>> Regards,
> >>> Siggi
> >>>
> >>
> >> I am not aware of any supported method. This step is more tricky than
> >> making a non-posix group a posix one, because you could break for example some existing file
> >> ownerships for such group.
> >> > >> But if you really want to make a posix group non-posix you could run > >> this group-mod command: > >> > >> # ipa group-show posix > >> Group name: posix > >> Description: foo > >> GID: 1994800003 > >> > >> > >> > >> # ipa group-mod posix --delattr=objectclass=posixgroup > >> --setattr=gidnumber= > >> ---------------------- > >> Modified group "posix" > >> ---------------------- > >> Group name: posix > >> Description: foo > >> > >> > > > > Ah, excellent. Yes I'm aware that it might break ownerships if the POSIX attrs is in use. However > > we have some groups that are POSIX that does not need to be POSIX groups. > > > > I've done the change with an LDAP editor earlier, but that was the "supported" solution I was > > looking for. > > > > Thanks. > > > Is the "--delattr=" option new for 2.2? It does not exist in my 2.1 installation. > > > Rgds, > Siggi > > It is new in IPA 2.2. In your case, you would need to set --setattr and specify all required object classes minus "posixgroup". Unfortunately, I see that new objectclass handling is not right in IPA 2.1: # ipa group-mod posix --setattr=gidnumber= --setattr=objectclass=top,groupofnames,nestedgroup,ipausergroup,ipaobject ipa: ERROR: unknown object class "top,groupofnames,nestedgroup,ipausergroup,ipaobject" Thus, I think that using an LDIF you created may be the easiest way to perform this task in IPA 2.1. 
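Added example, not code from Martin's or Sigbjorn's messages: the IPA 2.1 route Martin points at (an LDIF applied with ldapmodify) together with the pre-check a careful admin wants before dropping the GID, namely whether anything on the host is still owned by it. Assumed here, not stated on the list: IPA keeps user groups at cn=<name>,cn=groups,cn=accounts,<base DN>, ldapmodify authenticates with the admin's Kerberos ticket (kinit admin first), and the ownership scan only sees this host's local filesystems.

```shell
#!/bin/sh
# Added example (not from the thread): convert a POSIX group to a non-POSIX
# group on IPA 2.1 with an LDIF, after checking that the GID is no longer in
# use on this host. Assumptions: group DN layout
# cn=<name>,cn=groups,cn=accounts,<base DN>; ldapmodify uses the admin's
# Kerberos ticket; only local filesystems are scanned for ownership.

# Print the LDIF that drops the posixgroup object class and the gidNumber,
# the same two changes as "group-mod --delattr=objectclass=posixgroup
# --setattr=gidnumber=" on IPA 2.2. Usage: posix_to_nonposix_ldif GROUP BASEDN
posix_to_nonposix_ldif() {
    printf 'dn: cn=%s,cn=groups,cn=accounts,%s\n' "$1" "$2"
    printf 'changetype: modify\n'
    printf 'delete: objectClass\nobjectClass: posixgroup\n-\n'
    printf 'delete: gidNumber\n-\n'
}

# Count paths below DIR still owned by GID: the ownership breakage Martin
# warns about. Usage: files_owned_by_gid GID DIR
files_owned_by_gid() {
    find "$2" -xdev -gid "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Full conversion: read the GID from "ipa group-show", refuse if anything on
# this host is still owned by it, otherwise apply the LDIF to the local
# directory server. Usage: convert_group GROUP BASEDN (shown, not run here)
convert_group() {
    gid=$(ipa group-show "$1" | awk '/^ *GID:/ { print $2 }')
    [ -n "$gid" ] || { echo "$1 is not a POSIX group" >&2; return 1; }
    inuse=$(files_owned_by_gid "$gid" /)
    if [ "$inuse" -ne 0 ]; then
        echo "refusing: $inuse path(s) on this host still owned by GID $gid" >&2
        return 1
    fi
    posix_to_nonposix_ldif "$1" "$2" | ldapmodify -Y GSSAPI -H ldap://localhost
}

# Stand-alone demo: print the LDIF for the thread's example group so it can
# be reviewed before anything is applied.
posix_to_nonposix_ldif posix dc=example,dc=com
```

The ownership check only covers the host the script runs on; NFS exports and other IPA clients that resolve the same GID need the same scan (or a search of their own) before the gidNumber goes away, because once the attribute is removed the GID resolves to nothing and files owned by it show up as an unknown numeric group.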
Martin From sigbjorn at nixtra.com Mon Jun 11 12:04:52 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 11 Jun 2012 14:04:52 +0200 (CEST) Subject: [Freeipa-users] Converting a user group to a non-posix group In-Reply-To: <1339414974.19118.20.camel@balmora.brq.redhat.com> References: <4FD33DAB.60801@nixtra.com> <1339410067.19118.14.camel@balmora.brq.redhat.com> <19420.213.225.75.97.1339411982.squirrel@www.nixtra.com> <22525.213.225.75.97.1339412704.squirrel@www.nixtra.com> <1339414974.19118.20.camel@balmora.brq.redhat.com> Message-ID: <19558.213.225.75.97.1339416292.squirrel@www.nixtra.com> On Mon, June 11, 2012 13:42, Martin Kosek wrote: > On Mon, 2012-06-11 at 13:05 +0200, Sigbjorn Lie wrote: > >> On Mon, June 11, 2012 12:53, Sigbjorn Lie wrote: >> >>> >> >>> On Mon, June 11, 2012 12:21, Martin Kosek wrote: >>> >>> >>>> On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote: >>>> >>>> >>>> >>>>> Hi, >>>>> >>>>> >>>>> >>>>> >>>>> Is there a supported method for converting a posix user group to a >>>>> non-posix user group? >>>>> >>>>> >>>>> Regards, >>>>> Siggi >>>>> >>>>> >>>>> >>>> >>>> I am not aware of any supported method. This step is more tricky than >>>> making a non-posix group a posix one, because you could break for example some existing file >>>> ownerships for such group. >>>> >>>> But if you really want to make a posix group non-posix you could run >>>> this group-mod command: >>>> >>>> # ipa group-show posix >>>> Group name: posix >>>> Description: foo >>>> GID: 1994800003 >>>> >>>> >>>> >>>> >>>> # ipa group-mod posix --delattr=objectclass=posixgroup >>>> --setattr=gidnumber= >>>> ---------------------- >>>> Modified group "posix" >>>> ---------------------- >>>> Group name: posix >>>> Description: foo >>>> >>>> >>>> >>> >>> Ah, excellent. Yes I'm aware that it might break ownerships if the POSIX attrs is in use. >>> However >>> we have some groups that are POSIX that does not need to be POSIX groups. 
>>> >>> I've done the change with an LDAP editor earlier, but that was the "supported" solution I was >>> looking for. >>> >>> Thanks. >>> >> >> >> Is the "--delattr=" option new for 2.2? It does not exist in my 2.1 installation. >> >> >> >> Rgds, >> Siggi >> >> >> > > It is new in IPA 2.2. In your case, you would need to set --setattr and > specify all required object classes minus "posixgroup". Unfortunately, I see that new objectclass > handling is not right in IPA 2.1: > > # ipa group-mod posix --setattr=gidnumber= > --setattr=objectclass=top,groupofnames,nestedgroup,ipausergroup,ipaobject > ipa: ERROR: unknown object class > "top,groupofnames,nestedgroup,ipausergroup,ipaobject" > > > Thus, I think that using an LDIF you created may be the easiest way to > perform this task in IPA 2.1. > Ok, that's what I've done so far. Thanks. regards, Siggi From maciej.sawicki at polidea.pl Mon Jun 11 12:11:28 2012 From: maciej.sawicki at polidea.pl (Maciej Sawicki) Date: Mon, 11 Jun 2012 14:11:28 +0200 Subject: [Freeipa-users] groups migration Message-ID: Hi, I (almost) managed to migrate groups from my previous server. That is groups names migrated perfectly, unfortunately when I login to web panel all groups are empty. I used following command: ipa migrate-ds ldap://192.168.1.125:389 --bind-dn="cn=admin,dc=domain,dc=com" --group-container='ou=groups' --group-objectclas='posixGroup' I will appreciate any help. regards, Maciej Sawicki From ptader at linuxscope.com Mon Jun 11 14:16:23 2012 From: ptader at linuxscope.com (Paul Tader) Date: Mon, 11 Jun 2012 09:16:23 -0500 Subject: [Freeipa-users] FreeIPA webserver cert expired. 
In-Reply-To: <4FCE5F03.3000901@redhat.com> References: <4FCE4D7D.4090700@linuxscope.com> <58AFF337-9503-4DC7-9152-378791C00043@citrixonline.com> <4FCE5F03.3000901@redhat.com> Message-ID: <4FD5FDB7.6030809@linuxscope.com> On 6/5/12 2:33 PM, Rob Crittenden wrote: > JR Aquino wrote: >> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote: >> >>> A couple days ago my (apache) certificates expired. Users are able to >>> kinit but tools such as sudo fail because of the expired >>> certificates. Lots of reading/Google'ing later I found this script >>> (steps) to renew these certs: >> >> I'm just curious, but, isn't certmonger supposed to automatically >> renew these? Is certmonger failing in this case? > > Yes, the first thing to do is figure out why certmonger didn't > automatically renew the certificates. Then it should be as simple as > setting the date back, letting certmonger do its thing, then setting it > forward again. > > That is very strange certmonger output. You might try setting the date > back a couple of days and trying something like: > > ipa-getcert resubmit -i 20110706215145 > > And see what the status goes to. > > rob (Sorry for the delay reply) No luck with setting the date back and resubmitting the certificate. # /etc/init.d/ntpd stop Stopping ntpd (via systemctl): [ OK ] # date 060112002012 Fri Jun 1 12:00:00 CDT 2012 # /etc/init.d/httpd stop Stopping httpd (via systemctl): [ OK ] # /etc/init.d/httpd start Starting httpd (via systemctl): [ OK ] # ipa-getcert resubmit -i 20110706215145 Resubmitting "20110706215145" to "IPA". # ipa-getcert list Number of certificates and requests being tracked: 3. Request ID '20110706215109': status: CA_UNREACHABLE ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL connect error). 
stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=RELAM.NET subject: CN=srv01.company.net,O=REALM.NET expires: 2012-06-03 20:19:49 UTC eku: id-kp-serverAuth track: yes auto-renew: yes Request ID '20110706215129': status: CA_UNREACHABLE ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL connect error). stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=REALM.NET subject: CN=srv01.company.net,O=REALM.NET expires: 2012-06-03 20:19:49 UTC eku: id-kp-serverAuth track: yes auto-renew: yes Request ID '20110706215145': status: GENERATING_CSR ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Unauthorized)). stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=REALM.NET subject: CN=srv01.company.net,O=REALM.NET expires: 2012-06-03 20:19:49 UTC eku: id-kp-serverAuth track: yes auto-renew: yes From dpal at redhat.com Mon Jun 11 16:25:00 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 11 Jun 2012 12:25:00 -0400 Subject: [Freeipa-users] ipa client - turn off NetworkManager? 
In-Reply-To: <8AD4194C251EC74CB897E261038F447801005E14@mantaray.tabula.com> References: <8AD4194C251EC74CB897E261038F447801005E14@mantaray.tabula.com> Message-ID: <4FD61BDC.3090000@redhat.com> On 06/09/2012 06:24 AM, Joe Linoff wrote: > > Hi: > > > > I read somewhere that I should turn off the NetworkManager service on > the IPA server. Should I do the same on the clients? > > > > Thanks, > > > > Joe > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users There was a problem with earlier versions which has now been addressed for quite some time. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From darran.lofthouse at jboss.com Mon Jun 11 16:25:14 2012 From: darran.lofthouse at jboss.com (Darran Lofthouse) Date: Mon, 11 Jun 2012 17:25:14 +0100 Subject: [Freeipa-users] Installation Hang on Fedora 17 In-Reply-To: <4FD61ACD.50504@jboss.com> References: <4FD61ACD.50504@jboss.com> Message-ID: <4FD61BEA.1010305@jboss.com> I have recently been having problems on RHEL so I thought I would try installing a Fedora 17 installation to test this but appear to be running into further problems. Everything appears to go well with the installation until it stops on the following line: - Applying LDAP updates The last two lines in the log are: - 2012-06-11T15:33:05Z DEBUG cn: Write IPA Configuration 2012-06-11T15:33:05Z DEBUG description: Write IPA Configuration I have seen reported that there was a problem in the F17 Beta release where a downgrade of '389-ds-base' would address this but this does not seem to be an option now. Does anyone know the underlying cause of the hang? Maybe there is something I can do to address this. Regards, Darran Lofthouse.
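Going back to the expired-certificate thread above: Rob's first step is to find out why certmonger did not renew, and the answer is in the "ipa-getcert list" output Paul posted, where two of the three tracked requests are not in MONITORING state. The following is an added example, not code from that thread, that turns such output into a short list of requests needing attention. The sample output it parses is constructed after Paul's (hostnames and NSS database paths made up); the only assumption about real output is that request IDs are all digits, as they are in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage "ipa-getcert list" output and
# print every tracked request certmonger is not simply monitoring.
# Assumption: request IDs are numeric, as in the output posted to the list.

# Constructed sample modelled on Paul's output (paths and errors as posted,
# directory-server instance name made up).
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL connect error).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2012-06-03 20:19:49 UTC
    track: yes
    auto-renew: yes
Request ID '20110706215145':
    status: GENERATING_CSR
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Unauthorized)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2012-06-03 20:19:49 UTC
    track: yes
    auto-renew: yes
Request ID '20120101120000':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2013-06-03 20:19:49 UTC
    track: yes
    auto-renew: yes
EOF
}

# Read "ipa-getcert list" on stdin and print one line per unhealthy request:
# request id, status, stuck flag, NSS database location, and the ca-error
# text if there is one. Healthy means status MONITORING and "stuck: no".
certmonger_problems() {
    awk '
    function flush() {
        if (id != "" && (status != "MONITORING" || stuck == "yes"))
            printf "%s %s stuck=%s %s%s\n", id, status, stuck, loc,
                   (err != "" ? (" :: " err) : "")
    }
    /^Request ID/ {
        flush()
        id = $3; gsub(/[^0-9]/, "", id)
        status = ""; stuck = ""; loc = ""; err = ""
    }
    /^[ \t]*status:/   { status = $2 }
    /^[ \t]*stuck:/    { stuck = $2 }
    /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error: */, ""); err = $0 }
    /^[ \t]*key pair storage:/ {
        if (match($0, /location=[^,]*/)) {
            loc = substr($0, RSTART + 9, RLENGTH - 9)
            gsub(/[^A-Za-z0-9\/._-]/, "", loc)
        }
    }
    END { flush() }'
}

# Stand-alone demo on the constructed sample. On a real server run:
#   ipa-getcert list | certmonger_problems
sample_getcert_list | certmonger_problems
```

On Paul's output this flags both directory-server certificates (CA_UNREACHABLE, stuck, TLS handshake with the CA failing) and the Apache certificate (GENERATING_CSR, CA answering Unauthorized). Both point at the CA side rather than at certmonger itself, which is why resubmitting with the clock set back did not help: the renewal agent cannot get a usable answer from the CA, and that is what has to be fixed first.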
From dpal at redhat.com Mon Jun 11 16:29:51 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 11 Jun 2012 12:29:51 -0400 Subject: [Freeipa-users] Installation Hang on Fedora 17 In-Reply-To: <4FD61BEA.1010305@jboss.com> References: <4FD61ACD.50504@jboss.com> <4FD61BEA.1010305@jboss.com> Message-ID: <4FD61CFF.3030007@redhat.com> On 06/11/2012 12:25 PM, Darran Lofthouse wrote: > I have recently been having problems on RHEL so I thought I would try > installing a Fedora 17 installation to test this but appear to be > running into further problems. > > Everything appears to go well with the installation until it stops on > the following line: - > > Applying LDAP updates > > The last two lines in the log are: - > > 2012-06-11T15:33:05Z DEBUG cn: Write IPA Configuration > 2012-06-11T15:33:05Z DEBUG description: Write IPA Configuration > > I have seen reported that there was a problem in the F17 Beta release > where a downgrade of '389-ds-base' would address this but this does not > seem to be an option now. > > Does anyone know the underlying cause of the hang? Maybe there is > something I can do to address this. > > Regards, > Darran Lofthouse. > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users And now to the whole list... Have you downgraded your DS packages as recommended here http://www.freeipa.org/page/DS_Issues_Note ? -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Mon Jun 11 16:34:14 2012 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 11 Jun 2012 12:34:14 -0400 Subject: [Freeipa-users] ipa client - turn off NetworkManager? 
In-Reply-To: <4FD61BDC.3090000@redhat.com> References: <8AD4194C251EC74CB897E261038F447801005E14@mantaray.tabula.com> <4FD61BDC.3090000@redhat.com> Message-ID: <1339432454.2471.25.camel@sgallagh520.sgallagh.bos.redhat.com> On Mon, 2012-06-11 at 12:25 -0400, Dmitri Pal wrote: > On 06/09/2012 06:24 AM, Joe Linoff wrote: > > Hi: > > > > > > > > I read somewhere that I should turn off the NetworkManager service > > on the IPA server. Should I do the same on the clients? ... > > There was a problem with earlier versions which has now been addressed for > quite some time. Just for clarity, do you mean that there were issues with early SSSD (which there were, and have long been fixed; years now) or do you mean that Network Manager now works reasonably with FreeIPA as well? From dpal at redhat.com Mon Jun 11 17:09:18 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 11 Jun 2012 13:09:18 -0400 Subject: [Freeipa-users] ipa client - turn off NetworkManager? In-Reply-To: <1339432454.2471.25.camel@sgallagh520.sgallagh.bos.redhat.com> References: <8AD4194C251EC74CB897E261038F447801005E14@mantaray.tabula.com> <4FD61BDC.3090000@redhat.com> <1339432454.2471.25.camel@sgallagh520.sgallagh.bos.redhat.com> Message-ID: <4FD6263E.1060501@redhat.com> On 06/11/2012 12:34 PM, Stephen Gallagher wrote: > On Mon, 2012-06-11 at 12:25 -0400, Dmitri Pal wrote: >> On 06/09/2012 06:24 AM, Joe Linoff wrote: >>> Hi: >>> >>> >>> >>> I read somewhere that I should turn off the NetworkManager service >>> on the IPA server. Should I do the same on the clients? > ... >> There was a problem with earlier versions which has now been addressed for >> quite some time.
> > Just for clarity, do you mean that there were issues with early SSSD > (which there were, and have long been fixed; years now) or do you mean > that Network Manager now works reasonably with FreeIPA as well? The former. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From darran.lofthouse at jboss.com Tue Jun 12 14:37:22 2012 From: darran.lofthouse at jboss.com (Darran Lofthouse) Date: Tue, 12 Jun 2012 15:37:22 +0100 Subject: [Freeipa-users] Installation Hang on Fedora 17 In-Reply-To: <4FD61CFF.3030007@redhat.com> References: <4FD61ACD.50504@jboss.com> <4FD61BEA.1010305@jboss.com> <4FD61CFF.3030007@redhat.com> Message-ID: <4FD75422.80303@jboss.com> On 06/11/2012 05:29 PM, Dmitri Pal wrote: > Have you downgraded your DS packages as recommended here > http://www.freeipa.org/page/DS_Issues_Note ? > Thank you Dmitri, that has now got me through the set up process - at the bottom of the instructions it says it is optional to disable the updates, are there further problems updating that package after installation is complete? From darran.lofthouse at jboss.com Tue Jun 12 15:10:05 2012 From: darran.lofthouse at jboss.com (Darran Lofthouse) Date: Tue, 12 Jun 2012 16:10:05 +0100 Subject: [Freeipa-users] Authentication Failure from Java - LoginException PREAUTH_FAILED - Partly Solved In-Reply-To: <4FC739D4.4000907@jboss.com> References: <4FC739D4.4000907@jboss.com> Message-ID: <4FD75BCD.7030804@jboss.com> Just sending a quick update as I am able to move on from this issue now. I have now moved over to Fedora 17 with the version of FreeIPA currently packaged for Fedora 17 and after getting over the installation hang I can confirm that my Java client is authenticating without issue against the newly installed server. 
At this point I don't know what is causing the failure on the previous version but I am suspecting some incompatibility with the messages generated with Java. Regards, Darran Lofthouse. On 05/31/2012 10:28 AM, Darran Lofthouse wrote: > My apologies if this has already been discussed somewhere, I have tried > a number of searches to see if this is either a known issue or common > error on the client side but so far only found references to Java issues > that should have been resolved a long time ago. > > I have a Red Hat server running in Amazon EC2 with IPA > ipa-server-2.1.3-9.el6.x86_64 installed - I have an admin user and a > test_user defined. > > From my local machine using kinit works without error. > > I have developed a test Java client to make use of the Krb5LoginModule, > I am currently debugging further but thought I would mail this in > parallel in case I am missing something obvious but I keep getting the > failure that is at the bottom of this message. > > This failure is reported when using java-1.7.0-openjdk-1.7.0.3.x86_64 - > however I have also tried using various Oracle JDKs, both 6 and 7. > > I know the password is correct as verified using kinit, also if I use > jdk1.6.0_30 AND set the system property for Kerberos debugging to true > on the client it works. > > The only difference I currently see between the failure scenario and > success scenario is that for success rc4-hmac is selected for the > PA-ENC-TIMESTAMP for the failure scenario here aes256-cts-hmac-sha1-96 > is selected instead. > > For the work I am currently using IPA for I could just force the use of > rc4-hmac but would really like to get to the bottom of the cause of this. > > Looking forward to any ideas. > > Regards, > Darran Lofthouse. 
> > > Exception in thread "main" javax.security.auth.login.LoginException: > Integrity check on decrypted field failed (31) - PREAUTH_FAILED > at > com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:759) > > at > com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:601) > at > javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) > at > javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) > at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721) > at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719) > at java.security.AccessController.doPrivileged(Native Method) > at > javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718) > > at javax.security.auth.login.LoginContext.login(LoginContext.java:590) > at > com.darranl.as.sasl.gssapi.KerberosLoginUtil.login(KerberosLoginUtil.java:50) > > at > com.darranl.as.sasl.gssapi.KerberosLoginUtil.main(KerberosLoginUtil.java:136) > > Caused by: KrbException: Integrity check on decrypted field failed (31) > - PREAUTH_FAILED > at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82) > at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316) > at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361) > at > com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:721) > > ... 
14 more > Caused by: KrbException: Identifier doesn't match expected value (906) > at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143) > at sun.security.krb5.internal.ASRep.init(ASRep.java:65) > at sun.security.krb5.internal.ASRep.(ASRep.java:60) > at sun.security.krb5.KrbAsRep.(KrbAsRep.java:60) > ... 17 more From mkosek at redhat.com Tue Jun 12 15:10:10 2012 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 12 Jun 2012 17:10:10 +0200 Subject: [Freeipa-users] Installation Hang on Fedora 17 In-Reply-To: <4FD75422.80303@jboss.com> References: <4FD61ACD.50504@jboss.com> <4FD61BEA.1010305@jboss.com> <4FD61CFF.3030007@redhat.com> <4FD75422.80303@jboss.com> Message-ID: <1339513810.20462.4.camel@balmora.brq.redhat.com> On Tue, 2012-06-12 at 15:37 +0100, Darran Lofthouse wrote: > On 06/11/2012 05:29 PM, Dmitri Pal wrote: > > Have you downgraded your DS packages as recommended here > > http://www.freeipa.org/page/DS_Issues_Note ? > > > > Thank you Dmitri, that has now got me through the set up process - at > the bottom of the instructions it says it is optional to disable the > updates, are there further problems updating that package after > installation is complete? I would not recommend updating to newer 389-ds-base until the reported issues are resolved - otherwise you may get deadlocks or other failures when running the DS. In this case, "optional" means that this is one way to disable 389-ds-base updates - you could, for example, choose not to install the versionlock yum plugin and use the --exclude option for subsequent yum updates.
Martin From darran.lofthouse at jboss.com Tue Jun 12 15:12:57 2012 From: darran.lofthouse at jboss.com (Darran Lofthouse) Date: Tue, 12 Jun 2012 16:12:57 +0100 Subject: [Freeipa-users] Installation Hang on Fedora 17 In-Reply-To: <1339513810.20462.4.camel@balmora.brq.redhat.com> References: <4FD61ACD.50504@jboss.com> <4FD61BEA.1010305@jboss.com> <4FD61CFF.3030007@redhat.com> <4FD75422.80303@jboss.com> <1339513810.20462.4.camel@balmora.brq.redhat.com> Message-ID: <4FD75C79.7000807@jboss.com> On 06/12/2012 04:10 PM, Martin Kosek wrote: > I would not recommend updating to newer 389-ds-base until the reported > issues are resolved - otherwise you may get deadlocks or other failures > when running the DS. Ok thanks for that, my new installation is only for development at the moment so I will disable those updates for now. Regards, Darran Lofthouse. > In this case, "optional" means that this is one way to disable > 389-ds-base updates - you could for example want to not install > versionlock yum plugin and use --exclude option for subsequent yum > updates. > > Martin > From cao2dan at yahoo.com Tue Jun 12 21:30:55 2012 From: cao2dan at yahoo.com (David Copperfield) Date: Tue, 12 Jun 2012 14:30:55 -0700 (PDT) Subject: [Freeipa-users] How to promote 2.2.0 replica(installed with --setup-ca) to primary master? In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC97B1F@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC97859@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC97A90@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FBC089E.3090103@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC97B1F@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <1339536655.87084.YahooMailNeo@web125705.mail.ne1.yahoo.com> Hi Rob, Rich and all, After reading through all the mails in the list and the 2.2.0 document, it is still not clear how to promote an IPA replica to master after the master is dead. The basic setup is:
IPA 2.2.0 Master A; and IPA 2.2.0 replica B installed from A with '--setup-ca' option. That means both A and B are running a CA. According to the 2.2.0 manual at chapter 18.8.1, all the steps, 1--5, are making no difference. So the problem turns into: how to let B have the root signing key. The following stanza is copied from chapter 18.8.1. http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/promoting-replica.html ------------------------------------------------ The only difference between a replica in the IPA topology and the master server is that the master owns the master CA in the PKI hierarchy. The master CA is the authoritative CA; it has the root CA signing key and generates CRLs which are distributed among the other servers and replicas in the topology. A replica database is cloned (or copied) directly from that master database. ------------------------------------------------ How to let B have the root signing key? Is that as simple as: overwrite B's /root/cacert.p12 from A (which I already saved in subversion)? Thanks a lot. --David From cao2dan at yahoo.com Tue Jun 12 21:48:05 2012 From: cao2dan at yahoo.com (David Copperfield) Date: Tue, 12 Jun 2012 14:48:05 -0700 (PDT) Subject: [Freeipa-users] IPA 2.2.0 document inaccuracy Message-ID: <1339537685.31952.YahooMailNeo@web125706.mail.ne1.yahoo.com> For the replication removal steps documented at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/removing-replica.html. The step 3 is inaccurate: 'del' should be 'disconnect' instead, otherwise oops -- all other 3 masters/replicas suddenly disappear from the IPA architecture.
:) The step 3.5 which is missing: remove 'replica' from all other three IPA servers by force, and restart them: on ipaserver: ipa-csreplica-manage del replica.example.com --force ipa-replica-manage del replica.example.com --force ipa host-del replica.example.com ## just double check in case the above steps don't remove the host entry. ipactl restart on ipaserver1: same.... on ipareplica1: same ... --David From rcritten at redhat.com Tue Jun 12 21:58:43 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 12 Jun 2012 17:58:43 -0400 Subject: [Freeipa-users] How to promote 2.2.0 replica(installed with --setup-ca) to primary master? In-Reply-To: <1339536655.87084.YahooMailNeo@web125705.mail.ne1.yahoo.com> References: <833D8E48405E064EBC54C84EC6B36E404CC97859@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC97A90@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FBC089E.3090103@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC97B1F@STAWINCOX10MBX1.staff.vuw.ac.nz> <1339536655.87084.YahooMailNeo@web125705.mail.ne1.yahoo.com> Message-ID: <4FD7BB93.2000105@redhat.com> David Copperfield wrote: > Hi Rob, Rich and all, > > After read through all the mails in the list and the 2.2.0 document, It > is still not clear how to promote a IPA replica to master after the > master is dead. > > The basic setup is: > > IPA 2.2.0 Master A; and IPA 2.2.0 replica B installed from A with > '--setup-ca' option. That means, both A and B are running CA. According > to 2.2.0 manual at chapter 18.8.1. All the steps, 1--5, are making no > differences. > > So the problem turns into: how to let B has the root signing key, the > following stanza are copied from chapter 18.8.1.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/promoting-replica.html > > ------------------------------------------------ > The only difference between a replica in the IPA topology and the master > server is that the master owns the master CA in the PKI hierarchy. The > master CA is the authoritative CA; it has the root CA signing key and > generates CRLs which are distributed among the other servers and > replicas in the topology. A replica database is cloned (or copied) > directly from that master database. > ------------------------------------------------ > > How to let B has the root signing key? Is that as simple as: overwrite > B's /root/cacert.p12 from A (which I already saved in subversion)? > It already has the root signing key. The only difference is which one generates the CRL. The dogtag guys have told us that the first server installed is automatically the CRL generator and that the clones are not configured this way. It is unclear that this is actually the case in practice, AFAIK the dogtag team is working with our doc writer to clarify this. But in short the only thing to do is change the CRL generator per those instructions. It is otherwise already a full CA. If none or all of them are generating a CRL it isn't the end of the world either way, you could just end up with slightly different CRLs on different masters which can be confusing. /root/cacert.p12 is not used by a running server. 
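Rob's answer reduces the "promotion" to changing which CA generates the CRL, which is done by editing CS.cfg per the linked instructions. The following is an added example, not code from this thread or from the IPA project, that reads the relevant settings out of a CS.cfg, reports whether the instance looks like the CRL generator, and flips them either way. The four keys (the two James Hogarth names later in the thread plus ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates) and the promotion values true/true/true/600 are the ones the RHEL IdM guide's promotion procedure uses; the demotion values are assumed to be their opposites. The sample CS.cfg fragment is constructed, and the real file on an IPA 2.x server is /etc/pki-ca/CS.cfg, edited with the CA stopped and followed by a pki-cad restart.

```shell
#!/bin/sh
# Added example (not from the thread): inspect and flip the CRL-generator
# settings in a Dogtag CS.cfg. Keys and promotion values follow the RHEL IdM
# guide's promotion procedure; demotion values are assumed to be their
# opposites. The sample file below is constructed.

# Escape regex dots in a key name so "ca.crl.X" cannot match "caXcrlXX".
key_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Print the value of KEY in FILE, or "unset" when the key is absent.
cfg_get() {  # cfg_get FILE KEY
    v=$(sed -n "s/^$(key_re "$2")=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Set KEY=VALUE in FILE, editing the existing line or appending a new one.
cfg_set() {  # cfg_set FILE KEY VALUE
    k=$(key_re "$2")
    if grep -q "^$k=" "$1"; then
        sed -i.bak "s|^$k=.*|$2=$3|" "$1" && rm -f "$1.bak"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

CRL_KEYS="ca.crl.MasterCRL.enableCRLCache ca.crl.MasterCRL.enableCRLUpdates
ca.listenToCloneModifications ca.certStatusUpdateInterval"

# Report the four settings and a verdict. Absent keys (what James saw on a
# fresh 2.2 install) are reported as "unset" rather than guessed at.
crl_generator_status() {  # crl_generator_status FILE
    for key in $CRL_KEYS; do
        printf '%s=%s\n' "$key" "$(cfg_get "$1" "$key")"
    done
    upd=$(cfg_get "$1" ca.crl.MasterCRL.enableCRLUpdates)
    cache=$(cfg_get "$1" ca.crl.MasterCRL.enableCRLCache)
    case "$upd:$cache" in
        true:true)   echo "verdict: CRL generator" ;;
        false:false) echo "verdict: clone, not generating CRLs" ;;
        *)           echo "verdict: undetermined, check the running CA" ;;
    esac
}

# Values from the IdM guide's promotion procedure.
promote_to_crl_generator() {  # promote_to_crl_generator FILE
    cfg_set "$1" ca.crl.MasterCRL.enableCRLCache true
    cfg_set "$1" ca.crl.MasterCRL.enableCRLUpdates true
    cfg_set "$1" ca.listenToCloneModifications true
    cfg_set "$1" ca.certStatusUpdateInterval 600
}

# Assumed opposites, for the old master if it ever comes back.
demote_from_crl_generator() {  # demote_from_crl_generator FILE
    cfg_set "$1" ca.crl.MasterCRL.enableCRLCache false
    cfg_set "$1" ca.crl.MasterCRL.enableCRLUpdates false
    cfg_set "$1" ca.listenToCloneModifications false
    cfg_set "$1" ca.certStatusUpdateInterval 0
}

# Constructed CS.cfg fragment: a clone with the two keys James mentions
# absent. "other.setting" is a placeholder, not a real Dogtag key.
sample_cs_cfg() {  # sample_cs_cfg FILE
cat > "$1" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
other.setting=1
EOF
}

# Stand-alone demo on a temporary copy: before and after promotion.
demo=$(mktemp)
sample_cs_cfg "$demo"
crl_generator_status "$demo"
promote_to_crl_generator "$demo"
crl_generator_status "$demo"
rm -f "$demo"
```

Run crl_generator_status against each CA's CS.cfg before changing anything; if it reports "CRL generator" on more than one server you have the situation Rob describes, several masters each publishing its own slightly different CRL, and the demotion function is the fix for all but one of them.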
rob From mkosek at redhat.com Wed Jun 13 09:20:51 2012 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 13 Jun 2012 11:20:51 +0200 Subject: [Freeipa-users] IPA 2.2.0 document inaccuracy In-Reply-To: <1339537685.31952.YahooMailNeo@web125706.mail.ne1.yahoo.com> References: <1339537685.31952.YahooMailNeo@web125706.mail.ne1.yahoo.com> Message-ID: <1339579251.2965.19.camel@balmora.brq.redhat.com> On Tue, 2012-06-12 at 14:48 -0700, David Copperfield wrote: > For the replication removal steps documented at > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/removing-replica.html. > > > > The step 3 is inaccurate: 'del' should be 'disconnect' instead, > otherwise oops -- all other 3 matsers/replicas are suddenly > disappeared from IPA architecture. :) > > > The step 3.5 which is missing: removal 'replica' from all other three > IPA servers by force, and restart them: > > > on ipaserver: > > > ipa-csreplica-manage del replica.example.com --force > ipa-replica-manage del replica.example.com --force > ipa host-del replica.example.com ## just double check in case the > above steps don't remove the host entry. > ipactl restart > > > on ipaserver1: > > > same.... > > > on ipareplica1: > > > same ... > > > > > --David Thanks David, that's a good catch. I created a bugzilla to fix this doc bug: https://bugzilla.redhat.com/show_bug.cgi?id=831526 Martin From sigbjorn at nixtra.com Wed Jun 13 11:07:24 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 13 Jun 2012 13:07:24 +0200 (CEST) Subject: [Freeipa-users] ipa "user administrator" role - gidnumber Message-ID: <24673.213.225.75.97.1339585644.squirrel@www.nixtra.com> Hi, I have a user that's a member of the "user administrator" role. When this user attempts to change the gid of a user an error occur. 
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'gidNumber' attribute of entry Looking at the privilege "user administrators" attached to the role, and the permission "modify users" attached to the privilege, I see that "gidnumber" is not ticked as a target to allow "modify users" to write to. So permissions are handled correctly, but the write permission to gidnumber is missing. Is this a bug or intentional? I would see it as natural that a user admin has access to also change the gidnumber of a user. Rgds, Siggi From james.hogarth at gmail.com Wed Jun 13 14:27:10 2012 From: james.hogarth at gmail.com (James Hogarth) Date: Wed, 13 Jun 2012 15:27:10 +0100 Subject: [Freeipa-users] How to promote 2.2.0 replica(installed with --setup-ca) to primary master? In-Reply-To: <4FD7BB93.2000105@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CC97859@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC97A90@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FBC089E.3090103@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC97B1F@STAWINCOX10MBX1.staff.vuw.ac.nz> <1339536655.87084.YahooMailNeo@web125705.mail.ne1.yahoo.com> <4FD7BB93.2000105@redhat.com> Message-ID: > > But in short the only thing to do is change the CRL generator per those > instructions. It is otherwise already a full CA. If none or all of them are > generating a CRL it isn't the end of the world either way, you could just > end up with slightly different CRLs on different masters which can be > confusing. > Really trying to get to the bottom of this.... I've just installed FreeIPA 2.2 on Fedora 17 ....
So far as I can see the first system immediately after being built does not have the following lines discussed in the 'promote replica' documentation in CS.cfg: ca.certStatusUpdateInterval ca.listenToCloneModifications Grabbing the info from the internal dogtag system for the first built system shows: PKI Subsystem Type: Root CA (Security Domain) After having installed the second system there is no change in the first system.... The second system is identical to the first for the given parameters mentioned in the docs.... Grabbing the info from the internal dogtag system for the second built system shows: PKI Subsystem Type: CA Clone (Security Domain) This appears to completely differ from the docs on a default install - to the extent described parameters in CS.cfg don't even exist..... Finally I decided to mimic a complete failure of the first system and the consequences thereof..... Installing a third system and using the second for ipa-replica-prepare all seemed to build cleanly.... After it was installed both systems apparently were clones according to the internal dogtag info - but replication seemed fine and both appeared to be generating CRLs..... The replication was as one would expect - system2 had agreements with systems 1 and 3 ... and system 3 only knew of system 1... Built a client to register against these next.... The client was able to use ipa-client to join this domain... Next httpd was installed on this client.... Using the normal methods (ipa service-add, ipa-getcert, ipa-getkeytab) the httpd instance was configured fine with an HTTP service keytab and SSL certificate being monitored via certmonger.... The only thing I can get out of these diagnostics is that the whole 'ROOT' thing only on the first doesn't appear to matter since certificates could still be generated and all instances appeared to be generating CRLs..... Sorry for the wordiness but wanted to get all my steps and checks down for reference purposes....
Hope this helps out the next person who wonders about the whole 'promote' thing in the IPA documentation - it doesn't actually seem to apply in the slightest for a full Dogtag multimaster integrated setup....

Regards,
James

From Steven.Jones at vuw.ac.nz Wed Jun 13 20:54:44 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 13 Jun 2012 20:54:44 +0000
Subject: [Freeipa-users] Replication problems with having more than one replica?
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Has anyone seen replication issues when you have more than one replica?

If I have ipa1 as the master and 2 as the replica I am OK, if I add ipa3 as a second replica 1 to 3 works both ways, and 2 to 1 works but not 1 to 2....

I removed and re-added 2 and find that 3 now no longer works....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Wed Jun 13 21:00:08 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 13 Jun 2012 21:00:08 +0000
Subject: [Freeipa-users] Removing a replica fails everytime
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCCA5E4@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Seems the un-install option for ipa-server hangs at un-configuring/stopping the web server every time....the result is the master thinks it has a replication agreement but the replica doesn't......it's then not possible to re-add the replica to the master....it starts to work but fails when it tries to sync the data...that bit doesn't seem to occur..

Now the assumption seems to be the dirsrv on the server being removed is running...in effect you can only un-install if the system is working...which isn't why you want to --uninstall. So if you lose a server and it has no dirsrv you cannot remove it from the master's "memory" so a bare metal restore cannot be added....

Simple solution: there needs to be a script or procedure that cleans the master properly.
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From rcritten at redhat.com Wed Jun 13 21:54:56 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Jun 2012 17:54:56 -0400
Subject: [Freeipa-users] Replication problems with having more than one replica?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FD90C30.2020302@redhat.com>

Steven Jones wrote:
> Hi,
>
> Has anyone seen replication issues when you have more than one replica?
>
> If I have ipa1 as the master and 2 as the replica I am OK, if I add ipa3 as a second replica 1 to 3 works both ways, and 2 to 1 works but not 1 to 2....
>
> I removed and re-added 2 and find that 3 now no longer works....

We need details. What doesn't work? How did you remove and re-add 2? Are any errors logged when this happens?

rob

From Steven.Jones at vuw.ac.nz Wed Jun 13 21:54:15 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 13 Jun 2012 21:54:15 +0000
Subject: [Freeipa-users] Removing a replica fails everytime
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCCA5E4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5E4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCCA64E@STAWINCOX10MBX1.staff.vuw.ac.nz>

Any idea on this GSSAPI error?

[root at vuwunicoipam001 ~]# ipa-replica-manage list
vuwunicoipam002.ods.vuw.ac.nz: master
vuwunicoipam005.ods.vuw.ac.nz: master
vuwunicoipam003.ods.vuw.ac.nz: master
vuwunicoipam004.ods.vuw.ac.nz: master
vuwunicoipam001.ods.vuw.ac.nz: master
[root at vuwunicoipam001 ~]# ipa-replica-manage del vuwunicoipam003.ods.vuw.ac.nz
Unable to delete replica vuwunicoipam003.ods.vuw.ac.nz: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Cannot contact any KDC for requested realm)', 'desc': 'Local error'}
[root at vuwunicoipam001 ~]#

I'd like to delete 4 and 5 as well as they are not masters....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 14 June 2012 9:00 a.m.
Cc: freeipa-users at redhat.com
Subject: [Freeipa-users] Removing a replica fails everytime

Hi,

Seems the un-install option for ipa-server hangs at un-configuring/stopping the web server every time....the result is the master thinks it has a replication agreement but the replica doesn't......it's then not possible to re-add the replica to the master....it starts to work but fails when it tries to sync the data...that bit doesn't seem to occur..

Now the assumption seems to be the dirsrv on the server being removed is running...in effect you can only un-install if the system is working...which isn't why you want to --uninstall. So if you lose a server and it has no dirsrv you cannot remove it from the master's "memory" so a bare metal restore cannot be added....

Simple solution: there needs to be a script or procedure that cleans the master properly.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Wed Jun 13 21:57:08 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 13 Jun 2012 21:57:08 +0000
Subject: [Freeipa-users] Replication problems with having more than one replica?
In-Reply-To: <4FD90C30.2020302@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90C30.2020302@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCCA661@STAWINCOX10MBX1.staff.vuw.ac.nz>

steps
==============
1) Fresh replica key
2) attempt to join with the ipa-manage-replica key command; this fails
3) Check the 2nd server's dirsrv is running (service dirsrv status), if not start it with service dirsrv start
4) run ipa-replica-manage force-sync -from ipa1 on ipa2
5) Check the 2nd server's dirsrv is still running
6) On Ipa1 (the master) run ipa-replica-manage del ipam002
7) run ipa-server-install --uninstall on ipam002
8) run ipa-server-install and this seems to succeed

So far 1 to 2 and 2 to 1 replication is running HOWEVER replication on 2 to 3 does NOT work.....1 to 3 does and 3 to 1 does. I tried running ipa-replica-manage force-sync --from ipam1 but this won't sync, yet it used to.....
==============

So when adding 2 back in, replication 1 to 3 breaks.....so I tried removing 3 and re-adding and that failed.....I get a GSSAPI error....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 14 June 2012 9:54 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Replication problems with having more than one replica?

Steven Jones wrote:
> Hi,
>
> Has anyone seen replication issues when you have more than one replica?
>
> If I have ipa1 as the master and 2 as the replica I am OK, if I add ipa3 as a second replica 1 to 3 works both ways, and 2 to 1 works but not 1 to 2....
>
> I removed and re-added 2 and find that 3 now no longer works....

We need details. What doesn't work? How did you remove and re-add 2? Are any errors logged when this happens?
rob

From rcritten at redhat.com Wed Jun 13 21:59:05 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Jun 2012 17:59:05 -0400
Subject: [Freeipa-users] Removing a replica fails everytime
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCCA5E4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5E4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FD90D29.70308@redhat.com>

Steven Jones wrote:
> Hi,
>
> Seems the un-install option for ipa-server hangs at un-configuring/stopping the web server every time....the result is the master thinks it has a replication agreement but the replica doesn't......it's then not possible to re-add the replica to the master....it starts to work but fails when it tries to sync the data...that bit doesn't seem to occur..

Can you investigate where it hangs? What is the last bit in the log? Is it that /sbin/service isn't returning? strace might be helpful.

> Now the assumption seems to be the dirsrv on the server being removed is running...in effect you can only un-install if the system is working...which isn't why you want to --uninstall. So if you lose a server and it has no dirsrv you cannot remove it from the master's "memory" so a bare metal restore cannot be added....

If a box goes away then you can remove references on the master it connected with using:

ipa-replica-manage del --force
ipa host-del

> Simple solution: there needs to be a script or procedure that cleans the master properly.

The solution is to figure out why your server is hanging. Nobody has ever reported seeing this before.

rob

From jason at lovesgoodfood.com Wed Jun 13 20:45:48 2012
From: jason at lovesgoodfood.com (Jason Riedy)
Date: Wed, 13 Jun 2012 16:45:48 -0400
Subject: [Freeipa-users] Password pass-through to an existing LDAP server?
Message-ID: <87aa07x7nn.fsf@NaN.sparse.dyndns.org>

I'm setting up an experimental subnet that needs a combination of local and remote users. The local users already have passwords available.
I'd like to rely on those passwords without requiring them to manage it themselves.

Is it possible to pass-through passwords to an external LDAP back-end? I was hoping to find this in the docs somewhere, but I can't find anything quite like OpenLDAP's {SASL}foo at example.com. I'd like to keep Kerberos integration for other reasons, otherwise I'd just use OpenLDAP and not worry.

--
Jason

From rcritten at redhat.com Wed Jun 13 22:08:43 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Jun 2012 18:08:43 -0400
Subject: [Freeipa-users] Replication problems with having more than one replica?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCCA661@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90C30.2020302@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCCA661@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FD90F6B.2090009@redhat.com>

Steven Jones wrote:
> steps
>
> ==============
> 1) Fresh replica key
> 2) attempt to join with the ipa-manage-replica key command; this fails
> 3) Check the 2nd server's dirsrv is running (service dirsrv status), if not start it with service dirsrv start
> 4) run ipa-replica-manage force-sync -from ipa1 on ipa2
> 5) Check the 2nd server's dirsrv is still running
> 6) On Ipa1 (the master) run ipa-replica-manage del ipam002
> 7) run ipa-server-install --uninstall on ipam002
> 8) run ipa-server-install and this seems to succeed

I still don't understand. What is step #1? You add a new replica by doing an ipa-replica-prepare and ipa-replica-install. Is that what you mean? I don't understand why ipa-replica-manage would come into play when adding a new replica.

>
> So far 1 to 2 and 2 to 1 replication is running HOWEVER replication on 2 to 3 does NOT work.....1 to 3 does and 3 to 1 does. I tried running ipa-replica-manage force-sync --from ipam1 but this won't sync, yet it used to.....
> ==============
>
> So when adding 2 back in, replication 1 to 3 breaks.....so I tried removing 3 and re-adding and that failed.....I get a GSSAPI error....

If you delete a replica you need to restart the dirsrv service on any masters it was connected to. 389-ds caches the GSSAPI credentials and re-installing a replica will generate new ones which won't get picked up until a restart.

rob

From dpal at redhat.com Wed Jun 13 22:09:20 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 13 Jun 2012 18:09:20 -0400
Subject: [Freeipa-users] Password pass-through to an existing LDAP server?
In-Reply-To: <87aa07x7nn.fsf@NaN.sparse.dyndns.org>
References: <87aa07x7nn.fsf@NaN.sparse.dyndns.org>
Message-ID: <4FD90F90.5030800@redhat.com>

On 06/13/2012 04:45 PM, Jason Riedy wrote:
> I'm setting up an experimental subnet that needs a combination of
> local and remote users. The local users already have passwords
> available. I'd like to rely on those passwords without requiring
> them to manage it themselves.
>
> Is it possible to pass-through passwords to an external LDAP
> back-end? I was hoping to find this in the docs somewhere, but I
> can't find anything quite like OpenLDAP's {SASL}foo at example.com.
> I'd like to keep Kerberos integration for other reasons,
> otherwise I'd just use OpenLDAP and not worry.

That will work with SSSD if your local users are in the passwd file and remote users are in the SSSD domain. It is the default SSSD configuration, though it is assumed that only system accounts are in files. But local users should work OK. It is just not the best configuration we would hope for.

Can you explain what is the reason for having local accounts other than system ones? SSSD can do caching of the central accounts and offline authentication, so if the reason is the offline case then SSSD already handles it nicely, allowing you to move all your human accounts into the central location, leaving the passwd file for root and system accounts only.

--
Thank you,
Dmitri Pal

Sr.
Engineering Manager IPA project,
Red Hat Inc.

From Steven.Jones at vuw.ac.nz Wed Jun 13 22:14:12 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 13 Jun 2012 22:14:12 +0000
Subject: [Freeipa-users] Replication problems with having more than one replica?
In-Reply-To: <4FD90F6B.2090009@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90C30.2020302@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCCA661@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90F6B.2090009@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCCA689@STAWINCOX10MBX1.staff.vuw.ac.nz>

Because I'm trying to clean out the old "memory" of the ex-replica first...I have to do that before I can re-add it for some reason.

All I have is the manual so I'm doing my best to repair a system that seems unstable....so I was advised to make a new replica key as the original one used to initially make a replication agreement was no good.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 14 June 2012 10:08 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Replication problems with having more than one replica?

Steven Jones wrote:
> steps
>
> ==============
> 1) Fresh replica key
> 2) attempt to join with the ipa-manage-replica key command; this fails
> 3) Check the 2nd server's dirsrv is running (service dirsrv status), if not start it with service dirsrv start
> 4) run ipa-replica-manage force-sync -from ipa1 on ipa2
> 5) Check the 2nd server's dirsrv is still running
> 6) On Ipa1 (the master) run ipa-replica-manage del ipam002
> 7) run ipa-server-install --uninstall on ipam002
> 8) run ipa-server-install and this seems to succeed

I still don't understand. What is step #1?
You add a new replica by doing an ipa-replica-prepare and ipa-replica-install. Is that what you mean? I don't understand why ipa-replica-manage would come into play when adding a new replica.

>
> So far 1 to 2 and 2 to 1 replication is running HOWEVER replication on 2 to 3 does NOT work.....1 to 3 does and 3 to 1 does. I tried running ipa-replica-manage force-sync --from ipam1 but this won't sync, yet it used to.....
> ==============
>
> So when adding 2 back in, replication 1 to 3 breaks.....so I tried removing 3 and re-adding and that failed.....I get a GSSAPI error....

If you delete a replica you need to restart the dirsrv service on any masters it was connected to. 389-ds caches the GSSAPI credentials and re-installing a replica will generate new ones which won't get picked up until a restart.

rob

From Steven.Jones at vuw.ac.nz Wed Jun 13 23:06:29 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 13 Jun 2012 23:06:29 +0000
Subject: [Freeipa-users] Replication problems with having more than one replica?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCCA689@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90C30.2020302@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCCA661@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90F6B.2090009@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CCCA689@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCCA6B3@STAWINCOX10MBX1.staff.vuw.ac.nz>

OK,

I have got ipa3 back in as a replica, however when I add a user to ipa1 (master) it flows to ipa2 (1st replica) but not to ipa3 (2nd replica) which I just added....

When I add a user to ipa2, it flows to ipa1 but not ipa3

When I add a user to ipa3 it doesn't flow to 1 or 2.

When I run ipa-manage-replica list on all three IPA servers I see all three are listed as masters.

??
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 14 June 2012 10:14 a.m.
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Replication problems with having more than one replica?

Because I'm trying to clean out the old "memory" of the ex-replica first...I have to do that before I can re-add it for some reason.

All I have is the manual so I'm doing my best to repair a system that seems unstable....so I was advised to make a new replica key as the original one used to initially make a replication agreement was no good.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 14 June 2012 10:08 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Replication problems with having more than one replica?

Steven Jones wrote:
> steps
>
> ==============
> 1) Fresh replica key
> 2) attempt to join with the ipa-manage-replica key command; this fails
> 3) Check the 2nd server's dirsrv is running (service dirsrv status), if not start it with service dirsrv start
> 4) run ipa-replica-manage force-sync -from ipa1 on ipa2
> 5) Check the 2nd server's dirsrv is still running
> 6) On Ipa1 (the master) run ipa-replica-manage del ipam002
> 7) run ipa-server-install --uninstall on ipam002
> 8) run ipa-server-install and this seems to succeed

I still don't understand. What is step #1? You add a new replica by doing an ipa-replica-prepare and ipa-replica-install. Is that what you mean? I don't understand why ipa-replica-manage would come into play when adding a new replica.
>
> So far 1 to 2 and 2 to 1 replication is running HOWEVER replication on 2 to 3 does NOT work.....1 to 3 does and 3 to 1 does. I tried running ipa-replica-manage force-sync --from ipam1 but this won't sync, yet it used to.....
> ==============
>
> So when adding 2 back in, replication 1 to 3 breaks.....so I tried removing 3 and re-adding and that failed.....I get a GSSAPI error....

If you delete a replica you need to restart the dirsrv service on any masters it was connected to. 389-ds caches the GSSAPI credentials and re-installing a replica will generate new ones which won't get picked up until a restart.

rob

From simo at redhat.com Thu Jun 14 01:34:32 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 13 Jun 2012 21:34:32 -0400
Subject: [Freeipa-users] Replication problems with having more than one replica?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCCA6B3@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90C30.2020302@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCCA661@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90F6B.2090009@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CCCA689@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCCA6B3@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1339637672.8230.652.camel@willson.li.ssimo.org>

On Wed, 2012-06-13 at 23:06 +0000, Steven Jones wrote:
> OK,
>
> I have got ipa3 back in as a replica, however when I add a user to ipa1 (master) it flows to ipa2 (1st replica) but not to ipa3 (2nd replica) which I just added....
>
> When I add a user to ipa2, it flows to ipa1 but not ipa3
>
> When I add a user to ipa3 it doesn't flow to 1 or 2.
>
> When I run ipa-manage-replica list on all three IPA servers I see all three are listed as masters.
If you reinstalled #3 but did not restart #1 after you deleted the previous #3 replica then replication will not work. Restart #1 (assuming the replication topology is 1-3) and replication will commence.

This is an issue with re-install of a replica that we are going to address as soon as possible; meanwhile the workaround is to restart the master you are going to replicate from after you run an ipa-replica-manage del.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Thu Jun 14 01:56:14 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 14 Jun 2012 01:56:14 +0000
Subject: [Freeipa-users] Replication problems with having more than one replica?
In-Reply-To: <1339637672.8230.652.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90C30.2020302@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCCA661@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90F6B.2090009@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CCCA689@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCCA6B3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1339637672.8230.652.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCCA7D3@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have done a restart numerous times demonstrating that named does not survive "service ipa restart" or a reboot......

I have just done it again on ipam001 (master) and created a user and that user doesn't appear on the second replica...but does on the first replica.

I have also done "service ipa restart" on ipa002 (1st replica) and ipam003 (2nd replica) numerous times to no avail.

So restarting isn't a fix right now, not for my setup anyway.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Thursday, 14 June 2012 1:34 p.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Replication problems with having more than one replica?

On Wed, 2012-06-13 at 23:06 +0000, Steven Jones wrote:
> OK,
>
> I have got ipa3 back in as a replica, however when I add a user to ipa1 (master) it flows to ipa2 (1st replica) but not to ipa3 (2nd replica) which I just added....
>
> When I add a user to ipa2, it flows to ipa1 but not ipa3
>
> When I add a user to ipa3 it doesn't flow to 1 or 2.
>
> When I run ipa-manage-replica list on all three IPA servers I see all three are listed as masters.

If you reinstalled #3 but did not restart #1 after you deleted the previous #3 replica then replication will not work. Restart #1 (assuming the replication topology is 1-3) and replication will commence.

This is an issue with re-install of a replica that we are going to address as soon as possible; meanwhile the workaround is to restart the master you are going to replicate from after you run an ipa-replica-manage del.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Thu Jun 14 02:01:58 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 13 Jun 2012 22:01:58 -0400
Subject: [Freeipa-users] Replication problems with having more than one replica?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCCA7D3@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90C30.2020302@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCCA661@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90F6B.2090009@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CCCA689@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCCA6B3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1339637672.8230.652.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CCCA7D3@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1339639318.8230.658.camel@willson.li.ssimo.org>

On Thu, 2012-06-14 at 01:56 +0000, Steven Jones wrote:
> Hi,
>
> I have done a restart numerous times demonstrating that named does not survive "service ipa restart" or a reboot......

FWIW you do not need to restart all IPA components, just dirsrv.

> I have just done it again on ipam001 (master) and created a user and
> that user doesn't appear on the second replica...but does on the first
> replica.
>
> I have also done "service ipa restart" on ipa002 (1st replica) and ipam003
> (2nd replica) numerous times to no avail.
>
> So restarting isn't a fix right now, not for my setup anyway.

Please provide DS logs; if you are having replication errors they should show up in the logs.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dale at themacartneyclan.com Thu Jun 14 10:54:47 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Thu, 14 Jun 2012 11:54:47 +0100
Subject: [Freeipa-users] eJabberd authentication with FreeIPA via LDAP with Group member validation
Message-ID: <4FD9C2F7.5080303@themacartneyclan.com>

Morning all

I have to say I am a little disappointed with myself to be honest as I thought I published this a while ago.

I've just placed another wiki article for adding Jabber services to IPA.
This is a work in progress as I'm aiming for SSO ability, but thought someone might find it useful in the interim.

The link is as follows

http://freeipa.org/page/EJabberd_Integration_with_FreeIPA_using_LDAP_Group_memberships

Would love some feedback from other ejabberd users as I am not happy, personally, recommending people to use unencrypted LDAP queries for authentication purposes. I would appreciate some assistance from others on this if possible. I wasn't able to get LDAP with TLS or SSL working in the end.

Best regards

Dale

From simo at redhat.com Thu Jun 14 11:50:20 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 14 Jun 2012 07:50:20 -0400
Subject: [Freeipa-users] Replication problems with having more than one replica?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCCA813@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90C30.2020302@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCCA661@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90F6B.2090009@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CCCA689@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCCA6B3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1339637672.8230.652.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CCCA7D3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1339639318.8230.658.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CCCA813@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1339674620.8230.672.camel@willson.li.ssimo.org>

On Thu, 2012-06-14 at 03:00 +0000, Steven Jones wrote:
> Hi,
>
> 3 log sets from /var/log/dirsrv/slapd

Looking at the first server's error log it looks like one of your replicas has a wrong PTR record and GSSAPI cannot therefore find the right ticket.

Make sure your DNS is properly set up (or /etc/hosts entries) for all the servers.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From maciej.sawicki at polidea.pl Thu Jun 14 13:34:25 2012
From: maciej.sawicki at polidea.pl (Maciej Sawicki)
Date: Thu, 14 Jun 2012 15:34:25 +0200
Subject: [Freeipa-users] groups migration
In-Reply-To:
References:
Message-ID:

bump

On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki wrote:
> Hi,
> I (almost) managed to migrate groups from my previous server. That is,
> group names migrated perfectly; unfortunately when I log in to the web
> panel all groups are empty.
>
> I used the following command:
> ipa migrate-ds ldap://192.168.1.125:389
> --bind-dn="cn=admin,dc=domain,dc=com" --group-container='ou=groups'
> --group-objectclass='posixGroup'
>
> I will appreciate any help.
>
> regards,
> Maciej Sawicki

From jason at lovesgoodfood.com Thu Jun 14 13:54:47 2012
From: jason at lovesgoodfood.com (Jason Riedy)
Date: Thu, 14 Jun 2012 09:54:47 -0400
Subject: [Freeipa-users] Password pass-through to an existing LDAP server?
References: <87aa07x7nn.fsf@NaN.sparse.dyndns.org> <4FD90F90.5030800@redhat.com>
Message-ID: <87hauevw0o.fsf@NaN.sparse.dyndns.org>

And Dmitri Pal writes:
> Can you explain what is the reason for having local accounts
> other than system ones?

Sorry, I didn't explain well enough. I mean local to the *subnet*, not the host. I don't want them in /etc/passwd. Nor do I want all global users defined by default, although that's less important.

That's what OpenLDAP's pass-through mechanism accomplishes. I'd declare the local users in the subnet's LDAP server and set their passwords to direct to another LDAP server.

Does FreeIPA have a similar facility?

--
Jason

From natxo.asenjo at gmail.com Thu Jun 14 17:24:57 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Thu, 14 Jun 2012 19:24:57 +0200
Subject: [Freeipa-users] eJabberd authentication with FreeIPA via LDAP with Group member validation
In-Reply-To: <4FD9C2F7.5080303@themacartneyclan.com>
References: <4FD9C2F7.5080303@themacartneyclan.com>
Message-ID:

On Thu, Jun 14, 2012 at 12:54 PM, Dale Macartney wrote:
>
> I've just placed another wiki article for adding Jabber services to IPA.
> This is a work in progress as I'm aiming for SSO ability, but thought
> someone might find it useful in the interim.
>
> The link is as follows
>
> http://freeipa.org/page/EJabberd_Integration_with_FreeIPA_using_LDAP_Group_memberships

hi,

thanks! It looks good.

I am thinking of trying to implement a jabber openfire server; it supports gssapi apparently. I'll post the howto if I get it working :-).

Nice to see a growing community.

--
natxo
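Simo's diagnosis earlier in this thread (a replica whose PTR record points at the wrong name, so the GSSAPI replication bind cannot find the right ticket) can be turned into a routine check. The script below is an added example, not code from FreeIPA or from anyone on the list: it scans 389-ds errors-log lines for replication-bind failures and verifies the name -> address -> PTR -> name round trip for each peer. The log lines, hostnames, addresses and resolver tables are constructed, and the lookups are injected as callables so it runs offline; live_resolvers() supplies the socket-based lookups for a real master.

```python
"""Triage replication-bind failures in a 389-ds errors log and verify the DNS
round trip (name -> address -> PTR -> name) for every replication peer found.

Added example, not code from FreeIPA or from anyone in this thread. It assumes
the errors-log line shape of the constructed sample below; the forward and
reverse lookups are passed in as callables so the check runs offline against
constructed tables (on a live master use live_resolvers()).
"""
import re
import socket
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str], str]  # hostname -> address, or address -> hostname

# Constructed sample in the shape of /var/log/dirsrv/slapd-*/errors lines;
# hostnames, addresses and timestamps are placeholders, not from the thread.
SAMPLE_ERRORS_LOG = """\
[14/Jun/2012:10:03:11 +1200] NSMMReplicationPlugin - agmt="cn=meToipa3.example.test" (ipa3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database))
[14/Jun/2012:10:03:12 +1200] NSMMReplicationPlugin - agmt="cn=meToipa2.example.test" (ipa2:389): Replication bind with GSSAPI auth resumed
[14/Jun/2012:10:05:40 +1200] NSMMReplicationPlugin - agmt="cn=meToipa3.example.test" (ipa3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot contact any KDC for requested realm))
"""

# Constructed resolver tables: ipa3's PTR still points at an old name, the
# situation Simo describes (GSSAPI then looks for the wrong principal).
FAKE_FORWARD = {"ipa2.example.test": "192.0.2.12", "ipa3.example.test": "192.0.2.13"}
FAKE_REVERSE = {"192.0.2.12": "ipa2.example.test", "192.0.2.13": "oldipa3.example.test"}

AGMT_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - '
    r'agmt="cn=(?P<agmt>[^"]+)" \((?P<host>[^:]+):(?P<port>\d+)\): (?P<msg>.*)$'
)


def table_lookup(table: Dict[str, str]) -> Lookup:
    """Wrap a constructed table so a miss raises the way socket lookups do."""
    def lookup(key: str) -> str:
        if key not in table:
            raise socket.gaierror(f"constructed resolver: no entry for {key}")
        return table[key]
    return lookup


def live_resolvers() -> Tuple[Lookup, Lookup]:
    """Real lookups for use on a master; not exercised offline."""
    return socket.gethostbyname, lambda ip: socket.gethostbyaddr(ip)[0]


def check_dns_roundtrip(fqdn: str, forward: Lookup, reverse: Lookup) -> Tuple[bool, str]:
    """name -> address -> PTR must come back to the same name."""
    try:
        ip = forward(fqdn)
    except OSError as exc:  # socket.gaierror / herror are OSError subclasses
        return False, f"no address for {fqdn}: {exc}"
    try:
        ptr = reverse(ip)
    except OSError as exc:
        return False, f"no PTR for {ip} ({fqdn}): {exc}"
    if ptr.lower().rstrip(".") != fqdn.lower().rstrip("."):
        return False, f"PTR for {ip} is {ptr}, expected {fqdn}"
    return True, f"{fqdn} -> {ip} -> {ptr}"


def parse_agreement_lines(log_text: str) -> List[Dict[str, str]]:
    """Keep only replication-agreement lines; the peer FQDN comes from IPA's
    meTo<fqdn> agreement naming, falling back to the host in parentheses."""
    entries = []
    for line in log_text.splitlines():
        m = AGMT_LINE.match(line)
        if not m:
            continue
        agmt = m.group("agmt")
        peer = agmt[len("meTo"):] if agmt.startswith("meTo") else m.group("host")
        entries.append({"ts": m.group("ts"), "peer": peer, "msg": m.group("msg")})
    return entries


def triage(log_text: str, forward: Lookup, reverse: Lookup) -> Dict[str, dict]:
    """Per peer: bind-failure count, last GSS minor-code text, DNS round trip."""
    report: Dict[str, dict] = {}
    for entry in parse_agreement_lines(log_text):
        r = report.setdefault(entry["peer"], {"failures": 0, "last_error": ""})
        if "failed" in entry["msg"]:
            r["failures"] += 1
            # The last parenthesised fragment carries the GSS minor-code text.
            reasons = re.findall(r"\(([^()]*)\)", entry["msg"])
            r["last_error"] = reasons[-1] if reasons else entry["msg"]
    for peer, r in report.items():
        r["dns_ok"], r["dns_detail"] = check_dns_roundtrip(peer, forward, reverse)
    return report


if __name__ == "__main__":
    fwd, rev = table_lookup(FAKE_FORWARD), table_lookup(FAKE_REVERSE)
    for peer, r in triage(SAMPLE_ERRORS_LOG, fwd, rev).items():
        print(f"{peer}: {r['failures']} bind failure(s); last: {r['last_error'] or '-'}; DNS: {r['dns_detail']}")
```

Run it on a master as `triage(open(path).read(), *live_resolvers())` against the instance's errors log; a peer with failures and a failed round trip is the one whose DNS or /etc/hosts entry to fix before restarting dirsrv.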
URL: From dale at themacartneyclan.com Thu Jun 14 17:29:40 2012 From: dale at themacartneyclan.com (Dale Macartney) Date: Thu, 14 Jun 2012 18:29:40 +0100 Subject: [Freeipa-users] eJabberd authentication with FreeIPA via LDAP with Group member validation In-Reply-To: References: <4FD9C2F7.5080303@themacartneyclan.com> Message-ID: <4FDA1F84.1060009@themacartneyclan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 14/06/12 18:24, Natxo Asenjo wrote: > On Thu, Jun 14, 2012 at 12:54 PM, Dale Macartney > wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I've just placed another wiki article for adding Jabber services to IPA. > This is a work in progress as I'm aiming for SSO ability, but thought > someone might find it useful in the interim. > > The link is as follows > > http://freeipa.org/page/EJabberd_Integration_with_FreeIPA_using_LDAP_Group_memberships > > > hi, > > thanks! It looks good. > > I am thinking of trying to implement a jabber openfire server, it supports gssapi apparently. I'll post the howto if I get it working :-). > > NIce to see a growing community. > > -- > natxo Give me a buzz if you'd like to bounce any ideas around with your implementation. I'm quite interested to see other use cases and variations of deployments. The more technologies we can cover, I think the better user adoption will be. 
Dale > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJP2h97AAoJEAJsWS61tB+q7M4P/jGfDuXIqnZ011LHs3LinoC0 BKvu/WoWQDnHr+MttCOyDy+bn0P4lq4Zlt60BaEzry5FC7BEkrfmSTJGqsRYVo/z jze08E91dhN5h1P38+DJAWpCPAHgUlQmPQ5f/2oovqpfvIUwOcgdjxxuuVaE/t5q 5JMw9glb935f14Qp/Oh5Au1oM9+cC22UeeSbs950uSQxwuZ/kAQTzMzQ/gi0eNA7 yjsdZi2JcnMpUJ2bfxL1UYYeUJNK5WwBDeGxKFFtM0gAIuNjAqN43DJfK3+z2g6+ lTn2Q1akOl5Fc05s7Q3QzXvYZOH9SBvr6NsMgmvrV58MgFC5ygZsYgD7IoUVY6VS T2n1E7PMr7M9X5FSfy7I4xMIcz0FcjJn3y8dvqgDpp9yGfwqcMTsrH11T9FeC8+h npZo7kcf/6owCH4xSuEPwEBWlFv6Y1O9i8+dOxb2lw4g4x4nlb5jnD7wzDiTcuIw JBjApHYoyFz6NOhPFZGWWhLi1XhcpaILydE073cEwct50Zc6jjT9bbbG/zCVku0U NEe2P2SKTPY6vF1/d/KJhNKon2ific4sN/6fpQwvR+h+Ot9N6kTt8wiuCq3rgIgf mj9r0qk19Sfdfz0Lax9DXKTaUwctdt/Ia5ekgDwrD/55vsq7Ord4OXqxM51R2zzA ZH3mmr99VoiXJ5zzv0UK =BIUD -----END PGP SIGNATURE----- -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xB5B41FAA.asc Type: application/pgp-keys Size: 5790 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xB5B41FAA.asc.sig Type: application/pgp-signature Size: 543 bytes Desc: not available URL: From simo at redhat.com Thu Jun 14 17:59:53 2012 From: simo at redhat.com (Simo Sorce) Date: Thu, 14 Jun 2012 13:59:53 -0400 Subject: [Freeipa-users] Password pass-through to an existing LDAP server? 
In-Reply-To: <87hauevw0o.fsf@NaN.sparse.dyndns.org> References: <87aa07x7nn.fsf@NaN.sparse.dyndns.org> <4FD90F90.5030800@redhat.com> <87hauevw0o.fsf@NaN.sparse.dyndns.org> Message-ID: <1339696793.8230.686.camel@willson.li.ssimo.org> On Thu, 2012-06-14 at 09:54 -0400, Jason Riedy wrote: > And Dmitri Pal writes: > > Can you explain what is the reason of having local accounts > > other than system ones? > > Sorry, I didn't explain well enough. I mean local to the > *subnet*, not the host. I don't want them in /etc/passwd. > Nor do I want all global users defined by default, although > that's less important. > > That's what OpenLDAP's pass-through mechanism accomplishes. > I'd declare the local users in the subnet's LDAP server and set > their passwords to direct to another LDAP server. Does FreeIPA > have a similar facility? the underlying 389ds have a way to do that, but we do not expose it in IPA as it would make little sense there. That said we have plans to allow having 'branch office replicas' where only a subset of users is replicated to that branch replica. But these are future plans, it will take a few minor versions after 3.0 at least. Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Thu Jun 14 18:00:52 2012 From: simo at redhat.com (Simo Sorce) Date: Thu, 14 Jun 2012 14:00:52 -0400 Subject: [Freeipa-users] groups migration In-Reply-To: References: Message-ID: <1339696852.8230.687.camel@willson.li.ssimo.org> On Thu, 2012-06-14 at 15:34 +0200, Maciej Sawicki wrote: > bump > > On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki > wrote: > > Hi, > > I (almost) managed to migrate groups from my previous server. That is > > groups names migrated perfectly, unfortunately when I login to web > > panel all groups are empty. > > > > I used following command: > > ipa migrate-ds ldap://192.168.1.125:389 > > --bind-dn="cn=admin,dc=domain,dc=com" --group-container='ou=groups' > > --group-objectclas='posixGroup' > > > > I will appreciate any help. 
> >

Hi Maciej,
what kind of schema is in use in the server you want to migrate from?
rfc2309/rfc2309bis? other?

Simo.

--
Simo Sorce * Red Hat, Inc * New York


From Steven.Jones at vuw.ac.nz Thu Jun 14 22:12:29 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 14 Jun 2012 22:12:29 +0000
Subject: [Freeipa-users] Replication problems with having more than one replica?
In-Reply-To: <1339674620.8230.672.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90C30.2020302@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CCCA661@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FD90F6B.2090009@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CCCA689@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404CCCA6B3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1339637672.8230.652.camel@willson.li.ssimo.org>, <833D8E48405E064EBC54C84EC6B36E404CCCA7D3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1339639318.8230.658.camel@willson.li.ssimo.org>, <833D8E48405E064EBC54C84EC6B36E404CCCA813@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1339674620.8230.672.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCCC01C@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have the forward zone (ods.vuw.ac.nz) set up in IPA but the reverse
zone(s) is meant to be slaved back to the MS AD masters (vuw.ac.nz) and
10/8 and (130.195./16).

What should the reverse/PTR zone setup look like? i.e. if I had a flat
file aka bind and named.conf it's straightforward: I can just look at the
file(s), and a reverse zone file is created on the slave. However I have
no screenshots or anything to indicate if I have set up that reverse
function correctly. For instance there is nothing in /var/named/slaves.
I have assumed that the slave data from the AD masters is actually held
in the LDAP... so how do I prove that?

Also I notice when I create a zone using the dns ui it creates a file
called 0.3.70.10, but when I add a replica it creates another zone file
3.70.10 and populates it... which it shouldn't as the MS AD is the
master... yet I used --no-reverse in the replica command...

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Thursday, 14 June 2012 11:50 p.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users
Subject: RE: [Freeipa-users] Replication problems with having more than one replica?

On Thu, 2012-06-14 at 03:00 +0000, Steven Jones wrote:
> Hi,
>
> 3 log sets from /var/log/dirsrv/slapd

Looking at the first server's error log it looks like one of your replicas
has a wrong PTR record and GSSAPI cannot therefore find the right ticket.

Make sure your DNS is properly set up (or /etc/hosts entries) for all the
servers.

Simo.

--
Simo Sorce * Red Hat, Inc * New York


From sbingram at gmail.com Fri Jun 15 07:10:37 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Fri, 15 Jun 2012 00:10:37 -0700
Subject: [Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos
principals or must you use the cn=accounts,cn=users container? I'm
thinking this for script-authenticated machine accounts (might be of
form user-hostname@REALM or user/hostname@REALM) that need to
authenticate to another machine and just a way to separate them from
the regular user accounts in cn=accounts,cn=users.

Steve


From simo at redhat.com Fri Jun 15 13:09:55 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 15 Jun 2012 09:09:55 -0400
Subject: [Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)
Message-ID: <1339765795.8230.694.camel@willson.li.ssimo.org>

On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote:
> Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos
> principals or must you use the cn=accounts,cn=users container? I'm
> thinking this for script-authenticated machine accounts (might be of
> form user-hostname@REALM or user/hostname@REALM) that need to
> authenticate to another machine and just a way to separate them from
> the regular user accounts in cn=accounts,cn=users.

If you need to authenticate machines you probably want to use the
machine keytab in /etc/krb5.keytab which contains a host/fqdn@REALM
principal. The principal is stored in cn=computers,cn=accounts in the
computer object if the machine is joined to IPA.

For machines you do not want to join, or if you want to use a different
service principal name, you should create a new service principal with
'ipa service-add' which will create a principal object in cn=services.

user-hostname or user/hostname are not common choices; while kerberos
does not enforce any particular convention on names, you usually want to
use the service/fqdn@REALM convention, where 'service' is the service
name. Many services already have conventions for the principal name
(for example HTTP/fqdn@REALM for http servers). If your scripts are
arbitrary you may decide to create your own script principal (useful if
you want to assign special ACIs to it in IPA, as you can reference the
service account under cn=services in ACIs in theory).

Simo.
--
Simo Sorce * Red Hat, Inc * New York


From sigbjorn at nixtra.com Fri Jun 15 13:19:33 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 15 Jun 2012 15:19:33 +0200 (CEST)
Subject: [Freeipa-users] odd cron behaviour
Message-ID: <23455.213.225.75.97.1339766373.squirrel@www.nixtra.com>

Hi,

I've seen cron jobs on some of our machines not being run after they were
migrated to IPA. The machines in question have not been restarted after
they were migrated from NIS to IPA.

These are RHEL 6 machines. The users whose crontabs are not run were in
NIS, and the same accounts having the same UID/GID exist in IPA. Cron jobs
for local accounts run as they did before migrating to IPA.

Jun 15 13:53:01 hostname crond[1810]: (username) ORPHAN (no passwd entry)

Restarting the cron daemon solves the issue, and the cron jobs immediately
start running again.

Has anyone else seen this issue?

Rgds,
Siggi


From sgallagh at redhat.com Fri Jun 15 14:24:51 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 15 Jun 2012 10:24:51 -0400
Subject: [Freeipa-users] odd cron behaviour
In-Reply-To: <23455.213.225.75.97.1339766373.squirrel@www.nixtra.com>
References: <23455.213.225.75.97.1339766373.squirrel@www.nixtra.com>
Message-ID: <1339770291.2727.6.camel@sgallagh520.sgallagh.bos.redhat.com>

On Fri, 2012-06-15 at 15:19 +0200, Sigbjorn Lie wrote:
> Hi,
>
> I've seen cron jobs on some of our machines not being run after they were
> migrated to IPA. The machines in question have not been restarted after
> they were migrated from NIS to IPA.
>
> These are RHEL 6 machines. The users whose crontabs are not run were in
> NIS, and the same accounts having the same UID/GID exist in IPA. Cron jobs
> for local accounts run as they did before migrating to IPA.
>
> Jun 15 13:53:01 hostname crond[1810]: (username) ORPHAN (no passwd entry)
>
> Restarting the cron daemon solves the issue, and the cron jobs immediately
> start running again.
>
> Has anyone else seen this issue?

Running daemons cannot pick up changes to /etc/nsswitch.conf. They have
to be restarted. This is a long-standing bug in glibc (well, the glibc
upstream doesn't consider it a bug, but their users do).


From sigbjorn at nixtra.com Fri Jun 15 15:21:46 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 15 Jun 2012 17:21:46 +0200
Subject: [Freeipa-users] odd cron behaviour
In-Reply-To: <1339770291.2727.6.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <23455.213.225.75.97.1339766373.squirrel@www.nixtra.com> <1339770291.2727.6.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <4FDB530A.8070301@nixtra.com>

On 06/15/2012 04:24 PM, Stephen Gallagher wrote:
> On Fri, 2012-06-15 at 15:19 +0200, Sigbjorn Lie wrote:
>> Hi,
>>
>> I've seen cron jobs on some of our machines not being run after they were
>> migrated to IPA. The machines in question have not been restarted after
>> they were migrated from NIS to IPA.
>>
>> These are RHEL 6 machines. The users whose crontabs are not run were in
>> NIS, and the same accounts having the same UID/GID exist in IPA. Cron jobs
>> for local accounts run as they did before migrating to IPA.
>>
>> Jun 15 13:53:01 hostname crond[1810]: (username) ORPHAN (no passwd entry)
>>
>> Restarting the cron daemon solves the issue, and the cron jobs immediately
>> start running again.
>>
>> Has anyone else seen this issue?
>
> Running daemons cannot pick up changes to /etc/nsswitch.conf. They have
> to be restarted. This is a long-standing bug in glibc (well, the glibc
> upstream doesn't consider it a bug, but their users do).

Ok, thank you for the explanation.
Rgds,
Siggi


From natxo.asenjo at gmail.com Sat Jun 16 21:45:37 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sat, 16 Jun 2012 23:45:37 +0200
Subject: [Freeipa-users] xmpp/jabber SSO with freeipa

hi,

After some initial troubles (thanks rcrit on irc) I got this to work
nicely. I have used the openfire
http://www.igniterealtime.org/projects/openfire/index.jsp xmpp/jabber
server.

Instructions here:

http://test.asenjo.nl/index.php/Openfire_ipa

--
Groeten,
natxo


From simo at redhat.com Sun Jun 17 13:27:22 2012
From: simo at redhat.com (Simo Sorce)
Date: Sun, 17 Jun 2012 09:27:22 -0400
Subject: [Freeipa-users] xmpp/jabber SSO with freeipa
Message-ID: <1339939642.32038.35.camel@willson.li.ssimo.org>

On Sat, 2012-06-16 at 23:45 +0200, Natxo Asenjo wrote:
> hi,
>
> After some initial troubles (thanks rcrit on irc) I got this to work
> nicely. I have used the openfire
> http://www.igniterealtime.org/projects/openfire/index.jsp xmpp/jabber
> server.
>
> Instructions here:
>
> http://test.asenjo.nl/index.php/Openfire_ipa

Nice writeup Natxo,
I am curious about the SSO setup. Why did you need to restrict the
keytab to des3? Using the default settings (that include AES keys)
would be normally better. If it is due to restrictions in the java
security library, you should be able to download a library with full
support for AES from Oracle (they have a separate build due to some
export control stuff that is available for download).

I am also curious about the need to set isInitiator to false. Service
keys in IPA can be used to init security contexts, what kind of failure
did you see setting it to true? The 'isInitiator=false' may be
necessary in AD where servicePrincipals and userPrincipals are
considered distinct entities and AD forbids servicePrincipals to perform
AS Requests, but this is not limited in IPA, by default you should be
able to initiate just fine.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York


From natxo.asenjo at gmail.com Sun Jun 17 16:26:54 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sun, 17 Jun 2012 18:26:54 +0200
Subject: [Freeipa-users] xmpp/jabber SSO with freeipa
In-Reply-To: <1339939642.32038.35.camel@willson.li.ssimo.org>
References: <1339939642.32038.35.camel@willson.li.ssimo.org>

On Sun, Jun 17, 2012 at 3:27 PM, Simo Sorce wrote:
> On Sat, 2012-06-16 at 23:45 +0200, Natxo Asenjo wrote:
> > hi,
> >
> > After some initial troubles (thanks rcrit on irc) I got this to work
> > nicely. I have used the openfire
> > http://www.igniterealtime.org/projects/openfire/index.jsp xmpp/jabber
> > server.
> >
> > Instructions here:
> >
> > http://test.asenjo.nl/index.php/Openfire_ipa
>
> Nice writeup Natxo,
> I am curious about the SSO setup. Why did you need to restrict the
> keytab to des3? Using the default settings (that include AES keys)
> would be normally better. If it is due to restrictions in the java
> security library, you should be able to download a library with full
> support for AES from Oracle (they have a separate build due to some
> export control stuff that is available for download).
>

Apparently this is the recommended setting by openfire.

> I am also curious about the need to set isInitiator to false. Service
> keys in IPA can be used to init security contexts, what kind of failure
> did you see setting it to true? The 'isInitiator=false' may be
> necessary in AD where servicePrincipals and userPrincipals are
> considered distinct entities and AD forbids servicePrincipals to perform
> AS Requests, but this is not limited in IPA, by default you should be
> able to initiate just fine.
>

when I set isInitiator=true; and reload openfire I get this error in the
logfile:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/openfire/conf/openfire.keytab refreshKrb5Config is false principal is xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
        [Krb5LoginModule] authentication failed
Cannot get kdc for realm IPA.ASENJO.NX

I am not sure why it does not work, but it doesn't. Believe me, I tried :-)

According to the person who wrote this community doc
http://community.igniterealtime.org/docs/DOC-1522: "Since the xmpp
service principal is only a service principal, and not mapped to an
actual user account, we need to ensure that Java never attempts to treat
it like a user account. In order to assure that, we have to add an
additional line to gss.conf -- isInitiator."

In the AD setups, the isInitiator directive is not necessary, apparently.
That is why I could not get it to work with the instructions on their
site until I found that clue.

--
groet,
natxo

> HTH,
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>


From Steven.Jones at vuw.ac.nz Sun Jun 17 23:46:23 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 17 Jun 2012 23:46:23 +0000
Subject: [Freeipa-users] users first login
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCD00FE@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

My understanding is that on first login with an IPA'd reset password the
user should be forced to change to a permanent password immediately and
not continue to login? As below, this appears to be not the case... how
do I set this? or is it a bug?

Also the 1 hour warning seems new?
copy and paste as below,

========
[yyyyy@8kxl72s ~]$ ssh vuwunicosas0002.ods.vuw.ac.nz -l xxxxxxx
xxxxxxxx@vuwunicosas0002.ods.vuw.ac.nz's password:
Creating home directory for xxxxxxxx.
Kickstarted on 2012-02-27
[xxxxxxxxx@vuwunicosas0002 ~]$ passwd
Changing password for user xxxxxxxxx.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Password change failed
Err5: Password too simple.
Warning: Your password will expire in less than one hour on Mon Jun 18 11:39:00 2012
passwd: Authentication token manipulation error
[xxxxxxxxx@vuwunicosas0002 ~]$ passwd
Changing password for user xxxxxxxxxxx.
Current Password:
New password:
Retype new password:
Warning: Your password will expire in less than one hour on Mon Jun 18 11:39:00 2012
passwd: all authentication tokens updated successfully.
[xxxxxxxxx@vuwunicosas0002 ~]$
[xxxxxxx@vuwunicosas0002 ~]$ logout
Connection to vuwunicosas0002.ods.vuw.ac.nz closed.
[yyyyyyy@8kxl72s ~]$ ssh vuwunicosas0002.ods.vuw.ac.nz -l xxxxxxxxx
xxxxx@vuwunicosas0002.ods.vuw.ac.nz's password:
Last login: Mon Jun 18 11:39:25 2012 from 130.195.245.249
Kickstarted on 2012-02-27
[xxxxxx@vuwunicosas0002 ~]$
===========

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272


From george_he7 at yahoo.com Sat Jun 16 20:02:20 2012
From: george_he7 at yahoo.com (george he)
Date: Sat, 16 Jun 2012 13:02:20 -0700 (PDT)
Subject: [Freeipa-users] is not an IPA v2 Server.
Message-ID: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com>

Hello all,

I'm trying to install freeipa for a small lab with <10 computers, all
running fedora 17.
I seemed to have installed ipa server (without DNS) successfully,

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

but when I try to run ipa-client-install on a client machine, I get this
error message:

is not an IPA v2 Server.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

what am I missing?
ps, I'm following the instructions here:
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html

Thanks,
George


From rcritten at redhat.com Mon Jun 18 13:43:34 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Jun 2012 09:43:34 -0400
Subject: [Freeipa-users] is not an IPA v2 Server.
In-Reply-To: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <4FDF3086.5080907@redhat.com>

george he wrote:
> Hello all,
>
> I'm trying to install freeipa for a small lab with <10 computers, all
> running fedora 17.
> I seemed to have installed ipa server (without DNS) successfully,
>
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> but when I try to run ipa-client-install on a client machine, I get this
> error message:
>
> is not an IPA v2 Server.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> what am I missing?
> ps, I'm following the instructions here:
> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
> Thanks,
> George

If you look in /var/log/ipaclient-install.log it may have more details.

Some possible problems:

- It found SRV records for your domain that point to an AD server
- Ports 80, 389 and 443 are not open on your IPA server
- DNS resolution issues

rob


From george_he7 at yahoo.com Mon Jun 18 13:44:10 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 18 Jun 2012 06:44:10 -0700 (PDT)
Subject: [Freeipa-users] is not an IPA v2 Server.
In-Reply-To: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <1340027050.71767.YahooMailNeo@web120001.mail.ne1.yahoo.com>

Hello all,

here is the error message from /var/log/ipaclient-install.log on the
client machine:

Connecting to myserver|myserver ip|:80... failed: No route to host.
Retrieving CA from myserver failed.
Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2 http://myserver/ipa/config/ca.crt' returned non-zero exit status 4

but httpd seems running on myserver and port 80 is open.

# systemctl status httpd.service
httpd.service - The Apache HTTP Server (prefork MPM)
          Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
          Active: active (running) since Sun, 17 Jun 2012 11:17:07 -0400; 22h ago
         Process: 16225 ExecStop=/usr/sbin/httpd $OPTIONS -k stop (code=exited, status=0/SUCCESS)
         Process: 16230 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, status=0/SUCCESS)
        Main PID: 16233 (httpd)
          CGroup: name=systemd:/system/httpd.service
                  ├ 16231 /usr/sbin/nss_pcache 1212421 off /etc/httpd/alias
                  ├ 16233 /usr/sbin/httpd -k start
                  ├ 16236 /usr/sbin/httpd -k start
                  ├ 16237 /usr/sbin/httpd -k start
                  ├ 16238 /usr/sbin/httpd -k start
                  ├ 16239 /usr/sbin/httpd -k start
                  ├ 16240 /usr/sbin/httpd -k start
                  ├ 16241 /usr/sbin/httpd -k start
                  ├ 16242 /usr/sbin/httpd -k start
                  ├ 16243 /usr/sbin/httpd -k start
                  ├ 16244 /usr/sbin/httpd -k start
                  └ 16245 /usr/sbin/httpd -k start

I have been working on this for days to set this thing up. Any help will
be very appreciated.

George

> ________________________________
> From: george he
> To: "freeipa-users at redhat.com"
> Sent: Saturday, June 16, 2012 4:02 PM
> Subject: is not an IPA v2 Server.
>
> Hello all,
>
> I'm trying to install freeipa for a small lab with <10 computers, all
> running fedora 17.
> I seemed to have installed ipa server (without DNS) successfully,
>
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> but when I try to run ipa-client-install on a client machine, I get this
> error message:
>
> is not an IPA v2 Server.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> what am I missing?
> ps, I'm following the instructions here:
> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>
> Thanks,
> George


From pviktori at redhat.com Mon Jun 18 14:06:08 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 18 Jun 2012 16:06:08 +0200
Subject: [Freeipa-users] is not an IPA v2 Server.
In-Reply-To: <1340027050.71767.YahooMailNeo@web120001.mail.ne1.yahoo.com>
References: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1340027050.71767.YahooMailNeo@web120001.mail.ne1.yahoo.com>
Message-ID: <4FDF35D0.3080804@redhat.com>

On 06/18/2012 03:44 PM, george he wrote:
> Hello all,
>
> here is the error message from /var/log/ipaclient-install.log on the
> client machine:
>
> Connecting to myserver|myserver ip|:80... failed: No route to host.
> Retrieving CA from myserver failed.
> Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2
> http://myserver/ipa/config/ca.crt' returned non-zero exit status 4

Seems like a routing issue.
Can you ping myserver from the client machine? > but httpd seems running on myserver and port 80 is open. > # systemctl status httpd.service > httpd.service - The Apache HTTP Server (prefork MPM) > Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled) > Active: active (running) since Sun, 17 Jun 2012 11:17:07 -0400; 22h ago > Process: 16225 ExecStop=/usr/sbin/httpd $OPTIONS -k stop (code=exited, > status=0/SUCCESS) > Process: 16230 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, > status=0/SUCCESS) > Main PID: 16233 (httpd) > CGroup: name=systemd:/system/httpd.service > ? 16231 /usr/sbin/nss_pcache 1212421 off /etc/httpd/alias > ? 16233 /usr/sbin/httpd -k start > ? 16236 /usr/sbin/httpd -k start > ? 16237 /usr/sbin/httpd -k start > ? 16238 /usr/sbin/httpd -k start > ? 16239 /usr/sbin/httpd -k start > ? 16240 /usr/sbin/httpd -k start > ? 16241 /usr/sbin/httpd -k start > ? 16242 /usr/sbin/httpd -k start > ? 16243 /usr/sbin/httpd -k start > ? 16244 /usr/sbin/httpd -k start > ? 16245 /usr/sbin/httpd -k start > I have been working on this for days to set this thing up. Any help will > be very appreciated. > George > > ------------------------------------------------------------------------ > *From:* george he > *To:* "freeipa-users at redhat.com" > *Sent:* Saturday, June 16, 2012 4:02 PM > *Subject:* is not an IPA v2 Server. > > Hello all, > > I'm trying to install freeipa for a small lab with <10 computers, > all running fedora 17. > I seemed to have installed ipa server (without DNS) successfully, > > # ipactl status > Directory Service: RUNNING > KDC Service: RUNNING > KPASSWD Service: RUNNING > MEMCACHE Service: RUNNING > HTTP Service: RUNNING > CA Service: RUNNING > > but when I try to run ipa-client-install on a client machine, I get > this error message: > > > is not an IPA v2 Server. > Installation failed. Rolling back changes. > IPA client is not configured on this system. > > what am I missing? 
> ps, I'm following the instructions here: > https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html > Thanks, > George > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Petr? From george_he7 at yahoo.com Mon Jun 18 14:12:42 2012 From: george_he7 at yahoo.com (george he) Date: Mon, 18 Jun 2012 07:12:42 -0700 (PDT) Subject: [Freeipa-users] is not an IPA v2 Server. In-Reply-To: <4FDF35D0.3080804@redhat.com> References: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1340027050.71767.YahooMailNeo@web120001.mail.ne1.yahoo.com> <4FDF35D0.3080804@redhat.com> Message-ID: <1340028762.33907.YahooMailNeo@web120004.mail.ne1.yahoo.com> Hello Petr, I can ping or ssh to myserver with no problem. btw, here are the ports I opened: iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 389 -j ACCEPT iptables -A INPUT -p tcp --dport 636 -j ACCEPT iptables -A INPUT -p tcp --dport 88 -j ACCEPT iptables -A INPUT -p udp --dport 88 -j ACCEPT iptables -A INPUT -p tcp --dport 464 -j ACCEPT iptables -A INPUT -p udp --dport 464 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j ACCEPT iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p udp --dport 123 -j ACCEPT Thanks, George >________________________________ > From: Petr Viktorin >To: "freeipa-users at redhat.com" >Cc: george he >Sent: Monday, June 18, 2012 10:06 AM >Subject: Re: [Freeipa-users] is not an IPA v2 Server. > >On 06/18/2012 03:44 PM, george he wrote: >> Hello all, >> >> here is the error message from /var/log/ipaclient-install.log on the >> client machine: >> >> Connecting to myserver|myserver ip|:80... failed: No route to host. >> Retrieving CA from myserver failed. 
> > Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2
> > http://myserver/ipa/config/ca.crt' returned non-zero exit status 4
>
> Seems like a routing issue. Can you ping myserver from the client machine?
>
> [...]
> --
> Petr³

From pviktori at redhat.com Mon Jun 18 14:47:06 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 18 Jun 2012 16:47:06 +0200
Subject: [Freeipa-users] is not an IPA v2 Server.
In-Reply-To: <1340028762.33907.YahooMailNeo@web120004.mail.ne1.yahoo.com>
References: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1340027050.71767.YahooMailNeo@web120001.mail.ne1.yahoo.com> <4FDF35D0.3080804@redhat.com> <1340028762.33907.YahooMailNeo@web120004.mail.ne1.yahoo.com>
Message-ID: <4FDF3F6A.5070601@redhat.com>

Hi,
If you run the wget manually (downloading to an existing directory
instead of /tmp/tmpjibrhe), do you get the same error?

Can you connect to the web UI from the client?


On 06/18/2012 04:12 PM, george he wrote:
> Hello Petr,
> I can ping or ssh to myserver with no problem.
> btw, here are the ports I opened:
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
> iptables -A INPUT -p tcp --dport 389 -j ACCEPT
> iptables -A INPUT -p tcp --dport 636 -j ACCEPT
> iptables -A INPUT -p tcp --dport 88 -j ACCEPT
> iptables -A INPUT -p udp --dport 88 -j ACCEPT
> iptables -A INPUT -p tcp --dport 464 -j ACCEPT
> iptables -A INPUT -p udp --dport 464 -j ACCEPT
> iptables -A INPUT -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --dport 123 -j ACCEPT
> Thanks,
> George
>
> [...]
--
Petr³
From bdwheele at indiana.edu Mon Jun 18 14:49:23 2012
From: bdwheele at indiana.edu (Brian Wheeler)
Date: Mon, 18 Jun 2012 10:49:23 -0400
Subject: [Freeipa-users] FreeIPA in a locked down Active Directory environment
Message-ID: <4FDF3FF3.80600@indiana.edu>

Hello

I'm a sysadmin at a smallish department at my university. We're investigating FreeIPA to replace our homegrown openldap/perl script user management stuff. The difficulty we're facing is that the university has standardized on Active Directory and they've got it pretty well locked down. We currently use the university's kerberos for authentication and our openldap instance to store user/group data. When we create a new user a perl script copies the relevant data from AD via an authenticated ldap bind since they do not support anonymous binds. For groups we just maintain the ones within our ldap environment (AD groups are never copied). For hosts we have a private network that we use nss_ldap to look up hosts and then fall back to the university's DNS.

All of the documentation that I've been able to find on FreeIPA seems to assume that the people setting up FreeIPA have full access to AD and can modify the structure/security settings. This is not the case for us since a different group handles it and due to the vastness of the university they are reluctant to make any changes.

Is there any way to integrate FreeIPA into an environment such as ours or am I going to have to continue with my homegrown way of doing things?

Thanks!

Brian Wheeler
System Administrator
Digital Library Program
Indiana University

From george_he7 at yahoo.com Mon Jun 18 15:03:37 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 18 Jun 2012 08:03:37 -0700 (PDT)
Subject: [Freeipa-users] is not an IPA v2 Server.
In-Reply-To: <4FDF3F6A.5070601@redhat.com>
References: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1340027050.71767.YahooMailNeo@web120001.mail.ne1.yahoo.com> <4FDF35D0.3080804@redhat.com> <1340028762.33907.YahooMailNeo@web120004.mail.ne1.yahoo.com> <4FDF3F6A.5070601@redhat.com>
Message-ID: <1340031817.2900.YahooMailNeo@web120004.mail.ne1.yahoo.com>

Hi Petr,
Yes, I still get the "failed: No route to host" error.
And I cannot connect to the webUI from the client, but I can open the web UI on myserver.
Thanks,
George

> ________________________________
> From: Petr Viktorin
> To: george he
> Cc: "freeipa-users at redhat.com"
> Sent: Monday, June 18, 2012 10:47 AM
> Subject: Re: [Freeipa-users] is not an IPA v2 Server.
>
> Hi,
> If you run the wget manually (downloading to an existing directory
> instead of /tmp/tmpjibrhe), do you get the same error?
>
> Can you connect to the web UI from the client?
>
> [...]
> --
> Petr³

From rmeggins at redhat.com Mon Jun 18 15:13:52 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 18 Jun 2012 09:13:52 -0600
Subject: [Freeipa-users] FreeIPA in a locked down Active Directory environment
In-Reply-To: <4FDF3FF3.80600@indiana.edu>
References: <4FDF3FF3.80600@indiana.edu>
Message-ID: <4FDF45B0.30404@redhat.com>

On 06/18/2012 08:49 AM, Brian Wheeler wrote:
> Hello
>
> I'm a sysadmin at a smallish department at my university.
> We're
> investigating FreeIPA to replace our homegrown openldap/perl script
> user management stuff. The difficulty we're facing is that the university
> has standardized on Active Directory and they've got it pretty well
> locked down. We currently use the university's kerberos for
> authentication and our openldap instance to store user/group data.
> When we create a new user a perl script copies the relevant data from
> AD via an authenticated ldap bind since they do not support anonymous
> binds. For groups we just maintain the ones within our ldap
> environment (AD groups are never copied). For hosts we have a private
> network that we use nss_ldap to look up hosts and then fall back to
> the university's DNS.
>
> All of the documentation that I've been able to find on FreeIPA seems
> to assume that the people setting up FreeIPA have full access to AD
> and can modify the structure/security settings.

Not exactly. What documentation are you talking about?

For IPA Windows Sync, IPA needs to be able to use the DirSync control provided by AD.
http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx
IPA needs the Bind DN and password of an AD user with the rights specified in that document.

For IPA to get passwords sync'd from AD, you need to install the PassSync.msi on all of your domain controllers.

> This is not the case for us since a different group handles it and due
> to the vastness of the university they are reluctant to make any changes.
>
> Is there any way to integrate FreeIPA into an environment such as ours
> or am I going to have to continue with my homegrown way of doing things?
>
> Thanks!
>
> Brian Wheeler
> System Administrator
> Digital Library Program
> Indiana University

From george_he7 at yahoo.com Mon Jun 18 15:43:19 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 18 Jun 2012 08:43:19 -0700 (PDT)
Subject: [Freeipa-users] is not an IPA v2 Server.
In-Reply-To: <4FDF3F6A.5070601@redhat.com>
References: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1340027050.71767.YahooMailNeo@web120001.mail.ne1.yahoo.com> <4FDF35D0.3080804@redhat.com> <1340028762.33907.YahooMailNeo@web120004.mail.ne1.yahoo.com> <4FDF3F6A.5070601@redhat.com>
Message-ID: <1340034199.83850.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hello all,

Here is some other information.
I'm setting this up for a lab in a university. The university has its own kerberos server (and DNS server, which I use).
I'm not sure whether anybody has set a kerberos server for the department, or some other labs used the department sub-domain.
But I'm sure the realm name is unique.

When I open the web UI on the server (firefox 13.0), I almost always get this error:
Your Kerberos ticket is no longer valid. Please run kinit and then click 'Retry'. If this is your first time running the IPA Web UI follow these directions to configure your browser. Or you can use form-based authentication.
but I can use the form based authentication sometimes, not always.
Thanks,
George

> ________________________________
> From: Petr Viktorin
> To: george he
> Cc: "freeipa-users at redhat.com"
> Sent: Monday, June 18, 2012 10:47 AM
> Subject: Re: [Freeipa-users] is not an IPA v2 Server.
>
> Hi,
> If you run the wget manually (downloading to an existing directory
> instead of /tmp/tmpjibrhe), do you get the same error?
>
> Can you connect to the web UI from the client?
> [...]
>
> --
> Petr³

From jason at lovesgoodfood.com Mon Jun 18 15:37:29 2012
From: jason at lovesgoodfood.com (Jason Riedy)
Date: Mon, 18 Jun 2012 11:37:29 -0400
Subject: [Freeipa-users] Password pass-through to an existing LDAP server?
References: <87aa07x7nn.fsf@NaN.sparse.dyndns.org> <4FD90F90.5030800@redhat.com> <87hauevw0o.fsf@NaN.sparse.dyndns.org> <1339696793.8230.686.camel@willson.li.ssimo.org>
Message-ID: <87vciopr5y.fsf@NaN.sparse.dyndns.org>

And Simo Sorce writes:
> the underlying 389ds have a way to do that, but we do not
> expose it in IPA as it would make little sense there.
>
> That said we have plans to allow having 'branch office
> replicas' where only a subset of users is replicated to that
> branch replica. But these are future plans, it will take a few
> minor versions after 3.0 at least.

Oh well. Won't work for our needs, but good to know there are future plans.

Thanks!
--
Jason

From rcritten at redhat.com Mon Jun 18 15:51:21 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Jun 2012 11:51:21 -0400
Subject: [Freeipa-users] is not an IPA v2 Server.
In-Reply-To: <1340034199.83850.YahooMailNeo@web120003.mail.ne1.yahoo.com>
References: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1340027050.71767.YahooMailNeo@web120001.mail.ne1.yahoo.com> <4FDF35D0.3080804@redhat.com> <1340028762.33907.YahooMailNeo@web120004.mail.ne1.yahoo.com> <4FDF3F6A.5070601@redhat.com> <1340034199.83850.YahooMailNeo@web120003.mail.ne1.yahoo.com>
Message-ID: <4FDF4E79.2060509@redhat.com>

george he wrote:
> Hello all,
>
> Here is some other information.
> I'm setting this up for a lab in a university. The university has its
> own kerberos server (and DNS server, which I use).
> I'm not sure whether anybody has set a kerberos server for the
> department, or some other labs used the department sub-domain.
> But I'm sure the realm name is unique.
>
> When I open the web UI on the server (firefox 13.0), I almost always get
> this error:
> Your Kerberos ticket is no longer valid. Please run kinit and then click
> 'Retry'. If this is your first time running the IPA Web UI follow these
> directions to configure your browser.
> Or you can use form-based authentication.
> but I can use the form based authentication sometimes, not always.

You need to configure the browser to do Kerberos single sign-on. There should be a link in the failure message to take you to a page to help you configure this. You also need to have done a kinit.

I'm not sure why forms-based auth would work only sometimes, additional details would be needed.

I'm not sure why the server would be pingable from your client but HTTP doesn't work. There may be another firewall blocking the packets on your network.
rob

From darran.lofthouse at jboss.com Mon Jun 18 15:58:39 2012
From: darran.lofthouse at jboss.com (Darran Lofthouse)
Date: Mon, 18 Jun 2012 16:58:39 +0100
Subject: [Freeipa-users] ipa-getkeytab and mandatory password change
Message-ID: <4FDF502F.7090805@jboss.com>

Just experienced some weird behaviour on my Fedora 17 installation, just wanted to check if this was expected.

I have the default config that requires a user to change their password the first time they run kinit. However I created a user and immediately used ipa-getkeytab as this user will be a non-interactive process; despite ipa-getkeytab resetting the secret for the user, the first attempt at authentication failed as the user was still told to change their password.

My expectation would have been that any update to the secret should meet the requirement for the user to change their password.

Regards,
Darran Lofthouse.

From george_he7 at yahoo.com Mon Jun 18 16:21:25 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 18 Jun 2012 09:21:25 -0700 (PDT)
Subject: [Freeipa-users] is not an IPA v2 Server.
In-Reply-To: <4FDF4E79.2060509@redhat.com>
References: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1340027050.71767.YahooMailNeo@web120001.mail.ne1.yahoo.com> <4FDF35D0.3080804@redhat.com> <1340028762.33907.YahooMailNeo@web120004.mail.ne1.yahoo.com> <4FDF3F6A.5070601@redhat.com> <1340034199.83850.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FDF4E79.2060509@redhat.com>
Message-ID: <1340036485.87630.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hello Rob,

Yes, I did the configuration earlier today. And I did kinit too.
It seems the web UI loads really slowly - the circular thing can turn for minutes. So maybe I wasn't patient enough to let the page load.
I can ssh to the server and the client from my home, so I don't think there's another firewall blocking the connection.
Thanks,
George

> ________________________________
> From: Rob Crittenden
> To: george he
> Cc: Petr Viktorin; "freeipa-users at redhat.com"
> Sent: Monday, June 18, 2012 11:51 AM
> Subject: Re: [Freeipa-users] is not an IPA v2 Server.
>
> george he wrote:
> > [...]
>
> You need to configure the browser to do Kerberos single sign-on. There should be a link in the failure message to take you to a page to help you configure this. You also need to have done a kinit.
>
> I'm not sure why forms-based auth would work only sometimes, additional details would be needed.
>
> I'm not sure why the server would be pingable from your client but HTTP doesn't work. There may be another firewall blocking the packets on your network.
>
> rob
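One check worth running on both machines before involving the university network team, given the symptom Rob finds odd above (ping works, HTTP gets "No route to host") and the way George added his rules: `iptables -A` appends to the end of the INPUT chain, the ruleset Fedora ships by default ends that chain with `-j REJECT --reject-with icmp-host-prohibited`, and that kind of REJECT is exactly what wget reports as "No route to host" while the default icmp rule still lets ping through. ACCEPT rules appended below such a catch-all never match. The script below is an added example, not code from the thread or from FreeIPA; it parses `iptables -S INPUT` output (a constructed sample here) and flags ACCEPT rules shadowed by an earlier catch-all, then emits the -D/-I commands that move them above it.

```python
"""Find iptables INPUT ACCEPT rules that can never match because a catch-all
REJECT/DROP sits above them, and emit the commands that move them above it.

Added example for the thread above; not code from the list or from FreeIPA.
Input is the text of `iptables -S INPUT`. The sample is constructed to look
like a Fedora default INPUT chain with the thread's ACCEPT rules appended
with -A, which places every one of them below the final REJECT.
"""
import shlex

# Constructed sample dump (not captured from any real host).
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 123 -j ACCEPT
"""

# Options that restrict which packets a rule matches. "-m" only loads a
# match module and "--reject-with" only shapes the reply, so neither counts.
NARROWING = {"-p", "-s", "-d", "-i", "-o", "--dport", "--sport", "--state"}
NO_ARG = {"--syn", "!"}  # options that take no argument


def parse_input_rules(dump):
    """Return the -A INPUT rules of an `iptables -S` dump, in chain order."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if toks[:2] != ["-A", "INPUT"]:
            continue  # policy line, blank line or another chain
        rule = {"raw": line, "spec": toks[2:], "proto": None,
                "dport": None, "target": None, "narrowed": False}
        i = 2
        while i < len(toks):
            opt = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if opt == "-j":
                rule["target"] = arg
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            if opt in NARROWING:
                rule["narrowed"] = True
            i += 1 if opt in NO_ARG else 2
        rules.append(rule)
    return rules


def first_catch_all(rules):
    """Index of the first unconditional REJECT/DROP in the chain, or None."""
    for idx, rule in enumerate(rules):
        if rule["target"] in ("REJECT", "DROP") and not rule["narrowed"]:
            return idx
    return None


def _dead_accepts(rules, cut):
    """Port-specific ACCEPT rules positioned after the catch-all at index cut."""
    return [r for r in rules[cut + 1:]
            if r["target"] == "ACCEPT" and r["dport"] is not None]


def shadowed_accepts(dump):
    """(proto, port) for every port-specific ACCEPT placed below the catch-all."""
    rules = parse_input_rules(dump)
    cut = first_catch_all(rules)
    if cut is None:
        return []
    return [(r["proto"], r["dport"]) for r in _dead_accepts(rules, cut)]


def fix_commands(dump):
    """Commands that delete each shadowed rule and re-insert it above the
    catch-all. -D runs first so it removes the dead copy rather than the new
    one; -I uses the catch-all's 1-based position, so each lands just above it."""
    rules = parse_input_rules(dump)
    cut = first_catch_all(rules)
    if cut is None:
        return []
    cmds = []
    for rule in _dead_accepts(rules, cut):
        spec = " ".join(rule["spec"])
        cmds.append(f"iptables -D INPUT {spec}")
        cmds.append(f"iptables -I INPUT {cut + 1} {spec}")
    return cmds
```

Feed it the real `iptables -S INPUT` output from the server and from the client; an empty result from shadowed_accepts() on both rules this ordering problem out and leaves the network in between as the suspect.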
From maciej.sawicki at polidea.pl Mon Jun 18 16:39:00 2012
From: maciej.sawicki at polidea.pl (Maciej Sawicki)
Date: Mon, 18 Jun 2012 18:39:00 +0200
Subject: [Freeipa-users] groups migration
In-Reply-To: <1339696852.8230.687.camel@willson.li.ssimo.org>
References: <1339696852.8230.687.camel@willson.li.ssimo.org>

On Thu, Jun 14, 2012 at 8:00 PM, Simo Sorce wrote:
> On Thu, 2012-06-14 at 15:34 +0200, Maciej Sawicki wrote:
>> bump
>>
>> On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki wrote:
>> > Hi,
>> > I (almost) managed to migrate groups from my previous server. That is
>> > groups names migrated perfectly, unfortunately when I login to web
>> > panel all groups are empty.
>> >
>> > I used following command:
>> > ipa migrate-ds ldap://192.168.1.125:389
>> > --bind-dn="cn=admin,dc=domain,dc=com" --group-container='ou=groups'
>> > --group-objectclas='posixGroup'
>> >
>> > I will appreciate any help.
>> >
>
> Hi Maciej,
> what kind of schema is in use in the server you want to migrate from ?
> rfc2309/rfc2309bis ? other ?
>

I think it's rfc2307:

maciej.sawicki at lem:/etc/ldap$ grep -r 2307 schema/nis.schema
# Definitions from RFC2307 (Experimental)
# Note: The definitions in RFC2307 are given in syntaxes closely related
# i.e. nisSchema in RFC2307 is 1.3.6.1.1.1
maciej.sawicki at lem:/etc/ldap$

Is there any better way to check this?
Some more info about ipa server:
os: Fedora 17
ipa version: 2.2

regards,
Maciej Sawicki

From rcritten at redhat.com Mon Jun 18 17:24:00 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Jun 2012 13:24:00 -0400
Subject: [Freeipa-users] groups migration
References: <1339696852.8230.687.camel@willson.li.ssimo.org>
Message-ID: <4FDF6430.50407@redhat.com>

Maciej Sawicki wrote:
> [...]
>
> I think its rfc2307:
>
> maciej.sawicki at lem:/etc/ldap$ grep -r 2307 schema/nis.schema
> # Definitions from RFC2307 (Experimental)
> # Note: The definitions in RFC2307 are given in syntaxes closely related
> # i.e. nisSchema in RFC2307 is 1.3.6.1.1.1
> maciej.sawicki at lem:/etc/ldap$
>
> Is there any better way to check this?
>
> Some more info about ipa server:
> os: Fedora 17
> ipa version: 2.2
>

If you could provide an ldif for one of the groups to be migrated we can tell you.

rob

From rcritten at redhat.com Mon Jun 18 17:28:46 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Jun 2012 13:28:46 -0400
Subject: [Freeipa-users] is not an IPA v2 Server.
In-Reply-To: <1340036485.87630.YahooMailNeo@web120003.mail.ne1.yahoo.com>
References: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1340027050.71767.YahooMailNeo@web120001.mail.ne1.yahoo.com> <4FDF35D0.3080804@redhat.com> <1340028762.33907.YahooMailNeo@web120004.mail.ne1.yahoo.com> <4FDF3F6A.5070601@redhat.com> <1340034199.83850.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FDF4E79.2060509@redhat.com> <1340036485.87630.YahooMailNeo@web120003.mail.ne1.yahoo.com>
Message-ID: <4FDF654E.20205@redhat.com>

george he wrote:
> Hello Rob,
>
> Yes, I did the configuration earlier today. And I did kinit too.
> It seems the web UI loads really slowly - the circular thing can turn
> for minutes. So maybe I wasn't patient enough to let the page load.

A fair bit of javascript is loaded the very first time you visit IPA, that can be slow. Otherwise it should be relatively quick. Not minutes anyway.

> I can ssh to the server and the client from my home, so I don't think
> there's another firewall blocking the connection.

Different ports and that isn't the client talking to the server, it is you talking to the client and to the server. This is definitely some sort of networking problem, though "no route to host" is rather odd since you can ping. You might also look at the iptables configuration on the client.

rob

> Thanks,
> George
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden
> *To:* george he
> *Cc:* Petr Viktorin ; "freeipa-users at redhat.com"
> *Sent:* Monday, June 18, 2012 11:51 AM
> *Subject:* Re: [Freeipa-users] is not an IPA v2 Server.
>
> george he wrote:
> > Hello all,
> >
> > Here is some other information.
> > I'm setting this up for a lab in a university. The university has its
> > own kerberos server (and DNS server, which I use).
> > I'm not sure whether anybody has set a kerberos server for the
> > department, or some other labs used the department sub-domain.
> > But I'm sure the realm name is unique.
> >
> > When I open the web UI on the server (firefox 13.0), I almost always get
> > this error:
> > Your Kerberos ticket is no longer valid. Please run kinit and then click
> > 'Retry'. If this is your first time running the IPA Web UI follow these
> > directions to configure your browser.
> > Or you can use form-based authentication.
> > but I can use the form based authentication sometimes, not always.
>
> You need to configure the browser to do Kerberos single sign-on.
> There should be a link in the failure message to take you to a page
> to help you configure this. You also need to have done a kinit.
>
> I'm not sure why forms-based auth works only sometimes,
> additional details would be needed.
>
> I'm not sure why the server would be pingable from your client but
> HTTP doesn't work. There may be another firewall blocking the
> packets on your network.
>
> rob
>

From george_he7 at yahoo.com Mon Jun 18 17:41:41 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 18 Jun 2012 10:41:41 -0700 (PDT)
Subject: [Freeipa-users] is not an IPA v2 Server.
In-Reply-To: <4FDF654E.20205@redhat.com>
References: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1340027050.71767.YahooMailNeo@web120001.mail.ne1.yahoo.com> <4FDF35D0.3080804@redhat.com> <1340028762.33907.YahooMailNeo@web120004.mail.ne1.yahoo.com> <4FDF3F6A.5070601@redhat.com> <1340034199.83850.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FDF4E79.2060509@redhat.com> <1340036485.87630.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FDF654E.20205@redhat.com>
Message-ID: <1340041301.7178.YahooMailNeo@web120005.mail.ne1.yahoo.com>

Hi Rob,
I was just thinking it's very unlikely the university would block http connections from inside, but not ssh from outside. But I'll contact our ITS anyway.
BTW, I am new to this LDAP and Kerberos thing, and I just followed the steps outlined here:
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
There may be some steps that are obvious to people who know these things and are not listed in the document, so I could have missed them.
Thanks,
George

> ________________________________
> From: Rob Crittenden
> To: george he
> Cc: Petr Viktorin ; "freeipa-users at redhat.com"
> Sent: Monday, June 18, 2012 1:28 PM
> Subject: Re: [Freeipa-users] is not an IPA v2 Server.
>
> george he wrote:
>> Hello Rob,
>>
>> Yes, I did the configuration earlier today. And I did kinit too.
>> It seems the web UI loads really slowly - the circular thing can turn
>> for minutes. So maybe I wasn't patient enough to let the page load.
>
> A fair bit of javascript is loaded the very first time you visit IPA,
> that can be slow. Otherwise it should be relatively quick. Not minutes
> anyway.
>
>> I can ssh to the server and the client from my home, so I don't think
>> there's another firewall blocking the connection.
>
> Different ports and that isn't the client talking to the server, it is
> you talking to the client and to the server. This is definitely some
> sort of networking problem, though "no route to host" is rather odd
> since you can ping. You might also look at the iptables configuration on
> the client.
>
> rob
>
>> Thanks,
>> George

From george_he7 at yahoo.com Mon Jun 18 17:51:24 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 18 Jun 2012 10:51:24 -0700 (PDT)
Subject: [Freeipa-users] is not an IPA v2 Server.
In-Reply-To: <1340041301.7178.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1339876940.99957.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1340027050.71767.YahooMailNeo@web120001.mail.ne1.yahoo.com> <4FDF35D0.3080804@redhat.com> <1340028762.33907.YahooMailNeo@web120004.mail.ne1.yahoo.com> <4FDF3F6A.5070601@redhat.com> <1340034199.83850.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FDF4E79.2060509@redhat.com> <1340036485.87630.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FDF654E.20205@redhat.com> <1340041301.7178.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <1340041884.42678.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Forgot to mention that the server is installed by following this:
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/installing-ipa.html
and the client has the same ports open as the server.
George

> ________________________________
> From: george he
> To: Rob Crittenden
> Cc: "freeipa-users at redhat.com"
> Sent: Monday, June 18, 2012 1:41 PM
> Subject: Re: [Freeipa-users] is not an IPA v2 Server.
>
> Hi Rob,
> I was just thinking it's very unlikely the university would block http connections from inside, but not ssh from outside. But I'll contact our ITS anyway.
> BTW, I am new to this LDAP and Kerberos thing, and I just followed the steps outlined here https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
> There may be some steps that are obvious to people who know these things and are not listed in the document, so I could have missed them.
> Thanks,
> George

From george_he7 at yahoo.com Mon Jun 18 22:26:11 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 18 Jun 2012 15:26:11 -0700 (PDT)
Subject: [Freeipa-users] ipa installation problem
Message-ID: <1340058371.42787.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hello all,
While waiting for more suggestions on my thread "is not an IPA v2 Server", I tried to install ipa server on other machines running fc16 and fc15.
When the server is on fc16, I get the same error as when it's on fc17: wget failed: No route to host.
When the server is on fc15, wget still failed, but the reason was "Connection refused".
Seems to me there's something else to do after running ipa-server-install on the server.
Any suggestions?
Thanks,
George
From Steven.Jones at vuw.ac.nz Mon Jun 18 23:41:00 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 18 Jun 2012 23:41:00 +0000
Subject: [Freeipa-users] ipa installation problem
In-Reply-To: <1340058371.42787.YahooMailNeo@web120003.mail.ne1.yahoo.com>
References: <1340058371.42787.YahooMailNeo@web120003.mail.ne1.yahoo.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCD0A79@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Installing the original master should be nothing more than that command. With some flags though maybe, so my command was:

ipa-server-install -a secret123 -p 123Secret -domain=unix.vuw.ac.nz -realm=UNIX.VUW.AC.NZ --setup-dns --forwarder=130.195.85.25 --forwarder=130.195.98.151 --no-reverse --selfsign

So my master DNS zone is a Microsoft AD as vuw.ac.nz with 2 DNS servers, hence forwarder twice. The MS AD servers treat unix.vuw.ac.nz as a stub zone delegation... they retain the ptr zone, hence --no-reverse... so I have to add that manually.

Check the rpm versions of the server and client... they should be identical.

"is not an IPA v2 Server"

Just double check you have not made a typo... I put in "vyw" and not "vuw" while doing the client install and got that... the other possibility is iptables... or a firewall blocking... I've had that same error and found it was the cisco FWSM...

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of george he [george_he7 at yahoo.com]
Sent: Tuesday, 19 June 2012 10:26 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] ipa installation problem

Hello all,
While waiting for more suggestions on my thread "is not an IPA v2 Server", I tried to install ipa server on other machines running fc16 and fc15.
When the server is on fc16, I get the same error as when it's on fc17: wget failed: No route to host.
When the server is on fc15, wget still failed, but the reason was "Connection refused".
Seems to me there's something else to do after running ipa-server-install on the server.
Any suggestions?
Thanks,
George

From djuran at redhat.com Tue Jun 19 07:17:24 2012
From: djuran at redhat.com (David Juran)
Date: Tue, 19 Jun 2012 09:17:24 +0200
Subject: [Freeipa-users] FreeIPA in a locked down Active Directory environment
In-Reply-To: <4FDF3FF3.80600@indiana.edu>
References: <4FDF3FF3.80600@indiana.edu>
Message-ID: <1340090244.4780.4.camel@localhost.localdomain>

On Mon, 2012-06-18 at 10:49 -0400, Brian Wheeler wrote:
> Is there any way to integrate FreeIPA into an environment such as ours
> or am I going to have to continue with my homegrown way of doing things?

I wonder if the (very) new IPA AD trust feature could solve at least some of your problems. Have a look at http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this can be tested.

-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801

From maciej.sawicki at polidea.pl Tue Jun 19 09:52:46 2012
From: maciej.sawicki at polidea.pl (Maciej Sawicki)
Date: Tue, 19 Jun 2012 11:52:46 +0200
Subject: [Freeipa-users] groups migration
In-Reply-To: <4FDF6430.50407@redhat.com>
References: <1339696852.8230.687.camel@willson.li.ssimo.org> <4FDF6430.50407@redhat.com>
Message-ID:

On Mon, Jun 18, 2012 at 7:24 PM, Rob Crittenden wrote:
>
> If you could provide an ldif for one of the groups to be migrated we can
> tell you.
>

dn: cn=management-team,ou=groups,dc=domain,dc=com
objectClass: posixGroup
cn: management-team
gidNumber: 10004
description: Management team of SomeCompany
memberUid: some.user0
memberUid: some.user1
memberUid: some.user2

regards,
Maciej Sawicki

From dpal at redhat.com Tue Jun 19 09:54:23 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 19 Jun 2012 05:54:23 -0400
Subject: [Freeipa-users] ipa-getkeytab and mandatory password change
In-Reply-To: <4FDF502F.7090805@jboss.com>
References: <4FDF502F.7090805@jboss.com>
Message-ID: <4FE04C4F.8040009@redhat.com>

On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
> Just experienced some weird behaviour on my Fedora 17 installation,
> just wanted to check if this was expected.
>
> I have the default config that requires a user to change their
> password the first time they run kinit.
>
> However I created a user and immediately used ipa-getkeytab as this
> user will be a non-interactive process; despite the ipa-getkeytab
> resetting the secret for the user, the first attempt at authentication
> failed as the user was still told to change their password.
>

I do not think we have anticipated this use. The ipa-getkeytab is designed for the host and service keytabs, not for users. I suggest that you use a service principal rather than a user principal to run those jobs. You can also file an RFE to allow keytabs for users if you think that services would not work for you.

> My expectation would have been that any update to the secret should
> meet the requirement for the user to change their password.
>
> Regards,
> Darran Lofthouse.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From james.hogarth at gmail.com Tue Jun 19 12:04:03 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Tue, 19 Jun 2012 13:04:03 +0100
Subject: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication
Message-ID:

Hi all,

As mentioned on IRC today I've finished my write-up of using Apache with SNI and kerberos authentication with an IPA backend... I'd be interested in any feedback:

http://freeipa.org/page/Apache_SNI_With_Kerberos

Kind regards,
James

From maciej.sawicki at polidea.pl Tue Jun 19 12:06:45 2012
From: maciej.sawicki at polidea.pl (Maciej Sawicki)
Date: Tue, 19 Jun 2012 14:06:45 +0200
Subject: [Freeipa-users] groups migration
In-Reply-To:
References:
Message-ID:

On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki wrote:
> Hi,
> I (almost) managed to migrate groups from my previous server. That is,
> group names migrated perfectly; unfortunately when I log in to the web
> panel all groups are empty.
>
> I used the following command:
> ipa migrate-ds ldap://192.168.1.125:389
> --bind-dn="cn=admin,dc=domain,dc=com" --group-container='ou=groups'
> --group-objectclas='posixGroup'
>
> I will appreciate any help.
>

I think the problem is that my current installation uses the "memberUid" attribute in the group object and free-ipa uses "memberUid" in the user object.

I found the compatibility plugin, so I think after migration it will allow me to use IPA in a legacy environment. The problem is how to perform the migration. Can I use the migrate script for this or should I write my own?
regards,
Maciek Sawicki

From james.hogarth at gmail.com Tue Jun 19 12:26:33 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Tue, 19 Jun 2012 13:26:33 +0100
Subject: [Freeipa-users] FreeIPA in a locked down Active Directory environment
In-Reply-To: <1340090244.4780.4.camel@localhost.localdomain>
References: <4FDF3FF3.80600@indiana.edu> <1340090244.4780.4.camel@localhost.localdomain>
Message-ID:

> I wonder if the (very) new IPA AD trust feature could solve at least
> some of your problems. Have a look at
> http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this
> can be tested.
>

The initial documentation looks like it's describing a full two way trust - in principle would a one way trust be feasible?

Allow the AD users (or a selection thereof) access to the systems part of the IPA domain but not vice versa?

James

From bdwheele at indiana.edu Tue Jun 19 13:14:33 2012
From: bdwheele at indiana.edu (Brian Wheeler)
Date: Tue, 19 Jun 2012 09:14:33 -0400
Subject: [Freeipa-users] FreeIPA in a locked down Active Directory environment
In-Reply-To: <1340090244.4780.4.camel@localhost.localdomain>
References: <4FDF3FF3.80600@indiana.edu> <1340090244.4780.4.camel@localhost.localdomain>
Message-ID: <4FE07B39.2000101@indiana.edu>

I will look into that. I've got nearly a year before I have to do my machine migrations, so one would assume that this feature would stabilize by the time I get around to doing an actual implementation. I'll play with it and see if I can make it work. Although, the instructions do mention validating it from the windows side of things which may stop me dead in the water since I have no access.

Brian

On 06/19/2012 03:17 AM, David Juran wrote:
> On Mon, 2012-06-18 at 10:49 -0400, Brian Wheeler wrote:
>
>> Is there any way to integrate FreeIPA into an environment such as ours
>> or am I going to have to continue with my homegrown way of doing things?
> I wonder if the (very) new IPA AD trust feature could solve at least
> some of your problems. Have a look at
> http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this
> can be tested.
>

From rcritten at redhat.com Tue Jun 19 13:19:44 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Jun 2012 09:19:44 -0400
Subject: [Freeipa-users] groups migration
In-Reply-To:
References:
Message-ID: <4FE07C70.3080505@redhat.com>

Maciej Sawicki wrote:
> On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki wrote:
>> Hi,
>> I (almost) managed to migrate groups from my previous server. That is,
>> group names migrated perfectly; unfortunately when I log in to the web
>> panel all groups are empty.
>>
>> I used the following command:
>> ipa migrate-ds ldap://192.168.1.125:389
>> --bind-dn="cn=admin,dc=domain,dc=com" --group-container='ou=groups'
>> --group-objectclas='posixGroup'
>>
>> I will appreciate any help.
>>
>
> I think the problem is that my current installation uses the "memberUid"
> attribute in the group object and free-ipa uses "memberUid" in the user
> object.
>
> I found the compatibility plugin, so I think after migration it will
> allow me to use IPA in a legacy environment. The problem is how to
> perform the migration. Can I use the migrate script for this or should I write
> my own?

Pass in --schema=RFC2307 to the migrate-ds command to migrate these groups.

rob

From rcritten at redhat.com Tue Jun 19 13:32:50 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Jun 2012 09:32:50 -0400
Subject: [Freeipa-users] ipa installation problem
In-Reply-To: <1340058371.42787.YahooMailNeo@web120003.mail.ne1.yahoo.com>
References: <1340058371.42787.YahooMailNeo@web120003.mail.ne1.yahoo.com>
Message-ID: <4FE07F82.9070008@redhat.com>

george he wrote:
> Hello all,
> While waiting for more suggestions on my thread "is not an IPA v2
> Server", I tried to install ipa server on other machines running fc16
> and fc15.
> When the server is on fc16, I get the same error as when it's on fc17, wget
> failed: No route to host.
> When the server is on fc15, wget still failed, but the reason was
> "Connection refused".
> Seems to me there's something else to do after running
> ipa-server-install on the server.

This is unrelated to IPA. We do no network configuration changes, only start services.

The client is doing a simple wget which just issues an HTTP request. The network stack is saying it can't talk to the IPA server so I'd start there. wireshark might be helpful.

rob

From djuran at redhat.com Tue Jun 19 13:44:34 2012
From: djuran at redhat.com (David Juran)
Date: Tue, 19 Jun 2012 15:44:34 +0200
Subject: [Freeipa-users] FreeIPA in a locked down Active Directory environment
In-Reply-To:
References: <4FDF3FF3.80600@indiana.edu> <1340090244.4780.4.camel@localhost.localdomain>
Message-ID: <1340113474.4780.44.camel@localhost.localdomain>

On Tue, 2012-06-19 at 13:26 +0100, James Hogarth wrote:
> > I wonder if the (very) new IPA AD trust feature could solve at least
> > some of your problems. Have a look at
> > http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this
> > can be tested.
> >
>
> The initial documentation looks like it's describing a full two way
> trust - in principle would a one way trust be feasible?
> Allow the AD users (or a selection thereof) access to the systems part
> of the IPA domain but not vice versa?

AFAIK, that is the only thing currently implemented.

-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801
From george_he7 at yahoo.com Tue Jun 19 13:50:36 2012
From: george_he7 at yahoo.com (george he)
Date: Tue, 19 Jun 2012 06:50:36 -0700 (PDT)
Subject: [Freeipa-users] ipa installation problem
In-Reply-To: <4FE07F82.9070008@redhat.com>
References: <1340058371.42787.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FE07F82.9070008@redhat.com>
Message-ID: <1340113836.48273.YahooMailNeo@web120001.mail.ne1.yahoo.com>

Hello Rob,
Can it be that the httpd service is not running properly?
On all servers, I can only run wget on the server itself successfully...
At least on fc15, the client was able to contact the server, but the connection was refused.
Maybe the configuration part of httpd?
On other machines in the same lab, I have set up two web servers in the "usual" way and they both run with no problem.
Thanks,
George

> ________________________________
> From: Rob Crittenden
> To: george he
> Cc: "freeipa-users at redhat.com"
> Sent: Tuesday, June 19, 2012 9:32 AM
> Subject: Re: [Freeipa-users] ipa installation problem
>
> george he wrote:
>> Hello all,
>> While waiting for more suggestions on my thread "is not an IPA v2
>> Server", I tried to install ipa server on other machines running fc16
>> and fc15.
>> When the server is on fc16, I get the same error as when it's on fc17, wget
>> failed: No route to host.
>> When the server is on fc15, wget still failed, but the reason was
>> "Connection refused".
>> Seems to me there's something else to do after running
>> ipa-server-install on the server.
>
> This is unrelated to IPA. We do no network configuration changes, only start services.
>
> The client is doing a simple wget which just issues an HTTP request. The network stack is saying it can't talk to the IPA server so I'd start there. wireshark might be helpful.
>
> rob
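Returning to the groups migration thread above (Maciej Sawicki's posixGroup LDIF and Rob Crittenden's "--schema=RFC2307" answer): the added example below is editorial code, not from the thread or from FreeIPA. It parses that LDIF entry and shows the two membership conventions a migration tool can expect, RFC 2307 (login names in memberUid on the group, which is what the posted entry carries) and RFC 2307bis (user DNs in member, which is what migrate-ds assumes by default), so it is visible why the groups arrived empty until the schema option was passed. It then derives the member DNs an IPA group would hold; the user container "cn=users,cn=accounts,dc=domain,dc=com" is an assumption based on IPA's standard tree layout.

```python
"""RFC 2307 vs RFC 2307bis group membership, as a migration tool sees it.

Added example for the groups-migration thread; not code from the thread or
from FreeIPA. The sample entry is the posixGroup LDIF posted in the thread.
The IPA user container DN is an assumption (IPA's standard layout).
"""
from typing import Dict, List

# Sample input: the group entry from the thread, embedded so this runs offline.
SAMPLE_LDIF = """\
dn: cn=management-team,ou=groups,dc=domain,dc=com
objectClass: posixGroup
cn: management-team
gidNumber: 10004
description: Management team of SomeCompany
memberUid: some.user0
memberUid: some.user1
memberUid: some.user2
"""

# Assumption: migrated users land under IPA's default user container.
IPA_USER_CONTAINER = "cn=users,cn=accounts,dc=domain,dc=com"


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into {attribute (lowercased): [values]}.

    Covers what a group entry needs: 'attr: value' lines, folded continuation
    lines (leading space) and '#' comments. Attribute names are lowercased
    because LDAP attribute names are case-insensitive. Base64 values
    ('attr:: ...') are rejected explicitly rather than misread.
    """
    entry: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" "):
            if last_attr is None:
                raise ValueError("continuation line before any attribute")
            entry[last_attr][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        if value.startswith(":"):
            raise ValueError(f"base64 value for {attr!r} not supported here")
        attr = attr.strip().lower()
        entry.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entry


def members_as_seen(entry: Dict[str, List[str]], schema: str) -> List[str]:
    """Membership an importer finds under each schema convention.

    RFC2307bis keeps members as DNs in 'member'; RFC2307 keeps them as login
    names in 'memberUid'. A posixGroup that only carries memberUid therefore
    looks empty to an RFC2307bis-style import, which is the thread's symptom.
    """
    if schema == "RFC2307bis":
        return list(entry.get("member", []))
    if schema == "RFC2307":
        return list(entry.get("memberuid", []))
    raise ValueError(f"unknown schema {schema!r}")


def memberuid_to_member_dns(entry: Dict[str, List[str]],
                            user_container: str = IPA_USER_CONTAINER) -> List[str]:
    """Translate RFC 2307 memberUid values into the member DNs IPA groups use."""
    return [f"uid={uid},{user_container}" for uid in entry.get("memberuid", [])]


def render_member_ldif(entry: Dict[str, List[str]],
                       user_container: str = IPA_USER_CONTAINER) -> str:
    """LDIF attribute lines that would add the derived member DNs to the group."""
    return "".join(f"member: {dn}\n"
                   for dn in memberuid_to_member_dns(entry, user_container))


if __name__ == "__main__":
    group = parse_ldif_entry(SAMPLE_LDIF)
    print("seen as RFC2307bis:", members_as_seen(group, "RFC2307bis"))
    print("seen as RFC2307:   ", members_as_seen(group, "RFC2307"))
    print(render_member_ldif(group), end="")
```

Running it prints an empty list for the RFC2307bis view and the three memberUid values for the RFC2307 view, followed by the three derived member lines; the same contrast is what the migrate-ds schema switch selects between.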
From simo at redhat.com Tue Jun 19 14:41:10 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 19 Jun 2012 10:41:10 -0400
Subject: [Freeipa-users] FreeIPA in a locked down Active Directory environment
In-Reply-To:
References: <4FDF3FF3.80600@indiana.edu> <1340090244.4780.4.camel@localhost.localdomain>
Message-ID: <1340116870.32038.101.camel@willson.li.ssimo.org>

On Tue, 2012-06-19 at 13:26 +0100, James Hogarth wrote:
> > I wonder if the (very) new IPA AD trust feature could solve at least
> > some of your problems. Have a look at
> > http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this
> > can be tested.
> >
>
> The initial documentation looks like it's describing a full two way
> trust - in principle would a one way trust be feasible?
>
> Allow the AD users (or a selection thereof) access to the systems part
> of the IPA domain but not vice versa?

Well, at the moment we only set up a two way trust, but the windows admins would certainly be able to delete the outgoing trust right after it is created; it should cause trouble for win users that want to access ipa hosts.

We may take an RFE about creating only a one way trust, but it won't be there by 3.0 I think.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Tue Jun 19 14:42:08 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 19 Jun 2012 10:42:08 -0400
Subject: [Freeipa-users] FreeIPA in a locked down Active Directory environment
In-Reply-To: <4FE07B39.2000101@indiana.edu>
References: <4FDF3FF3.80600@indiana.edu> <1340090244.4780.4.camel@localhost.localdomain> <4FE07B39.2000101@indiana.edu>
Message-ID: <1340116928.32038.102.camel@willson.li.ssimo.org>

On Tue, 2012-06-19 at 09:14 -0400, Brian Wheeler wrote:
> I will look into that. I've got nearly a year before I have to do my
> machine migrations, so one would assume that this feature would
> stabilize by the time I get around to doing an actual implementation.
> I'll play with it and see if I can make it work.
> Although, the
> instructions do mention validating it from the windows side of things
> which may stop me dead in the water since I have no access.

You need the windows domain credentials to set up the trust, so you definitely need collaboration from the windows domain admins. Without that collaboration there isn't much you can really do in any case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Jun 19 14:43:42 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Jun 2012 10:43:42 -0400
Subject: [Freeipa-users] ipa installation problem
In-Reply-To: <1340113836.48273.YahooMailNeo@web120001.mail.ne1.yahoo.com>
References: <1340058371.42787.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FE07F82.9070008@redhat.com> <1340113836.48273.YahooMailNeo@web120001.mail.ne1.yahoo.com>
Message-ID: <4FE0901E.6010406@redhat.com>

george he wrote:
> Hello Rob,
> Can it be that the httpd service is not running properly?
> On all servers, I can only run wget on the server itself successfully...
> At least on fc15, the client was able to contact the server, but the
> connection was refused.
> Maybe the configuration part of httpd?
> On other machines in the same lab, I have set up two web servers in the
> "usual" way and they both run with no problem.

I don't know what to tell you. This problem is independent of IPA. It means that the client doesn't know how to get to the server (no route to host).

Connection refused would suggest that the server isn't accepting connections. You could use netstat to confirm that it is listening on ports 80 and 443, I think you'll find it is.

IPA doesn't do anything particularly clever with the web server, just configures it to use mod_nss as an SSL listener. Since wget is using port 80 you aren't even using any changes made by IPA. And no route to host suggests it isn't even getting that far.

You might try shutting down iptables on the server and client and try that.
rob

> Thanks,
> George

From james.hogarth at gmail.com Tue Jun 19 14:44:23 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Tue, 19 Jun 2012 15:44:23 +0100
Subject: [Freeipa-users] FreeIPA in a locked down Active Directory environment
In-Reply-To: <1340116870.32038.101.camel@willson.li.ssimo.org>
References: <4FDF3FF3.80600@indiana.edu> <1340090244.4780.4.camel@localhost.localdomain> <1340116870.32038.101.camel@willson.li.ssimo.org>
Message-ID:

> Well, at the moment we only set up a two way trust
> but the windows admins would certainly be able to delete the outgoing
> trust right after it is created, it should cause trouble for win users
> that want to access ipa hosts.
>
> We may take an RFE about creating only a one way trust, but it won't be
> there by 3.0 I think.
> Gotcha - I know here I'll probably end up with a requirement for windows users to access one or more of my linux systems (and web interfaces) with their windows AD credentials but there is no way the Windows team (or IT Security) would want my users in IPA to be able to log into the windows clients etc in the enterprise.

From george_he7 at yahoo.com Tue Jun 19 15:01:29 2012 From: george_he7 at yahoo.com (george he) Date: Tue, 19 Jun 2012 08:01:29 -0700 (PDT) Subject: [Freeipa-users] ipa installation problem In-Reply-To: <4FE0901E.6010406@redhat.com> References: <1340058371.42787.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FE07F82.9070008@redhat.com> <1340113836.48273.YahooMailNeo@web120001.mail.ne1.yahoo.com> <4FE0901E.6010406@redhat.com> Message-ID: <1340118089.48863.YahooMailNeo@web120006.mail.ne1.yahoo.com>

Hello Rob, netstat |grep 443 returned nothing, but lsof -i :80 (or :443) returned things like this:

httpd 4206 apache 5u IPv6 846355 TCP *:http (LISTEN)

is the IPv6 here a problem? Thanks, George

>________________________________ > From: Rob Crittenden >To: george he >Cc: "freeipa-users at redhat.com" >Sent: Tuesday, June 19, 2012 10:43 AM >Subject: Re: [Freeipa-users] ipa installation problem > >george he wrote: >> Hello Rob, >> Can it be that the httpd service is not running properly? >> On all servers, I can only run wget on the server itself successfully... >> At least on fc15, the client was able to contact the server, but the >> connection was refused. >> maybe the configuration part of httpd? >> On other machines in the same lab, I have set up two web servers in the >> "usual" way and they both run with no problem. > >I don't know what to tell you. This problem is independent of IPA. It >means that the client doesn't know how to get to the server (no route to >host) > >Connection refused would suggest that the server isn't accepting >connections.
>You could use netstat to confirm that it is listening on >ports 80 and 443, I think you'll find it is. > >IPA doesn't do anything particularly clever with the web server, just >configures it to use mod_nss as an SSL listener. Since wget is using >port 80 you aren't even using any changes made by IPA. And no route to >host suggests it isn't even getting that far. > >You might try shutting down iptables on the server and client and try that. > >rob > >> Thanks, >> George >> >>    ------------------------------------------------------------------------ >>    *From:* Rob Crittenden >>    *To:* george he >>    *Cc:* "freeipa-users at redhat.com" >>    *Sent:* Tuesday, June 19, 2012 9:32 AM >>    *Subject:* Re: [Freeipa-users] ipa installation problem >> >>    george he wrote: >>      > Hello all, >>      > While waiting for more suggestions on my thread "is not an IPA v2 >>      > Server", I tried to install ipa server on other machines running fc16 >>      > and fc15. >>      > When server is on fc16, I get the same error as when it's on >>    fc17, wget >>      > failed: No route to host. >>      > when server is on fc15, wget still failed, but the reason was >>      > "Connection refused". >>      > Seems to me there's something else to do after running >>      > ipa-server-install on the server. >> >>    This is unrelated to IPA. We do no network configuration changes, >>    only start services. >> >>    The client is doing a simple wget which just issues an HTTP request. >>    The network stack is saying it can't talk to the IPA server so I'd >>    start there. wireshark might be helpful. >> >>    rob >> >>
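The checks Rob describes above (confirm the server is listening, then suspect iptables) and George's lsof question can be made mechanical with the following client-side probe. It is an added example, not code from this thread or from FreeIPA; the port list is the usual set an enrolled client needs from its server, and the lsof lines it parses are constructed to match the shape of George's output. Two points a practitioner would want here: the stock Fedora/RHEL iptables ruleset ends with a "REJECT --reject-with icmp-host-prohibited" rule, and the client reports that ICMP reply as "No route to host", so that error is as often a firewall symptom as a routing one; and on Linux an httpd socket that lsof shows as "IPv6 *:http" also accepts IPv4 connections unless net.ipv6.bindv6only is set, so an IPv6-only listener line is not by itself a problem.

```python
"""Client-side reachability check for an IPA server, classifying the
failure the way the kernel reports it.  Added example; it assumes
Python 3, the default IPA port set and constructed lsof output."""
import errno
import socket
import sys

# Ports an enrolled client normally needs on the server (assumed default IPA layout).
IPA_PORTS = {80: "http", 443: "https", 389: "ldap", 636: "ldaps",
             88: "kerberos", 464: "kpasswd"}

# Fallback for hosts without /etc/services, so service names still resolve.
_SERVICE_PORTS = {"http": 80, "https": 443, "ldap": 389, "ldaps": 636,
                  "kerberos": 88, "kpasswd": 464}


def probe(host, port, timeout=3.0):
    """TCP-connect to host:port and return 'open', 'refused',
    'unreachable', 'timeout' or 'error:<errno>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A RST came back: host reachable, nothing listening on that port
        # (or a firewall REJECT with tcp-reset).
        return "refused"
    except socket.timeout:
        # Nothing came back at all: packets DROPped, wrong address or no path.
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            # "No route to host": an ICMP unreachable arrived.  The stock
            # Fedora/RHEL iptables chain ends with
            # REJECT --reject-with icmp-host-prohibited, which yields exactly
            # this, so it is a firewall symptom as often as a routing one.
            return "unreachable"
        return f"error:{exc.errno}"


def probe_all(host, ports=IPA_PORTS, timeout=3.0):
    """Probe every port and return {port: status}."""
    return {port: probe(host, port, timeout) for port in ports}


def diagnose(results):
    """Reduce a {port: status} map to the most likely cause."""
    statuses = set(results.values())
    if statuses == {"open"}:
        return "ok"
    if "unreachable" in statuses:
        return "rejected-icmp"   # iptables REJECT on server or client, then routing
    if "timeout" in statuses:
        return "dropped"         # DROP rule, wrong IP or host down
    if "refused" in statuses:
        return "not-listening"   # nothing bound on that port: check lsof/ss on the server
    return "error"


def _service_port(name):
    try:
        return socket.getservbyname(name)
    except OSError:
        return _SERVICE_PORTS[name]


def parse_lsof(lines):
    """Map listening TCP ports to address families from 'lsof -i' output
    lines such as 'httpd 4206 apache 5u IPv6 846355 0t0 TCP *:http (LISTEN)'."""
    listening = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 9 or fields[-1] != "(LISTEN)":
            continue
        family, name = fields[4], fields[-2]          # e.g. 'IPv6', '*:http'
        port_text = name.rsplit(":", 1)[1]
        port = int(port_text) if port_text.isdigit() else _service_port(port_text)
        listening.setdefault(port, set()).add(family)
    return listening


def accepts_ipv4(families, bindv6only=False):
    """On Linux an IPv6 wildcard socket also takes IPv4 connections unless
    net.ipv6.bindv6only=1, so an 'IPv6 *:http' listener alone is fine."""
    return "IPv4" in families or ("IPv6" in families and not bindv6only)


def local_listener():
    """Open a loopback listener on an ephemeral port (used for self-testing)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.com"  # assumed hostname
    results = probe_all(target)
    for port, status in sorted(results.items()):
        print(f"{port:>4}/{IPA_PORTS[port]:<9} {status}")
    print("verdict:", diagnose(results))
```

Run it from the client as python3 probe.py ipa-server-fqdn. A verdict of rejected-icmp across every port points at a REJECT rule on the server (or the client), not-listening at the service on that port, and dropped at a DROP rule or a wrong address; only after the TCP layer is clean is it worth looking at anything IPA itself configured.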
From bdwheele at indiana.edu Tue Jun 19 15:31:07 2012 From: bdwheele at indiana.edu (Brian Wheeler) Date: Tue, 19 Jun 2012 11:31:07 -0400 Subject: [Freeipa-users] FreeIPA in a locked down Active Directory environment In-Reply-To: <1340116928.32038.102.camel@willson.li.ssimo.org> References: <4FDF3FF3.80600@indiana.edu> <1340090244.4780.4.camel@localhost.localdomain> <4FE07B39.2000101@indiana.edu> <1340116928.32038.102.camel@willson.li.ssimo.org> Message-ID: <4FE09B3B.9000506@indiana.edu>

Oops, forgot to reply to list last time.

On 06/19/2012 10:42 AM, Simo Sorce wrote: > On Tue, 2012-06-19 at 09:14 -0400, Brian Wheeler wrote: >> I will look into that. I've got nearly a year before I have to do my >> machine migrations, so one would assume that this feature would >> stabilize by the time I get around to doing an actual implementation. >> I'll play with it and see if I can make it work. Although, the >> instructions do mention validating it from the windows side of things >> which may stop me dead in the water since I have no access. > you need the windows domain credentials to set up the trust, so you > definitely need collaboration from the windows domain admins. > > w/o that collaboration there isn't much you can really do in any case.

I've got rights to join machines to the domain, would that be sufficient?

> Simo. >

From sbingram at gmail.com Tue Jun 19 16:15:25 2012 From: sbingram at gmail.com (Stephen Ingram) Date: Tue, 19 Jun 2012 09:15:25 -0700 Subject: [Freeipa-users] ipa-getkeytab and mandatory password change In-Reply-To: <4FE04C4F.8040009@redhat.com> References: <4FDF502F.7090805@jboss.com> <4FE04C4F.8040009@redhat.com> Message-ID:

On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal wrote: > On 06/18/2012 11:58 AM, Darran Lofthouse wrote: >> Just experienced some weird behaviour on my Fedora 17 installation, >> just wanted to check if this was expected.
>> >> I have the default config that requires a user to change their >> password the first time they run kinit. >> >> However I created a user and immediately used ipa-getkeytab as this >> user will be a non-interactive process, despite the ipa-getkeytab >> resetting the secret for the user the first attempt at authentication >> failed as the user was still told to change their password. >> > > > I do not think we have anticipated this use. The ipa-getkeytab is > designed for the host and services keytabs not for users. I suggest that > use a service principal rather than a user principal to run those jobs. > You can also file an RFE to allow keytabs for users if you think that > services would not work for you. > >> My expectation would have been that any update to the secret should >> meet the requirement for the user to change their password. Darren- I'm not sure if you went further with this, but if you do change the password through other means, you then will be able to get a copy of the keytab for the user with ipa-getkeytab. I tried it out because the thought of not being able to get a keytab for a user was concerning. I agree that the service keytabs make more sense for these instances (I was also told this by Simo in another thread), but I keep being told by the application people that I need to use a user principal, which, thankfully works. Steve From sbingram at gmail.com Tue Jun 19 16:28:23 2012 From: sbingram at gmail.com (Stephen Ingram) Date: Tue, 19 Jun 2012 09:28:23 -0700 Subject: [Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts) In-Reply-To: <1339765795.8230.694.camel@willson.li.ssimo.org> References: <1339765795.8230.694.camel@willson.li.ssimo.org> Message-ID: On Fri, Jun 15, 2012 at 6:09 AM, Simo Sorce wrote: > On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote: >> Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos >> principals or must you use the cn=accounts,cn=users container? 
I'm >> thinking this for script-authenticated machine accounts (might be of >> form user-hostname at REALM or user/hostname at REALM) that need to >> authenticate to another machine and just a way to separate them from >> the regular user accounts in cn=accounts,cn=users. > > If you need to authenticate machines you probably want to use the > machine keytab in /etc/krb5.keytab which contains a host/fqdn at REALM > principal. > > The principal is stored in cn=computers,cn=accounts in the computer > object if the machine is joined to IPA. > > for machines you do not want to join or if you want to use a different > service principal name you should create a new service principal with > 'ipa service-add' which will create a principal object in cn=services > > user-hostname or user/hostname are not common choices, while kerberos > does not enforce any particular convention on names you usually want to > use service/fqdn at REALM convention. Where 'service' is the service name. > Many services already have conventions for the principal name (for > example HTTP/fqdn at REALM for http servers). > > If your scripts are arbitrary you may decide to create your own script > principal (useful if you want to assign special ACIs to it in IPA as you > can reference the service account under cn=services in ACIs in theory.

I couldn't agree more. Here's the situation though. I'm trying to use IPA for a Cyrus IMAP Murder configuration. This involves machine-to-machine authentication, but it's not really the machine, it's a process on the machine. It's a process client authenticating itself to a process server. The client constantly authenticates using a script to obtain keys from a keytab. The server is authenticated when the client connects to it. I was thinking like you are suggesting, to use service principals, but I'm being told that user principals are the way to go on the client end of things.
Not wanting to mix service users in with my regular users, I thought about putting them in sysaccounts. I should probably take this up on the kerberos list, but I was trying to do this within the constructs of IPA. I've read that kerberos is indifferent to user vs service principals. Is this true also of IPA besides the organization of the keys? Steve From simo at redhat.com Tue Jun 19 16:54:47 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 19 Jun 2012 12:54:47 -0400 Subject: [Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts) In-Reply-To: References: <1339765795.8230.694.camel@willson.li.ssimo.org> Message-ID: <1340124887.32038.131.camel@willson.li.ssimo.org> On Tue, 2012-06-19 at 09:28 -0700, Stephen Ingram wrote: > On Fri, Jun 15, 2012 at 6:09 AM, Simo Sorce wrote: > > On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote: > >> Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos > >> principals or must you use the cn=accounts,cn=users container? I'm > >> thinking this for script-authenticated machine accounts (might be of > >> form user-hostname at REALM or user/hostname at REALM) that need to > >> authenticate to another machine and just a way to separate them from > >> the regular user accounts in cn=accounts,cn=users. > > > > If you need to authenticate machines you probably want to use the > > machine keytab in /etc/krb5.keytab which contains a host/fqdn at REALM > > principal. > > > > The principal is stored in cn=computers,cn=accounts in the computer > > object if the machine is joined to IPA. 
> > > > for machines you do not want to join or if you want to use a different > > service principal name you should create a new service principal with > > 'ipa service-add' which will create a principal object in cn=services > > > > user-hostname or user/hostname are not common choices, while kerberos > > does not enforce any particular convention on names you usually want to > > use service/fqdn at REALm convention. Where 'service' is the service name. > > Many services already have conventions for the principal name (for > > example HTTP/fqdn at REALM for http servers). > > > > If your scripts are arbitrary you may decide to create your own script > > principal (useful if you want to assign special ACIs to it in IPA as you > > can reference the service account under cn=services in ACIs in theory. > > I couldn't agree more. Here's the situation though. I'm trying to use > IPA for a Cyrus IMAP Murder configuration. This involves > machine-to-machine authentication, but it's not really the machine, > it's a process on the machine. It's a process client authenticating > itself to a process server. The client constantly authenticates using > a script to obtain keys from a keytab. The server is authenticated > when the client connects to it. I was thinking like you are > suggesting, to use service principals, but I'm being told that user > principals are the way to go on the client end of things. Not wanting > to mix service users in with my regular users, I thought about putting > them in sysaccounts. I should probably take this up on the kerberos > list, but I was trying to do this within the constructs of IPA. I've > read that kerberos is indifferent to user vs service principals. Is > this true also of IPA besides the organization of the keys? Yes with IPA you can use service principals to initiate context w/o problems. That's why I suggested you use a service principal. 
AD has a limitation that you must use an actual user to initiate a context, that may be where the suggestion is coming from. Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Tue Jun 19 16:55:57 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 19 Jun 2012 12:55:57 -0400 Subject: [Freeipa-users] ipa-getkeytab and mandatory password change In-Reply-To: References: <4FDF502F.7090805@jboss.com> <4FE04C4F.8040009@redhat.com> Message-ID: <1340124957.32038.132.camel@willson.li.ssimo.org> On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote: > On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal wrote: > > On 06/18/2012 11:58 AM, Darran Lofthouse wrote: > >> Just experienced some weird behaviour on my Fedora 17 installation, > >> just wanted to check if this was expected. > >> > >> I have the default config that requires a user to change their > >> password the first time they run kinit. > >> > >> However I created a user and immediately used ipa-getkeytab as this > >> user will be a non-interactive process, despite the ipa-getkeytab > >> resetting the secret for the user the first attempt at authentication > >> failed as the user was still told to change their password. > >> > > > > > > I do not think we have anticipated this use. The ipa-getkeytab is > > designed for the host and services keytabs not for users. I suggest that > > use a service principal rather than a user principal to run those jobs. > > You can also file an RFE to allow keytabs for users if you think that > > services would not work for you. > > > >> My expectation would have been that any update to the secret should > >> meet the requirement for the user to change their password. > > Darren- > > I'm not sure if you went further with this, but if you do change the > password through other means, you then will be able to get a copy of > the keytab for the user with ipa-getkeytab. I tried it out because the > thought of not being able to get a keytab for a user was concerning. 
I > agree that the service keytabs make more sense for these instances (I > was also told this by Simo in another thread), but I keep being told > by the application people that I need to use a user principal, which, > thankfully works. Ask them why, I am curious about the requirement. Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Tue Jun 19 17:27:56 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 19 Jun 2012 13:27:56 -0400 Subject: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication In-Reply-To: References: Message-ID: <1340126876.32038.140.camel@willson.li.ssimo.org> On Tue, 2012-06-19 at 13:04 +0100, James Hogarth wrote: > Hi all, > > As mentioned on IRC today I've finished my write up of using Apache > with SNI and kerberos authentication with an IPA backend.... > > I'd be interested in any feedback: > > http://freeipa.org/page/Apache_SNI_With_Kerberos Very nice writeup! I see you use mod_ssl, can this configuration be obtained with mod_nss as well ? I was going to try it but on an ipa server we use mod_nss and would like to avoid having to find out how to reconfigure stuff to use mod_ssl. Simo. -- Simo Sorce * Red Hat, Inc * New York From natxo.asenjo at gmail.com Tue Jun 19 17:48:21 2012 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Tue, 19 Jun 2012 19:48:21 +0200 Subject: [Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts) In-Reply-To: <1340124887.32038.131.camel@willson.li.ssimo.org> References: <1339765795.8230.694.camel@willson.li.ssimo.org> <1340124887.32038.131.camel@willson.li.ssimo.org> Message-ID: On Tue, Jun 19, 2012 at 6:54 PM, Simo Sorce wrote: > Yes with IPA you can use service principals to initiate context w/o > problems. That's why I suggested you use a service principal. > AD has a limitation that you must use an actual user to initiate a > context, that may be where the suggestion is coming from. 
>

I was just wondering how to use a service principal coupled to a host in the case of a webapp. We all know those, applications that require binding to a database with a login/pass combo in a file. And was assuming that creating a service principal and then creating a postgresql role with the name of the principal would not work, that I could not login postgresql with that kerberos principal. It turns out it does work! I can create service principals and have them connect to our postgresql servers. Awesome! I need to test this more thoroughly, but this is looking great security wise. Thanks for the tip! :-)

-- natxo

From natxo.asenjo at gmail.com Tue Jun 19 18:03:07 2012 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Tue, 19 Jun 2012 20:03:07 +0200 Subject: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication In-Reply-To: References: Message-ID:

On Tue, Jun 19, 2012 at 2:04 PM, James Hogarth wrote: > Hi all, > > As mentioned on IRC today I've finished my write up of using Apache > with SNI and kerberos authentication with an IPA backend.... > > I'd be interested in any feedback: > > http://freeipa.org/page/Apache_SNI_With_Kerberos >

nice! I will try it shortly. Thanks!

-- natxo
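A helper for the principal naming and keytab handling discussed in the service-principal thread above (Simo's service/fqdn at REALM convention and 'ipa service-add', Stephen's client script that authenticates from a keytab, Natxo's database role named after a service principal). It is an added example, not code from the thread or from FreeIPA. The EXAMPLE.COM realm, the cyrus service name, the /etc/cyrus.keytab path and the /var/run/krb5cc cache directory are assumptions, and the keytab itself would first be fetched with ipa-getkeytab. Beyond naming, it gives each principal its own credential cache, which is what keeps several non-interactive processes on one host from reading or overwriting one another's tickets.

```python
"""Service-principal naming, keytab use and private credential caches for
a non-interactive Kerberos client.  Added example; the realm, service
name, keytab path and cache directory are assumptions, not thread values."""
import os
import re
import subprocess

REALM = "EXAMPLE.COM"            # assumed realm
CCACHE_DIR = "/var/run/krb5cc"   # assumed directory for per-principal caches

# primary[/instance]@REALM; escaped characters in components are not handled here.
_PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$")
# A fully qualified hostname: lower-case labels, at least one dot.
_FQDN_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def parse_principal(name):
    """Split 'primary/instance@REALM' into its parts; instance may be None."""
    match = _PRINCIPAL_RE.match(name)
    if not match:
        raise ValueError(f"not a Kerberos principal name: {name!r}")
    return match.group("primary"), match.group("instance"), match.group("realm")


def is_service_principal(name):
    """True for the service/fqdn@REALM shape ('ipa service-add' objects and
    the host/fqdn entry in /etc/krb5.keytab); False for user@REALM and for
    names like user-hostname@REALM that merely look host-specific."""
    _primary, instance, _realm = parse_principal(name)
    return instance is not None and _FQDN_RE.match(instance) is not None


def service_principal(service, fqdn, realm=REALM):
    """Build the conventional name to pass to 'ipa service-add' and ipa-getkeytab."""
    if "/" in service or "@" in service:
        raise ValueError("service name must not contain '/' or '@'")
    fqdn = fqdn.lower()
    if not _FQDN_RE.match(fqdn):
        raise ValueError(f"instance must be a fully qualified hostname: {fqdn!r}")
    return f"{service}/{fqdn}@{realm}"


def ccache_for(principal, base=CCACHE_DIR):
    """A private FILE: cache per principal, so processes acting as different
    principals never share (or clobber) one credential cache."""
    safe = re.sub(r"[^A-Za-z0-9_.@-]", "_", principal)
    return f"FILE:{base}/{safe}"


def kinit_argv(keytab, principal):
    """kinit from a keytab: no password prompt, no expired-password dialogue."""
    return ["kinit", "-k", "-t", keytab, principal]


def kinit_env(principal, base=CCACHE_DIR):
    """Environment that points MIT Kerberos at the principal's own cache."""
    env = dict(os.environ)
    env["KRB5CCNAME"] = ccache_for(principal, base)
    return env


def acquire_ticket(keytab, principal, base=CCACHE_DIR):
    """Obtain a TGT for a service principal into its private cache.  Needs a
    reachable KDC and a keytab fetched earlier with, for example,
    ipa-getkeytab -s ipa.example.com -p <principal> -k <keytab> (assumed server)."""
    os.makedirs(base, mode=0o700, exist_ok=True)
    env = kinit_env(principal, base)
    subprocess.run(kinit_argv(keytab, principal), env=env, check=True)
    return env["KRB5CCNAME"]


if __name__ == "__main__":
    principal = service_principal("cyrus", "imap1.example.com")  # assumed service/host
    kind = "service" if is_service_principal(principal) else "user"
    print(principal, kind)
    print("KRB5CCNAME=" + ccache_for(principal),
          " ".join(kinit_argv("/etc/cyrus.keytab", principal)))
```

Each client process then runs with KRB5CCNAME set to its own principal's cache and refreshes it with kinit -k -t from its keytab; because no password is involved, the "must change password on first kinit" policy that applies to user accounts never enters the picture for a service principal.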
From sbingram at gmail.com Tue Jun 19 18:12:17 2012 From: sbingram at gmail.com (Stephen Ingram) Date: Tue, 19 Jun 2012 11:12:17 -0700 Subject: [Freeipa-users] ipa-getkeytab and mandatory password change In-Reply-To: <1340124957.32038.132.camel@willson.li.ssimo.org> References: <4FDF502F.7090805@jboss.com> <4FE04C4F.8040009@redhat.com> <1340124957.32038.132.camel@willson.li.ssimo.org> Message-ID:

On Tue, Jun 19, 2012 at 9:55 AM, Simo Sorce wrote: > On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote: >> On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal wrote: >> > On 06/18/2012 11:58 AM, Darran Lofthouse wrote: >> >> Just experienced some weird behaviour on my Fedora 17 installation, >> >> just wanted to check if this was expected. >> >> >> >> I have the default config that requires a user to change their >> >> password the first time they run kinit. >> >> >> >> However I created a user and immediately used ipa-getkeytab as this >> >> user will be a non-interactive process, despite the ipa-getkeytab >> >> resetting the secret for the user the first attempt at authentication >> >> failed as the user was still told to change their password. >> >> >> > >> > >> > I do not think we have anticipated this use. The ipa-getkeytab is >> > designed for the host and services keytabs not for users. I suggest that >> > use a service principal rather than a user principal to run those jobs. >> > You can also file an RFE to allow keytabs for users if you think that >> > services would not work for you. >> > >> >> My expectation would have been that any update to the secret should >> >> meet the requirement for the user to change their password. >> >> Darren- >> >> I'm not sure if you went further with this, but if you do change the >> password through other means, you then will be able to get a copy of >> the keytab for the user with ipa-getkeytab. I tried it out because the >> thought of not being able to get a keytab for a user was concerning.
I >> agree that the service keytabs make more sense for these instances (I >> was also told this by Simo in another thread), but I keep being told >> by the application people that I need to use a user principal, which, >> thankfully works. > > Ask them why, I am curious about the requirement. I'm still waiting for responses. The only thing I've been told thus far is that since there are multiple processes authenticating to their respective servers, it might be difficult to direct each to the proper credential cache. If you use one user to auth to each server process then there is only one credential cache. Steve From rcritten at redhat.com Tue Jun 19 18:44:04 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jun 2012 14:44:04 -0400 Subject: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication In-Reply-To: <1340126876.32038.140.camel@willson.li.ssimo.org> References: <1340126876.32038.140.camel@willson.li.ssimo.org> Message-ID: <4FE0C874.6030302@redhat.com> Simo Sorce wrote: > On Tue, 2012-06-19 at 13:04 +0100, James Hogarth wrote: >> Hi all, >> >> As mentioned on IRC today I've finished my write up of using Apache >> with SNI and kerberos authentication with an IPA backend.... >> >> I'd be interested in any feedback: >> >> http://freeipa.org/page/Apache_SNI_With_Kerberos > > Very nice writeup! > > I see you use mod_ssl, can this configuration be obtained with mod_nss > as well ? > I was going to try it but on an ipa server we use mod_nss and would like > to avoid having to find out how to reconfigure stuff to use mod_ssl. > > Simo. > mod_nss doesn't support SNI yet because the NSS support isn't complete yet (though getting closer). 
rob From dpal at redhat.com Tue Jun 19 18:45:06 2012 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 19 Jun 2012 14:45:06 -0400 Subject: [Freeipa-users] ipa-getkeytab and mandatory password change In-Reply-To: References: <4FDF502F.7090805@jboss.com> <4FE04C4F.8040009@redhat.com> <1340124957.32038.132.camel@willson.li.ssimo.org> Message-ID: <4FE0C8B2.3070503@redhat.com> On 06/19/2012 02:12 PM, Stephen Ingram wrote: > On Tue, Jun 19, 2012 at 9:55 AM, Simo Sorce wrote: >> On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote: >>> On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal wrote: >>>> On 06/18/2012 11:58 AM, Darran Lofthouse wrote: >>>>> Just experienced some weird behaviour on my Fedora 17 installation, >>>>> just wanted to check if this was expected. >>>>> >>>>> I have the default config that requires a user to change their >>>>> password the first time they run kinit. >>>>> >>>>> However I created a user and immediately used ipa-getkeytab as this >>>>> user will be a non-interactive process, despite the ipa-getkeytab >>>>> resetting the secret for the user the first attempt at authentication >>>>> failed as the user was still told to change their password. >>>>> >>>> >>>> I do not think we have anticipated this use. The ipa-getkeytab is >>>> designed for the host and services keytabs not for users. I suggest that >>>> use a service principal rather than a user principal to run those jobs. >>>> You can also file an RFE to allow keytabs for users if you think that >>>> services would not work for you. >>>> >>>>> My expectation would have been that any update to the secret should >>>>> meet the requirement for the user to change their password. >>> Darren- >>> >>> I'm not sure if you went further with this, but if you do change the >>> password through other means, you then will be able to get a copy of >>> the keytab for the user with ipa-getkeytab. I tried it out because the >>> thought of not being able to get a keytab for a user was concerning. 
I >>> agree that the service keytabs make more sense for these instances (I >>> was also told this by Simo in another thread), but I keep being told >>> by the application people that I need to use a user principal, which, >>> thankfully works. >> Ask them why, I am curious about the requirement. > I'm still waiting for responses. The only thing I've been told thus > far is that since there are multiple processes authenticating to their > respective servers, it might be difficult to direct each to the proper > credential cache. If you use one user to auth to each server process > then there is only one credential cache. > > Steve This seems like an orthogonal problem. It does not matter if it is a service principal(s) or user principal(s). As long as a group of processes that are using the same principal are configured to use the same cache you should be OK. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From james.hogarth at gmail.com Tue Jun 19 19:08:17 2012 From: james.hogarth at gmail.com (James Hogarth) Date: Tue, 19 Jun 2012 20:08:17 +0100 Subject: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication In-Reply-To: <4FE0C874.6030302@redhat.com> References: <1340126876.32038.140.camel@willson.li.ssimo.org> <4FE0C874.6030302@redhat.com> Message-ID: > > mod_nss doesn't support SNI yet because the NSS support isn't complete yet (though getting closer). > Accidentally sent this to only rob (Android Gmail client I blame... defaults to reply rather than reply all)... For the benefit of the list.... That's what I thought based on the Mozilla bugzilla entries plus the changelog of mod_nss over at the fedora ds site... But then I found this on Googling which implies SNI should work with mod_nss: http://arika.firstyear.id.au/blog/ I'll try and replicate the blog findings in the course of the next couple of days .... 
if it works I'll add it to the wiki ...

J

From sigbjorn at nixtra.com Tue Jun 19 21:37:03 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 19 Jun 2012 23:37:03 +0200 Subject: [Freeipa-users] TGT invalid after KDC restart? Message-ID: <4FE0F0FF.6060205@nixtra.com>

Hi, Do a user's kerberos tickets become invalid after a restart of the KDC who granted the tickets?

Regards, Siggi

From dpal at redhat.com Tue Jun 19 22:04:32 2012 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 19 Jun 2012 18:04:32 -0400 Subject: [Freeipa-users] TGT invalid after KDC restart? In-Reply-To: <4FE0F0FF.6060205@nixtra.com> References: <4FE0F0FF.6060205@nixtra.com> Message-ID: <4FE0F770.50905@redhat.com>

On 06/19/2012 05:37 PM, Sigbjorn Lie wrote: > Hi, > > Do a user's kerberos tickets become invalid after a restart of the > KDC who granted the tickets?

Should not.

> Regards, > Siggi

-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Wed Jun 20 02:17:22 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 20 Jun 2012 02:17:22 +0000 Subject: [Freeipa-users] Do clients have to be in the same DNS zone / FQDN as the IPA servers / Kerberos Realm? Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCD23E5@STAWINCOX10MBX1.staff.vuw.ac.nz>

My IPA servers are say ipa1 and 2.ipa.example.com I have existing linux servers that I would rather not change the FQDN on, say server1.example.com Do I actually have to make the client server1.ipa.example.com or can I leave it as is at server1.example.com? Would that give any IPA problems? or is it just poor practice?
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From darran.lofthouse at jboss.com Wed Jun 20 09:01:06 2012 From: darran.lofthouse at jboss.com (Darran Lofthouse) Date: Wed, 20 Jun 2012 10:01:06 +0100 Subject: [Freeipa-users] ipa-getkeytab and mandatory password change In-Reply-To: References: <4FDF502F.7090805@jboss.com> <4FE04C4F.8040009@redhat.com> <1340124957.32038.132.camel@willson.li.ssimo.org> Message-ID: <4FE19152.8040605@jboss.com> On 06/19/2012 07:12 PM, Stephen Ingram wrote: > On Tue, Jun 19, 2012 at 9:55 AM, Simo Sorce wrote: >> On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote: >>> On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal wrote: >>>> On 06/18/2012 11:58 AM, Darran Lofthouse wrote: >>>>> Just experienced some weird behaviour on my Fedora 17 installation, >>>>> just wanted to check if this was expected. >>>>> >>>>> I have the default config that requires a user to change their >>>>> password the first time they run kinit. >>>>> >>>>> However I created a user and immediately used ipa-getkeytab as this >>>>> user will be a non-interactive process, despite the ipa-getkeytab >>>>> resetting the secret for the user the first attempt at authentication >>>>> failed as the user was still told to change their password. >>>>> >>>> >>>> >>>> I do not think we have anticipated this use. The ipa-getkeytab is >>>> designed for the host and services keytabs not for users. I suggest that >>>> use a service principal rather than a user principal to run those jobs. >>>> You can also file an RFE to allow keytabs for users if you think that >>>> services would not work for you. >>>> >>>>> My expectation would have been that any update to the secret should >>>>> meet the requirement for the user to change their password. 
>>> >>> Darren- >>> >>> I'm not sure if you went further with this, but if you do change the >>> password through other means, you then will be able to get a copy of >>> the keytab for the user with ipa-getkeytab. I tried it out because the >>> thought of not being able to get a keytab for a user was concerning. I >>> agree that the service keytabs make more sense for these instances (I >>> was also told this by Simo in another thread), but I keep being told >>> by the application people that I need to use a user principal, which, >>> thankfully works. >> >> Ask them why, I am curious about the requirement.

What I was trying to achieve was a single Java process obtaining its own ticket before it connected to a service that was identified by a service principal mapping. In this scenario the client process is just as non-interactive as the server process so both sides were being configured with a keytab. Obtaining the keytab works fine and the client can use it - the only part that was a surprise was that the requirement for the client to change their password remained even though it was now redundant as a keytab had been generated.

> I'm still waiting for responses. The only thing I've been told thus > far is that since there are multiple processes authenticating to their > respective servers, it might be difficult to direct each to the proper > credential cache. If you use one user to auth to each server process > then there is only one credential cache. > > Steve >

From james.hogarth at gmail.com Wed Jun 20 11:43:42 2012 From: james.hogarth at gmail.com (James Hogarth) Date: Wed, 20 Jun 2012 12:43:42 +0100 Subject: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication In-Reply-To: References: <1340126876.32038.140.camel@willson.li.ssimo.org> <4FE0C874.6030302@redhat.com> Message-ID:

> I'll try and replicate the blog findings in the course of the next couple of > days .... if it works I'll add it to the wiki ...
>

Set up a test this morning using CentOS 6: nss-3.13.1-7.el6_2.x86_64 mod_nss-1.0.8-14.el6_2.x86_64

The behaviour was... odd.... SNI itself must have been working as the contents differed depending on the domain which matched the expectation from the two virtual hosts however there appears to remain certificate selection issues and/or issues with respect to the behaviour of the NSS options - only the last NSSCertificateDatabase seemed to apply rather than be local to a given VirtualHost (if separating certificate databases) and if in a common database although Apache reported different nicknamed certificates in error_log only the first NSSNickname seemed to be used to obtain the correct certificate...

Set up a similar test on Fedora 17: nss-3.13.4-3.fc17.x86_64 mod_nss-1.0.8-17.fc17.x86_64

Same behaviour occurred (not that surprising given the versions).... So the short of it is ignore that blog and Rob is right - mod_nss is not ready yet... if you want SNI you need mod_ssl (or mod_gnutls)... if you have FIPS etc requirements or other reasons to use mod_nss then SNI is not at this time possible if you want valid certificates in place...

James

From gspurgeon at dageek.co.uk Wed Jun 20 12:25:44 2012 From: gspurgeon at dageek.co.uk (Gavin Spurgeon) Date: Wed, 20 Jun 2012 13:25:44 +0100 Subject: [Freeipa-users] Non IPA Connected Slave DNS Server ? Message-ID: <4FE1C148.2070501@dageek.co.uk>

Hi All, Just have a quick question re: $subject I have seen some BZ's about this, but just wanted to check with the list to see what people have to say about this. I have an IPA Domain (example.com) and it is running as it should be. I also have 2 Public DNS Servers that run all of my non IPA Zones (in the 100s) I want these two DNS Servers to act as Standard Bind Slave Servers for my IPA Domain (i.e. to do a simple AXFR from the IPA Master)

a, No adding the Public DNS Servers to IPA is not an option...
b, Is this possible *now*?
c, Does anyone have any other suggestions on how to get my desired goal?
d, If not, when will this be possible?

--
Gavin Spurgeon. AKA Da Geek
----------------------------------------------------------------------
"The happiest of people don't necessarily have the best of everything, they just make the most of everything that comes along their way.."

From simo at redhat.com Wed Jun 20 12:46:29 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 20 Jun 2012 08:46:29 -0400
Subject: [Freeipa-users] ipa-getkeytab and mandatory password change
In-Reply-To: <4FE19152.8040605@jboss.com>
References: <4FDF502F.7090805@jboss.com> <4FE04C4F.8040009@redhat.com> <1340124957.32038.132.camel@willson.li.ssimo.org> <4FE19152.8040605@jboss.com>
Message-ID: <1340196389.32038.148.camel@willson.li.ssimo.org>

On Wed, 2012-06-20 at 10:01 +0100, Darran Lofthouse wrote:
> On 06/19/2012 07:12 PM, Stephen Ingram wrote:
> > On Tue, Jun 19, 2012 at 9:55 AM, Simo Sorce wrote:
> >> On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote:
> >>> On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal wrote:
> >>>> On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
> >>>>> Just experienced some weird behaviour on my Fedora 17 installation,
> >>>>> just wanted to check if this was expected.
> >>>>>
> >>>>> I have the default config that requires a user to change their
> >>>>> password the first time they run kinit.
> >>>>>
> >>>>> However I created a user and immediately used ipa-getkeytab as this
> >>>>> user will be a non-interactive process, despite the ipa-getkeytab
> >>>>> resetting the secret for the user the first attempt at authentication
> >>>>> failed as the user was still told to change their password.
> >>>>>
> >>>>
> >>>>
> >>>> I do not think we have anticipated this use. The ipa-getkeytab is
> >>>> designed for the host and services keytabs not for users. I suggest that
> >>>> you use a service principal rather than a user principal to run those jobs.
> >>>> You can also file an RFE to allow keytabs for users if you think that
> >>>> services would not work for you.
> >>>>
> >>>>> My expectation would have been that any update to the secret should
> >>>>> meet the requirement for the user to change their password.
> >>>
> >>> Darren-
> >>>
> >>> I'm not sure if you went further with this, but if you do change the
> >>> password through other means, you then will be able to get a copy of
> >>> the keytab for the user with ipa-getkeytab. I tried it out because the
> >>> thought of not being able to get a keytab for a user was concerning. I
> >>> agree that the service keytabs make more sense for these instances (I
> >>> was also told this by Simo in another thread), but I keep being told
> >>> by the application people that I need to use a user principal, which,
> >>> thankfully works.
> >>
> >> Ask them why, I am curious about the requirement.
>
> What I was trying to achieve was a single Java process obtaining its
> own ticket before it connected to a service that was identified by a
> service principal mapping.
>
> In this scenario the client process is just as non-interactive as the
> server process so both sides were being configured with a keytab.
>
> Obtaining the keytab works fine and the client can use it - the only
> part that was a surprise was that the requirement for the client to
> change their password remained even though it was now redundant as a
> keytab had been generated.

Users must obey password policies, that's why I suggest people use real service keytabs.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Wed Jun 20 13:23:19 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 20 Jun 2012 09:23:19 -0400
Subject: [Freeipa-users] TGT invalid after KDC restart?
In-Reply-To: <4FE0F0FF.6060205@nixtra.com>
References: <4FE0F0FF.6060205@nixtra.com>
Message-ID: <1340198599.32038.149.camel@willson.li.ssimo.org>

On Tue, 2012-06-19 at 23:37 +0200, Sigbjorn Lie wrote:
> Hi,
>
> Do a user's kerberos tickets become invalid after a restart of the KDC
> which granted the tickets?

No, tickets are encrypted with long term keys.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Jun 20 13:28:17 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jun 2012 09:28:17 -0400
Subject: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication
In-Reply-To:
References: <1340126876.32038.140.camel@willson.li.ssimo.org> <4FE0C874.6030302@redhat.com>
Message-ID: <4FE1CFF1.2080700@redhat.com>

James Hogarth wrote:
>> I'll try and replicate the blog findings in the course of the next couple of
>> days .... if it works I'll add it to the wiki ...
>>
>
> Set up a test this morning using Centos 6:
> nss-3.13.1-7.el6_2.x86_64
> mod_nss-1.0.8-14.el6_2.x86_64
>
> The behaviour was... odd....
>
> SNI itself must have been working as the contents differed depending
> on the domain which matched the expectation from the two virtual hosts
> however there appear to remain certificate selection issues and/or
> issues with respect to the behaviour of the NSS options - only the
> last NSSCertificateDatabase seemed to apply rather than be local to a
> given VirtualHost (if separating certificate databases) and if in a
> common database although Apache reported different nicknamed
> certificates in error_log only the first NSSNickname seemed to be used
> to obtain the correct certificate...
>
> Set up a similar test on Fedora 17:
> nss-3.13.4-3.fc17.x86_64
> mod_nss-1.0.8-17.fc17.x86_64
>
> Same behaviour occurred (not that surprising given the versions)....
>
> So the short of it is ignore that blog and Rob is right - mod_nss is
> not ready yet... if you want SNI you need mod_ssl (or mod_gnutls)...
> if you have FIPS etc requirements or other reasons to use mod_nss then
> SNI is not at this time possible if you want valid certificates in
> place...
>

Only one nss database may be opened at a time. mod_nss should probably error out if multiple are defined to prevent confusion.

I'd think a nickname should be unique to a given VirtualServer. If not then it's a bug.

rob

From james.hogarth at gmail.com Wed Jun 20 13:42:06 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Wed, 20 Jun 2012 14:42:06 +0100
Subject: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication
In-Reply-To: <4FE1CFF1.2080700@redhat.com>
References: <1340126876.32038.140.camel@willson.li.ssimo.org> <4FE0C874.6030302@redhat.com> <4FE1CFF1.2080700@redhat.com>
Message-ID:

>
> Only one nss database may be opened at a time. mod_nss should probably error
> out if multiple are defined to prevent confusion.
>
> I'd think a nickname should be unique to a given VirtualServer. If not then
> it's a bug.
That makes sense - and yeah, it should probably error out rather than just open the last without notice.

Pretty sure the NSSNickname issue is a bug - but at this time not sure where that lies exactly given that mod_nss doesn't claim SNI support currently anyway....

I'm going to let this lie for now to get on with other bits and will probably pick it up again in a week or so to dig a little deeper (i.e. use multiple IPs and compare behaviour versus on a single IP etc)... If I can find anything relevant I'll open appropriate tickets with the appropriate parties then.

For now (and in the context of this thread) I'll not mention mod_nss and leave the wiki page as is.

James

From rcritten at redhat.com Wed Jun 20 17:34:01 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jun 2012 13:34:01 -0400
Subject: [Freeipa-users] Updated 389-ds-base released
Message-ID: <4FE20989.7040908@redhat.com>

An update of 389-ds-base has been released which should resolve the problems that IPA was having. 389-ds-base-1.2.11.5-1.fc17 corrects the problems we were seeing with managed entries.

Don't forget to remove 389-ds-base from excludes in your yum.conf and/or use yum versionlock delete 389-ds-base{,-devel,-libs}

regards

rob

From jlinoff at tabula.com Wed Jun 20 18:17:46 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Wed, 20 Jun 2012 11:17:46 -0700
Subject: [Freeipa-users] IPA client ldapsearch
Message-ID: <8AD4194C251EC74CB897E261038F447801006150@mantaray.tabula.com>

Hi:

This is a best practices question. I am really impressed with FreeIPA and I want to make sure that I follow the recommended usage paradigms.

What is the best way to do an ldapsearch operation on a FreeIPA client?

One approach would be to install LDAP utilities on the client and run ldapsearch.

Another approach might be to install the ipa-admintools package on the client.

Since all I want to do is a simple query (like "ipa user-find" on the ipa-server), I wasn't sure whether the ipa-admintools made sense.
Thanks,

Joe

From rcritten at redhat.com Wed Jun 20 18:25:42 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jun 2012 14:25:42 -0400
Subject: [Freeipa-users] IPA client ldapsearch
In-Reply-To: <8AD4194C251EC74CB897E261038F447801006150@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F447801006150@mantaray.tabula.com>
Message-ID: <4FE215A6.4070006@redhat.com>

Joe Linoff wrote:
> Hi:
>
> This is a best practices question. I am really impressed with FreeIPA
> and I want to make sure that I follow the recommended usage paradigms.
>
> What is the best way to do an ldapsearch operation on a FreeIPA client?
>
> One approach would be to install LDAP utilities on the client and run
> ldapsearch.
>
> Another approach might be to install the ipa-admintools package on the
> client.
>
> Since all I want to do is a simple query (like "ipa user-find" on the
> ipa-server), I wasn't sure whether the ipa-admintools made sense.

Your best bet is to use the ipa-admintools package. This way you don't have to worry about the LDAP internals. If you have some need for something the tools can't provide you can always fall back to using ldapsearch.

You probably don't need to install this on every client.

rob

From george_he7 at yahoo.com Wed Jun 20 20:03:01 2012
From: george_he7 at yahoo.com (george he)
Date: Wed, 20 Jun 2012 13:03:01 -0700 (PDT)
Subject: [Freeipa-users] ipa installation problem -- 2
Message-ID: <1340222581.75591.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hello all,

My first problem was related to the firewall: the command
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
opened port 80 after this line in iptables, thus the problem I had.
REJECT     all  --  anywhere             anywhere
reject-with icmp-host-prohibited

Now I have another problem when I run ipa-client-install on the client (after it asked for the admin password):

Joining realm failed: HTTP response code is 400, not 200

Here are the related lines in /var/log/ipaclient-install.log
2012-06-20T19:46:53Z DEBUG args=/usr/sbin/ipa-join -s cns2.psych.yale.edu -b dc=psych,dc=yale,dc=edu
2012-06-20T19:46:53Z DEBUG stdout=
2012-06-20T19:46:53Z DEBUG stderr=HTTP response code is 400, not 200

Suggestions, please.

Thanks,
George

From Steven.Jones at vuw.ac.nz Wed Jun 20 20:13:16 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 20 Jun 2012 20:13:16 +0000
Subject: [Freeipa-users] Do clients have to be in the same DNS zone / FQDN as the IPA servers / Kerberos Realm?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCD23E5@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCD23E5@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCD2841@STAWINCOX10MBX1.staff.vuw.ac.nz>

I assume with no reply, no one knows?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Wednesday, 20 June 2012 2:17 p.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Do clients have to be in the same DNS zone / FQDN as the IPA servers / Kerberos Realm?

My IPA servers are, say, ipa1 and ipa2.ipa.example.com

I have existing linux servers that I would rather not change the FQDN on, say server1.example.com

Do I actually have to make the client server1.ipa.example.com or can I leave it as is at server1.example.com?

Would that give any IPA problems? Or is it just poor practice?
regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From rcritten at redhat.com Wed Jun 20 20:24:32 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jun 2012 16:24:32 -0400
Subject: [Freeipa-users] ipa installation problem -- 2
In-Reply-To: <1340222581.75591.YahooMailNeo@web120003.mail.ne1.yahoo.com>
References: <1340222581.75591.YahooMailNeo@web120003.mail.ne1.yahoo.com>
Message-ID: <4FE23180.1090104@redhat.com>

george he wrote:
> Hello all,
>
> My first problem was related to firewall, the command
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> opened port 80 after this line in iptables thus the problem I had.
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
> Now I have another problem when I run ipa-client-install on the client
> (after it asked for admin password):
>
> Joining realm failed: HTTP response code is 400, not 200
>
> Here are the related lines in /var/log/ipaclient-install.log
> 2012-06-20T19:46:53Z DEBUG args=/usr/sbin/ipa-join -s
> cns2.psych.yale.edu -b dc=psych,dc=yale,dc=edu
> 2012-06-20T19:46:53Z DEBUG stdout=
> 2012-06-20T19:46:53Z DEBUG stderr=HTTP response code is 400, not 200
>

Try updating mod_nss to mod_nss.x86_64 0:1.0.8-17.fc17.

rob

From rcritten at redhat.com Wed Jun 20 20:31:09 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jun 2012 16:31:09 -0400
Subject: [Freeipa-users] Do clients have to be in the same DNS zone / FQDN as the IPA servers / Kerberos Realm?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCD2841@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCD23E5@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCD2841@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FE2330D.8080504@redhat.com>

Steven Jones wrote:
> I assume with no reply, no one knows?

That's not really fair, it hasn't even been 24 hours.

> My IPA servers are say ipa1 and 2.ipa.example.com
>
> I have existing linux servers that I would rather not change the FQDN on, say server1.example.com Do I actually have to make the client server1.ipa.example.com or can I leave it as is at server1.example.com? Would that give any IPA problems? or is it just poor practice?

Yes, you should be able to enroll server1.example.com into the ipa.example.com realm. You'll need a v2.2+ client for this to work. A patch was added (contributed by a user, actually) that will add a domain mapping to krb5.conf so this should work.

rob

From Steven.Jones at vuw.ac.nz Wed Jun 20 20:44:03 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 20 Jun 2012 20:44:03 +0000
Subject: [Freeipa-users] Do clients have to be in the same DNS zone / FQDN as the IPA servers / Kerberos Realm?
In-Reply-To: <4FE2330D.8080504@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CCD23E5@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCD2841@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FE2330D.8080504@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCD33C0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Sorry.....

but I'm getting hammered by my management for instant answers.......they asked last night and expect an answer this morning.....and I'm expected to catch up and deploy several important solutions/projects all hinging on IPA ASAP.......

2.2 isn't in RHEL6.3 though?

Anyway I will leave it longer, but Qs seem to drop off the list pretty quickly.......
regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 21 June 2012 8:31 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Do clients have to be in the same DNS zone / FQDN as the IPA servers / Kerberos Realm?

Steven Jones wrote:
> I assume with no reply, no one knows?

That's not really fair, it hasn't even been 24 hours.

> My IPA servers are say ipa1 and 2.ipa.example.com
>
> I have existing linux servers that I would rather not change the FQDN on, say server1.example.com Do I actually have to make the client server1.ipa.example.com or can I leave it as is at server1.example.com? Would that give any IPA problems? or is it just poor practice?

Yes, you should be able to enroll server1.example.com into the ipa.example.com realm. You'll need a v2.2+ client for this to work. A patch was added (contributed by a user, actually) that will add a domain mapping to krb5.conf so this should work.

rob

From erinn.looneytriggs at gmail.com Wed Jun 20 20:58:45 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Wed, 20 Jun 2012 14:58:45 -0600
Subject: [Freeipa-users] Do clients have to be in the same DNS zone / FQDN as the IPA servers / Kerberos Realm?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCD33C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCD23E5@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCD2841@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FE2330D.8080504@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCD33C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

Yeah it is:

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)

ipa-client-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64

-Erinn

On Wed, Jun 20, 2012 at 2:44 PM, Steven Jones wrote:
> Hi,
>
> Sorry.....
>
> but I'm getting hammered by my management for instant answers.......they
> asked last night and expect an answer this morning.....and I'm expected to
> catch up and deploy several important solutions/projects all hinging on IPA
> ASAP.......
>
> 2.2 isn't in RHEL6.3 though?
>
> Anyway I will leave it longer, but Qs seem to drop off the list pretty
> quickly.......
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Thursday, 21 June 2012 8:31 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Do clients have to be in the same DNS zone /
> FQDN as the IPA servers / Kerberos Realm?
>
> Steven Jones wrote:
> > I assume with no reply, no one knows?
>
> That's not really fair, it hasn't even been 24 hours.
>
> > My IPA servers are say ipa1 and 2.ipa.example.com
> >
> > I have existing linux servers that I would rather not change the FQDN
> on, say server1.example.com Do I actually have to make the client
> server1.ipa.example.com or can I leave it as is at server1.example.com?
> Would that give any IPA problems? or is it just poor practice?
>
> Yes, you should be able to enroll server1.example.com into the
> ipa.example.com realm. You'll need a v2.2+ client for this to work. A
> patch was added (contributed by a user, actually) that will add a domain
> mapping to krb5.conf so this should work.
>
> rob
>

From jlinoff at tabula.com Wed Jun 20 21:24:19 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Wed, 20 Jun 2012 14:24:19 -0700
Subject: [Freeipa-users] IPA client ldapsearch
In-Reply-To: <4FE215A6.4070006@redhat.com>
References: <8AD4194C251EC74CB897E261038F447801006150@mantaray.tabula.com> <4FE215A6.4070006@redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F447801006171@mantaray.tabula.com>

Hi Rob:

> Your best bet is to use the ipa-admintools package.

Thank you, I appreciate the help. As you suggested, I will use the ipa-admintools package.

> You probably don't need to install this on every client.

That makes sense.

Regards,

Joe

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Wednesday, June 20, 2012 11:26 AM
To: Joe Linoff
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA client ldapsearch

Joe Linoff wrote:
> Hi:
>
> This is a best practices question. I am really impressed with FreeIPA
> and I want to make sure that I follow the recommended usage paradigms.
>
> What is the best way to do an ldapsearch operation on a FreeIPA client?
>
> One approach would be to install LDAP utilities on the client and run
> ldapsearch.
>
> Another approach might be to install the ipa-admintools package on the
> client.
>
> Since all I want to do is a simple query (like "ipa user-find" on the
> ipa-server), I wasn't sure whether the ipa-admintools made sense.

Your best bet is to use the ipa-admintools package. This way you don't have to worry about the LDAP internals. If you have some need for something the tools can't provide you can always fall back to using ldapsearch.

You probably don't need to install this on every client.

rob

From Steven.Jones at vuw.ac.nz Wed Jun 20 21:37:00 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 20 Jun 2012 21:37:00 +0000
Subject: [Freeipa-users] IPA client ldapsearch
In-Reply-To: <8AD4194C251EC74CB897E261038F447801006171@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F447801006150@mantaray.tabula.com> <4FE215A6.4070006@redhat.com>, <8AD4194C251EC74CB897E261038F447801006171@mantaray.tabula.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCD3421@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I export an ldif and use jexplorer....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Joe Linoff [jlinoff at tabula.com]
Sent: Thursday, 21 June 2012 9:24 a.m.
To: Rob Crittenden
Cc: Joe Linoff; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA client ldapsearch

Hi Rob:

> Your best bet is to use the ipa-admintools package.

Thank you, I appreciate the help. As you suggested, I will use the ipa-admintools package.

> You probably don't need to install this on every client.

That makes sense.
Regards,

Joe

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Wednesday, June 20, 2012 11:26 AM
To: Joe Linoff
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA client ldapsearch

Joe Linoff wrote:
> Hi:
>
> This is a best practices question. I am really impressed with FreeIPA
> and I want to make sure that I follow the recommended usage paradigms.
>
> What is the best way to do an ldapsearch operation on a FreeIPA client?
>
> One approach would be to install LDAP utilities on the client and run
> ldapsearch.
>
> Another approach might be to install the ipa-admintools package on the
> client.
>
> Since all I want to do is a simple query (like "ipa user-find" on the
> ipa-server), I wasn't sure whether the ipa-admintools made sense.

Your best bet is to use the ipa-admintools package. This way you don't have to worry about the LDAP internals. If you have some need for something the tools can't provide you can always fall back to using ldapsearch.

You probably don't need to install this on every client.

rob

From george_he7 at yahoo.com Wed Jun 20 22:18:46 2012
From: george_he7 at yahoo.com (george he)
Date: Wed, 20 Jun 2012 15:18:46 -0700 (PDT)
Subject: [Freeipa-users] ipa installation problem -- 2
In-Reply-To: <4FE23180.1090104@redhat.com>
References: <1340222581.75591.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FE23180.1090104@redhat.com>
Message-ID: <1340230726.94271.YahooMailNeo@web120004.mail.ne1.yahoo.com>

Hi Rob,

Client configuration complete.
but it says
Failed to upload host SSH public keys.
Hope it's OK.
Thanks a lot,
George

>________________________________
> From: Rob Crittenden
>To: george he
>Cc: "freeipa-users at redhat.com"
>Sent: Wednesday, June 20, 2012 4:24 PM
>Subject: Re: [Freeipa-users] ipa installation problem -- 2
>
>george he wrote:
>> Hello all,
>>
>> My first problem was related to firewall, the command
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> opened port 80 after this line in iptables thus the problem I had.
>> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>>
>> Now I have another problem when I run ipa-client-install on the client
>> (after it asked for admin password):
>>
>> Joining realm failed: HTTP response code is 400, not 200
>>
>> Here are the related lines in /var/log/ipaclient-install.log
>> 2012-06-20T19:46:53Z DEBUG args=/usr/sbin/ipa-join -s
>> cns2.psych.yale.edu -b dc=psych,dc=yale,dc=edu
>> 2012-06-20T19:46:53Z DEBUG stdout=
>> 2012-06-20T19:46:53Z DEBUG stderr=HTTP response code is 400, not 200
>>
>>
>
>Try updating mod_nss to mod_nss.x86_64 0:1.0.8-17.fc17.
>
>rob
>

From james.hogarth at gmail.com Thu Jun 21 06:05:04 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Thu, 21 Jun 2012 07:05:04 +0100
Subject: [Freeipa-users] Do clients have to be in the same DNS zone / FQDN as the IPA servers / Kerberos Realm?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCD33C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCD23E5@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCD2841@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FE2330D.8080504@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCD33C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

> but I'm getting hammered by my management for instant answers.......they asked last night and expect an answer this morning.....and I'm expected to catch up and deploy several important solutions/projects all hinging on IPA ASAP.......
>
> 2.2 isn't in RHEL6.3 though?
>

Are you using fedora, centos or rhel? The last bit implies rhel but then you seem to desire an SLA and a response on the upstream users' mailing list....

Although there are a large number of people here using IPA along with redhat developers, might I suggest that for a critical thing where you need an answer within 24 hours you are better off following the standard support channels of your RHEL contract?

If you don't have a support contract, now could be a good time to explain to management that if they require quick answers then they need to pay for them... if they do things on the cheap then they require patience...

From george_he7 at yahoo.com Thu Jun 21 14:42:39 2012
From: george_he7 at yahoo.com (george he)
Date: Thu, 21 Jun 2012 07:42:39 -0700 (PDT)
Subject: [Freeipa-users] Joining realm failed: Host is already joined
Message-ID: <1340289759.76340.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hello all,

When I do ipa-client-install on a client with a previous unsuccessful installation, I get this error message:

Joining realm failed: Host is already joined.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

How do I clean up the machine for a clean installation?
I tried
ipa-client-install --uninstall
but get this:
IPA client is not configured on this system.

Thanks,
George
From pviktori at redhat.com Thu Jun 21 14:50:18 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 21 Jun 2012 16:50:18 +0200
Subject: [Freeipa-users] Joining realm failed: Host is already joined
In-Reply-To: <1340289759.76340.YahooMailNeo@web120003.mail.ne1.yahoo.com>
References: <1340289759.76340.YahooMailNeo@web120003.mail.ne1.yahoo.com>
Message-ID: <4FE334AA.4090603@redhat.com>

On 06/21/2012 04:42 PM, george he wrote:
> Hello all,
>
> When I do ipa-client-install on a client with previous unsuccessful
> installation, I get this error message:
>
> Joining realm failed: Host is already joined.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> How do I clean up the machine for a clean installation?
> I tried
> ipa-client-install --uninstall
> but get this:
> IPA client is not configured on this system.
>
> Thanks,
> George
>

Do a ipa host-del on the server.

--
Petr³

From george_he7 at yahoo.com Thu Jun 21 15:08:17 2012
From: george_he7 at yahoo.com (george he)
Date: Thu, 21 Jun 2012 08:08:17 -0700 (PDT)
Subject: [Freeipa-users] Joining realm failed: Host is already joined
In-Reply-To: <4FE334AA.4090603@redhat.com>
References: <1340289759.76340.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FE334AA.4090603@redhat.com>
Message-ID: <1340291297.99749.YahooMailNeo@web120005.mail.ne1.yahoo.com>

Thanks Petr,

Now it says:

Failed to obtain host TGT.
Installation failed. Rolling back changes.

I did the manual installation on this machine when the ipa-client-install script failed.
I guess there's a lot to clean up :(

George

>________________________________
> From: Petr Viktorin
>To: freeipa-users at redhat.com
>Sent: Thursday, June 21, 2012 10:50 AM
>Subject: Re: [Freeipa-users] Joining realm failed: Host is already joined
>
>On 06/21/2012 04:42 PM, george he wrote:
>> Hello all,
>>
>> When I do ipa-client-install on a client with previous unsuccessful
>> installation, I get this error message:
>>
>> Joining realm failed: Host is already joined.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> How do I clean up the machine for a clean installation?
>> I tried
>> ipa-client-install --uninstall
>> but get this:
>> IPA client is not configured on this system.
>>
>> Thanks,
>> George
>>
>
>Do a ipa host-del on the server.
>
>
>--
>Petr³
>

From rcritten at redhat.com Thu Jun 21 15:18:11 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Jun 2012 11:18:11 -0400
Subject: [Freeipa-users] Joining realm failed: Host is already joined
In-Reply-To: <1340291297.99749.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1340289759.76340.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FE334AA.4090603@redhat.com> <1340291297.99749.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <4FE33B33.6040005@redhat.com>

george he wrote:
> Thanks Petr,
>
> Now it says:
>
> Failed to obtain host TGT.
> Installation failed. Rolling back changes.
> I did the manual installation on this machine when the
> ipa-client-install script failed.
> I guess there's a lot to clean up :(

/var/log/ipaclient-install.log may have more details on the failure.

It could be that you have a lingering host principal. Run klist -kt /etc/krb5.keytab.
To remove all principals for your realm from this keytab run:

# ipa-rmkeytab -k /etc/krb5.keytab -r YOUR_REALM

rob

From maciej.sawicki at polidea.pl Thu Jun 21 15:24:06 2012
From: maciej.sawicki at polidea.pl (Maciej Sawicki)
Date: Thu, 21 Jun 2012 17:24:06 +0200
Subject: [Freeipa-users] groups migration
In-Reply-To: <4FE07C70.3080505@redhat.com>
References: <4FE07C70.3080505@redhat.com>
Message-ID:

On Tue, Jun 19, 2012 at 3:19 PM, Rob Crittenden wrote:
> Pass in --schema=RFC2307 to the migrate-ds command to migrate these groups.
>

Thank you Rob. I tried this option and it didn't help, my groups in ipa are still empty :(.

regards,
Maciej Sawicki

From george_he7 at yahoo.com Thu Jun 21 15:43:13 2012
From: george_he7 at yahoo.com (george he)
Date: Thu, 21 Jun 2012 08:43:13 -0700 (PDT)
Subject: [Freeipa-users] Joining realm failed: Host is already joined
In-Reply-To: <4FE33B33.6040005@redhat.com>
References: <1340289759.76340.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FE334AA.4090603@redhat.com> <1340291297.99749.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE33B33.6040005@redhat.com>
Message-ID: <1340293393.98130.YahooMailNeo@web120006.mail.ne1.yahoo.com>

Hello Rob,

Here is what I get by running the commands:

# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
# ipa-rmkeytab -k /etc/krb5.keytab -r MYREALM
realm not found
#

I thought the commands didn't solve the problem, but when I run ipa-client-install again, it says at the end "Client configuration complete." and it was found on the server by "ipa host-find". So I guess the problem is gone.

Your help is very appreciated.
George

>________________________________
> From: Rob Crittenden
> To: george he
> Cc: Petr Viktorin ; "freeipa-users at redhat.com"
> Sent: Thursday, June 21, 2012 11:18 AM
> Subject: Re: [Freeipa-users] Joining realm failed: Host is already joined
>
> george he wrote:
>> Thanks Petr,
>>
>> Now it says:
>>
>> Failed to obtain host TGT.
>> Installation failed. Rolling back changes.
>> I did the manual installation on this machine when the
>> ipa-client-install script failed.
>> I guess there's a lot to clean up :(
>
> /var/log/ipaclient-install.log may have more details on the failure.
>
> It could be that you have a lingering host principal. Run klist -kt
> /etc/krb5.keytab. To remove all principals for your realm from this
> keytab run:
>
> # ipa-rmkeytab -k /etc/krb5.keytab -r YOUR_REALM
>
> rob

From george_he7 at yahoo.com Thu Jun 21 18:25:17 2012
From: george_he7 at yahoo.com (george he)
Date: Thu, 21 Jun 2012 11:25:17 -0700 (PDT)
Subject: [Freeipa-users] ipa user-add
Message-ID: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com>

Hello all,

After the server and the client are installed, I run

ipa user-add myname

to add users. The users are added successfully, but each user gets his own GID, which is the same as his UID, even though "ipa config-show --all" shows

  Default users group: ipausers

How do I put all new users to this ipausers group? If I use --gidnumber=INT, how to find out the GID of the ipausers group?

I tried to delete a user using "ipa user-del myname", but the private group myname is left there. So I did the following:

# ipa group-del myname
ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
# ipa group-detach myname
ipa: ERROR: myname: group not found
# ipa user-add myname
First name: myfirstname
Last name: mylastname
ipa: ERROR: Unable to create private group. A group 'myname' already exists.

How do I get out of this loop?
Thanks,
George

From rmeggins at redhat.com Thu Jun 21 18:43:19 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 21 Jun 2012 12:43:19 -0600
Subject: [Freeipa-users] ipa user-add
In-Reply-To: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <4FE36B47.2030905@redhat.com>

On 06/21/2012 12:25 PM, george he wrote:
> Hello all,
>
> After the server and the client are installed, I run
>
> ipa user-add myname
>
> to add users. The users are added successfully, but each user gets his
> own GID, which is the same as his UID, even though "ipa config-show
> --all" shows
> Default users group: ipausers
>
> How do I put all new users to this ipausers group? If I use
> --gidnumber=INT, how to find out the GID of the ipausers group?
>
> I tried to delete a user using "ipa user-del myname", but the private
> group myname is left there. So I did the following:
>
> # ipa group-del myname
> ipa: ERROR: Deleting a managed group is not allowed. It must be
> detached first.
> # ipa group-detach myname
> ipa: ERROR: myname: group not found
> # ipa user-add myname
> First name: myfirstname
> Last name: mylastname
> ipa: ERROR: Unable to create private group. A group 'myname' already
> exists.
>
> How do I get out of this loop?

What is your platform and 389-ds-base version?
I'm not familiar with group-detach, but you can manually detach and remove the private group using ldapsearch and ldapmodify:

assuming you have done kinit admin:

1) ldapsearch -LLL -Y GSSAPI cn=myname dn

This will give you the DN of the group - ignore any entries in the compat tree

2) ldapmodify -Y GSSAPI <<EOF
dn: DN of the group from ldapsearch
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: DN of the group from ldapsearch
changetype: delete
EOF

This will remove the private group.

> Thanks,
> George
>

From rcritten at redhat.com Thu Jun 21 18:50:47 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Jun 2012 14:50:47 -0400
Subject: [Freeipa-users] groups migration
In-Reply-To:
References: <4FE07C70.3080505@redhat.com>
Message-ID: <4FE36D07.3020304@redhat.com>

Maciej Sawicki wrote:
> On Tue, Jun 19, 2012 at 3:19 PM, Rob Crittenden wrote:
>> Pass in --schema=RFC2307 to the migrate-ds command to migrate these groups.
>>
>
> Thank you Rob. I tried this option and it didn't help, my groups in
> ipa are still empty :(.
>
> regards,
> Maciej Sawicki

It won't re-migrate a group once it is added. Did you remove the group in IPA before trying again?

I did a quickie test using a current build from master (what will become 3.0) and it worked ok. We haven't done any migration changes since 2.2 so it should be the same code.

What version and platform are you using?
The command-line I used was:

# ipa migrate-ds ldap://pogo.example.com:3389 --schema=RFC2307 --with-compat

My data was:

dn: uid=user1,ou=People,dc=greyoak,dc=com
objectclass: top
objectclass: posixaccount
objectclass: inetorgperson
sn: User
givenname: test
uid: user1
uidnumber: 10000
gidnumber: 10001
loginshell: /bin/sh
homedirectory: /home/user1
cn: Test User

dn: uid=user2,ou=People,dc=greyoak,dc=com
objectclass: top
objectclass: posixaccount
objectclass: inetorgperson
sn: User
givenname: test
uid: user2
uidnumber: 10003
gidnumber: 10004
loginshell: /bin/sh
homedirectory: /home/user2
cn: Test User 2

dn: uid=user3,ou=People,dc=greyoak,dc=com
objectclass: top
objectclass: posixaccount
objectclass: inetorgperson
sn: User
givenname: test
uid: user3
uidnumber: 10005
gidnumber: 10006
loginshell: /bin/sh
homedirectory: /home/user3
cn: Test User 3

dn: cn=schema,ou=Groups,dc=greyoak,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixgroup
cn: schema
ou: groups
gidnumber: 10004
description: People who can manage engineer entries
memberUid: user1
memberUid: user2
memberUid: user3

# ipa group-show schema
  Group name: schema
  Description: People who can manage engineer entries
  GID: 10004
  Member users: user1, user2, user3

rob

From rcritten at redhat.com Thu Jun 21 18:54:53 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Jun 2012 14:54:53 -0400
Subject: [Freeipa-users] ipa user-add
In-Reply-To: <4FE36B47.2030905@redhat.com>
References: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE36B47.2030905@redhat.com>
Message-ID: <4FE36DFD.8050702@redhat.com>

Rich Megginson wrote:
> On 06/21/2012 12:25 PM, george he wrote:
>> Hello all,
>>
>> After the server and the client are installed, I run
>>
>> ipa user-add myname
>>
>> to add users.
>> The users are added successfully, but each user gets his
>> own GID, which is the same as his UID, even though "ipa config-show
>> --all" shows
>> Default users group: ipausers
>>
>> How do I put all new users to this ipausers group? If I use
>> --gidnumber=INT, how to find out the GID of the ipausers group?

It would help to know what version and platform of IPA you are using. The method differs by version.

>>
>> I tried to delete a user using "ipa user-del myname", but the private
>> group myname is left there. So I did the following:
>>
>> # ipa group-del myname
>> ipa: ERROR: Deleting a managed group is not allowed. It must be
>> detached first.
>> # ipa group-detach myname
>> ipa: ERROR: myname: group not found
>> # ipa user-add myname
>> First name: myfirstname
>> Last name: mylastname
>> ipa: ERROR: Unable to create private group. A group 'myname' already
>> exists.
>>
>> How do I get out of this loop?
>
> What is your platform and 389-ds-base version?
>
> I'm not familiar with group-detach, but you can manually detach and
> remove the private group using ldapsearch and ldapmodify:
>
> assuming you have done kinit admin:
> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
> This will give you the DN of the group - ignore any entries in the
> compat tree
>
> 2) ldapmodify -Y GSSAPI <<EOF
> dn: DN of the group from ldapsearch
> changetype: modify
> delete: objectclass
> objectclass: mepManagedEntry
> -
> delete: mepManagedBy
> -
>
> dn: DN of the group from ldapsearch
> changetype: delete
> EOF
>
> This will remove the private group.
>>
>> Thanks,
>> George
>>

From george_he7 at yahoo.com Thu Jun 21 19:10:18 2012
From: george_he7 at yahoo.com (george he)
Date: Thu, 21 Jun 2012 12:10:18 -0700 (PDT)
Subject: [Freeipa-users] ipa user-add
In-Reply-To: <4FE36DFD.8050702@redhat.com>
References: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE36B47.2030905@redhat.com> <4FE36DFD.8050702@redhat.com>
Message-ID: <1340305818.5219.YahooMailNeo@web120005.mail.ne1.yahoo.com>

it's x86_64 2.2.0-1.fc17.

Thanks,
George

>________________________________
> From: Rob Crittenden
> To: Rich Megginson
> Cc: george he ; "freeipa-users at redhat.com"
> Sent: Thursday, June 21, 2012 2:54 PM
> Subject: Re: [Freeipa-users] ipa user-add
>
> Rich Megginson wrote:
>> On 06/21/2012 12:25 PM, george he wrote:
>>> Hello all,
>>>
>>> After the server and the client are installed, I run
>>>
>>> ipa user-add myname
>>>
>>> to add users. The users are added successfully, but each user gets his
>>> own GID, which is the same as his UID, even though "ipa config-show
>>> --all" shows
>>> Default users group: ipausers
>>>
>>> How do I put all new users to this ipausers group? If I use
>>> --gidnumber=INT, how to find out the GID of the ipausers group?
>
> It would help to know what version and platform of IPA you are using.
> The method differs by version.
>
>>>
>>> I tried to delete a user using "ipa user-del myname", but the private
>>> group myname is left there. So I did the following:
>>>
>>> # ipa group-del myname
>>> ipa: ERROR: Deleting a managed group is not allowed. It must be
>>> detached first.
>>> # ipa group-detach myname
>>> ipa: ERROR: myname: group not found
>>> # ipa user-add myname
>>> First name: myfirstname
>>> Last name: mylastname
>>> ipa: ERROR: Unable to create private group. A group 'myname' already
>>> exists.
>>>
>>> How do I get out of this loop?
>>
>> What is your platform and 389-ds-base version?
>>
>> I'm not familiar with group-detach, but you can manually detach and
>> remove the private group using ldapsearch and ldapmodify:
>>
>> assuming you have done kinit admin:
>> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>> This will give you the DN of the group - ignore any entries in the
>> compat tree
>>
>> 2) ldapmodify -Y GSSAPI <<EOF
>> dn: DN of the group from ldapsearch
>> changetype: modify
>> delete: objectclass
>> objectclass: mepManagedEntry
>> -
>> delete: mepManagedBy
>> -
>>
>> dn: DN of the group from ldapsearch
>> changetype: delete
>> EOF
>>
>> This will remove the private group.
>>>
>>> Thanks,
>>> George
>>>
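Rob's advice earlier in the "Joining realm failed" thread is to look at klist -kt /etc/krb5.keytab before running ipa-rmkeytab -r YOUR_REALM, and George's empty listing then produced "realm not found". The following is an added example, not code from the thread or from the FreeIPA project: it parses a klist -kt listing (the two listings below are constructed; example.test hostnames and realms are placeholders), groups the principals by realm, and reports which realms ipa-rmkeytab would actually find, so the empty-keytab case is recognised before the command is run.

```python
"""Inspect `klist -kt` output before running `ipa-rmkeytab -r REALM`.

Added example, not from the thread or the FreeIPA project. The sample
listings are constructed; hostnames and realms are placeholders.
"""
import re
from collections import defaultdict

# One keytab entry per line: KVNO, timestamp (two fields), principal@REALM.
_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)@([A-Za-z0-9.\-]+)\s*$")

# Constructed listing with entries for two realms: a stale one left behind
# by a manual installation, and the realm the client should belong to.
# klist prints one line per encryption type, hence the repeated entry.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/21/12 10:12:31 host/client1.example.test@EXAMPLE.TEST
   2 06/21/12 10:12:31 host/client1.example.test@EXAMPLE.TEST
   1 05/02/12 09:00:00 host/client1.example.test@OLD.EXAMPLE.TEST
"""

# The shape of the listing George posted: header only, no principals at all.
EMPTY_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
"""


def principals_by_realm(klist_output):
    """Map realm -> sorted principal names found in the keytab listing.
    Header, separator and blank lines are skipped; the per-enctype
    duplicates collapse into one name per principal."""
    found = defaultdict(set)
    for line in klist_output.splitlines():
        m = _ENTRY.match(line)
        if m:
            _kvno, _stamp, principal, realm = m.groups()
            found[realm].add(principal)
    return {realm: sorted(names) for realm, names in found.items()}


def stale_realms(klist_output, current_realm):
    """Realms in the keytab other than the one the client should belong to;
    each is a candidate for `ipa-rmkeytab -k /etc/krb5.keytab -r REALM`."""
    return sorted(r for r in principals_by_realm(klist_output) if r != current_realm)


def rmkeytab_would_find(klist_output, realm):
    """False when the keytab has no entry for `realm`, which is the case
    in which ipa-rmkeytab answers "realm not found" (as on George's box)."""
    return realm in principals_by_realm(klist_output)


if __name__ == "__main__":
    print(principals_by_realm(SAMPLE_KLIST))
    print("stale:", stale_realms(SAMPLE_KLIST, "EXAMPLE.TEST"))
    print("empty keytab, MYREALM found:", rmkeytab_would_find(EMPTY_KLIST, "MYREALM"))
```

To use it against a real host, feed the captured output of klist -kt /etc/krb5.keytab to principals_by_realm; the realm names it returns are exactly the values ipa-rmkeytab -r accepts.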
From dpal at redhat.com Thu Jun 21 19:30:40 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 21 Jun 2012 15:30:40 -0400
Subject: [Freeipa-users] Joining realm failed: Host is already joined
In-Reply-To: <1340293393.98130.YahooMailNeo@web120006.mail.ne1.yahoo.com>
References: <1340289759.76340.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FE334AA.4090603@redhat.com> <1340291297.99749.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE33B33.6040005@redhat.com> <1340293393.98130.YahooMailNeo@web120006.mail.ne1.yahoo.com>
Message-ID: <4FE37660.1010609@redhat.com>

On 06/21/2012 11:43 AM, george he wrote:
> Hello Rob,
>
> Here is what I get by running the commands:
>
> # klist -kt /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
> # ipa-rmkeytab -k /etc/krb5.keytab -r MYREALM
> realm not found
> #
>
> I thought the commands didn't solve the problem, but when I run
> ipa-client-install again, it says at the end "Client configuration
> complete."
> and it was found on the server by "ipa host-find". So I guess the
> problem is gone.
>
> Your help is very appreciated.
> George
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden
> *To:* george he
> *Cc:* Petr Viktorin ; "freeipa-users at redhat.com"
> *Sent:* Thursday, June 21, 2012 11:18 AM
> *Subject:* Re: [Freeipa-users] Joining realm failed: Host is already joined
>
> george he wrote:
> > Thanks Petr,
> >
> > Now it says:
> >
> > Failed to obtain host TGT.
> > Installation failed. Rolling back changes.
> > I did the manual installation on this machine when the
> > ipa-client-install script failed.
> > I guess there's a lot to clean up :(
>
> /var/log/ipaclient-install.log may have more details on the failure.
>
> It could be that you have a lingering host principal. Run klist -kt
> /etc/krb5.keytab.
> To remove all principals for your realm from this
> keytab run:
>
> # ipa-rmkeytab -k /etc/krb5.keytab -r YOUR_REALM
>
> rob

Rob,

IMO for cases like this we should have a page about "how to wipe out the client manually". In the past I ran the uninstall several times in a row and sometimes it helped.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Thu Jun 21 19:47:23 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 21 Jun 2012 15:47:23 -0400
Subject: [Freeipa-users] ipa user-add
In-Reply-To: <1340305818.5219.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE36B47.2030905@redhat.com> <4FE36DFD.8050702@redhat.com> <1340305818.5219.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <4FE37A4B.8090103@redhat.com>

On 06/21/2012 03:10 PM, george he wrote:
> it's x86_64 2.2.0-1.fc17.
> Thanks,
> George

You are looking at the private group feature.
By default IPA encourages you to take advantage of the user private groups - the groups that have only the current user in them.
The value of this is that the files on the file system can be owned just by the user. It is a good practice.
To turn it off there is a utility to turn off the managed entries creation.

Please do not use LDAP directly (at least yet).

There is another feature that allows one to specify criteria for placing users or hosts into groups.
Users in the past were automatically placed into the ipausers group but not any more for security reasons explained above and for performance reasons as one huge group causes sssd to pull everybody on the first lookup.
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden
> *To:* Rich Megginson
> *Cc:* george he ; "freeipa-users at redhat.com"
> *Sent:* Thursday, June 21, 2012 2:54 PM
> *Subject:* Re: [Freeipa-users] ipa user-add
>
> Rich Megginson wrote:
> > On 06/21/2012 12:25 PM, george he wrote:
> >> Hello all,
> >>
> >> After the server and the client are installed, I run
> >>
> >> ipa user-add myname
> >>
> >> to add users. The users are added successfully, but each user gets his
> >> own GID, which is the same as his UID, even though "ipa config-show
> >> --all" shows
> >> Default users group: ipausers
> >>
> >> How do I put all new users to this ipausers group? If I use
> >> --gidnumber=INT, how to find out the GID of the ipausers group?
>
> It would help to know what version and platform of IPA you are using.
> The method differs by version.
>
> >>
> >> I tried to delete a user using "ipa user-del myname", but the private
> >> group myname is left there. So I did the following:
> >>
> >> # ipa group-del myname
> >> ipa: ERROR: Deleting a managed group is not allowed. It must be
> >> detached first.
> >> # ipa group-detach myname
> >> ipa: ERROR: myname: group not found
> >> # ipa user-add myname
> >> First name: myfirstname
> >> Last name: mylastname
> >> ipa: ERROR: Unable to create private group. A group 'myname' already
> >> exists.
> >>
> >> How do I get out of this loop?
> >
> > What is your platform and 389-ds-base version?
> >
> > I'm not familiar with group-detach, but you can manually detach and
> > remove the private group using ldapsearch and ldapmodify:
> >
> > assuming you have done kinit admin:
> > 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
> > This will give you the DN of the group - ignore any entries in the
> > compat tree
> >
> > 2) ldapmodify -Y GSSAPI <<EOF
> > dn: DN of the group from ldapsearch
> > changetype: modify
> > delete: objectclass
> > objectclass: mepManagedEntry
> > -
> > delete: mepManagedBy
> > -
> >
> > dn: DN of the group from ldapsearch
> > changetype: delete
> > EOF
> >
> > This will remove the private group.
> >>
> >> Thanks,
> >> George
> >>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
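Two passages above turn on LDIF: Rob's migrate-ds test data in the "groups migration" thread, and Rich's ldapsearch/ldapmodify procedure for a dangling user private group, quoted again in the message just above. The following is an added example written for this page, not code from the thread or from the FreeIPA project, and it covers both with one small LDIF reader. For the migration case it flags memberUid values in an RFC2307 export that match no posixAccount uid in the same export; the thread does not settle why Maciej's groups came up empty, so treat this as one pre-check worth running before ipa migrate-ds, not as the diagnosis. For the private-group case it picks the group DN out of an ldapsearch -LLL result while skipping the compat tree, as Rich says to, and builds the LDIF his heredoc feeds to ldapmodify. All sample data is constructed (example.test, user9, cn=myname); only the attribute names and the mepManagedEntry/mepManagedBy detach sequence come from the thread.

```python
"""LDIF helpers for two points raised in this thread.

Added example, not FreeIPA project code. Sample data is constructed
(example.test), not taken from the list posts.
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, continuation
    lines start with a space, attribute names are lower-cased. Base64 (::)
    and URL (:<) values are not handled; the samples here use neither."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # fold continuation onto previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _has_objectclass(entry, name):
    return name in [oc.lower() for oc in entry.get("objectclass", [])]


def unresolved_group_members(export_ldif):
    """Pre-check for `ipa migrate-ds --schema=RFC2307`: for each posixGroup in
    the export, list memberUid values that match no posixAccount uid in the
    same export (such members have no migrated user to point at)."""
    entries = parse_ldif(export_ldif)
    uids = {u for e in entries if _has_objectclass(e, "posixaccount")
            for u in e.get("uid", [])}
    return {e["cn"][0]: [m for m in e.get("memberuid", []) if m not in uids]
            for e in entries if _has_objectclass(e, "posixgroup")}


def pick_group_dn(search_output):
    """From `ldapsearch -LLL -Y GSSAPI cn=myname dn` output, return the one
    group DN outside the compat tree (Rich: ignore entries in the compat tree)."""
    dns = [e["dn"][0] for e in parse_ldif(search_output) if "dn" in e]
    real = [dn for dn in dns if "cn=compat" not in dn.lower()]
    if len(real) != 1:
        raise ValueError(f"expected exactly one non-compat group DN, got {real}")
    return real[0]


def detach_and_delete_ldif(group_dn):
    """The two LDIF records Rich feeds to ldapmodify: drop the managed-entry
    objectclass and its mepManagedBy pointer, then delete the entry."""
    return (f"dn: {group_dn}\nchangetype: modify\n"
            "delete: objectclass\nobjectclass: mepManagedEntry\n-\n"
            "delete: mepManagedBy\n-\n\n"
            f"dn: {group_dn}\nchangetype: delete\n")


# Constructed export in the shape of Rob's test data; user9 is deliberately
# absent, and the description is folded across two lines.
SAMPLE_EXPORT = """\
dn: uid=user1,ou=People,dc=example,dc=test
objectclass: top
objectclass: posixaccount
uid: user1
gidnumber: 10001

dn: uid=user2,ou=People,dc=example,dc=test
objectclass: top
objectclass: posixaccount
uid: user2
gidnumber: 10004

dn: cn=schema,ou=Groups,dc=example,dc=test
objectClass: top
objectClass: posixgroup
cn: schema
gidnumber: 10004
description: People who can manage
  engineer entries
memberUid: user1
memberUid: user2
memberUid: user9
"""

# Constructed ldapsearch -LLL result: the real group plus its compat-tree view.
SAMPLE_SEARCH = """\
dn: cn=myname,cn=groups,cn=accounts,dc=example,dc=test

dn: cn=myname,cn=groups,cn=compat,dc=example,dc=test
"""

if __name__ == "__main__":
    print(unresolved_group_members(SAMPLE_EXPORT))
    print(detach_and_delete_ldif(pick_group_dn(SAMPLE_SEARCH)))
```

The generated LDIF is meant to be reviewed and then piped into ldapmodify -Y GSSAPI exactly as in Rich's step 2; the ValueError in pick_group_dn is deliberate, since a search that returns zero or several non-compat groups is a sign to stop and look rather than delete.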
From george_he7 at yahoo.com Thu Jun 21 20:07:31 2012
From: george_he7 at yahoo.com (george he)
Date: Thu, 21 Jun 2012 13:07:31 -0700 (PDT)
Subject: [Freeipa-users] ipa user-add
In-Reply-To: <4FE37A4B.8090103@redhat.com>
References: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE36B47.2030905@redhat.com> <4FE36DFD.8050702@redhat.com> <1340305818.5219.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE37A4B.8090103@redhat.com>
Message-ID: <1340309251.91897.YahooMailNeo@web120002.mail.ne1.yahoo.com>

Hello Dmitri,

OK, I can accept the good practice of using private groups, then I need to delete the "left over" group.
The instructions in the document failed as stated in my original email.
Any suggestions how to delete the private group whose user has been deleted?

Thanks,
George

>________________________________
> From: Dmitri Pal
> To: freeipa-users at redhat.com
> Sent: Thursday, June 21, 2012 3:47 PM
> Subject: Re: [Freeipa-users] ipa user-add
>
>
> On 06/21/2012 03:10 PM, george he wrote:
>> it's x86_64 2.2.0-1.fc17.
>> Thanks,
>> George
>>
>
> You are looking at the private group feature.
> By default IPA encourages you to take advantage of the user private groups - the groups that have only the current user in them.
> The value of this is that the files on the file system can be owned just by the user. It is a good practice.
> To turn it off there is a utility to turn off the managed entries creation.
>
> Please do not use LDAP directly (at least yet).
>
> There is another feature that allows one to specify criteria for placing users or hosts into groups.
> Users in the past were automatically placed into the ipausers group but not any more for security reasons explained above and for performance reasons as one huge group causes sssd to pull everybody on the first lookup.
>
>>
>>>________________________________
>>> From: Rob Crittenden
>>> To: Rich Megginson
>>> Cc: george he ; "freeipa-users at redhat.com"
>>> Sent: Thursday, June 21, 2012 2:54 PM
>>> Subject: Re: [Freeipa-users] ipa user-add
>>>
>>> Rich Megginson wrote:
>>>> On 06/21/2012 12:25 PM, george he wrote:
>>>>> Hello all,
>>>>>
>>>>> After the server and the client are installed, I run
>>>>>
>>>>> ipa user-add myname
>>>>>
>>>>> to add users. The users are added successfully, but each user gets his
>>>>> own GID, which is the same as his UID, even though "ipa config-show
>>>>> --all" shows
>>>>> Default users group: ipausers
>>>>>
>>>>> How do I put all new users to this ipausers group? If I use
>>>>> --gidnumber=INT, how to find out the GID of the ipausers group?
>>>
>>> It would help to know what version and platform of IPA you are using.
>>> The method differs by version.
>>>
>>>>>
>>>>> I tried to delete a user using "ipa user-del myname", but the private
>>>>> group myname is left there. So I did the following:
>>>>>
>>>>> # ipa group-del myname
>>>>> ipa: ERROR: Deleting a managed group is not allowed. It must be
>>>>> detached first.
>>>>> # ipa group-detach myname
>>>>> ipa: ERROR: myname: group not found
>>>>> # ipa user-add myname
>>>>> First name: myfirstname
>>>>> Last name: mylastname
>>>>> ipa: ERROR: Unable to create private group. A group 'myname' already
>>>>> exists.
>>>>>
>>>>> How do I get out of this loop?
>>>>
>>>> What is your platform and 389-ds-base version?
>>>>
>>>> I'm not familiar with group-detach, but you can manually detach and
>>>> remove the private group using ldapsearch and ldapmodify:
>>>>
>>>> assuming you have done kinit admin:
>>>> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>>>> This will give you the DN of the group - ignore any entries in the
>>>> compat tree
>>>>
>>>> 2) ldapmodify -Y GSSAPI <<EOF
>>>> dn: DN of the group from ldapsearch
>>>> changetype: modify
>>>> delete: objectclass
>>>> objectclass: mepManagedEntry
>>>> -
>>>> delete: mepManagedBy
>>>> -
>>>>
>>>> dn: DN of the group from ldapsearch
>>>> changetype: delete
>>>> EOF
>>>>
>>>> This will remove the private group.
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>
>>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
From rcritten at redhat.com Thu Jun 21 20:23:30 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Jun 2012 16:23:30 -0400
Subject: [Freeipa-users] ipa user-add
In-Reply-To: <1340309251.91897.YahooMailNeo@web120002.mail.ne1.yahoo.com>
References: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE36B47.2030905@redhat.com> <4FE36DFD.8050702@redhat.com> <1340305818.5219.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE37A4B.8090103@redhat.com> <1340309251.91897.YahooMailNeo@web120002.mail.ne1.yahoo.com>
Message-ID: <4FE382C2.9040709@redhat.com>

george he wrote:
> Hello Dmitri,
> OK, I can accept the good practice of using private groups, then I need
> to delete the "left over" group.
> The instructions in the document failed as stated in my original email.
> Any suggestions how to delete the private group whose user has been deleted?

You first should upgrade 389-ds-base. Otherwise I guarantee you'll see this problem again.

Then run the steps Rich provided. There is no ipa command to delete a dangling managed entry because it should never happen.

rob

From george_he7 at yahoo.com Thu Jun 21 20:11:32 2012
From: george_he7 at yahoo.com (george he)
Date: Thu, 21 Jun 2012 13:11:32 -0700 (PDT)
Subject: [Freeipa-users] replica installation clean up
Message-ID: <1340309492.98185.YahooMailNeo@web120002.mail.ne1.yahoo.com>

Hi,

after ipa-replica-install and ipa-replica-install --uninstall, now I get

[root at myreplica ~]# ipa-replica-install --setup-ca /var/lib/ipa/replica-info.gpg
.
.
.
Connection check OK
The host myreplica already exists on the master server.
Depending on your configuration, you may perform the following:

Remove the replication agreement, if any:
    % ipa-replica-manage del myreplica
Remove the host entry:
    % ipa host-del myreplica

If I run this on myreplica:
[root at myreplica ~]# ipa-replica-manage del myreplica
IPA is not configured on this system.
[root at myreplica ~]# ipa host-del myreplica
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Cannot find KDC for requested realm', -1765328230)

If I run this on mymaster:
[root at mymaster ~]# ipa-replica-manage del myreplica
Unable to delete replica myreplica: {'desc': "Can't contact LDAP server"}
[root at mymaster ~]# ipa host-del myreplica
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled

How do I clean up the unsuccessful installation - uninstallation of a replica?

Thanks,
George

From rcritten at redhat.com Thu Jun 21 20:35:10 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Jun 2012 16:35:10 -0400
Subject: [Freeipa-users] replica installation clean up
In-Reply-To: <1340309492.98185.YahooMailNeo@web120002.mail.ne1.yahoo.com>
References: <1340309492.98185.YahooMailNeo@web120002.mail.ne1.yahoo.com>
Message-ID: <4FE3857E.5000008@redhat.com>

george he wrote:
> Hi,
>
> after ipa-replica-install and ipa-replica-install --uninstall, now I get
>
> [root at myreplica ~]# ipa-replica-install --setup-ca
> /var/lib/ipa/replica-info.gpg
> .
> .
> .
> Connection check OK
> The host myreplica already exists on the master server. Depending on
> your configuration, you may perform the following:
>
> Remove the replication agreement, if any:
>     % ipa-replica-manage del myreplica
> Remove the host entry:
>     % ipa host-del myreplica
>
> If I run this on myreplica:
> [root at myreplica ~]# ipa-replica-manage del myreplica
> IPA is not configured on this system.
> [root at myreplica ~]# ipa host-del myreplica
> ipa: ERROR: Kerberos error: ('Unspecified GSS failure.
> Minor code may
> provide more information', 851968)/('Cannot find KDC for requested
> realm', -1765328230)
>
> If I run this on mymaster:
> [root at mymaster ~]# ipa-replica-manage del myreplica
> Unable to delete replica myreplica: {'desc': "Can't contact LDAP server"}
> [root at mymaster ~]# ipa host-del myreplica
> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
> disabled
>
> How do I clean up the unsuccessful installation - uninstallation of a
> replica?

Ideally you remove the agreement before deleting the replica, hence the LDAP error. Add the --force flag:

# ipa-replica-manage del myreplica.fqdn --force

Then you should be able to delete the host entry.

rob

From rmeggins at redhat.com Thu Jun 21 20:35:02 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 21 Jun 2012 14:35:02 -0600
Subject: [Freeipa-users] ipa user-add
In-Reply-To: <1340305818.5219.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE36B47.2030905@redhat.com> <4FE36DFD.8050702@redhat.com> <1340305818.5219.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <4FE38576.9000009@redhat.com>

On 06/21/2012 01:10 PM, george he wrote:
> it's x86_64 2.2.0-1.fc17.

rpm -qi 389-ds-base

> Thanks,
> George
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden
> *To:* Rich Megginson
> *Cc:* george he ; "freeipa-users at redhat.com"
> *Sent:* Thursday, June 21, 2012 2:54 PM
> *Subject:* Re: [Freeipa-users] ipa user-add
>
> Rich Megginson wrote:
> > On 06/21/2012 12:25 PM, george he wrote:
> >> Hello all,
> >>
> >> After the server and the client are installed, I run
> >>
> >> ipa user-add myname
> >>
> >> to add users. The users are added successfully, but each user
> get his
> >> own GID, which is the same as his UID, even though "ipa config-show
> >> --all" shows
> >> Default users group: ipausers
> >>
> >> How do I put all new users to this ipausers group?
> >> If I use
> >> --gidnumber=INT, how to find out the GID of the ipausers group?
>
> It would help to know what version and platform of IPA you are using.
> The method differs by version.
>
> >>
> >> I tried to delete a user using "ipa user-del myname", but the
> private
> >> group myname is left there. So I did the following:
> >>
> >> # ipa group-del myname
> >> ipa: ERROR: Deleting a managed group is not allowed. It must be
> >> detached first.
> >> # ipa group-detach myname
> >> ipa: ERROR: myname: group not found
> >> # ipa user-add myname
> >> First name: myfirstname
> >> Last name: mylastname
> >> ipa: ERROR: Unable to create private group. A group 'myname'
> already
> >> exists.
> >>
> >> How do I get out of this loop?
> >
> > What is your platform and 389-ds-base version?
> >
> > I'm not familiar with group-detach, but you can manually detach and
> > remove the private group using ldapsearch and ldapmodify:
> >
> > assuming you have done kinit admin:
> > 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
> > This will give you the DN of the group - ignore any entries in the
> > compat tree
> >
> > 2) ldapmodify -Y GSSAPI <<EOF
> > dn: DN of the group from ldapsearch
> > changetype: modify
> > delete: objectclass
> > objectclass: mepManagedEntry
> > -
> > delete: mepManagedBy
> > -
> >
> > dn: DN of the group from ldapsearch
> > changetype: delete
> > EOF
> >
> > This will remove the private group.
> >>
> >> Thanks,
> >> George
> >>
From jreg2k at gmail.com Thu Jun 21 21:06:19 2012
From: jreg2k at gmail.com (James James)
Date: Thu, 21 Jun 2012 23:06:19 +0200
Subject: [Freeipa-users] Add attributes to default user schema
Message-ID:

Hi everybody,

Is it possible to have a procedure to add new attributes like mailAlternateAddress in the default user schema ?

Regards

From dpal at redhat.com Thu Jun 21 21:17:18 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 21 Jun 2012 17:17:18 -0400
Subject: [Freeipa-users] Add attributes to default user schema
In-Reply-To:
References:
Message-ID: <4FE38F5E.7040907@redhat.com>

On 06/21/2012 05:06 PM, James James wrote:
> Hi everybody,
>
> Is it possible to have a procedure to add new attributes like
> mailAlternateAddress in the default user schema ?

Any specific reason for this specific attribute?
See some old DS discussion here
http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00205.html
Can you use some other attribute that already exists in the schema for the same purpose?

> Regards

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
From Steven.Jones at vuw.ac.nz Thu Jun 21 21:36:07 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 21 Jun 2012 21:36:07 +0000
Subject: [Freeipa-users] replica installation clean up
In-Reply-To: <4FE3857E.5000008@redhat.com>
References: <1340309492.98185.YahooMailNeo@web120002.mail.ne1.yahoo.com>, <4FE3857E.5000008@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCD3AC5@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Could we get the admin guide updated with such procedures? Because the admin guide really reads more like a multi-coloured man page at times. It's all there (well mostly) but it's a bit of a failure if you don't know you have to do a whole sequence of steps to get where you want to end up.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

8><--------
>
> How do I clean up the unsuccessful installation - uninstallation of a
> replica?

Ideally you remove the agreement before deleting the replica, hence the
LDAP error. Add the --force flag:

# ipa-replica-manage del myreplica.fqdn --force

Then you should be able to delete the host entry.

rob

From sbingram at gmail.com Thu Jun 21 21:44:47 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Thu, 21 Jun 2012 14:44:47 -0700
Subject: [Freeipa-users] Add attributes to default user schema
In-Reply-To:
References:
Message-ID:

On Thu, Jun 21, 2012 at 2:06 PM, James James wrote:
> Hi everybody,
>
> Is it possible to have a procedure to add new attributes like
> mailAlternateAddress in the default user schema ?

That particular attribute is included in the schema
(objectclass=mailRecipient) so it is easy to add using the ipa
user-mod --addattr command. I then followed Adam Young's instructions
to change the interface such that we could view/edit the new attribute
in the UI:

1. Edit the /usr/lib/python2.7/site-packages/ipalib/plugins/user.py to
include the new field
2. Add an entry to /usr/share/ipa/ui/user.js for the new value
3. Don't forget to restart httpd and refresh your browser cache to
pick up the new fields

We needed that instead of using the multi-valued mail attribute
because there are circumstances where we need to differentiate between
the "master" email address and aliases. It's easy to add though and
works great. I certainly wouldn't want to be in the position of adding
lots of attributes not already included in IPA, but a one or two-off
seems pretty reasonable to manage.

I don't know if it's still in the I'm sure *very* future plans for
IPA, but I remember seeing some application (MTA, mail store) support
mentioned at one time. These sorts of attributes might be nice to have
if and when that happens.

Steve

From dpal at redhat.com Thu Jun 21 22:22:55 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 21 Jun 2012 18:22:55 -0400
Subject: [Freeipa-users] Add attributes to default user schema
In-Reply-To:
References:
Message-ID: <4FE39EBF.7080704@redhat.com>

On 06/21/2012 05:44 PM, Stephen Ingram wrote:
> On Thu, Jun 21, 2012 at 2:06 PM, James James wrote:
>> Hi everybody,
>>
>> Is it possible to have a procedure to add new attributes like
>> mailAlternateAddress in the default user schema ?
>
> That particular attribute is included in the schema
> (objectclass=mailRecipient) so it is easy to add using the ipa
> user-mod --addattr command. I then followed Adam Young's instructions
> to change the interface such that we could view/edit the new attribute
> in the UI:
>
> 1. Edit the /usr/lib/python2.7/site-packages/ipalib/plugins/user.py to
> include the new field
> 2. Add an entry to /usr/share/ipa/ui/user.js for the new value
> 3. Don't forget to restart httpd and refresh your browser cache to
> pick up the new fields
>
> We needed that instead of using the multi-valued mail attribute
> because there are circumstances where we need to differentiate between
> the "master" email address and aliases. It's easy to add though and
> works great. I certainly wouldn't want to be in the position of adding
> lots of attributes not already included in IPA, but a one or two-off
> seems pretty reasonable to manage.
>
> I don't know if it's still in the I'm sure *very* future plans for
> IPA, but I remember seeing some application (MTA, mail store) support
> mentioned at one time. These sorts of attributes might be nice to have
> if and when that happens.
>
> Steve

Is there any chance you can submit what you have done in the form of a
ticket with attached patches?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From george_he7 at yahoo.com Fri Jun 22 02:28:28 2012
From: george_he7 at yahoo.com (george he)
Date: Thu, 21 Jun 2012 19:28:28 -0700 (PDT)
Subject: [Freeipa-users] replica installation clean up
In-Reply-To: <4FE3857E.5000008@redhat.com>
References: <1340309492.98185.YahooMailNeo@web120002.mail.ne1.yahoo.com> <4FE3857E.5000008@redhat.com>
Message-ID: <1340332108.47760.YahooMailNeo@web120005.mail.ne1.yahoo.com>

Hello,

I used --force to delete myreplica from mymaster. And then run ipa-replica-install on the myreplica again.
This time everything seems ok until it comes to the end:

Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the web server
creation of replica failed: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
And this is the error message at the end of /var/log/ipareplica-install.log:

2012-06-22T02:02:01Z DEBUG stderr=Job failed. See system journal and 'systemctl status' for details.

2012-06-22T02:02:01Z DEBUG Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
  File "/sbin/ipa-replica-install", line 494, in
    main()
  File "/sbin/ipa-replica-install", line 488, in main
    ipaservices.knownservices.ipa.enable()
  File "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line 101, in enable
    self.restart(instance_name)
  File "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line 85, in restart
    ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 304, in run
    raise CalledProcessError(p.returncode, args)

Should I run ipa-server-install --uninstall on myreplica now?

Thanks,
George

>________________________________
> From: Rob Crittenden
>To: george he
>Cc: "freeipa-users at redhat.com"
>Sent: Thursday, June 21, 2012 4:35 PM
>Subject: Re: [Freeipa-users] replica installation clean up
>
>george he wrote:
>> Hi,
>>
>> after ipa-replica-install and ipa-replica-install --uninstall, now I get
>>
>> [root at myreplica ~]# ipa-replica-install --setup-ca
>> /var/lib/ipa/replica-info.gpg
>> .
>> .
>> .
>> Connection check OK
>> The host myreplica already exists on the master server. Depending on
>> your configuration, you may perform the following:
>>
>> Remove the replication agreement, if any:
>> % ipa-replica-manage del myreplica
>> Remove the host entry:
>> % ipa host-del myreplica
>>
>> If I run this on myreplica:
>> [root at myreplica ~]# ipa-replica-manage del myreplica
>> IPA is not configured on this system.
>> [root at myreplica ~]# ipa host-del myreplica
>> ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may
>> provide more information', 851968)/('Cannot find KDC for requested
>> realm', -1765328230)
>>
>> If I run this on mymaster:
>> [root at mymaster ~]# ipa-replica-manage del myreplica
>> Unable to delete replica myreplica: {'desc': "Can't contact LDAP server"}
>> [root at mymaster ~]# ipa host-del myreplica
>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>> disabled
>>
>> How do I clean up the unsuccessful installation - uninstallation of a
>> replica?
>
>Ideally you remove the agreement before deleting the replica, hence the
>LDAP error. Add the --force flag:
>
># ipa-replica-manage del myreplica.fqdn --force
>
>Then you should be able to delete the host entry.
>
>rob

From george_he7 at yahoo.com Fri Jun 22 03:11:17 2012
From: george_he7 at yahoo.com (george he)
Date: Thu, 21 Jun 2012 20:11:17 -0700 (PDT)
Subject: [Freeipa-users] ipa user-add
In-Reply-To: <4FE36B47.2030905@redhat.com>
References: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE36B47.2030905@redhat.com>
Message-ID: <1340334677.64031.YahooMailNeo@web120006.mail.ne1.yahoo.com>

Hello Rich,
Thanks for the help. This does remove the group so I can add the user back.
But when I try to ssh, as that user, to the machines that the user logged on before "ipa user-del", I get "permission denied".
I removed the user's home directory because it still belongs to the deleted UID:GID. After that I still get "permission denied".
Any suggestions?

Thanks again,
George

>________________________________
> From: Rich Megginson
>To: george he
>Cc: "freeipa-users at redhat.com"
>Sent: Thursday, June 21, 2012 2:43 PM
>Subject: Re: [Freeipa-users] ipa user-add
>
>
>On 06/21/2012 12:25 PM, george he wrote:
>>Hello all,
>>
>>After the server and the client are installed, I run
>>
>>ipa user-add myname
>>
>>to add users. The users are added successfully, but each user gets his own GID, which is the same as his UID, even though "ipa config-show --all" shows
>>
>>  Default users group: ipausers
>>
>>How do I put all new users to this ipausers group? If I use --gidnumber=INT, how to find out the GID of the ipausers group?
>>
>>I tried to delete a user using "ipa user-del myname", but the private group myname is left there. So I did the following:
>>
>># ipa group-del myname
>>ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
>># ipa group-detach myname
>>ipa: ERROR: myname: group not found
>>
>># ipa user-add myname
>>First name: myfirstname
>>Last name: mylastname
>>ipa: ERROR: Unable to create private group. A group 'myname' already exists.
>>
>>How do I get out of this loop?
>
>What is your platform and 389-ds-base version?
>
>I'm not familiar with group-detach, but you can manually detach and remove the private group using ldapsearch and ldapmodify:
>
>assuming you have done kinit admin:
>1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>This will give you the DN of the group - ignore any entries in the compat tree
>
>2) ldapmodify -Y GSSAPI <<EOF
>dn: DN of the group from ldapsearch
>changetype: modify
>delete: objectclass
>objectclass: mepManagedEntry
>-
>delete: mepManagedBy
>-
>
>dn: DN of the group from ldapsearch
>changetype: delete
>EOF
>
>This will remove the private group.
>
>>
>>Thanks,
>>George
From sbingram at gmail.com Fri Jun 22 05:57:53 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Thu, 21 Jun 2012 22:57:53 -0700
Subject: [Freeipa-users] Add attributes to default user schema
In-Reply-To: <4FE39EBF.7080704@redhat.com>
References: <4FE39EBF.7080704@redhat.com>
Message-ID:

On Thu, Jun 21, 2012 at 3:22 PM, Dmitri Pal wrote:
> On 06/21/2012 05:44 PM, Stephen Ingram wrote:
>> On Thu, Jun 21, 2012 at 2:06 PM, James James wrote:
>>> Hi everybody,
>>>
>>> Is it possible to have a procedure to add new attributes like
>>> mailAlternateAddress in the default user schema ?
>>
>> That particular attribute is included in the schema
>> (objectclass=mailRecipient) so it is easy to add using the ipa
>> user-mod --addattr command. I then followed Adam Young's instructions
>> to change the interface such that we could view/edit the new attribute
>> in the UI:
>>
>> 1. Edit the /usr/lib/python2.7/site-packages/ipalib/plugins/user.py to
>> include the new field
>> 2. Add an entry to /usr/share/ipa/ui/user.js for the new value
>> 3. Don't forget to restart httpd and refresh your browser cache to
>> pick up the new fields
>>
>> We needed that instead of using the multi-valued mail attribute
>> because there are circumstances where we need to differentiate between
>> the "master" email address and aliases. It's easy to add though and
>> works great. I certainly wouldn't want to be in the position of adding
>> lots of attributes not already included in IPA, but a one or two-off
>> seems pretty reasonable to manage.
>>
>> I don't know if it's still in the I'm sure *very* future plans for
>> IPA, but I remember seeing some application (MTA, mail store) support
>> mentioned at one time. These sorts of attributes might be nice to have
>> if and when that happens.
>>
>> Steve
> Is there any chance you can submit what you have done in the form of a
> ticket with attached patches?

As I have not upgraded to 2.2 yet, I had to patch against 2.1.4. Ticket is 2863.
Steve

From dpal at redhat.com Fri Jun 22 13:25:05 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 22 Jun 2012 09:25:05 -0400
Subject: [Freeipa-users] Add attributes to default user schema
In-Reply-To:
References: <4FE39EBF.7080704@redhat.com>
Message-ID: <4FE47231.20503@redhat.com>

On 06/22/2012 01:57 AM, Stephen Ingram wrote:
> On Thu, Jun 21, 2012 at 3:22 PM, Dmitri Pal wrote:
>> On 06/21/2012 05:44 PM, Stephen Ingram wrote:
>>> On Thu, Jun 21, 2012 at 2:06 PM, James James wrote:
>>>> Hi everybody,
>>>>
>>>> Is it possible to have a procedure to add new attributes like
>>>> mailAlternateAddress in the default user schema ?
>>> That particular attribute is included in the schema
>>> (objectclass=mailRecipient) so it is easy to add using the ipa
>>> user-mod --addattr command. I then followed Adam Young's instructions
>>> to change the interface such that we could view/edit the new attribute
>>> in the UI:
>>>
>>> 1. Edit the /usr/lib/python2.7/site-packages/ipalib/plugins/user.py to
>>> include the new field
>>> 2. Add an entry to /usr/share/ipa/ui/user.js for the new value
>>> 3. Don't forget to restart httpd and refresh your browser cache to
>>> pick up the new fields
>>>
>>> We needed that instead of using the multi-valued mail attribute
>>> because there are circumstances where we need to differentiate between
>>> the "master" email address and aliases. It's easy to add though and
>>> works great. I certainly wouldn't want to be in the position of adding
>>> lots of attributes not already included in IPA, but a one or two-off
>>> seems pretty reasonable to manage.
>>>
>>> I don't know if it's still in the I'm sure *very* future plans for
>>> IPA, but I remember seeing some application (MTA, mail store) support
>>> mentioned at one time. These sorts of attributes might be nice to have
>>> if and when that happens.
>>>
>>> Steve
>> Is there any chance you can submit what you have done in the form of a
>> ticket with attached patches?
> As I have not upgraded to 2.2 yet, I had to patch against 2.1.4. Ticket is 2863.
>
> Steve

Thank you for the ticket.
I think it would be OK to attach existing patch anyways for now.
What are your plans regarding upgrading to 2.2 and rebasing the patches?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From rmeggins at redhat.com Fri Jun 22 13:34:31 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 22 Jun 2012 07:34:31 -0600
Subject: [Freeipa-users] ipa user-add
In-Reply-To: <1340334677.64031.YahooMailNeo@web120006.mail.ne1.yahoo.com>
References: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE36B47.2030905@redhat.com> <1340334677.64031.YahooMailNeo@web120006.mail.ne1.yahoo.com>
Message-ID: <4FE47467.8050700@redhat.com>

On 06/21/2012 09:11 PM, george he wrote:
> Hello Rich,
> Thanks for the help. This does remove the group so I can add the user
> back.
> But when I try to ssh, as that user, to the machines that the user
> logged on before "ipa user-del", I get "permission denied".
> I removed the user's home directory because it still belongs to the
> deleted UID:GID. After that I still get "permission denied".
> Any suggestions?

I don't know. I just wanted to make sure you were using 389-ds-base-1.2.11.5 or .6 or later on F-17 to avoid this "dangling" private group in the future.

> Thanks again,
> George
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson
> *To:* george he
> *Cc:* "freeipa-users at redhat.com"
> *Sent:* Thursday, June 21, 2012 2:43 PM
> *Subject:* Re: [Freeipa-users] ipa user-add
>
> On 06/21/2012 12:25 PM, george he wrote:
>> Hello all,
>>
>> After the server and the client are installed, I run
>>
>> ipa user-add myname
>>
>> to add users. The users are added successfully, but each user gets
>> his own GID, which is the same as his UID, even though "ipa
>> config-show --all" shows
>> Default users group: ipausers
>>
>> How do I put all new users to this ipausers group? If I use
>> --gidnumber=INT, how to find out the GID of the ipausers group?
>>
>> I tried to delete a user using "ipa user-del myname", but the
>> private group myname is left there. So I did the following:
>>
>> # ipa group-del myname
>> ipa: ERROR: Deleting a managed group is not allowed. It must be
>> detached first.
>> # ipa group-detach myname
>> ipa: ERROR: myname: group not found
>> # ipa user-add myname
>> First name: myfirstname
>> Last name: mylastname
>> ipa: ERROR: Unable to create private group. A group 'myname'
>> already exists.
>>
>> How do I get out of this loop?
>
> What is your platform and 389-ds-base version?
>
> I'm not familiar with group-detach, but you can manually detach
> and remove the private group using ldapsearch and ldapmodify:
>
> assuming you have done kinit admin:
> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
> This will give you the DN of the group - ignore any entries in the
> compat tree
>
> 2) ldapmodify -Y GSSAPI <<EOF
> dn: DN of the group from ldapsearch
> changetype: modify
> delete: objectclass
> objectclass: mepManagedEntry
> -
> delete: mepManagedBy
> -
>
> dn: DN of the group from ldapsearch
> changetype: delete
> EOF
>
> This will remove the private group.
>>
>> Thanks,
>> George
From dpal at redhat.com Fri Jun 22 13:43:56 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 22 Jun 2012 09:43:56 -0400
Subject: [Freeipa-users] ipa user-add
In-Reply-To: <4FE47467.8050700@redhat.com>
References: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE36B47.2030905@redhat.com> <1340334677.64031.YahooMailNeo@web120006.mail.ne1.yahoo.com> <4FE47467.8050700@redhat.com>
Message-ID: <4FE4769C.1070205@redhat.com>

On 06/22/2012 09:34 AM, Rich Megginson wrote:
> On 06/21/2012 09:11 PM, george he wrote:
>> Hello Rich,
>> Thanks for the help. This does remove the group so I can add the user
>> back.
>> But when I try to ssh, as that user, to the machines that the user
>> logged on before "ipa user-del", I get "permission denied".
>> I removed the user's home directory because it still belongs to the
>> deleted UID:GID. After that I still get "permission denied".
>> Any suggestions?
>
> I don't know. I just wanted to make sure you were using
> 389-ds-base-1.2.11.5 or .6 or later on F-17 to avoid this "dangling"
> private group in the future.
>

Maybe there will be some other file on the system owned by the deleted user that ssh tries to read?

>
>> Thanks again,
>> George
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson
>> *To:* george he
>> *Cc:* "freeipa-users at redhat.com"
>> *Sent:* Thursday, June 21, 2012 2:43 PM
>> *Subject:* Re: [Freeipa-users] ipa user-add
>>
>> On 06/21/2012 12:25 PM, george he wrote:
>>> Hello all,
>>>
>>> After the server and the client are installed, I run
>>>
>>> ipa user-add myname
>>>
>>> to add users. The users are added successfully, but each user
>>> gets his own GID, which is the same as his UID, even though "ipa
>>> config-show --all" shows
>>> Default users group: ipausers
>>>
>>> How do I put all new users to this ipausers group? If I use
>>> --gidnumber=INT, how to find out the GID of the ipausers group?
>>>
>>> I tried to delete a user using "ipa user-del myname", but the
>>> private group myname is left there. So I did the following:
>>>
>>> # ipa group-del myname
>>> ipa: ERROR: Deleting a managed group is not allowed. It must be
>>> detached first.
>>> # ipa group-detach myname
>>> ipa: ERROR: myname: group not found
>>> # ipa user-add myname
>>> First name: myfirstname
>>> Last name: mylastname
>>> ipa: ERROR: Unable to create private group. A group 'myname'
>>> already exists.
>>>
>>> How do I get out of this loop?
>>
>> What is your platform and 389-ds-base version?
>>
>> I'm not familiar with group-detach, but you can manually detach
>> and remove the private group using ldapsearch and ldapmodify:
>>
>> assuming you have done kinit admin:
>> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>> This will give you the DN of the group - ignore any entries in
>> the compat tree
>>
>> 2) ldapmodify -Y GSSAPI <<EOF
>> dn: DN of the group from ldapsearch
>> changetype: modify
>> delete: objectclass
>> objectclass: mepManagedEntry
>> -
>> delete: mepManagedBy
>> -
>>
>> dn: DN of the group from ldapsearch
>> changetype: delete
>> EOF
>>
>> This will remove the private group.
>>>
>>> Thanks,
>>> George

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
From rcritten at redhat.com Fri Jun 22 13:51:12 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Jun 2012 09:51:12 -0400
Subject: [Freeipa-users] ipa user-add
In-Reply-To: <4FE47467.8050700@redhat.com>
References: <1340303117.51986.YahooMailNeo@web120005.mail.ne1.yahoo.com> <4FE36B47.2030905@redhat.com> <1340334677.64031.YahooMailNeo@web120006.mail.ne1.yahoo.com> <4FE47467.8050700@redhat.com>
Message-ID: <4FE47850.1020901@redhat.com>

Rich Megginson wrote:
> On 06/21/2012 09:11 PM, george he wrote:
>> Hello Rich,
>> Thanks for the help. This does remove the group so I can add the user
>> back.
>> But when I try to ssh, as that user, to the machines that the user
>> logged on before "ipa user-del", I get "permission denied".
>> I removed the user's home directory because it still belongs to the
>> deleted UID:GID. After that I still get "permission denied".
>> Any suggestions?
>
> I don't know. I just wanted to make sure you were using
> 389-ds-base-1.2.11.5 or .6 or later on F-17 to avoid this "dangling"
> private group in the future.

I'd check to see what /var/log/secure has to say.

rob

From sbingram at gmail.com Fri Jun 22 16:28:01 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Fri, 22 Jun 2012 09:28:01 -0700
Subject: [Freeipa-users] Add attributes to default user schema
In-Reply-To: <4FE47231.20503@redhat.com>
References: <4FE39EBF.7080704@redhat.com> <4FE47231.20503@redhat.com>
Message-ID:

On Fri, Jun 22, 2012 at 6:25 AM, Dmitri Pal wrote:
> On 06/22/2012 01:57 AM, Stephen Ingram wrote:
>> On Thu, Jun 21, 2012 at 3:22 PM, Dmitri Pal wrote:
>>> On 06/21/2012 05:44 PM, Stephen Ingram wrote:
>>>> On Thu, Jun 21, 2012 at 2:06 PM, James James wrote:
>>>>> Hi everybody,
>>>>>
>>>>> Is it possible to have a procedure to add new attributes like
>>>>> mailAlternateAddress in the default user schema ?
>>>> That particular attribute is included in the schema
>>>> (objectclass=mailRecipient) so it is easy to add using the ipa
>>>> user-mod --addattr command. I then followed Adam Young's instructions
>>>> to change the interface such that we could view/edit the new attribute
>>>> in the UI:
>>>>
>>>> 1. Edit the /usr/lib/python2.7/site-packages/ipalib/plugins/user.py to
>>>> include the new field
>>>> 2. Add an entry to /usr/share/ipa/ui/user.js for the new value
>>>> 3. Don't forget to restart httpd and refresh your browser cache to
>>>> pick up the new fields
>>>>
>>>> We needed that instead of using the multi-valued mail attribute
>>>> because there are circumstances where we need to differentiate between
>>>> the "master" email address and aliases. It's easy to add though and
>>>> works great. I certainly wouldn't want to be in the position of adding
>>>> lots of attributes not already included in IPA, but a one or two-off
>>>> seems pretty reasonable to manage.
>>>>
>>>> I don't know if it's still in the I'm sure *very* future plans for
>>>> IPA, but I remember seeing some application (MTA, mail store) support
>>>> mentioned at one time. These sorts of attributes might be nice to have
>>>> if and when that happens.
>>>>
>>>> Steve
>>> Is there any chance you can submit what you have done in the form of a
>>> ticket with attached patches?
>> As I have not upgraded to 2.2 yet, I had to patch against 2.1.4. Ticket is 2863.
>>
>> Steve
> Thank you for the ticket.
> I think it would be OK to attach existing patch anyways for now.
> What are your plans regarding upgrading to 2.2 and rebasing the patches?

I see that RHEL 6.3 was released yesterday so we will start testing
2.2 soon. Once we upgrade, I'll rebase patches to 2.2 and attach to
existing ticket. Is this something that might be included at some
point?
Steve

From dpal at redhat.com Fri Jun 22 17:53:46 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 22 Jun 2012 13:53:46 -0400
Subject: [Freeipa-users] Add attributes to default user schema
In-Reply-To:
References: <4FE39EBF.7080704@redhat.com> <4FE47231.20503@redhat.com>
Message-ID: <4FE4B12A.5070002@redhat.com>

On 06/22/2012 12:28 PM, Stephen Ingram wrote:
> On Fri, Jun 22, 2012 at 6:25 AM, Dmitri Pal wrote:
>> On 06/22/2012 01:57 AM, Stephen Ingram wrote:
>>> On Thu, Jun 21, 2012 at 3:22 PM, Dmitri Pal wrote:
>>>> On 06/21/2012 05:44 PM, Stephen Ingram wrote:
>>>>> On Thu, Jun 21, 2012 at 2:06 PM, James James wrote:
>>>>>> Hi everybody,
>>>>>>
>>>>>> Is it possible to have a procedure to add new attributes like
>>>>>> mailAlternateAddress in the default user schema ?
>>>>> That particular attribute is included in the schema
>>>>> (objectclass=mailRecipient) so it is easy to add using the ipa
>>>>> user-mod --addattr command. I then followed Adam Young's instructions
>>>>> to change the interface such that we could view/edit the new attribute
>>>>> in the UI:
>>>>>
>>>>> 1. Edit the /usr/lib/python2.7/site-packages/ipalib/plugins/user.py to
>>>>> include the new field
>>>>> 2. Add an entry to /usr/share/ipa/ui/user.js for the new value
>>>>> 3. Don't forget to restart httpd and refresh your browser cache to
>>>>> pick up the new fields
>>>>>
>>>>> We needed that instead of using the multi-valued mail attribute
>>>>> because there are circumstances where we need to differentiate between
>>>>> the "master" email address and aliases. It's easy to add though and
>>>>> works great. I certainly wouldn't want to be in the position of adding
>>>>> lots of attributes not already included in IPA, but a one or two-off
>>>>> seems pretty reasonable to manage.
>>>>>
>>>>> I don't know if it's still in the I'm sure *very* future plans for
>>>>> IPA, but I remember seeing some application (MTA, mail store) support
>>>>> mentioned at one time. These sorts of attributes might be nice to have
>>>>> if and when that happens.
>>>>>
>>>>> Steve
>>>> Is there any chance you can submit what you have done in the form of a
>>>> ticket with attached patches?
>>> As I have not upgraded to 2.2 yet, I had to patch against 2.1.4. Ticket is 2863.
>>>
>>> Steve
>> Thank you for the ticket.
>> I think it would be OK to attach existing patch anyways for now.
>> What are your plans regarding upgrading to 2.2 and rebasing the patches?
> I see that RHEL 6.3 was released yesterday so we will start testing
> 2.2 soon. Once we upgrade, I'll rebase patches to 2.2 and attach to
> existing ticket. Is this something that might be included at some
> point?
>
> Steve

In general yes, but the devil is in the details.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From george_he7 at yahoo.com Fri Jun 22 18:46:01 2012
From: george_he7 at yahoo.com (george he)
Date: Fri, 22 Jun 2012 11:46:01 -0700 (PDT)
Subject: [Freeipa-users] replica installation clean up
In-Reply-To: <1340332108.47760.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1340309492.98185.YahooMailNeo@web120002.mail.ne1.yahoo.com> <4FE3857E.5000008@redhat.com> <1340332108.47760.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <1340390761.65178.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hello,

Since I didn't get any reply on this, I just went ahead and did
/ipa-server-install --uninstall
to clean up and did
ipa-replica-manage del myreplica --force
on mymaster
After these I did ipa-replica-install again but this time I get

ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpExxi0H -x -D cn=Directory Manager -y /tmp/tmpa12oUA' returned non-zero exit status 1

Any suggestions on this?
Thanks,
George

>________________________________
> From: george he
>To: Rob Crittenden
>Cc: "freeipa-users at redhat.com"
>Sent: Thursday, June 21, 2012 10:28 PM
>Subject: Re: [Freeipa-users] replica installation clean up
>
>
>Hello,
>
>I used --force to delete myreplica from mymaster. And then run ipa-replica-install on the myreplica again.
>This time everything seems ok until it comes to the end:
>
>Applying LDAP updates
>Restarting the directory server
>Restarting the KDC
>Restarting the web server
>creation of replica failed: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
>
>Your system may be partly configured.
>Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
>And this is the error message at the end of /var/log/ipareplica-install.log:
>
>2012-06-22T02:02:01Z DEBUG stderr=Job failed. See system journal and 'systemctl status' for details.
>
>2012-06-22T02:02:01Z DEBUG Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
>  File "/sbin/ipa-replica-install", line 494, in
>    main()
>
>  File "/sbin/ipa-replica-install", line 488, in main
>    ipaservices.knownservices.ipa.enable()
>
>  File "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line 101, in enable
>    self.restart(instance_name)
>
>  File "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line 85, in restart
>    ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output)
>
>  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 304, in run
>    raise CalledProcessError(p.returncode, args)
>
>Should I run ipa-server-install --uninstall on myreplica now?
> > >Thanks, >George > > > > >>________________________________ >> From: Rob Crittenden >>To: george he >>Cc: "freeipa-users at redhat.com" >>Sent: Thursday, June 21, 2012 4:35 PM >>Subject: Re: [Freeipa-users] replica installation clean up >> >>george he wrote: >>> Hi, >>> >>> after ipa-replica-install and ipa-replica-install --uninstall, now I get >>> >>> [root at myreplica ~]# ipa-replica-install --setup-ca >>> /var/lib/ipa/replica-info.gpg >>> . >>> . >>> . >>> Connection check OK >>> The host myreplica already exists on the master server. Depending on >>> your configuration, you may perform the following: >>> >>> Remove the replication agreement, if any: >>> % ipa-replica-manage del myreplica >>> Remove the host entry: >>> % ipa host-del myreplica >>> >>> If I run this on myreplica: >>> [root at myreplica ~]# ipa-replica-manage del myreplica >>> IPA is not configured on this system. >>> [root at myreplica ~]# ipa host-del myreplica >>> ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may >>> provide more information', 851968)/('Cannot find KDC for requested >>> realm', -1765328230) >>> >>> If I un this on mymaster: >>> [root at mymaster ~]# ipa-replica-manage del myreplica >>> Unable to delete replica myreplica: {'desc': "Can't contact LDAP server"} >>> [root at mymaster ~]# ipa host-del myreplica >>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or >>> disabled >>> >>> How do I clean up the unsuccessful installation - uninstallation of a >>> replica? >> >>Ideally you remove the agreement before deleting the replica, hence the >>LDAP error. Add the --force flag: >> >># ipa-replica-manage del myreplica.fqdn --force >> >>Then you should be able to delete the host entry. 
>> >>rob >> >> >> >> >_______________________________________________ >Freeipa-users mailing list >Freeipa-users at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri Jun 22 20:23:50 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Jun 2012 16:23:50 -0400 Subject: [Freeipa-users] replica installation clean up In-Reply-To: <1340390761.65178.YahooMailNeo@web120003.mail.ne1.yahoo.com> References: <1340309492.98185.YahooMailNeo@web120002.mail.ne1.yahoo.com> <4FE3857E.5000008@redhat.com> <1340332108.47760.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1340390761.65178.YahooMailNeo@web120003.mail.ne1.yahoo.com> Message-ID: <4FE4D456.6050409@redhat.com> george he wrote: > Hello, > > Since I didn't get any reply on this, I just went ahead and did > /ipa-server-install --uninstall > to clean up and did > ipa-replica-manage del myreplica --force > on mymaster > After these I did ipa-replica-install again but this time I get > > ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command > '/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpExxi0H -x -D > cn=Directory Manager -y /tmp/tmpa12oUA' returned non-zero exit status 1 > > Any suggestions on this? It depends on why it failed. When there is an installation error I recommend you start by looking at /var/log/ipa-server-install.log or /var/log/ipareplica-install.log as needed. This error would suggest that something was not removed from LDAP when the last replica was deleted. This may ok. You'll need to use ldapsearch to verify that cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX and dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX has a memberPrincipal for the service principal of your replica. 
something like: ldapsearch -LLL -x -b cn=s4u2proxy,cn=etc,dc=example,d=com rob From rcritten at redhat.com Fri Jun 22 20:37:08 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Jun 2012 16:37:08 -0400 Subject: [Freeipa-users] Add attributes to default user schema In-Reply-To: <4FE4B12A.5070002@redhat.com> References: <4FE39EBF.7080704@redhat.com> <4FE47231.20503@redhat.com> <4FE4B12A.5070002@redhat.com> Message-ID: <4FE4D774.7010102@redhat.com> Dmitri Pal wrote: > On 06/22/2012 12:28 PM, Stephen Ingram wrote: >> On Fri, Jun 22, 2012 at 6:25 AM, Dmitri Pal wrote: >>> On 06/22/2012 01:57 AM, Stephen Ingram wrote: >>>> On Thu, Jun 21, 2012 at 3:22 PM, Dmitri Pal wrote: >>>>> On 06/21/2012 05:44 PM, Stephen Ingram wrote: >>>>>> On Thu, Jun 21, 2012 at 2:06 PM, James James wrote: >>>>>>> Hi everybody, >>>>>>> >>>>>>> Is it possible to have a procedure to add new attributes like >>>>>>> mailAlternateAddress in the default user schema ? >>>>>> That particular attribute is included in the schema >>>>>> (objectclass=mailRecipient) so it is easy to add using the ipa >>>>>> user-mod --addattr command. I then followed Adam Young's instructions >>>>>> to change the interface such that we could view/edit the new attribute >>>>>> in the UI: >>>>>> >>>>>> 1. Edit the /usr/lib/python2.7/site-packages/ipalib/plugins/user.py to >>>>>> include the new field >>>>>> 2. Add an entry to /usr/share/ipa/ui/user.js for the new value >>>>>> 3. Don't forget to restart httpd and refresh your browser cache to >>>>>> pick up the new fields >>>>>> >>>>>> We needed that instead of using the multi-valued mail attribute >>>>>> because there are circumstances where we need to differentiate between >>>>>> the "master" email address and aliases. It's easy to add though and >>>>>> works great. I certainly wouldn't want to be in the position of adding >>>>>> lots of attributes not already included in IPA, but a one or two-off >>>>>> seems pretty reasonable to manage. 
>>>>>>
>>>>>> I don't know if it's still in the I'm sure *very* future plans for
>>>>>> IPA, but I remember seeing some application (MTA, mail store) support
>>>>>> mentioned at one time. These sorts of attributes might be nice to have
>>>>>> if and when that happens.
>>>>>>
>>>>>> Steve
>>>>> Is there any chance you can submit what you have done in the form of a
>>>>> ticket with attached patches?
>>>> As I have not upgraded to 2.2 yet, I had to patch against 2.1.4. Ticket is 2863.
>>>>
>>>> Steve
>>> Thank you for the ticket.
>>> I think it would be OK to attach existing patch anyways for now.
>>> What are your plans regarding upgrading to 2.2 and rebasing the patches?
>> I see that RHEL 6.3 was released yesterday so we will start testing
>> 2.2 soon. Once we upgrade, I'll rebase patches to 2.2 and attach to
>> existing ticket. Is this something that might be included at some
>> point?
>>
>> Steve
> In general yes, but devil is in details.
>

It should be pretty straightforward to rebase these.

I wonder about the objectclass. It would also be possible to add it
on-the-fly by adding a bit of code to the pre_callback() of user_mod and
user_add.

The basic idea would be:

    user_add::pre_callback()

        if 'mailalternateaddress' in entry_attrs:
            # concatenate rather than append(): list.append() returns None
            entry_attrs['objectclass'] = list(set(entry_attrs['objectclass'] + ['mailRecipient']))

I do the list/set bit in case anyone adds mailRecipient to the default list :-)

Something similar in user_mod, there is similar code to do this for
'ipasshpubkey'. Might be worthwhile to make this into its own function.

rob

From jreg2k at gmail.com Sat Jun 23 08:11:42 2012
From: jreg2k at gmail.com (James James)
Date: Sat, 23 Jun 2012 10:11:42 +0200
Subject: [Freeipa-users] Add attributes to default user schema
In-Reply-To:
References:
Message-ID:

Hi,

I have just followed Stephen's help and I was able to add the
mailAlternateAddress to the ipa default user schema. I don't know if this
is the better way to do this, btw it works great.
Thanks again guys.

2012/6/21 Stephen Ingram
> On Thu, Jun 21, 2012 at 2:06 PM, James James wrote:
> > Hi everybody,
> >
> > Is it possible to have a procedure to add new attributes like
> > mailAlternateAddress in the default user schema ?
>
> That particular attribute is included in the schema
> (objectclass=mailRecipient) so it is easy to add using the ipa
> user-mod --addattr command. I then followed Adam Young's instructions
> to change the interface such that we could view/edit the new attribute
> in the UI:
>
> 1. Edit the /usr/lib/python2.7/site-packages/ipalib/plugins/user.py to
> include the new field
> 2. Add an entry to /usr/share/ipa/ui/user.js for the new value
> 3. Don't forget to restart httpd and refresh your browser cache to
> pick up the new fields
>
> We needed that instead of using the multi-valued mail attribute
> because there are circumstances where we need to differentiate between
> the "master" email address and aliases. It's easy to add though and
> works great. I certainly wouldn't want to be in the position of adding
> lots of attributes not already included in IPA, but a one or two-off
> seems pretty reasonable to manage.
>
> I don't know if it's still in the I'm sure *very* future plans for
> IPA, but I remember seeing some application (MTA, mail store) support
> mentioned at one time. These sorts of attributes might be nice to have
> if and when that happens.
>
> Steve
>
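Rob's pre_callback() sketch above, written out as an added stand-alone example (not FreeIPA's own code and independent of the ipalib plugin API): entry_attrs is modelled as the dict-of-lists an LDAP entry looks like inside a callback, the objectclass comparison is case-insensitive as LDAP requires, and the user_mod variant merges with the entry's current objectclasses, which the caller is assumed to have read from the directory; the function names and the REQUIRED_OBJECTCLASS mapping are this example's own.

```python
"""On-the-fly objectclass handling for a user entry, in the spirit of
Rob's pre_callback() sketch.  Added example; not FreeIPA code.

entry_attrs is modelled as the dict-of-lists an LDAP entry looks like
inside a plugin callback.  LDAP attribute and objectclass names are
case-insensitive, so every comparison here ignores case.
"""

# Constructed mapping: attribute -> auxiliary objectclass that defines it.
# mailRecipient is the one discussed in the thread; extend as needed.
REQUIRED_OBJECTCLASS = {
    'mailalternateaddress': 'mailRecipient',
}


def _find_key(entry_attrs, name):
    """Return the key of entry_attrs that equals name case-insensitively."""
    name = name.lower()
    for key in entry_attrs:
        if key.lower() == name:
            return key
    return None


def ensure_objectclasses(entry_attrs, required=None):
    """user_add variant: entry_attrs carries the complete new entry.

    For each attribute in `required` that is present with a value, make
    sure the defining objectclass is listed.  Existing values keep their
    order and spelling; nothing is added twice.  Returns the objectclasses
    that were added (an empty list when the entry was already fine).
    """
    if required is None:
        required = REQUIRED_OBJECTCLASS
    oc_key = _find_key(entry_attrs, 'objectclass')
    if oc_key is None:
        oc_key = 'objectclass'
        entry_attrs[oc_key] = []
    present = {oc.lower() for oc in entry_attrs[oc_key]}
    added = []
    for attr, oc in required.items():
        attr_key = _find_key(entry_attrs, attr)
        # Absent, or being cleared by a modify (None / empty list):
        # no objectclass is needed for it.
        if attr_key is None or not entry_attrs[attr_key]:
            continue
        if oc.lower() not in present:
            entry_attrs[oc_key].append(oc)
            present.add(oc.lower())
            added.append(oc)
    return added


def ensure_objectclasses_for_mod(entry_attrs, current_objectclasses, required=None):
    """user_mod variant: a modify carries only the changed attributes, so the
    entry's current objectclass values (read from the directory by the
    caller) are passed in.  'objectclass' is written into entry_attrs only
    when something has to be added, so unrelated modifies stay untouched.
    """
    merged = list(current_objectclasses)
    probe = {k: v for k, v in entry_attrs.items() if k.lower() != 'objectclass'}
    probe['objectclass'] = merged
    added = ensure_objectclasses(probe, required)
    if added:
        entry_attrs['objectclass'] = merged
    return added


if __name__ == '__main__':
    # Constructed entry as user_add would see it; not a real directory record.
    new_user = {
        'uid': ['bigbob'],
        'objectclass': ['top', 'person', 'inetorgperson', 'posixaccount'],
        'mailalternateaddress': ['bob@example.com'],
    }
    print(ensure_objectclasses(new_user), new_user['objectclass'])
    # Constructed modify that only sets the attribute.
    change = {'mailalternateaddress': ['robert@example.com']}
    print(ensure_objectclasses_for_mod(change, ['top', 'person']), change)
```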
From sbingram at gmail.com Sat Jun 23 17:54:57 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Sat, 23 Jun 2012 10:54:57 -0700
Subject: [Freeipa-users] Add attributes to default user schema
In-Reply-To: <4FE4D774.7010102@redhat.com>
References: <4FE39EBF.7080704@redhat.com> <4FE47231.20503@redhat.com> <4FE4B12A.5070002@redhat.com> <4FE4D774.7010102@redhat.com>
Message-ID:

On Fri, Jun 22, 2012 at 1:37 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>>
>> On 06/22/2012 12:28 PM, Stephen Ingram wrote:
>>>
>>> On Fri, Jun 22, 2012 at 6:25 AM, Dmitri Pal wrote:
>>>>
>>>> On 06/22/2012 01:57 AM, Stephen Ingram wrote:
>>>>>
>>>>> On Thu, Jun 21, 2012 at 3:22 PM, Dmitri Pal wrote:
>>>>>>
>>>>>> On 06/21/2012 05:44 PM, Stephen Ingram wrote:
>>>>>>>
>>>>>>> On Thu, Jun 21, 2012 at 2:06 PM, James James wrote:
>>>>>>>>
>>>>>>>> Hi everybody,
>>>>>>>>
>>>>>>>> Is it possible to have a procedure to add new attributes like
>>>>>>>> mailAlternateAddress in the default user schema ?
>>>>>>>
>>>>>>> That particular attribute is included in the schema
>>>>>>> (objectclass=mailRecipient) so it is easy to add using the ipa
>>>>>>> user-mod --addattr command. I then followed Adam Young's instructions
>>>>>>> to change the interface such that we could view/edit the new attribute
>>>>>>> in the UI:
>>>>>>>
>>>>>>> 1. Edit the /usr/lib/python2.7/site-packages/ipalib/plugins/user.py to
>>>>>>> include the new field
>>>>>>> 2. Add an entry to /usr/share/ipa/ui/user.js for the new value
>>>>>>> 3. Don't forget to restart httpd and refresh your browser cache to
>>>>>>> pick up the new fields
>>>>>>>
>>>>>>> We needed that instead of using the multi-valued mail attribute
>>>>>>> because there are circumstances where we need to differentiate between
>>>>>>> the "master" email address and aliases. It's easy to add though and
>>>>>>> works great. I certainly wouldn't want to be in the position of adding
>>>>>>> lots of attributes not already included in IPA, but a one or two-off
>>>>>>> seems pretty reasonable to manage.
>>>>>>>
>>>>>>> I don't know if it's still in the I'm sure *very* future plans for
>>>>>>> IPA, but I remember seeing some application (MTA, mail store) support
>>>>>>> mentioned at one time. These sorts of attributes might be nice to have
>>>>>>> if and when that happens.
>>>>>>>
>>>>>>> Steve
>>>>>>
>>>>>> Is there any chance you can submit what you have done in the form of a
>>>>>> ticket with attached patches?
>>>>>
>>>>> As I have not upgraded to 2.2 yet, I had to patch against 2.1.4. Ticket
>>>>> is 2863.
>>>>>
>>>>> Steve
>>>>
>>>> Thank you for the ticket.
>>>> I think it would be OK to attach existing patch anyways for now.
>>>> What are your plans regarding upgrading to 2.2 and rebasing the patches?
>>>
>>> I see that RHEL 6.3 was released yesterday so we will start testing
>>> 2.2 soon. Once we upgrade, I'll rebase patches to 2.2 and attach to
>>> existing ticket. Is this something that might be included at some
>>> point?
>>>
>>> Steve
>>
>> In general yes, but devil is in details.
>>
>
> It should be pretty straightforward to rebase these.
>
> I wonder about the objectclass. It would also be possible to add it
> on-the-fly by adding a bit of code to the pre_callback() of user_mod and
> user_add.
>
> The basic idea would be:
>
> user_add::pre_callback()
>
>     if 'mailalternateaddress' in entry_attrs:
>         entry_attrs['objectclass'] =
> list(set(entry_attrs['objectclass'].append('mailRecipient')))
>
> I do the list/set bit in case anyone adds mailRecipient to the default list
> :-)
>
> Something similar in user_mod, there is similar code to do this for
> 'ipasshpubkey'. Might be worthwhile to make this into its own function.

This sounds really neat! It sounds like you are adding the mailRecipient
objectclass if you find mailalternateaddress? Is this so if you add this
attribute with the CLI, that objectclass will also be added? I'm curious
because I had to actually add the mailRecipient objectclass just to be able
to add mailAlternateAddress as I don't believe it is in any of the default
objectclasses. I was OK with that because not all of our entries require
this so I actually base my directory queries on whether or not
mailRecipient exists.

Steve

From jlinoff at tabula.com Sun Jun 24 18:30:12 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Sun, 24 Jun 2012 11:30:12 -0700
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
Message-ID: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com>

Hi Everybody:

We have a legacy web based application (CakePHP) that stores user data in a
DB and I would like to transfer that information to a FreeIPA Identity
Management Server without requiring the users to re-enter their passwords
(if possible).

How would I do that?

I know that the DB stores the password as a SHA-1 hash with a salt. I was
hoping that there was a way for the administrator to directly copy the
SHA-1 password hash from the DB into the Free-IPA LDAP for the user but I
don't even know if that is a reasonable expectation.

Any help would be greatly appreciated.

Thanks,
Joe

From mareynol at redhat.com Sun Jun 24 19:49:25 2012
From: mareynol at redhat.com (Mark Reynolds)
Date: Sun, 24 Jun 2012 15:49:25 -0400
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com>
Message-ID: <4FE76F45.5080406@redhat.com>

Hi Joe,

I'm not really an IPA guy, but IPA uses 389 directory server as its backend.
You would need to convert your DB entries to LDAP entries, but 389
supports your password type, so it should not be a problem if you copy &
paste the password hashes. LDAP expects the password to be something like:

userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==

Mark

On 06/24/2012 02:30 PM, Joe Linoff wrote:
>
> Hi Everybody:
>
> We have a legacy web based application (CakePHP) that stores user data
> in a DB and I would like to transfer that information to a FreeIPA
> Identity Management Server without requiring the users to re-enter
> their passwords (if possible).
>
> How would I do that?
>
> I know that the DB stores the password as a SHA-1 hash with a salt. I
> was hoping that there was a way for the administrator to directly copy
> the SHA-1 password hash from the DB into the Free-IPA LDAP for the
> user but I don't even know if that is a reasonable expectation.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Joe
>

--
Mark Reynolds
Senior Software Engineer
Red Hat, Inc
mreynolds at redhat.com

From jlinoff at tabula.com Sun Jun 24 21:42:44 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Sun, 24 Jun 2012 14:42:44 -0700
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
In-Reply-To: <4FE76F45.5080406@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F4478010062CD@mantaray.tabula.com>

Hi Mark:

Thank you, that is really helpful.

Regards,
Joe

From: Mark Reynolds [mailto:mareynol at redhat.com]
Sent: Sunday, June 24, 2012 12:49 PM
To: Joe Linoff
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

Hi Joe,

I'm not really an IPA guy, but IPA uses 389 directory server as its
backend. You would need to convert your DB entries to LDAP entries, but
389 supports your password type, so it should not be a problem if you copy
& paste the password hashes. LDAP expects the password to be something
like:

userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==

Mark

On 06/24/2012 02:30 PM, Joe Linoff wrote:

Hi Everybody:

We have a legacy web based application (CakePHP) that stores user data in a
DB and I would like to transfer that information to a FreeIPA Identity
Management Server without requiring the users to re-enter their passwords
(if possible).

How would I do that?

I know that the DB stores the password as a SHA-1 hash with a salt. I was
hoping that there was a way for the administrator to directly copy the
SHA-1 password hash from the DB into the Free-IPA LDAP for the user but I
don't even know if that is a reasonable expectation.

Any help would be greatly appreciated.

Thanks,
Joe

--
Mark Reynolds
Senior Software Engineer
Red Hat, Inc
mreynolds at redhat.com

From jlinoff at tabula.com Sun Jun 24 22:10:43 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Sun, 24 Jun 2012 15:10:43 -0700
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010062CD@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com> <8AD4194C251EC74CB897E261038F4478010062CD@mantaray.tabula.com>
Message-ID: <8AD4194C251EC74CB897E261038F4478010062CE@mantaray.tabula.com>

Hi Mark:

I did not find any entries related to passwords in the LDAP record. There
were some entries that looked as though they were related to Kerberos which
might be useful.

% ldapsearch -LLL -x -b "uid=bigbob,cn=users,cn=accounts,dc=example,dc=com" | grep ^krb
krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc=
krbPrincipalName: bigbob at EXAMPLE.COM
krbLastPwdChange: 20120530170153Z
krbPasswordExpiration: 20120828170153Z
krbExtraData:: AAgBAA==
krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A
krbLastSuccessfulAuth: 20120621180658Z
krbLastFailedAuth: 20120620013218Z
krbLoginFailedCount: 0

Unfortunately, I am new to IPA so I don't yet understand the internals for
password management. Can you suggest any documentation I can read? I am
fairly familiar with LDAP and Kerberos.

Thanks,
Joe

From: Joe Linoff
Sent: Sunday, June 24, 2012 2:43 PM
To: Mark Reynolds
Cc: freeipa-users at redhat.com; Joe Linoff
Subject: RE: [Freeipa-users] Transfer user database to FreeIPA LDAP

Hi Mark:

Thank you, that is really helpful.

Regards,
Joe

From: Mark Reynolds [mailto:mareynol at redhat.com]
Sent: Sunday, June 24, 2012 12:49 PM
To: Joe Linoff
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

Hi Joe,

I'm not really an IPA guy, but IPA uses 389 directory server as its
backend. You would need to convert your DB entries to LDAP entries, but
389 supports your password type, so it should not be a problem if you copy
& paste the password hashes. LDAP expects the password to be something
like:

userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==

Mark

On 06/24/2012 02:30 PM, Joe Linoff wrote:

Hi Everybody:

We have a legacy web based application (CakePHP) that stores user data in a
DB and I would like to transfer that information to a FreeIPA Identity
Management Server without requiring the users to re-enter their passwords
(if possible).

How would I do that?

I know that the DB stores the password as a SHA-1 hash with a salt. I was
hoping that there was a way for the administrator to directly copy the
SHA-1 password hash from the DB into the Free-IPA LDAP for the user but I
don't even know if that is a reasonable expectation.

Any help would be greatly appreciated.

Thanks,
Joe

--
Mark Reynolds
Senior Software Engineer
Red Hat, Inc
mreynolds at redhat.com

From pspacek at redhat.com Mon Jun 25 09:00:30 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 25 Jun 2012 11:00:30 +0200
Subject: [Freeipa-users] Non IPA Connected Slave DNS Server ?
In-Reply-To: <4FE1C148.2070501@dageek.co.uk>
References: <4FE1C148.2070501@dageek.co.uk>
Message-ID: <4FE828AE.6010306@redhat.com>

Hello,

sorry for a big delay.

On 06/20/2012 02:25 PM, Gavin Spurgeon wrote:
> Hi All,
>
> Just have a quick question re: $subject
>
> I have seen some BZ's about this, but just wanted to check with the list
> to see what people have to say about this.
>
> I have an IPA Domain (example.com) and it is running as it should be.
>
> I also have 2 Public DNS Servers that run all of my non IPA Zones (in
> the 100s). I want these two DNS Servers to act as Standard Bind Slave
> Servers for my IPA Domain (i.e. to do a simple AXFR from the IPA Master)

Current IPA (with bind-dyndb-ldap driver) supports AXFR itself.

Problem lies in SOA serial number update - it is not maintained for
changes done via WebUI or CLI. If you do any change through WebUI or CLI,
you need to manually bump the SOA serial number.

Any change via DNS dynamic update mechanism (nsupdate) will bump the SOA
serial automatically.

> a, No adding the Public DNS Servers to IPA is not an option...
> b, Is this possible *now*

You can "hack" current IPA and bump SOA serial number e.g. each hour (from
cron). In that case zone will be transferred each hour to slave server, but
you will waste some bandwidth.

> c, does any one have any other suggestions, on how to get my desired goal ?

You have to set idnsAllowTransfer attribute in relevant zones, see
http://git.fedorahosted.org/git/?p=bind-dyndb-ldap.git;a=blob;f=README

> d, if not, when will this be possible ?

Automatic SOA serial number update is on the roadmap for 3.0, stay tuned.

Petr^2 Spacek

> Gavin Spurgeon.
> AKA Da Geek

From pspacek at redhat.com Mon Jun 25 11:02:41 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 25 Jun 2012 13:02:41 +0200
Subject: [Freeipa-users] Replication problems with having more than one replica?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCCC01C@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCCA5D9@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FD90C30.2020302@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCCA661@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FD90F6B.2090009@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CCCA689@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CCCA6B3@STAWINCOX10MBX1.staff.vuw.ac.nz> <1339637672.8230.652.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CCCA7D3@STAWINCOX10MBX1.staff.vuw.ac.nz> <1339639318.8230.658.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CCCA813@STAWINCOX10MBX1.staff.vuw.ac.nz> <1339674620.8230.672.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CCCC01C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FE84551.9060007@redhat.com>

On 06/15/2012 12:12 AM, Steven Jones wrote:
> I have the forward zone (ods.vuw.ac.nz) setup in IPA but the reverse
> zone(s) is meant to be slaved back to the MS AD masters (vuw.ac.nz) and
> 10/8 and (130.195./16).
>
> What should the reverse/PTR zone setup look like? ie if I had a flat
> file aka bind and named.conf it's straightforward, I can just look at the
> file(s), and that a reverse zone file is created on the slave; however I
> have no screenshots or anything to indicate if I have set up that reverse
> function correctly. For instance there is nothing in /var/named/slaves,
> I have assumed that the slave data from the AD masters is actually held
> in the LDAP.....so how do I prove that?

AFAIK there is no special requirement. Any host name for IPA server should
translate to IP addresses. PTR records for those IP addresses should point
back to A/AAAA records used during original name->IP translation. (PTR
should point to A records, not CNAME records.)

Actually it doesn't matter where records are stored, as long as DNS
translation via servers configured in /etc/resolv.conf is functional.

> Also I notice when I create a zone using the dns ui it creates a file
> called 0.3.70.10, but when I add a replica it creates another zone file
> 3.70.10 and populates it....which it shouldn't as the MS AD is the
> master.....yet I used --no-reverse in the replica command...

I'm not sure if I understood it correctly. Where are the files created? Can
you post them to the list?

Petr^2 Spacek

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Simo Sorce [simo at redhat.com]
> Sent: Thursday, 14 June 2012 11:50 p.m.
> To: Steven Jones
> Cc: Rob Crittenden; freeipa-users
> Subject: RE: [Freeipa-users] Replication problems with having more than one replica?
>
> On Thu, 2012-06-14 at 03:00 +0000, Steven Jones wrote:
>> Hi,
>>
>> 3 log sets from /var/log/dirsrv/slapd
>
> Looking at the first server's error log it looks like one of your
> replicas has a wrong PTR record and GSSAPI cannot therefore find the
> right ticket.
>
> Make sure your DNS is properly set up (or /etc/hosts entries) for all
> the servers.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From pspacek at redhat.com Mon Jun 25 11:15:31 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 25 Jun 2012 13:15:31 +0200
Subject: [Freeipa-users] ipa installation problem
In-Reply-To: <1340118089.48863.YahooMailNeo@web120006.mail.ne1.yahoo.com>
References: <1340058371.42787.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FE07F82.9070008@redhat.com> <1340113836.48273.YahooMailNeo@web120001.mail.ne1.yahoo.com> <4FE0901E.6010406@redhat.com> <1340118089.48863.YahooMailNeo@web120006.mail.ne1.yahoo.com>
Message-ID: <4FE84853.6080100@redhat.com>

On 06/19/2012 05:01 PM, george he wrote:
> Hello Rob,
> netstat |grep 443 returned nothing, but lsof -i :80 (or :443) returned things
> like this:
> httpd 4206 apache 5u IPv6 846355 TCP *:http (LISTEN)
> is the IPv6 here a problem?
> Thanks,
> George

"No route to host" can mean "No route to host" (= no record in ARP table)
OR "there is a firewall rule blocking this traffic" (caused by received
ICMP packet).

"Connection refused" really means "Connection refused" :-)

It can also point to DNS resolution problem - name could be resolved to
wrong IP, so connection is refused by other machine than you think. Don't
forget to check /etc/resolv.conf and /etc/hosts.

Best way to debug network problems is wireshark and netcat. I recommend to
run wireshark on both ends and then do end-to-end tests with netcat.

Start netcat on single side and try to connect to it from other side.

root at server # nc -l 443
user at client # nc server.hostname.example 443

Type some garbage in and check if it arrives to other end. Check output
from wireshark in case of problems. Check if MAC addresses have expected
values.

Petr^2 Spacek

> ------------------------------------------------------------------------------
> *From:* Rob Crittenden
> *To:* george he
> *Cc:* "freeipa-users at redhat.com"
> *Sent:* Tuesday, June 19, 2012 10:43 AM
> *Subject:* Re: [Freeipa-users] ipa installation problem
>
> george he wrote:
> > Hello Rob,
> > Can it be that the httpd service is not running properly?
> > On all servers, I can only run wget on the server itself successfully...
> > At least on fc15, the client was able to contact the server, but the
> > connection was refused.
> > maybe the configuration part of httpd?
> > On other machines in the same lab, I have set up two web servers in the
> > "usual" way and they both run with no problem.
>
> I don't know what to tell you. This problem is independent of IPA. It
> means that the client doesn't know how to get to the server (no route to
> host)
>
> Connection refused would suggest that the server isn't accepting
> connections. You could use netstat to confirm that it is listening on
> ports 80 and 443, I think you'll find it is.
>
> IPA doesn't do anything particularly clever with the web server, just
> configures it to use mod_nss as an SSL listener. Since wget is using
> port 80 you aren't even using any changes made by IPA. And no route to
> host suggests it isn't even getting that far.
>
> You might try shutting down iptables on the server and client and try that.
>
> rob
>
> > Thanks,
> > George
> >
> > ------------------------------------------------------------------------
> > *From:* Rob Crittenden
> > *To:* george he
> > *Cc:* "freeipa-users at redhat.com"
> > *Sent:* Tuesday, June 19, 2012 9:32 AM
> > *Subject:* Re: [Freeipa-users] ipa installation problem
> >
> > george he wrote:
> > > Hello all,
> > > While waiting for more suggestions on my thread "is not an IPA v2
> > > Server", I tried to install ipa server on other machines running fc16
> > > and fc15.
> > > When server is on fc16, I get the same error as when it's on
> > > fc17, wget failed: No route to host.
> > > when server is on fc15, wget still failed, but the reason was
> > > "Connection refused".
> > > Seems to me there's something else to do after running
> > > ipa-server-install on the server.
> >
> > This is unrelated to IPA. We do no network configuration changes,
> > only start services.
> >
> > The client is doing a simple wget which just issues an HTTP request.
> > The network stack is saying it can't talk to the IPA server so I'd
> > start there. wireshark might be helpful.
> >
> > rob

From sgallagh at redhat.com Mon Jun 25 11:20:14 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 25 Jun 2012 07:20:14 -0400
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010062CE@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com> <8AD4194C251EC74CB897E261038F4478010062CD@mantaray.tabula.com> <8AD4194C251EC74CB897E261038F4478010062CE@mantaray.tabula.com>
Message-ID: <1340623214.2774.1.camel@sgallagh520.sgallagh.bos.redhat.com>

On Sun, 2012-06-24 at 15:10 -0700, Joe Linoff wrote:
> Hi Mark:
>
> I did not find any entries related to passwords in the LDAP record.
> There were some entries that looked as though they were related to
> Kerberos which might be useful.
> > % ldapseach -LLL -x -b > "uid=bigbob,cn=users,cn=accounts,dc=example,dc=com" | grep ^krb > > krbPwdPolicyReference: > cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc= > > krbPrincipalName: bigbob at EXAMPLE.COM > > krbLastPwdChange: 20120530170153Z > > krbPasswordExpiration: 20120828170153Z > > krbExtraData:: AAgBAA== > > krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A > > krbLastSuccessfulAuth: 20120621180658Z > > krbLastFailedAuth: 20120620013218Z > > krbLoginFailedCount: 0 > > > > Unfortunately, I am new to IPA so I don?t yet understand the internals > for password management. Can you suggest any documentation I can read? > I am fairly familiar with LDAP and Kerberos. You do not need to populate the Kerberos password fields directly. Once you migrate your DB users to LDAP, if you enable IPA's "migration mode" (see the docs on how), the next time a user binds to LDAP using their existing password, a pre-bind plugin on FreeIPA will catch the plaintext password and use it to populate the Kerberos password fields automatically. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From simo at redhat.com Mon Jun 25 11:50:22 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 25 Jun 2012 07:50:22 -0400 Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP In-Reply-To: <4FE76F45.5080406@redhat.com> References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com> Message-ID: <1340625022.32038.443.camel@willson.li.ssimo.org> On Sun, 2012-06-24 at 15:49 -0400, Mark Reynolds wrote: > Hi Joe, > > I'm not really an IPA guy, but IPA uses 389 directory server as its > backend. You would need to convert the your DB entries to LDAP > entries, but 389 supports your password type, so it should not be a > problem if you copy & paste the password hashes. 
> LDAP expects the password to be something like:
>
> userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==
> Mark

Normally this is not actually allowed. The reason is that kerberos needs keys generated, and can't work with the userPassword hash, so we prevent storing any hash in userPassword and reject any attempt that does not involve a clear text password.

However if you enable the migration mode we do allow setting the hash; what we expect then is to have either users or some application authenticate via an ldap bind that sends a clear text password. While in migration mode, a bind will check if the password is valid, and if it is it will generate the kerberos keys out of it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jlinoff at tabula.com Mon Jun 25 12:51:36 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Mon, 25 Jun 2012 05:51:36 -0700
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
In-Reply-To: <1340623214.2774.1.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com> <8AD4194C251EC74CB897E261038F4478010062CD@mantaray.tabula.com> <8AD4194C251EC74CB897E261038F4478010062CE@mantaray.tabula.com> <1340623214.2774.1.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F4478010062D6@mantaray.tabula.com>

> You do not need to populate the Kerberos password fields directly. Once you migrate your DB
> users to LDAP, if you enable IPA's "migration mode" (see the docs on how), the next time a
> user binds to LDAP using their existing password, a pre-bind plugin on FreeIPA will catch
> the plaintext password and use it to populate the Kerberos password fields automatically.

Thank you, that makes sense but my problem is doing the initial migration. How do I get the existing user data into LDAP using the hashed password from the old database?
Regards,

Joe

-----Original Message-----
From: Stephen Gallagher [mailto:sgallagh at redhat.com]
Sent: Monday, June 25, 2012 4:20 AM
To: Joe Linoff
Cc: Mark Reynolds; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

On Sun, 2012-06-24 at 15:10 -0700, Joe Linoff wrote:
> Hi Mark:
>
> I did not find any entries related to passwords in the LDAP record.
> There were some entries that looked as though they were related to
> Kerberos which might be useful.
>
> % ldapsearch -LLL -x -b "uid=bigbob,cn=users,cn=accounts,dc=example,dc=com" | grep ^krb
> krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc=
> krbPrincipalName: bigbob at EXAMPLE.COM
> krbLastPwdChange: 20120530170153Z
> krbPasswordExpiration: 20120828170153Z
> krbExtraData:: AAgBAA==
> krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A
> krbLastSuccessfulAuth: 20120621180658Z
> krbLastFailedAuth: 20120620013218Z
> krbLoginFailedCount: 0
>
> Unfortunately, I am new to IPA so I don't yet understand the internals
> for password management. Can you suggest any documentation I can read?
> I am fairly familiar with LDAP and Kerberos.

You do not need to populate the Kerberos password fields directly. Once you migrate your DB users to LDAP, if you enable IPA's "migration mode" (see the docs on how), the next time a user binds to LDAP using their existing password, a pre-bind plugin on FreeIPA will catch the plaintext password and use it to populate the Kerberos password fields automatically.
From jlinoff at tabula.com Mon Jun 25 12:57:13 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Mon, 25 Jun 2012 05:57:13 -0700
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
In-Reply-To: <1340625022.32038.443.camel@willson.li.ssimo.org>
References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com> <1340625022.32038.443.camel@willson.li.ssimo.org>
Message-ID: <8AD4194C251EC74CB897E261038F4478010062D7@mantaray.tabula.com>

Hi Simo:

> Normally this is not actually allowed, the reason is that kerberos needs keys generated,
> and can't work with the userPassword hash, so we prevent storing any hash in userPassword
> and reject any attempt that does not involve a clear text password.

That makes sense. Thank you for clearing that up.

> However if you enable the migration mode we do allow to set the hash, what we expect then
> is to have either users or some application to authenticate via an ldap bind that sends a
> clear text password. While in migration mode, a bind will check if the password is valid,
> and if it is it will generate the kerberos keys out of it.

That also makes sense and it is a great way to transfer users from an existing LDAP to FreeIPA. Unfortunately, the problem I have is that I have the user data and the hashed password in a standalone database and I want to move it into FreeIPA without requiring the users to re-authenticate. I do not have a plaintext password and I do not have an LDAP DB. From what you and Mark have said, I need to find a way to emulate migration mode for my setup or, if possible, insert the existing hash directly in Kerberos. Does that make sense?
Regards,

Joe

-----Original Message-----
From: Simo Sorce [mailto:simo at redhat.com]
Sent: Monday, June 25, 2012 4:50 AM
To: Mark Reynolds
Cc: Joe Linoff; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

On Sun, 2012-06-24 at 15:49 -0400, Mark Reynolds wrote:
> Hi Joe,
>
> I'm not really an IPA guy, but IPA uses 389 directory server as its
> backend. You would need to convert your DB entries to LDAP
> entries, but 389 supports your password type, so it should not be a
> problem if you copy & paste the password hashes. LDAP expects the
> password to be something like:
>
> userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==
> Mark

Normally this is not actually allowed. The reason is that kerberos needs keys generated, and can't work with the userPassword hash, so we prevent storing any hash in userPassword and reject any attempt that does not involve a clear text password.

However if you enable the migration mode we do allow setting the hash; what we expect then is to have either users or some application authenticate via an ldap bind that sends a clear text password. While in migration mode, a bind will check if the password is valid, and if it is it will generate the kerberos keys out of it.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Mon Jun 25 13:06:56 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 25 Jun 2012 09:06:56 -0400
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010062D7@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com> <1340625022.32038.443.camel@willson.li.ssimo.org> <8AD4194C251EC74CB897E261038F4478010062D7@mantaray.tabula.com>
Message-ID: <1340629616.32038.455.camel@willson.li.ssimo.org>

On Mon, 2012-06-25 at 05:57 -0700, Joe Linoff wrote:
> Unfortunately, the problem I have is that I have the user data and the
> hashed password in a standalone database and I want to move it into
> FreeIPA without requiring the users to re-authenticate. I do not have
> a plaintext password and I do not have an LDAP DB. From what you and
> Mark have said, I need to find a way to emulate migration mode for my
> setup or, if possible, insert the existing hash directly in Kerberos.
> Does that make sense?

Not really.
A few questions:
- how do users authenticate to CakePHP at the moment ?
- how are passwords stored in your current DB ?

If users authenticate by passing in a username/password combo you have various options, in the sense you should be able to modify the cakePHP application to recalculate a valid SHA hash and dump it into a file.
If the app db already contains a good hash that is supported by 389ds then you can simply grab the hashes from there.

Once you have hashes you can create a script that lists users in cakePHP and for each of them create a new freeipa user via ipa user-add
Then you switch to migration mode and you can use another script to store the hashes you collected in each user's userPassword field.

Finally change your cakePHP app to make an ldap bind to authenticate users instead of checking its own database.
This procedure requires some advanced scripting ability, and minor segues into firing a few ldapmodify commands with a very simple template ldif and a couple substitutions. However this is a possible solution. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon Jun 25 13:43:59 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 25 Jun 2012 09:43:59 -0400 Subject: [Freeipa-users] Add attributes to default user schema In-Reply-To: References: <4FE39EBF.7080704@redhat.com> <4FE47231.20503@redhat.com> <4FE4B12A.5070002@redhat.com> <4FE4D774.7010102@redhat.com> Message-ID: <4FE86B1F.6080001@redhat.com> Stephen Ingram wrote: > On Fri, Jun 22, 2012 at 1:37 PM, Rob Crittenden wrote: >> Dmitri Pal wrote: >>> >>> On 06/22/2012 12:28 PM, Stephen Ingram wrote: >>>> >>>> On Fri, Jun 22, 2012 at 6:25 AM, Dmitri Pal wrote: >>>>> >>>>> On 06/22/2012 01:57 AM, Stephen Ingram wrote: >>>>>> >>>>>> On Thu, Jun 21, 2012 at 3:22 PM, Dmitri Pal wrote: >>>>>>> >>>>>>> On 06/21/2012 05:44 PM, Stephen Ingram wrote: >>>>>>>> >>>>>>>> On Thu, Jun 21, 2012 at 2:06 PM, James James >>>>>>>> wrote: >>>>>>>>> >>>>>>>>> Hi everybody, >>>>>>>>> >>>>>>>>> Is it possible to have a procedure to add new attributes like >>>>>>>>> mailAlternateAddress in the default user schema ? >>>>>>>> >>>>>>>> That particular attribute is included in the schema >>>>>>>> (objectclass=mailRecipient) so it is easy to add using the ipa >>>>>>>> user-mod --addattr command. I then followed Adam Young's instructions >>>>>>>> to change the interface such that we could view/edit the new >>>>>>>> attribute >>>>>>>> in the UI: >>>>>>>> >>>>>>>> 1. Edit the /usr/lib/python2.7/site-packages/ipalib/plugins/user.py >>>>>>>> to >>>>>>>> include the new field >>>>>>>> 2. Add an entry to /usr/share/ipa/ui/user.js for the new value >>>>>>>> 3. 
Don't forget to restart httpd and refresh your browser cache to >>>>>>>> pick up the new fields >>>>>>>> >>>>>>>> We needed that instead of using the multi-valued mail attribute >>>>>>>> because there are circumstances where we need to differentiate >>>>>>>> between >>>>>>>> the "master" email address and aliases. It's easy to add though and >>>>>>>> works great. I certainly wouldn't want to be in the position of >>>>>>>> adding >>>>>>>> lots of attributes not already included in IPA, but a one or two-off >>>>>>>> seems pretty reasonable to manage. >>>>>>>> >>>>>>>> I don't know if it's still in the I'm sure *very* future plans for >>>>>>>> IPA, but I remember seeing some application (MTA, mail store) support >>>>>>>> mentioned at one time. These sorts of attributes might be nice to >>>>>>>> have >>>>>>>> if and when that happens. >>>>>>>> >>>>>>>> Steve >>>>>>> >>>>>>> Is there any chance you can submit what you have done in the form of a >>>>>>> ticket with attached patches? >>>>>> >>>>>> As I have not upgraded to 2.2 yet, I had to patch against 2.1.4. Ticket >>>>>> is 2863. >>>>>> >>>>>> Steve >>>>> >>>>> Thank you for the ticket. >>>>> I think it would be OK to attach existing patch anyways for now. >>>>> What are your plans regarding upgrading to 2.2 and rebasing the patches? >>>> >>>> I see that RHEL 6.3 was released yesterday so we will start testing >>>> 2.2 soon. Once we upgrade, I'll rebase patches to 2.2 and attach to >>>> existing ticket. Is this something that might be included at some >>>> point? >>>> >>>> Steve >>> >>> In general yes, but devil is in details. >>> >> >> It should be pretty straightforward to rebase these. >> >> I wonder about the objectclass. It would also be possible to add it >> on-the-fly by adding a bit of code to the pre_callback() of user_mod and >> user_add. 
>>
>> The basic idea would be:
>>
>> user_add::pre_callback()
>>
>>     if 'mailalternateaddress' in entry_attrs:
>>         # list.append() returns None, so build the new list with '+' instead
>>         entry_attrs['objectclass'] = list(set(entry_attrs['objectclass'] + ['mailRecipient']))
>>
>> I do the list/set bit in case anyone adds mailRecipient to the default list :-)
>>
>> Something similar in user_mod, there is similar code to do this for
>> 'ipasshpubkey'. Might be worthwhile to make this into its own function.
>
> This sounds really neat! It sounds like you are adding the
> mailRecipient objectclass if you find mailalternateaddress? Is this so
> if you add this attribute with the CLI, that objectclass will also be
> added? I'm curious because I had to actually add the mailRecipient
> objectclass just to be able to add mailAlternateAddress as I don't
> believe it is in any of the default objectclasses. I was OK with that
> because not all of our entries require this so I actually base my
> directory queries on whether or not mailRecipient exists.
>
> Steve

Right, this makes it more automatic so you don't also have to use --addattr objectclass=mailRecipient or some other mechanism to add the objectclass too.

rob

From james.hogarth at gmail.com Mon Jun 25 14:11:21 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Mon, 25 Jun 2012 15:11:21 +0100
Subject: [Freeipa-users] Request for comments - Libvirt (KVM) with VNC via IPA with kerberos authentication
Message-ID:

Hi all,

As mentioned on IRC today I've finished my write up of using libvirt (kvm virtualization) with VNC consoles and kerberos authentication with an IPA backend....
I'd be interested in any feedback: http://freeipa.org/page/Libvirt_with_VNC_Consoles

Kind regards,

James

From jlinoff at tabula.com Mon Jun 25 16:08:47 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Mon, 25 Jun 2012 09:08:47 -0700
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
In-Reply-To: <1340629616.32038.455.camel@willson.li.ssimo.org>
References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com> <1340625022.32038.443.camel@willson.li.ssimo.org> <8AD4194C251EC74CB897E261038F4478010062D7@mantaray.tabula.com> <1340629616.32038.455.camel@willson.li.ssimo.org>
Message-ID: <8AD4194C251EC74CB897E261038F4478010062E8@mantaray.tabula.com>

Hi Simo:

I really appreciate your help.

>> If users authenticate by passing in a username/password combo you have various
>> options, in the sense you should be able to modify the cakePHP application to
>> recalculate a valid SHA hash and dump it into a file.

That would be great.

>> If the app db already contains a good hash that is supported by 389ds then you
>> can simply grab the hashes from there.

I believe that it does. I perused the CakePHP code and found that it used this algorithm to create the password:

// PHP
$salt = Configure::read('Security.salt');
$phpPasswd = sha1( $salt . $plaintext ); // Same as Security::hash($plaintext, 'sha1', true); '.' concatenates ('+' would add numerically)

Here is the same algorithm in python along with an LDAP encoding using SHA. They are embedding the salt along with the password so it is not SSHA.

# python
import hashlib
from base64 import b64encode as encode   # standard alphabet; the urlsafe variant uses '-' and '_', which LDAP will not decode
from base64 import b64decode as decode

salt = constantValueFromConfigFile()

# SHA1 hash (hash bytes, so this also works on Python 3)
h = hashlib.sha1((salt + plaintext).encode('utf-8'))

# PHP password string
phpPasswd = h.hexdigest()

# LDAP password - this won't work for the userPassword field.
ldapPasswd = '{SHA}' + encode(h.digest()).decode('ascii') # OpenLDAP format

# LDAP userPassword attribute format is the base64 MIME encoded version of above.
# This is what you see when you run a command like:
# ldapsearch -LLL -x -W -D 'cn=Directory Manager' -b 'cn=user,cn=accounts,dc=example,dc=com' userpassword
userPasswd = encode(ldapPasswd.encode('ascii')).decode('ascii')

>> Once you have hashes you can create a script that lists users in cakePHP and for each of
>> them create a new freeipa users via ipa user-add

Ok. That sounds straightforward.

>> Then you switch to migration mode and you can use another script to store the hashes you
>> collected in each user's userPassword field.

That would be perfect but how do I switch to migration mode?

Can I simply bind as the "Directory Manager" and update the userPassword field using something like ldapmodify or is there a better way?

Is there an example of a script like this that I can look at?

>> Finally change your cakePHP app to make an ldap bind to authenticate users instead
>> of checking its own database.

Yup.

>> This procedure requires some advanced scripting ability, and minor segues into firing
>> a few ldapmodify commands with a very simple template ldif and a couple substitutions.
>> However this is a possible solution.

Yup, I really like it. I am going to give it a try. Should I use the ipalib/plugins/migration.py as a starting point or is there a more relevant module?

Thanks,

Joe

-----Original Message-----
From: Simo Sorce [mailto:simo at redhat.com]
Sent: Monday, June 25, 2012 6:07 AM
To: Joe Linoff
Cc: Mark Reynolds; freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Transfer user database to FreeIPA LDAP

On Mon, 2012-06-25 at 05:57 -0700, Joe Linoff wrote:
> Unfortunately, the problem I have is that I have the user data and the
> hashed password in a standalone database and I want to move it into
> FreeIPA without requiring the users to re-authenticate. I do not have
> a plaintext password and I do not have an LDAP DB. From what you and
> Mark have said, I need to find a way to emulate migration mode for my
> setup or, if possible, insert the existing hash directly in Kerberos.
> Does that make sense?

Not really.
A few questions:
- how do users authenticate to CakePHP at the moment ?
- how are passwords stored in your current DB ?

If users authenticate by passing in a username/password combo you have various options, in the sense you should be able to modify the cakePHP application to recalculate a valid SHA hash and dump it into a file.
If the app db already contains a good hash that is supported by 389ds then you can simply grab the hashes from there.

Once you have hashes you can create a script that lists users in cakePHP and for each of them create a new freeipa user via ipa user-add
Then you switch to migration mode and you can use another script to store the hashes you collected in each user's userPassword field.

Finally change your cakePHP app to make an ldap bind to authenticate users instead of checking its own database.

This procedure requires some advanced scripting ability, and minor segues into firing a few ldapmodify commands with a very simple template ldif and a couple substitutions.

However this is a possible solution.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From george_he7 at yahoo.com Mon Jun 25 16:52:50 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 25 Jun 2012 09:52:50 -0700 (PDT)
Subject: [Freeipa-users] freeipa and gdm
Message-ID: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com>

Hello,
I have a server and a few clients set up. I can ssh to the server or clients. But there's no entry on the console gdm for ipa user, and I cannot login by choosing "others" either.
What do I need to set up for gdm log on? I searched the docs but didn't find any...
Thanks,
George
From sgallagh at redhat.com Mon Jun 25 17:07:27 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 25 Jun 2012 13:07:27 -0400
Subject: [Freeipa-users] freeipa and gdm
In-Reply-To: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com>
References: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com>
Message-ID: <1340644047.2774.48.camel@sgallagh520.sgallagh.bos.redhat.com>

On Mon, 2012-06-25 at 09:52 -0700, george he wrote:
> Hello,
> I have a server and a few client set up. I can ssh to the server or
> clients. But there's no entry on the console gdm for ipa user, and I
> cannot login by choosing "others" either.
> What do I need to set up for gdm log on? I searched the docs but
> didn't find any...

Entries do not appear on the GDM login until you have logged in at least once by choosing "others". I'm concerned that this is not working, however.

Can you do 'tail -n0 -f /var/log/secure' in a root shell while attempting to log in through GDM and then show us what it says?

Also, please tell us what version of SSSD is installed on your system (you can find out with 'rpm -q sssd')

From george_he7 at yahoo.com Mon Jun 25 17:25:39 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 25 Jun 2012 10:25:39 -0700 (PDT)
Subject: [Freeipa-users] freeipa and gdm
In-Reply-To: <1340644047.2774.48.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com> <1340644047.2774.48.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <1340645139.5639.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hello Stephen,

this is what is in the log file:

Jun 25 13:22:10 mz gdm-password][21545]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost=
user=jhe Jun 25 13:22:11 mz gdm-password][21545]: pam_sss(gdm-password:auth): authentication success; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=jhe and this is the sssd version: sssd-1.8.4-13.fc17.x86_64 Thanks, George >________________________________ > From: Stephen Gallagher >To: george he >Cc: "freeipa-users at redhat.com" >Sent: Monday, June 25, 2012 1:07 PM >Subject: Re: [Freeipa-users] freeipa and gdm > >On Mon, 2012-06-25 at 09:52 -0700, george he wrote: >> Hello, >> I have a server and a few client set up. I can ssh to the server or >> clients. But there's no entry on the console gdm for ipa user, and I >> cannot login by choosing "others" either. >> What do I need to set up for gdm log on? I searched the docs but >> didn't find any... > > >Entries do not appear on the GDM login until you have logged in at least >once by choosing "others". I'm concerned that this is not working, >however. > >Can you do >'tail -n0 -f /var/log/secure' in a root shell while attempting to log in >through GDM and then show us what it says? > >Also, please tell us what version of SSSD is installed on your system >(you can find out with 'rpm -q sssd') > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From sgallagh at redhat.com Mon Jun 25 17:30:59 2012 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 25 Jun 2012 13:30:59 -0400 Subject: [Freeipa-users] freeipa and gdm In-Reply-To: <1340645139.5639.YahooMailNeo@web120003.mail.ne1.yahoo.com> References: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com> <1340644047.2774.48.camel@sgallagh520.sgallagh.bos.redhat.com> <1340645139.5639.YahooMailNeo@web120003.mail.ne1.yahoo.com> Message-ID: <1340645459.27656.2.camel@sgallagh520.sgallagh.bos.redhat.com> On Mon, 2012-06-25 at 10:25 -0700, george he wrote: > Hello Stephen, > > > this is what in the log file: > > Jun 25 13:22:10 mz gdm-password][21545]: pam_unix(gdm-password:auth): > authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= > rhost= user=jhe > Jun 25 13:22:11 mz gdm-password][21545]: pam_sss(gdm-password:auth): > authentication success; logname=(unknown) uid=0 euid=0 tty=:0 ruser= > rhost= user=jhe According to that, SSSD successfully authenticated the user, but you still didn't get logged in? I'll bet that means you don't have your system set up to create home directories on first login automatically. If you run ipa-client-install with the --mkhomedir option when configuring the client, it will set this up for you. If you want to change it after the fact, do this: authconfig --update --enable-mkhomedir That should do the trick. -------------- next part -------------- A non-text attachment was scrubbed... 
From george_he7 at yahoo.com Mon Jun 25 17:41:53 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 25 Jun 2012 10:41:53 -0700 (PDT)
Subject: [Freeipa-users] freeipa and gdm
In-Reply-To: <1340645459.27656.2.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com> <1340644047.2774.48.camel@sgallagh520.sgallagh.bos.redhat.com> <1340645139.5639.YahooMailNeo@web120003.mail.ne1.yahoo.com> <1340645459.27656.2.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <1340646113.22951.YahooMailNeo@web120006.mail.ne1.yahoo.com>

Hi Stephen,

I already have a home directory which was created the first time I sshed in.
Now when I click on "sign in", nothing happens...

Thanks,
George

>________________________________
> From: Stephen Gallagher
>To: george he
>Cc: "freeipa-users at redhat.com"
>Sent: Monday, June 25, 2012 1:30 PM
>Subject: Re: [Freeipa-users] freeipa and gdm
>
>On Mon, 2012-06-25 at 10:25 -0700, george he wrote:
>> Hello Stephen,
>>
>> this is what is in the log file:
>>
>> Jun 25 13:22:10 mz gdm-password][21545]: pam_unix(gdm-password:auth):
>> authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser=
>> rhost= user=jhe
>> Jun 25 13:22:11 mz gdm-password][21545]: pam_sss(gdm-password:auth):
>> authentication success; logname=(unknown) uid=0 euid=0 tty=:0 ruser=
>> rhost= user=jhe
>
>According to that, SSSD successfully authenticated the user, but you
>still didn't get logged in? I'll bet that means you don't have your
>system set up to create home directories on first login automatically.
>
>If you run ipa-client-install with the --mkhomedir option when
>configuring the client, it will set this up for you. If you want to
>change it after the fact, do this:
>
>authconfig --update --enable-mkhomedir
>
>That should do the trick.
> > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sgallagh at redhat.com Mon Jun 25 17:42:58 2012 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 25 Jun 2012 13:42:58 -0400 Subject: [Freeipa-users] freeipa and gdm In-Reply-To: <1340646113.22951.YahooMailNeo@web120006.mail.ne1.yahoo.com> References: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com> <1340644047.2774.48.camel@sgallagh520.sgallagh.bos.redhat.com> <1340645139.5639.YahooMailNeo@web120003.mail.ne1.yahoo.com> <1340645459.27656.2.camel@sgallagh520.sgallagh.bos.redhat.com> <1340646113.22951.YahooMailNeo@web120006.mail.ne1.yahoo.com> Message-ID: <1340646178.27656.3.camel@sgallagh520.sgallagh.bos.redhat.com> On Mon, 2012-06-25 at 10:41 -0700, george he wrote: > Hi Stephen, > > > I already have a home directory which was created the first time I ssh > in. > Now when I click on "sign in", nothing happens... > Just to experiment, try 'setenforce 0' as root and then try to log in. SELinux could be denying you. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From dpal at redhat.com Mon Jun 25 17:51:18 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 25 Jun 2012 13:51:18 -0400 Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP In-Reply-To: <8AD4194C251EC74CB897E261038F4478010062E8@mantaray.tabula.com> References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com> <1340625022.32038.443.camel@willson.li.ssimo.org> <8AD4194C251EC74CB897E261038F4478010062D7@mantaray.tabula.com> <1340629616.32038.455.camel@willson.li.ssimo.org> <8AD4194C251EC74CB897E261038F4478010062E8@mantaray.tabula.com> Message-ID: <4FE8A516.5080208@redhat.com> On 06/25/2012 12:08 PM, Joe Linoff wrote: > Hi Simo: > > I really appreciate your help. 
>
>>> If users authenticate by passing in a username/password combo you have various
>>> options, in the sense you should be able to modify the cakePHP application to
>>> recalculate a valid SHA hash and dump it into a file.
> That would be great.
>
>>> If the app db already contains a good hash that is supported by 389ds then you
>>> can simply grab the hashes from there.
> I believe that it does. I perused the CakePHP code and found that it used this algorithm to create the password:
>
> // PHP
> $salt = Configure::read('Security.salt');
> $phpPasswd = sha1( $salt . $plaintext ); // Same as Security::hash($plaintext, 'sha1', true); '.' concatenates ('+' would add numerically)
>
> Here is the same algorithm in python along with an LDAP encoding using SHA. They are embedding the salt along with the password so it is not SSHA.
>
> # python
> import hashlib
> from base64 import b64encode as encode   # standard alphabet; the urlsafe variant uses '-' and '_', which LDAP will not decode
> from base64 import b64decode as decode
>
> salt = constantValueFromConfigFile()
>
> # SHA1 hash (hash bytes, so this also works on Python 3)
> h = hashlib.sha1((salt + plaintext).encode('utf-8'))
>
> # PHP password string
> phpPasswd = h.hexdigest()
>
> # LDAP password - this won't work for the userPassword field.
> ldapPasswd = '{SHA}' + encode(h.digest()).decode('ascii') # OpenLDAP format
>
> # LDAP userPassword attribute format is the base64 MIME encoded version of above.
> # This is what you see when you run a command like:
> # ldapsearch -LLL -x -W -D 'cn=Directory Manager' -b 'cn=user,cn=accounts,dc=example,dc=com' userpassword
> userPasswd = encode(ldapPasswd.encode('ascii')).decode('ascii')
>
>>> Once you have hashes you can create a script that lists users in cakePHP and for each of
>>> them create a new freeipa users via ipa user-add
> Ok. That sounds straightforward.
>
>>> Then you switch to migration mode and you can use another script to store the hashes you
>>> collected in each user's userPassword field.
> That would be perfect but how do I switch to migration mode?
> > Can I simply bind as the "Directory Manager" and update the userPassword field using something like ldapmodify or is there a better way? > > Is there an example of script like this that I can look at? > >>> Finally change your cakePHP app to make an ldap bind to authenticate users instead >>> of checkign it's own database. > Yup. > >>> This procedure requires some advanced scripting ability, and minor segues into firing >>> a few ldapmodify commands with a very simple template ldif and a couple substitutions. >>> However this is a possible solution. > Yup, I really like it. I am going to give it a try. Should I use the ipalib/plugins/migration.py as a starting point or is there a more relevant module? > > Thanks, > > Joe > > -----Original Message----- > From: Simo Sorce [mailto:simo at redhat.com] > Sent: Monday, June 25, 2012 6:07 AM > To: Joe Linoff > Cc: Mark Reynolds; freeipa-users at redhat.com > Subject: RE: [Freeipa-users] Transfer user database to FreeIPA LDAP > > On Mon, 2012-06-25 at 05:57 -0700, Joe Linoff wrote: >> Unfortunately, the problem I have is that I have the user data and the >> hashed password in a standalone database and I want to move it into >> FreeIPA without requiring the users to re-authenticate. I do not have >> a plaintext password and I do not have an LDAP DB. From what you and >> Mark have said, I need to find a way to emulate migration mode for my >> setup or, if possible, insert the existing hash directly in Kerberos. >> Does that make sense? > Not really. > A few questions: > - how do users authenticate to CakePHP at the moment ? > - how are passwords stored in your current DB ? > > If users authenticate by passing in a username/password combo you have various options, in the sense you should be able to modify the cakePHP application to recalculate a valid SHA hash and dump it into a file. > Why is it needed if the same hash is already in the database? 
> If the app db already contains a good hash that is supported by 389ds then you can simply grab the hashes from there.

AFAIU this is the case.

> Once you have hashes you can create a script that lists users in cakePHP and for each of them create a new freeipa users via ipa user-add
> Then you switch to migration mode and you can use another script to store the hashes you collected in each user's userPassword field.

Please see:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#Migrating_from_a_Directory_Server_to_IPA

Specific command is
# ipa config-mod --enable-migration=TRUE

> Finally change your cakePHP app to make an ldap bind to authenticate users instead of checking its own database.

Or use PAM via SSSD. In this case the SSSD will do the trick. See the documentation about it.

Simo, are you sure simple bind is enough? I thought that it should be a bind over SSL with some specific ext op. Do I recall it wrong?

> This procedure requires some advanced scripting ability, and minor segues into firing a few ldapmodify commands with a very simple template ldif and a couple substitutions.
>
> However this is a possible solution.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From george_he7 at yahoo.com Mon Jun 25 17:55:07 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 25 Jun 2012 10:55:07 -0700 (PDT)
Subject: [Freeipa-users] freeipa and gdm
In-Reply-To: <1340646178.27656.3.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com> <1340644047.2774.48.camel@sgallagh520.sgallagh.bos.redhat.com> <1340645139.5639.YahooMailNeo@web120003.mail.ne1.yahoo.com> <1340645459.27656.2.camel@sgallagh520.sgallagh.bos.redhat.com> <1340646113.22951.YahooMailNeo@web120006.mail.ne1.yahoo.com> <1340646178.27656.3.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <1340646907.64510.YahooMailNeo@web120002.mail.ne1.yahoo.com>

Hi Stephen,

selinux was set to permissive before I installed the client. (I modified the file /etc/sysconfig/selinux) So it cannot be the reason.

Thanks,
George

>________________________________
> From: Stephen Gallagher
>To: george he
>Cc: "freeipa-users at redhat.com"
>Sent: Monday, June 25, 2012 1:42 PM
>Subject: Re: [Freeipa-users] freeipa and gdm
>
>On Mon, 2012-06-25 at 10:41 -0700, george he wrote:
>> Hi Stephen,
>>
>>
>> I already have a home directory which was created the first time I ssh
>> in.
>> Now when I click on "sign in", nothing happens...
>>
>
>Just to experiment, try 'setenforce 0' as root and then try to log in.
>SELinux could be denying you.
>
From sgallagh at redhat.com Mon Jun 25 17:58:54 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 25 Jun 2012 13:58:54 -0400
Subject: [Freeipa-users] freeipa and gdm
In-Reply-To: <1340646907.64510.YahooMailNeo@web120002.mail.ne1.yahoo.com>
References: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com> <1340644047.2774.48.camel@sgallagh520.sgallagh.bos.redhat.com> <1340645139.5639.YahooMailNeo@web120003.mail.ne1.yahoo.com> <1340645459.27656.2.camel@sgallagh520.sgallagh.bos.redhat.com> <1340646113.22951.YahooMailNeo@web120006.mail.ne1.yahoo.com> <1340646178.27656.3.camel@sgallagh520.sgallagh.bos.redhat.com> <1340646907.64510.YahooMailNeo@web120002.mail.ne1.yahoo.com>
Message-ID: <1340647134.27656.5.camel@sgallagh520.sgallagh.bos.redhat.com>

On Mon, 2012-06-25 at 10:55 -0700, george he wrote:
> Hi Stephen,
> selinux was set to permissive before I installed the client. ( I
> modified the file /etc/sysconfig/selinux)

Modifying that file without a reboot does not change the current state. That only tells the kernel whether to boot with SELinux enabled.

I suggest looking at /var/log/messages for other possible failures as well. From /var/log/secure, SSSD is authenticating successfully, so the failure is happening in GDM somewhere.
From george_he7 at yahoo.com Mon Jun 25 18:09:20 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 25 Jun 2012 11:09:20 -0700 (PDT)
Subject: [Freeipa-users] freeipa and gdm
In-Reply-To: <1340647134.27656.5.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com> <1340644047.2774.48.camel@sgallagh520.sgallagh.bos.redhat.com> <1340645139.5639.YahooMailNeo@web120003.mail.ne1.yahoo.com> <1340645459.27656.2.camel@sgallagh520.sgallagh.bos.redhat.com> <1340646113.22951.YahooMailNeo@web120006.mail.ne1.yahoo.com> <1340646178.27656.3.camel@sgallagh520.sgallagh.bos.redhat.com> <1340646907.64510.YahooMailNeo@web120002.mail.ne1.yahoo.com> <1340647134.27656.5.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <1340647760.72298.YahooMailNeo@web120002.mail.ne1.yahoo.com>

Hi Stephen,

Here are the lines from /var/log/messages. It seems there's some info, but I don't understand it...
Jun 25 13:53:37 mz dbus-daemon[775]: dbus[775]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper)
Jun 25 13:53:37 mz dbus[775]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper)
Jun 25 13:53:37 mz dbus-daemon[775]: Launching FprintObject
Jun 25 13:53:37 mz dbus-daemon[775]: dbus[775]: [system] Successfully activated service 'net.reactivated.Fprint'
Jun 25 13:53:37 mz dbus[775]: [system] Successfully activated service 'net.reactivated.Fprint'
Jun 25 13:53:37 mz dbus-daemon[775]: ** Message: D-Bus service launched with name: net.reactivated.Fprint
Jun 25 13:53:37 mz dbus-daemon[775]: ** Message: entering main loop
Jun 25 13:54:08 mz dbus-daemon[775]: ** Message: No devices in use, exit
Jun 25 14:03:53 mz dbus-daemon[775]: dbus[775]: [system] Rejected send message, 2 matched rules; type="method_return", sender=":1.0" (uid=0 pid=728 comm="/usr/lib/systemd/systemd-logind ") interface="(unset)" member="(unset)" error name="(unset)" requested_reply="0" destination=":1.21" (uid=42 pid=1183 comm="/usr/bin/gnome-session -f ")
Jun 25 14:03:53 mz dbus[775]: [system] Rejected send message, 2 matched rules; type="method_return", sender=":1.0" (uid=0 pid=728 comm="/usr/lib/systemd/systemd-logind ") interface="(unset)" member="(unset)" error name="(unset)" requested_reply="0" destination=":1.21" (uid=42 pid=1183 comm="/usr/bin/gnome-session -f ")

Your help is appreciated.
George

>________________________________
> From: Stephen Gallagher
>To: george he
>Cc: "freeipa-users at redhat.com"
>Sent: Monday, June 25, 2012 1:58 PM
>Subject: Re: [Freeipa-users] freeipa and gdm
>
>On Mon, 2012-06-25 at 10:55 -0700, george he wrote:
>> Hi Stephen,
>> selinux was set to permissive before I installed the client. ( I
>> modified the file /etc/sysconfig/selinux)
>
>
>Modifying that file without a reboot does not change the current state.
>That only tells the kernel whether to boot with SELinux enabled.
>
>I suggest looking at /var/log/messages for other possible failures as
>well. From /var/log/secure, SSSD is authenticating successfully, so the
>failure is happening in GDM somewhere.
>

From sgallagh at redhat.com Mon Jun 25 18:12:43 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 25 Jun 2012 14:12:43 -0400
Subject: [Freeipa-users] freeipa and gdm
In-Reply-To: <1340647760.72298.YahooMailNeo@web120002.mail.ne1.yahoo.com>
References: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com> <1340644047.2774.48.camel@sgallagh520.sgallagh.bos.redhat.com> <1340645139.5639.YahooMailNeo@web120003.mail.ne1.yahoo.com> <1340645459.27656.2.camel@sgallagh520.sgallagh.bos.redhat.com> <1340646113.22951.YahooMailNeo@web120006.mail.ne1.yahoo.com> <1340646178.27656.3.camel@sgallagh520.sgallagh.bos.redhat.com> <1340646907.64510.YahooMailNeo@web120002.mail.ne1.yahoo.com> <1340647134.27656.5.camel@sgallagh520.sgallagh.bos.redhat.com> <1340647760.72298.YahooMailNeo@web120002.mail.ne1.yahoo.com>
Message-ID: <1340647963.27656.6.camel@sgallagh520.sgallagh.bos.redhat.com>

On Mon, 2012-06-25 at 11:09 -0700, george he wrote:
> Hi Stephen,
>
>
> Here are the lines from /var/log/messages. it seems there's some info,
> but I don't understand it...

...
> Jun 25 14:03:53 mz dbus-daemon[775]: dbus[775]: [system] Rejected send
> message, 2 matched rules; type="method_return", sender=":1.0" (uid=0
> pid=728 comm="/usr/lib/systemd/systemd-logind ") interface="(unset)"
> member="(unset)" error name="(unset)" requested_reply="0"
> destination=":1.21" (uid=42 pid=1183 comm="/usr/bin/gnome-session -f
> ")
> Jun 25 14:03:53 mz dbus[775]: [system] Rejected send message, 2
> matched rules; type="method_return", sender=":1.0" (uid=0 pid=728
> comm="/usr/lib/systemd/systemd-logind ") interface="(unset)"
> member="(unset)" error name="(unset)" requested_reply="0"
> destination=":1.21" (uid=42 pid=1183 comm="/usr/bin/gnome-session -f
> ")

This is probably the cause of the issue, but I don't know why it's happening. Someone who understands GDM and systemd better than I do would have to step in here.

From simo at redhat.com Mon Jun 25 18:20:20 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 25 Jun 2012 14:20:20 -0400
Subject: [Freeipa-users] Request for comments - Libvirt (KVM) with VNC via IPA with kerberos authentication
In-Reply-To:
References:
Message-ID: <1340648420.32038.478.camel@willson.li.ssimo.org>

On Mon, 2012-06-25 at 15:11 +0100, James Hogarth wrote:
> Hi all,
>
> As mentioned on IRC today I've finished my write up of using libvirt
> (kvm virtualization)
> with VNC consoles and kerberos authentication with an IPA backend....
>
> I'd be interested in any feedback:
>
> http://freeipa.org/page/Libvirt_with_VNC_Consoles
>
> Kind regards,

James, excellent write up.
Thanks a lot!

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From dale at themacartneyclan.com Mon Jun 25 18:35:07 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Mon, 25 Jun 2012 19:35:07 +0100
Subject: [Freeipa-users] unable to add service principle from F17
Message-ID: <4FE8AF5B.7040907@themacartneyclan.com>

Hi all

I have a RHEL 6.2 ipa domain and I am running through one of my known working kickstarts for kerberised squid but instead of using RHEL I'm setting it up on Fedora 17.

I get the following error on the fedora system which has freeipa-admintools installed

[root at proxy02 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at EXAMPLE.COM

Valid starting     Expires            Service principal
06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/EXAMPLE.COM at EXAMPLE.COM
[root at proxy02 ~]# ipa service-add HTTP/$(hostname)
ipa: ERROR: did not receive Kerberos credentials
[root at proxy02 ~]# ipa service-add HTTP/proxy02.example.com
ipa: ERROR: did not receive Kerberos credentials
[root at proxy02 ~]#

Nothing appears in the logs apart from

==> /var/log/messages <==
Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
Jun 25 20:35:34 proxy02 pcscd[25567]: 00001428 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
Jun 25 20:35:34 proxy02 pcscd[25567]: 00001013 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
Jun 25 20:35:34 proxy02 pcscd[25567]: 00001230 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found

Any ideas?

This doesn't block me from what I am trying to achieve as I can add the service principal from the IPA server. Just thought I might ask the question.
Dale
From simo at redhat.com Mon Jun 25 18:36:56 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 25 Jun 2012 14:36:56 -0400
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
In-Reply-To: <4FE8A516.5080208@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com> <1340625022.32038.443.camel@willson.li.ssimo.org> <8AD4194C251EC74CB897E261038F4478010062D7@mantaray.tabula.com> <1340629616.32038.455.camel@willson.li.ssimo.org> <8AD4194C251EC74CB897E261038F4478010062E8@mantaray.tabula.com> <4FE8A516.5080208@redhat.com>
Message-ID: <1340649416.32038.482.camel@willson.li.ssimo.org>

On Mon, 2012-06-25 at 13:51 -0400, Dmitri Pal wrote:
>
> Simo are you sure simple bind is enough? I thought that it should be a
> bind over SSL with some specific ext op. Do I recall it wrong?

A bind over SSL is still called a "simple bind" and simply means a bind that uses a plain text password; the other option is a "SASL bind".

We use SASL binds when using Krb credentials, for example to do a SASL/GSSAPI/Krb5 bind.

We could also use a SASL/PLAIN bind, but I think there is a bug in 389DS with SASL/PLAIN, there should be a ticket somewhere. But it is not important, SASL/PLAIN is almost never used.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Mon Jun 25 18:39:44 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 25 Jun 2012 14:39:44 -0400
Subject: [Freeipa-users] freeipa and gdm
In-Reply-To: <1340646113.22951.YahooMailNeo@web120006.mail.ne1.yahoo.com>
References: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com> <1340644047.2774.48.camel@sgallagh520.sgallagh.bos.redhat.com> <1340645139.5639.YahooMailNeo@web120003.mail.ne1.yahoo.com> <1340645459.27656.2.camel@sgallagh520.sgallagh.bos.redhat.com> <1340646113.22951.YahooMailNeo@web120006.mail.ne1.yahoo.com>
Message-ID: <1340649584.32038.484.camel@willson.li.ssimo.org>

On Mon, 2012-06-25 at 10:41 -0700, george he wrote:
> Hi Stephen,
>
>
> I already have a home directory which was created the first time I ssh
> in.
> Now when I click on "sign in", nothing happens...
>

I've encountered this recently as well, apparently GDM uses some service that misbehaves when nsswitch.conf is changed.
It used to be simple to fix that by forcing a restart of GDM (I used to ctrl+alt+backspace once after install of sssd/ipa), but on my recent F17 it didn't work.
I suspect some stuff has been moved to a helper that is not restarted when gdm restarts.
A reboot fixed it for me.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From george_he7 at yahoo.com Mon Jun 25 18:45:16 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 25 Jun 2012 11:45:16 -0700 (PDT)
Subject: [Freeipa-users] freeipa and gdm
In-Reply-To: <1340649584.32038.484.camel@willson.li.ssimo.org>
References: <1340643170.56051.YahooMailNeo@web120004.mail.ne1.yahoo.com> <1340644047.2774.48.camel@sgallagh520.sgallagh.bos.redhat.com> <1340645139.5639.YahooMailNeo@web120003.mail.ne1.yahoo.com> <1340645459.27656.2.camel@sgallagh520.sgallagh.bos.redhat.com> <1340646113.22951.YahooMailNeo@web120006.mail.ne1.yahoo.com> <1340649584.32038.484.camel@willson.li.ssimo.org>
Message-ID: <1340649916.230.YahooMailNeo@web120004.mail.ne1.yahoo.com>

Yes!
reboot works.
Thanks a lot.
George

>________________________________
> From: Simo Sorce
>To: george he
>Cc: Stephen Gallagher ; "freeipa-users at redhat.com"
>Sent: Monday, June 25, 2012 2:39 PM
>Subject: Re: [Freeipa-users] freeipa and gdm
>
>On Mon, 2012-06-25 at 10:41 -0700, george he wrote:
>> Hi Stephen,
>>
>>
>> I already have a home directory which was created the first time I ssh
>> in.
>> Now when I click on "sign in", nothing happens...
>>
>
>I've encountered this recently as well, apparently GDM uses some service
>that misbehaves when nsswitch.conf is changed.
>It used to be simple to fix that by forcing a restart of GDM (I used to
>ctrl+alt+backspace once after install of sssd/ipa), but on my recent F17
>it didn't work.
>I suspect some stuff has been moved to a helper that is not restarted
>when gdm restarts.
>A reboot fixed it for me.
>
>Simo.
>
>
>--
>Simo Sorce * Red Hat, Inc * New York
>

From rcritten at redhat.com Mon Jun 25 18:53:42 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jun 2012 14:53:42 -0400
Subject: [Freeipa-users] unable to add service principle from F17
In-Reply-To: <4FE8AF5B.7040907@themacartneyclan.com>
References: <4FE8AF5B.7040907@themacartneyclan.com>
Message-ID: <4FE8B3B6.6040305@redhat.com>

Dale Macartney wrote:
>
> Hi all
>
> I have a RHEL 6.2 ipa domain and I am running through one of my known
> working kickstarts for kerberised squid but instead of using RHEL I'm
> setting it up on Fedora 17.
>
> I get the following error on the fedora system which has
> freeipa-admintools installed
>
> [root at proxy02 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/EXAMPLE.COM at EXAMPLE.COM
> [root at proxy02 ~]# ipa service-add HTTP/$(hostname)
> ipa: ERROR: did not receive Kerberos credentials
> [root at proxy02 ~]# ipa service-add HTTP/proxy02.example.com
> ipa: ERROR: did not receive Kerberos credentials
> [root at proxy02 ~]#
>
>
>
> Nothing appears in the logs apart from
>
> ==> /var/log/messages<==
> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884
> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001428
> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001013
> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001230
> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>
>
> Any ideas?
>
> This doesn't block me from what I am trying to achieve as I can add the
> service principal from the IPA server. Just thought I might ask the
> question.

What version of client and server?
rob

From dpal at redhat.com Mon Jun 25 19:39:34 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 25 Jun 2012 15:39:34 -0400
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
In-Reply-To: <1340649416.32038.482.camel@willson.li.ssimo.org>
References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com> <1340625022.32038.443.camel@willson.li.ssimo.org> <8AD4194C251EC74CB897E261038F4478010062D7@mantaray.tabula.com> <1340629616.32038.455.camel@willson.li.ssimo.org> <8AD4194C251EC74CB897E261038F4478010062E8@mantaray.tabula.com> <4FE8A516.5080208@redhat.com> <1340649416.32038.482.camel@willson.li.ssimo.org>
Message-ID: <4FE8BE76.7050907@redhat.com>

On 06/25/2012 02:36 PM, Simo Sorce wrote:
> On Mon, 2012-06-25 at 13:51 -0400, Dmitri Pal wrote:
>> Simo are you sure simple bind is enough? I thought that it should be a
>> bind over SSL with some specific ext op. Do I recall it wrong?
> A bind over SSL is still called a "simple bind" and simply means a bind
> that uses a plain text password, the other option is a "SASL bind".
>
> We use SASL binds when using Krb credentials for example to do a
> SASL/GSSAPI/Krb5 bind.
>
> We could also use a SASL/PLAIN bind, but I think there is a bug in 389DS
> with SASL/PLAIN, there should be a ticket somewhere. But it is not
> important, SASL/PLAIN is almost never used.
>
> Simo.
>

I know that it is called a simple bind. But it is not just a simple bind. It needs to be a bind over SSL and I recall some ext op being required too but I am not sure and this is what I was asking about.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Mon Jun 25 19:44:16 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 25 Jun 2012 15:44:16 -0400
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
In-Reply-To: <4FE8BE76.7050907@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com> <1340625022.32038.443.camel@willson.li.ssimo.org> <8AD4194C251EC74CB897E261038F4478010062D7@mantaray.tabula.com> <1340629616.32038.455.camel@willson.li.ssimo.org> <8AD4194C251EC74CB897E261038F4478010062E8@mantaray.tabula.com> <4FE8A516.5080208@redhat.com> <1340649416.32038.482.camel@willson.li.ssimo.org> <4FE8BE76.7050907@redhat.com>
Message-ID: <1340653456.32038.486.camel@willson.li.ssimo.org>

On Mon, 2012-06-25 at 15:39 -0400, Dmitri Pal wrote:
> On 06/25/2012 02:36 PM, Simo Sorce wrote:
> > On Mon, 2012-06-25 at 13:51 -0400, Dmitri Pal wrote:
> >> Simo are you sure simple bind is enough? I thought that it should be a
> >> bind over SSL with some specific ext op. Do I recall it wrong?
> > A bind over SSL is still called a "simple bind" and simply means a bind
> > that uses a plain text password, the other option is a "SASL bind".
> >
> > We use SASL binds when using Krb credentials for example to do a
> > SASL/GSSAPI/Krb5 bind.
> >
> > We could also use a SASL/PLAIN bind, but I think there is a bug in 389DS
> > with SASL/PLAIN, there should be a ticket somewhere. But it is not
> > important, SASL/PLAIN is almost never used.
> >
> > Simo.
> >
> I know that it is called a simple bind. But it is not just a simple
> bind. It needs to be a bind over SSL and I recall some ext op being
> required too but I am not sure and this is what I was asking about.

We do require SSL for simple binds as well as for any password change whether it is done via ldappasswd extended operation or a ldapmodify.
Of course using SASL/GSSAPI instead of SSL to protect the connection for password changes is also ok.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Mon Jun 25 19:52:26 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 25 Jun 2012 15:52:26 -0400
Subject: [Freeipa-users] Transfer user database to FreeIPA LDAP
In-Reply-To: <4FE8BE76.7050907@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010062C7@mantaray.tabula.com> <4FE76F45.5080406@redhat.com> <1340625022.32038.443.camel@willson.li.ssimo.org> <8AD4194C251EC74CB897E261038F4478010062D7@mantaray.tabula.com> <1340629616.32038.455.camel@willson.li.ssimo.org> <8AD4194C251EC74CB897E261038F4478010062E8@mantaray.tabula.com> <4FE8A516.5080208@redhat.com> <1340649416.32038.482.camel@willson.li.ssimo.org> <4FE8BE76.7050907@redhat.com>
Message-ID: <1340653946.27656.14.camel@sgallagh520.sgallagh.bos.redhat.com>

On Mon, 2012-06-25 at 15:39 -0400, Dmitri Pal wrote:
> On 06/25/2012 02:36 PM, Simo Sorce wrote:
> > On Mon, 2012-06-25 at 13:51 -0400, Dmitri Pal wrote:
> >> Simo are you sure simple bind is enough? I thought that it should be a
> >> bind over SSL with some specific ext op. Do I recall it wrong?
> > A bind over SSL is still called a "simple bind" and simply means a bind
> > that uses a plain text password, the other option is a "SASL bind".
> >
> > We use SASL binds when using Krb credentials for example to do a
> > SASL/GSSAPI/Krb5 bind.
> >
> > We could also use a SASL/PLAIN bind, but I think there is a bug in 389DS
> > with SASL/PLAIN, there should be a ticket somewhere. But it is not
> > important, SASL/PLAIN is almost never used.
> >
> > Simo.
> >
> I know that it is called a simple bind. But it is not just a simple
> bind. It needs to be a bind over SSL and I recall some ext op being
> required too but I am not sure and this is what I was asking about.
>

This is incorrect. The migration is handled as a plugin on the DS side. So when a simple bind occurs, it checks to see if the user binding has kerberos entries. If not, it takes the plaintext and creates the entry.
If migration mode is enabled on the server, it will do this automatically (if the user does not already have kerberos hashes).

The presence or absence of SSL is irrelevant, but it is always wise to use SSL, since the LDAP protocol transmits the simple bind password in plaintext over the wire, making it trivial to snoop without TLS/SSL in place.

From dale at themacartneyclan.com Mon Jun 25 21:27:56 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Mon, 25 Jun 2012 22:27:56 +0100
Subject: [Freeipa-users] unable to add service principle from F17
In-Reply-To: <4FE8B3B6.6040305@redhat.com>
References: <4FE8AF5B.7040907@themacartneyclan.com> <4FE8B3B6.6040305@redhat.com>
Message-ID: <4FE8D7DC.1050801@themacartneyclan.com>

On 25/06/12 19:53, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> Hi all
>>
>> I have a RHEL 6.2 ipa domain and I am running through one of my known
>> working kickstarts for kerberised squid but instead of using RHEL I'm
>> setting it up on Fedora 17.
>>
>> I get the following error on the fedora system which has
>> freeipa-admintools installed
>>
>> [root at proxy02 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin at EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>> [root at proxy02 ~]# ipa service-add HTTP/$(hostname)
>> ipa: ERROR: did not receive Kerberos credentials
>> [root at proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>> ipa: ERROR: did not receive Kerberos credentials
>> [root at proxy02 ~]#
>>
>>
>>
>> Nothing appears in the logs apart from
>>
>> ==> /var/log/messages<==
>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884
>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001428
>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001013
>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001230
>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>
>>
>> Any ideas?
>>
>> This doesn't block me from what I am trying to achieve as I can add the
>> service principal from the IPA server. Just thought I might ask the
>> question.
>
> What version of client and server?
>
> rob

Server details

[root at ds01 ~]# yum info ipa-server
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Installed Packages
Name        : ipa-server
Arch        : x86_64
Version     : 2.1.3
Release     : 9.el6
Size        : 3.2 M
Repo        : installed
From repo   : Red Hat Enterprise Linux
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
License     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof).
            : If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).

Client details

[root at proxy02 ~]# yum info freeipa-client
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
Name        : freeipa-client
Arch        : x86_64
Version     : 2.2.0
Release     : 1.fc17
Size        : 239 k
Repo        : installed
From repo   : fedora
Summary     : IPA authentication for use on clients
URL         : http://www.freeipa.org/
Licence     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If your network uses IPA for authentication,
            : this package should be installed on every client machine.

[root at proxy02 ~]# yum info freeipa-admintools
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
Name        : freeipa-admintools
Arch        : x86_64
Version     : 2.2.0
Release     : 1.fc17
Size        : 43 k
Repo        : installed
From repo   : fedora
Summary     : IPA administrative tools
URL         : http://www.freeipa.org/
Licence     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). This package provides command-line tools for
            : IPA administrators.
[root at proxy02 ~]#
From rcritten at redhat.com Mon Jun 25 21:37:20 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jun 2012 17:37:20 -0400
Subject: [Freeipa-users] unable to add service principle from F17
In-Reply-To: <4FE8D7DC.1050801@themacartneyclan.com>
References: <4FE8AF5B.7040907@themacartneyclan.com> <4FE8B3B6.6040305@redhat.com> <4FE8D7DC.1050801@themacartneyclan.com>
Message-ID: <4FE8DA10.50300@redhat.com>

Dale Macartney wrote:
>
> On 25/06/12 19:53, Rob Crittenden wrote:
>> Dale Macartney wrote:
>>>
>>> Hi all
>>>
>>> I have a RHEL 6.2 ipa domain and I am running through one of my known
>>> working kickstarts for kerberised squid but instead of using RHEL I'm
>>> setting it up on Fedora 17.
>>>
>>> I get the following error on the fedora system which has
>>> freeipa-admintools installed
>>>
>>> [root at proxy02 ~]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: admin at EXAMPLE.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>> [root at proxy02 ~]# ipa service-add HTTP/$(hostname)
>>> ipa: ERROR: did not receive Kerberos credentials
>>> [root at proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>>> ipa: ERROR: did not receive Kerberos credentials
>>> [root at proxy02 ~]#
>>>
>>>
>>>
>>> Nothing appears in the logs apart from
>>>
>>> ==> /var/log/messages<==
>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884
>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001428
>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001013
>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001230
>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>
>>>
>>> Any ideas?
>>>
>>> This doesn't block me from what I am trying to achieve as I can add the
>>> service principal from the IPA server. Just thought I might ask the
>>> question.
>>
>> What version of client and server?
>>
>> rob
>
> Server details
>
> [root at ds01 ~]# yum info ipa-server
> Loaded plugins: product-id, security, subscription-manager
> Updating certificate-based repositories.
> Installed Packages
> Name        : ipa-server
> Arch        : x86_64
> Version     : 2.1.3
> Release     : 9.el6
> Size        : 3.2 M
> Repo        : installed
> From repo   : Red Hat Enterprise Linux
> Summary     : The IPA authentication server
> URL         : http://www.freeipa.org/
> License     : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed
> Identity (machine,
>             : user, virtual machines, groups, authentication
> credentials), Policy
>             : (configuration settings, access control information) and
> Audit (events,
>             : logs, analysis thereof). If you are installing an IPA
> server you need
>             : to install this package (in other words, most people
> should NOT install
>             : this package).
>
>
> Client details
>
> [root at proxy02 ~]# yum info freeipa-client
> Loaded plugins: langpacks, presto, refresh-packagekit
> Installed Packages
> Name        : freeipa-client
> Arch        : x86_64
> Version     : 2.2.0
> Release     : 1.fc17
> Size        : 239 k
> Repo        : installed
> From repo   : fedora
> Summary     : IPA authentication for use on clients
> URL         : http://www.freeipa.org/
> Licence     : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed
> Identity (machine,
>             : user, virtual machines, groups, authentication
> credentials), Policy
>             : (configuration settings, access control information) and
> Audit (events,
>             : logs, analysis thereof). If your network uses IPA for
> authentication,
>             : this package should be installed on every client machine.
> > [root at proxy02 ~]# yum info freeipa-admintools
> Loaded plugins: langpacks, presto, refresh-packagekit
> Installed Packages
> Name        : freeipa-admintools
> Arch        : x86_64
> Version     : 2.2.0
> Release     : 1.fc17
> Size        : 43 k
> Repo        : installed
> From repo   : fedora
> Summary     : IPA administrative tools
> URL         : http://www.freeipa.org/
> Licence     : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>             : user, virtual machines, groups, authentication credentials), Policy
>             : (configuration settings, access control information) and Audit (events,
>             : logs, analysis thereof). This package provides command-line tools for
>             : IPA administrators.
>
> [root at proxy02 ~]#

Use the --delegate flag in the ipa tool. The 2.2 servers use S4U2Proxy so sending the TGT is no longer required as it was pre 2.2.

# ipa --delegate service-add HTTP/$(hostname)

rob

From danieljamesscott at gmail.com Mon Jun 25 21:37:26 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Mon, 25 Jun 2012 17:37:26 -0400
Subject: [Freeipa-users] IPA replica install "A CA is already configured on this system."
Message-ID:

Hi,

I'm trying to install a new Fedora 17 replica of my existing Fedora 16 FreeIPA servers as part of my migration process.

I first attempted the installation using an old replica file, but ran into some issues so I uninstalled and generated a new replica file.

Now, when I run the command, I get:

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
A CA is already configured on this system.

I've tried running "ipa-server-install --uninstall" multiple times, but nothing changes.

Can someone help?
Dan

From pspacek at redhat.com Tue Jun 26 10:14:52 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 26 Jun 2012 12:14:52 +0200
Subject: [Freeipa-users] Non IPA Connected Slave DNS Server ?
In-Reply-To: <4FE828AE.6010306@redhat.com>
References: <4FE1C148.2070501@dageek.co.uk> <4FE828AE.6010306@redhat.com>
Message-ID: <4FE98B9C.9010500@redhat.com>

On 06/25/2012 11:00 AM, Petr Spacek wrote:
> Hello,
>
> sorry for the big delay.
>
> On 06/20/2012 02:25 PM, Gavin Spurgeon wrote:
>> Hi All,
>>
>> Just have a quick question re: $subject
>>
>> I have seen some BZ's about this, but just wanted to check with the list
>> to see what people have to say about this.
>>
>> I have an IPA Domain (example.com) and it is running as it should be.
>>
>> I also have 2 Public DNS Servers that run all of my non IPA Zones (in
>> the 100s). I want these two DNS Servers to act as Standard Bind Slave
>> Servers for my IPA Domain (i.e. to do a simple AXFR from the IPA Master)
> Current IPA (with the bind-dyndb-ldap driver) supports AXFR itself. The problem lies
> in the SOA serial number update - it is not maintained for changes done via WebUI
> or CLI. If you do any change through WebUI or CLI, you need to manually bump
> the SOA serial number.
> Any change via the DNS dynamic update mechanism (nsupdate) will bump the SOA
> serial automatically.
>
>> a, No adding the Public DNS Servers to IPA is not an option...
>> b, Is this possible *now*
> You can "hack" current IPA and bump the SOA serial number e.g. each hour (from
> cron). In that case the zone will be transferred each hour to the slave server, but
> you will waste some bandwidth.
>
>> c, does any one have any other suggestions, on how to get my desired goal ?
> You have to set the idnsAllowTransfer attribute in the relevant zones, see
> http://git.fedorahosted.org/git/?p=bind-dyndb-ldap.git;a=blob;f=README
>
>> d, if not, when will this be possible ?
> Automatic SOA serial number update is on the roadmap for 3.0, stay tuned.

You can read the recent discussion about this feature in the archive:
https://www.redhat.com/archives/freeipa-devel/2012-May/msg00047.html

The IPA environment is multi-mastered and we are seeking the best trade-off. The last proposed approach is "local SOA serial" - each BIND server will manage its own SOA serial number.

Please read the thread above and post your opinion.

Petr^2 Spacek

>> Gavin Spurgeon.
>> AKA Da Geek

From dale at themacartneyclan.com Tue Jun 26 10:25:53 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Tue, 26 Jun 2012 11:25:53 +0100
Subject: [Freeipa-users] unable to add service principle from F17
In-Reply-To: <4FE8DA10.50300@redhat.com>
References: <4FE8AF5B.7040907@themacartneyclan.com> <4FE8B3B6.6040305@redhat.com> <4FE8D7DC.1050801@themacartneyclan.com> <4FE8DA10.50300@redhat.com>
Message-ID: <4FE98E31.5070004@themacartneyclan.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 25/06/12 22:37, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> On 25/06/12 19:53, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Hi all
>>>>
>>>> I have a RHEL 6.2 ipa domain and I am running through one of my known
>>>> working kickstarts for kerberised squid but instead of using RHEL I'm
>>>> setting it up on Fedora 17.
>>>> >>>> I get the following error on the fedora system which has >>>> freeipa-admintools installed >>>> >>>> [root at proxy02 ~]# klist >>>> Ticket cache: FILE:/tmp/krb5cc_0 >>>> Default principal: admin at EXAMPLE.COM >>>> >>>> Valid starting Expires Service principal >>>> 06/25/12 20:34:33 06/26/12 20:34:31 krbtgt/EXAMPLE.COM at EXAMPLE.COM >>>> [root at proxy02 ~]# ipa service-add HTTP/$(hostname) >>>> ipa: ERROR: did not receive Kerberos credentials >>>> [root at proxy02 ~]# ipa service-add HTTP/proxy02.example.com >>>> ipa: ERROR: did not receive Kerberos credentials >>>> [root at proxy02 ~]# >>>> >>>> >>>> >>>> Nothing appears in the logs apart from >>>> >>>> ==> /var/log/messages<== >>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884 >>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found >>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001428 >>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found >>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001013 >>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found >>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001230 >>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found >>>> >>>> >>>> Any ideas? >>>> >>>> This doesn't block me from what I am trying to achieve as I can add the >>>> service principle from the IPA server. Just thought I might ask the >>>> question. >>> >>> What version of client and server? >>> >>> rob >> >> Server details >> >> [root at ds01 ~]# yum info ipa-server >> Loaded plugins: product-id, security, subscription-manager >> Updating certificate-based repositories. 
>> Installed Packages >> Name : ipa-server >> Arch : x86_64 >> Version : 2.1.3 >> Release : 9.el6 >> Size : 3.2 M >> Repo : installed >> - From repo : Red Hat Enterprise Linux >> Summary : The IPA authentication server >> URL : http://www.freeipa.org/ >> License : GPLv3+ >> Description : IPA is an integrated solution to provide centrally managed >> Identity (machine, >> : user, virtual machines, groups, authentication >> credentials), Policy >> : (configuration settings, access control information) and >> Audit (events, >> : logs, analysis thereof). If you are installing an IPA >> server you need >> : to install this package (in other words, most people >> should NOT install >> : this package). >> >> >> Client details >> >> [root at proxy02 ~]# yum info freeipa-client >> Loaded plugins: langpacks, presto, refresh-packagekit >> Installed Packages >> Name : freeipa-client >> Arch : x86_64 >> Version : 2.2.0 >> Release : 1.fc17 >> Size : 239 k >> Repo : installed >> - From repo : fedora >> Summary : IPA authentication for use on clients >> URL : http://www.freeipa.org/ >> Licence : GPLv3+ >> Description : IPA is an integrated solution to provide centrally managed >> Identity (machine, >> : user, virtual machines, groups, authentication >> credentials), Policy >> : (configuration settings, access control information) and >> Audit (events, >> : logs, analysis thereof). If your network uses IPA for >> authentication, >> : this package should be installed on every client machine. 
>> >> [root at proxy02 ~]# yum info freeipa-admintools
>> Loaded plugins: langpacks, presto, refresh-packagekit
>> Installed Packages
>> Name        : freeipa-admintools
>> Arch        : x86_64
>> Version     : 2.2.0
>> Release     : 1.fc17
>> Size        : 43 k
>> Repo        : installed
>> From repo   : fedora
>> Summary     : IPA administrative tools
>> URL         : http://www.freeipa.org/
>> Licence     : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>             : user, virtual machines, groups, authentication credentials), Policy
>>             : (configuration settings, access control information) and Audit (events,
>>             : logs, analysis thereof). This package provides command-line tools for
>>             : IPA administrators.
>>
>> [root at proxy02 ~]#
>
> Use the --delegate flag in the ipa tool. The 2.2 servers use S4U2Proxy so sending the TGT is no longer required as it was pre 2.2.
>
> # ipa --delegate service-add HTTP/$(hostname)
>
> rob
>

Ah.. good to know. Thanks for the info. It does get past the TGT aspect; now it's just a version conflict. There may or may not be a workaround for that.

[root at proxy02 ~]# ipa --delegate service-add HTTP/proxy02.example.com
ipa: ERROR: 2.34 client incompatible with 2.13 server at u'https://ds01.example.com/ipa/xml'

From mkosek at redhat.com Tue Jun 26 11:06:28 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 26 Jun 2012 13:06:28 +0200
Subject: [Freeipa-users] IPA replica install "A CA is already configured on this system."
In-Reply-To:
References:
Message-ID: <4FE997B4.2060507@redhat.com>

On 06/25/2012 11:37 PM, Dan Scott wrote:
> Hi,
>
> I'm trying to install a new Fedora 17 replica of my existing Fedora 16
> FreeIPA servers as part of my migration process.
>
> I first attempted the installation using an old replica file, but ran
> into some issues so I uninstalled and generated a new replica file.
>
> Now, when I run the command, I get:
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> A CA is already configured on this system.
>
> I've tried running "ipa-server-install --uninstall" multiple times,
> but nothing changes.
>
> Can someone help?
>
> Dan
>

Hello,

It seems that the PKI CA is still configured in /var/lib/pki-ca. You may try to force IPA CA removal with this command:

# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force

Martin

From natxo.asenjo at gmail.com Tue Jun 26 13:02:06 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Tue, 26 Jun 2012 15:02:06 +0200
Subject: [Freeipa-users] rfe: ldap for dhcp
Message-ID:

hi,

recently it was brought to my attention that isc-dhcpd version 4.2 supports getting its database information from ldap. Earlier versions support it as well with a patch.

It would be awesome if this could be integrated in IPA.

I am aware you guys have your hands full with plenty of stuff, but if this could get integrated IPA would be even further than AD (that as far as I know cannot do this).

--
Groeten,
natxo

From sgallagh at redhat.com Tue Jun 26 13:13:01 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 26 Jun 2012 09:13:01 -0400
Subject: [Freeipa-users] rfe: ldap for dhcp
In-Reply-To:
References:
Message-ID: <1340716381.2533.20.camel@sgallagh520.sgallagh.bos.redhat.com>

On Tue, 2012-06-26 at 15:02 +0200, Natxo Asenjo wrote:
> hi,
>
> recently it was brought to my attention that isc-dhcpd version 4.2
> supports getting its database information from ldap. Earlier versions
> support it as well with a patch.
>
> It would be awesome if this could be integrated in IPA.
>
> I am aware you guys have your hands full with plenty of stuff, but if
> this could get integrated IPA would be even further than AD (that as
> far as I know cannot do this).

Natxo, would you be interested in contributing this functionality? If you are familiar with Python, an excellent primer on FreeIPA development can be found at http://abbra.fedorapeople.org/guide.html

The core FreeIPA team has a lot on their plate right now, so any major new features like this would probably need to be contributed from the wider community or else deferred until the current crop of functionality is complete.

We'd be happy to help you along if you (or anyone else on this mailing list) wants to take this feature on.

From natxo.asenjo at gmail.com Tue Jun 26 13:54:37 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Tue, 26 Jun 2012 15:54:37 +0200
Subject: [Freeipa-users] rfe: ldap for dhcp
In-Reply-To: <1340716381.2533.20.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <1340716381.2533.20.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID:

On Tue, Jun 26, 2012 at 3:13 PM, Stephen Gallagher wrote:
> On Tue, 2012-06-26 at 15:02 +0200, Natxo Asenjo wrote:
> > hi,
> >
> > recently it was brought to my attention that isc-dhcpd version 4.2
> > supports getting its database information from ldap. Earlier versions
> > support it as well with a patch.
> >
> > It would be awesome if this could be integrated in IPA.
> >
> > I am aware you guys have your hands full with plenty of stuff, but if
> > this could get integrated IPA would be even further than AD (that as
> > far as I know cannot do this).
>
> Natxo, would you be interested in contributing this functionality? If
> you are familiar with Python, an excellent primer on FreeIPA development
> can be found at http://abbra.fedorapeople.org/guide.html
>
> The core FreeIPA team has a lot on their plate right now, so any major
> new features like this would probably need to be contributed from the wider
> community or else deferred until the current crop of functionality is
> complete.
>
> We'd be happy to help you along if you (or anyone else on this mailing
> list) wants to take this feature on.
>

Not familiar with Python (Perl guy, basic), but I can always try stuff. I am just a sysadmin :-)

I have read the link you posted, and I think I would need a *lot* of hand holding to get it in the web-ui.

What I can try is to see if it works outside of the web ui: importing the dhcp schema in the directory and filling in the dhcp objects, then getting it to work with a dhcp server.

If that works, then we can see how we get from there.

I already appreciate that you take this seriously. Thanks!

--
natxo

From george_he7 at yahoo.com Tue Jun 26 14:02:33 2012
From: george_he7 at yahoo.com (george he)
Date: Tue, 26 Jun 2012 07:02:33 -0700 (PDT)
Subject: [Freeipa-users] replica installation clean up
In-Reply-To: <4FE4D456.6050409@redhat.com>
References: <1340309492.98185.YahooMailNeo@web120002.mail.ne1.yahoo.com> <4FE3857E.5000008@redhat.com> <1340332108.47760.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1340390761.65178.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FE4D456.6050409@redhat.com>
Message-ID: <1340719353.47569.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hello,

I think it might be easier to just re-install FC17 on my machine since it's brand new and I won't lose any data. Now I want to back up a few folders where some files are changed during ipa installation, so that if I mess up again, I only need to copy the original folder over. For this purpose, is the following list sufficient?
/boot
/etc
/home
/root
/usr
/var

I think I probably don't need /boot /home /root either, but these are small.

Thanks for your advice.
George

>________________________________
> From: Rob Crittenden
>To: george he
>Cc: "freeipa-users at redhat.com"
>Sent: Friday, June 22, 2012 4:23 PM
>Subject: Re: [Freeipa-users] replica installation clean up
>
>george he wrote:
>> Hello,
>>
>> Since I didn't get any reply on this, I just went ahead and did
>> /ipa-server-install --uninstall
>> to clean up and did
>> ipa-replica-manage del myreplica --force
>> on mymaster
>> After these I did ipa-replica-install again but this time I get
>>
>> ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command
>> '/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpExxi0H -x -D
>> cn=Directory Manager -y /tmp/tmpa12oUA' returned non-zero exit status 1
>>
>> Any suggestions on this?
>
>It depends on why it failed. When there is an installation error I recommend you start by looking at /var/log/ipa-server-install.log or /var/log/ipareplica-install.log as needed.
>
>This error would suggest that something was not removed from LDAP when the last replica was deleted. This may be ok. You'll need to use ldapsearch to verify that cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX and cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX have a memberPrincipal for the service principal of your replica.
>
>something like:
>
>ldapsearch -LLL -x -b cn=s4u2proxy,cn=etc,dc=example,dc=com
>
>rob
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
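Rob's advice quoted above is to run ldapsearch against cn=s4u2proxy,cn=etc,$SUFFIX and confirm that both delegation entries carry a memberPrincipal for the replica. The script below is an added example (Python 3) written for this archive; it is not code from the thread or from FreeIPA. It parses the LDIF that `ldapsearch -LLL` prints (including folded lines and base64 `::` values) and reports which delegation entry is missing which principal. The sample LDIF is constructed, not captured from a server, and the mapping it checks (HTTP/<fqdn>@REALM in cn=ipa-http-delegation, ldap/<fqdn>@REALM in cn=ipa-ldap-delegation-targets) is an assumption stated in the code.

```python
"""Verify a replica's S4U2Proxy delegation membership from ldapsearch output.

Added example (Python 3), not code from this thread or from FreeIPA.
Assumption: cn=ipa-http-delegation lists HTTP/<fqdn>@REALM and
cn=ipa-ldap-delegation-targets lists ldap/<fqdn>@REALM for every master.
"""
import base64
import sys

# Constructed sample (not real server output): the replica is present in the
# HTTP delegation entry but missing from the ldap delegation targets, the kind
# of leftover a half-removed replica produces.  "description::" carries a
# base64 value and the ipaAllowedTarget line is folded as ldapsearch wraps it.
SAMPLE_LDIF = """\
dn: cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: nsContainer
cn: s4u2proxy
description:: UzRVMlByb3h5IGRlbGVnYXRpb24=

dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
cn: ipa-http-delegation
memberPrincipal: HTTP/mymaster.example.com@EXAMPLE.COM
memberPrincipal: HTTP/myreplica.example.com@EXAMPLE.COM
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ex
 ample,dc=com

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: groupOfPrincipals
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/mymaster.example.com@EXAMPLE.COM
"""


def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into [(dn, {attr_lower: [values]})].

    Handles folded continuation lines (leading space), base64 values
    ("attr:: ...") and comment lines.  Attribute names are lower-cased so
    callers need not care about memberPrincipal vs memberprincipal."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():             # blank line terminates an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):         # "attr:: base64"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            if current is not None:
                entries.append(current)
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def find_entry(entries, dn):
    """Return the attribute dict for `dn` (compared case-insensitively), or None."""
    for entry_dn, attrs in entries:
        if entry_dn.lower() == dn.lower():
            return attrs
    return None


def missing_delegations(entries, suffix, replica_fqdn, realm):
    """Map each delegation DN lacking the replica's principal to the principal
    it should hold.  Empty dict means both entries are complete; an entry that
    is absent altogether counts as missing its principal."""
    expected = {
        "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,%s" % suffix:
            "HTTP/%s@%s" % (replica_fqdn, realm),
        "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,%s" % suffix:
            "ldap/%s@%s" % (replica_fqdn, realm),
    }
    missing = {}
    for dn, principal in expected.items():
        attrs = find_entry(entries, dn) or {}
        if principal not in attrs.get("memberprincipal", []):
            missing[dn] = principal
    return missing


if __name__ == "__main__":
    # Usage: ldapsearch -LLL -x -b cn=s4u2proxy,cn=etc,dc=example,dc=com |
    #        python3 check_s4u2proxy.py dc=example,dc=com myreplica.example.com EXAMPLE.COM
    # Without arguments the constructed sample above is checked instead.
    if len(sys.argv) == 4:
        ldif = sys.stdin.read()
        suffix, fqdn, realm = sys.argv[1:]
    else:
        ldif = SAMPLE_LDIF
        suffix, fqdn, realm = "dc=example,dc=com", "myreplica.example.com", "EXAMPLE.COM"
    problems = missing_delegations(parse_ldif(ldif), suffix, fqdn, realm)
    for dn, principal in sorted(problems.items()):
        print("%s is missing memberPrincipal %s" % (dn, principal))
```

Run without arguments it reports that the sample's ldap delegation targets lack ldap/myreplica.example.com@EXAMPLE.COM, which is exactly the condition that makes the replica-s4u2proxy.ldif step of the installer fail and need a manual fix on the master before retrying.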
From dpal at redhat.com Tue Jun 26 14:28:07 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 26 Jun 2012 10:28:07 -0400
Subject: [Freeipa-users] rfe: ldap for dhcp
In-Reply-To:
References: <1340716381.2533.20.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <4FE9C6F7.6010408@redhat.com>

On 06/26/2012 09:54 AM, Natxo Asenjo wrote:
> On Tue, Jun 26, 2012 at 3:13 PM, Stephen Gallagher wrote:
>
> > On Tue, 2012-06-26 at 15:02 +0200, Natxo Asenjo wrote:
> > > hi,
> > >
> > > recently it was brought to my attention that isc-dhcpd version 4.2
> > > supports getting its database information from ldap. Earlier versions
> > > support it as well with a patch.
> > >
> > > It would be awesome if this could be integrated in IPA.
> > >
> > > I am aware you guys have your hands full with plenty of stuff, but if
> > > this could get integrated IPA would be even further than AD (that as
> > > far as I know cannot do this).
> >
> > Natxo, would you be interested in contributing this functionality? If
> > you are familiar with Python, an excellent primer on FreeIPA development
> > can be found at http://abbra.fedorapeople.org/guide.html
> >
> > The core FreeIPA team has a lot on their plate right now, so any major
> > new features like this would probably need to be contributed from the wider
> > community or else deferred until the current crop of functionality is
> > complete.
> >
> > We'd be happy to help you along if you (or anyone else on this mailing
> > list) wants to take this feature on.
>
> Not familiar with Python (Perl guy, basic), but I can always try
> stuff. I am just a sysadmin :-)
>
> I have read the link you posted, and I think I would need a *lot* of
> hand holding to get it in the web-ui.
>
> What I can try is to see if it works outside of the web ui: importing the
> dhcp schema in the directory and filling in the dhcp objects, then getting
> it to work with a dhcp server.
>
> If that works, then we can see how we get from there.
>
> I already appreciate that you take this seriously. Thanks!
>

We do. You are not the first person to ask. But we have to put it off as our hands are full. Any help will be appreciated.

> --
> natxo

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Tue Jun 26 14:44:18 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 26 Jun 2012 10:44:18 -0400
Subject: [Freeipa-users] rfe: ldap for dhcp
In-Reply-To:
References: <1340716381.2533.20.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <1340721858.1765.2.camel@willson.li.ssimo.org>

On Tue, 2012-06-26 at 15:54 +0200, Natxo Asenjo wrote:
> On Tue, Jun 26, 2012 at 3:13 PM, Stephen Gallagher wrote:
> > On Tue, 2012-06-26 at 15:02 +0200, Natxo Asenjo wrote:
> > > hi,
> > >
> > > recently it was brought to my attention that isc-dhcpd version 4.2
> > > supports getting its database information from ldap. Earlier versions
> > > support it as well with a patch.
> > >
> > > It would be awesome if this could be integrated in IPA.
> > >
> > > I am aware you guys have your hands full with plenty of stuff, but if
> > > this could get integrated IPA would be even further than AD (that as
> > > far as I know cannot do this).
> >
> > Natxo, would you be interested in contributing this functionality? If
> > you are familiar with Python, an excellent primer on FreeIPA development
> > can be found at http://abbra.fedorapeople.org/guide.html
> >
> > The core FreeIPA team has a lot on their plate right now, so any major
> > new features like this would probably need to be contributed from the wider
> > community or else deferred until the current crop of functionality is
> > complete.
> >
> > We'd be happy to help you along if you (or anyone else on this mailing
> > list) wants to take this feature on.
>
> Not familiar with Python (Perl guy, basic), but I can always try
> stuff. I am just a sysadmin :-)
>
> I have read the link you posted, and I think I would need a *lot* of
> hand holding to get it in the web-ui.
>
> What I can try is to see if it works outside of the web ui: importing the
> dhcp schema in the directory and filling in the dhcp objects, then getting
> it to work with a dhcp server.
>
> If that works, then we can see how we get from there.
>
> I already appreciate that you take this seriously. Thanks!

Hi Naxto,

take a look at the freeipa-devel list. William Brown is working on basic integration and has sent a few mails where he points at a git tree with some work. Maybe you can coordinate to do some testing; that would be useful.

I'm CCing him.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From george_he7 at yahoo.com Tue Jun 26 21:46:12 2012
From: george_he7 at yahoo.com (george he)
Date: Tue, 26 Jun 2012 14:46:12 -0700 (PDT)
Subject: [Freeipa-users] replica re-install
Message-ID: <1340747172.17102.YahooMailNeo@web120001.mail.ne1.yahoo.com>

Hello,

I re-installed fedora 17 on my machine, did "yum update", and then tried to install ipa-replica on myreplica. I got the same error message as before:

# ipa-replica-install --setup-ca /var/lib/ipa/replica-info-myreplica.gpg
  [24/30]: enabling S4U2Proxy delegation
ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpj3jpOC -x -D cn=Directory Manager -y /tmp/tmpXfgq7D' returned non-zero exit status 1
  [25/30]: initializing group membership
  [26/30]: adding master entry
ipa         : CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpjAXJjq -x -D cn=Directory Manager -y /tmp/tmpHEZmhv' returned non-zero exit status 1
  [27/30]: configuring Posix uid/gid generation
creation of replica failed: entry=dn: cn=CA,cn=my.replica.edu,cn=masters,cn=ipa,cn=etc,dc=my,dc=replica,dc=edu
cn: CA
ipaconfigstring: enabledService
ipaconfigstring: startOrder 50
objectclass: nsContainer
objectclass: ipaConfigObject

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

The same error message was displayed after running /usr/sbin/ipa-server-install --uninstall and then re-running the installation.

Here is what is at the end of /var/log/ipareplica-install.log:

  File "/sbin/ipa-replica-install", line 494, in <module>
    main()
  File "/sbin/ipa-replica-install", line 437, in main
    util.realm_to_suffix(config.realm_name))
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 311, in ldap_enable
    self.admin_conn.addEntry(entry)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 496, in addEntry
    self.__handle_errors(e, arg_desc=arg_desc)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 312, in __handle_errors
    raise errors.NotFound(reason=arg_desc)

Any suggestions?

Thanks,
George

From jlinoff at tabula.com Tue Jun 26 22:03:37 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Tue, 26 Jun 2012 15:03:37 -0700
Subject: [Freeipa-users] What is the best way to make batch changes to the LDAP?
Message-ID: <8AD4194C251EC74CB897E261038F4478010063CD@mantaray.tabula.com>

Hi Everybody:

I need to change the mailing address information for a group of employees in the FreeIPA LDAP and would like to do it in a script. I know that I can do it using "ipa user-mod" in a shell script but I was wondering whether I could use python.

Does using python make sense?

If so, are there any examples that I can look at? It seems that I could import ipalib and go from there but I am not sure if there is a simple interface for doing user modifications.
Any help would be greatly appreciated.

Thanks,

Joe

From Steven.Jones at vuw.ac.nz Tue Jun 26 22:43:35 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 26 Jun 2012 22:43:35 +0000
Subject: [Freeipa-users] Setting up a Linux Client Through Kickstart
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCD79F4@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Thanks for that feature.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From jlinoff at tabula.com Tue Jun 26 23:56:38 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Tue, 26 Jun 2012 16:56:38 -0700
Subject: [Freeipa-users] What is the best way to make batch changes to the LDAP?
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010063CD@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010063CD@mantaray.tabula.com>
Message-ID: <8AD4194C251EC74CB897E261038F4478010063E9@mantaray.tabula.com>

Hi Everybody:

Here is a python approach that I am experimenting with based on reading the source code. It seems to work, but is it re-entrant? Does this make sense? Is there a better way (like ldapmodify)?

    #!/usr/bin/env python
    #
    # Emulate the ipa command line interface in a script so that
    # we can batch some updates.
    #
    import shlex
    from ipalib import api, cli


    class NotConfiguredError(Exception):
        """Raised when no IPA client configuration was loaded.
        (The script raised this name without defining or importing it,
        so it is defined here to make the script runnable.)"""


    # ================================================================
    # bootstrap
    # ================================================================
    def bootstrap():
        """
        Bootstrap the script.
        I hope that all of this stuff is re-entrant.
        Also, api is defined in __init__.py.
        """
        api.bootstrap_with_global_options(context='cli')
        for klass in cli.cli_plugins:
            api.register(klass)
        api.load_plugins()
        api.finalize()
        if 'config_loaded' not in api.env:
            raise NotConfiguredError()


    # ================================================================
    # cmd
    # ================================================================
    def cmd(cmdline):
        """
        Execute an IPA command.
        The command is entered as a string. I use shlex.split
        to break it into an args list.
        @param cmdline The command to execute (as a string).
        """
        print
        print '# %s' % ('=' * 64)
        print '# CMD: %s' % (cmdline)
        print '# %s' % ('=' * 64)
        args = shlex.split(cmdline)
        api.Backend.cli.run(args)


    if __name__ == '__main__':
        bootstrap()

        # Some test calls.
        cmd('help')
        cmd('help user')
        cmd('help user-mod')

        # Update the fields.
        users = ['bob', 'carol', 'ted', 'alice']
        mod = '--street="123 Main Street" --city="Anytown" --state="AK" --postalcode="12345"'
        for user in users:
            cmd('user-mod %s %s' % (user, mod))

Regards,

Joe

From: Joe Linoff
Sent: Tuesday, June 26, 2012 3:04 PM
To: freeipa-users at redhat.com
Cc: Joe Linoff
Subject: What is the best way to make batch changes to the LDAP?

Hi Everybody:

I need to change the mailing address information for a group of employees in the FreeIPA LDAP and would like to do it in a script. I know that I can do it using "ipa user-mod" in a shell script but I was wondering whether I could use python.

Does using python make sense?

If so, are there any examples that I can look at? It seems that I could import ipalib and go from there but I am not sure if there is a simple interface for doing user modifications.

Any help would be greatly appreciated.

Thanks,

Joe

From mkosek at redhat.com Wed Jun 27 06:34:11 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jun 2012 08:34:11 +0200
Subject: [Freeipa-users] What is the best way to make batch changes to the LDAP?
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010063E9@mantaray.tabula.com> References: <8AD4194C251EC74CB897E261038F4478010063CD@mantaray.tabula.com> <8AD4194C251EC74CB897E261038F4478010063E9@mantaray.tabula.com> Message-ID: <4FEAA963.2010303@redhat.com> On 06/27/2012 01:56 AM, Joe Linoff wrote: > Hi Everybody: > > > > Here is a python approach that I am experimenting with based on reading the > source code. It seems to work but it is re-entrant? Does this make sense? Is > there a better way (like ldapmodify)? > > > > #!/usr/bin/env python > > # > > # Emulate the ipa command line interface in a script so that > > # to batch some updates. > > # > > import sys > > import shlex > > from ipalib import api, cli > > > > # ================================================================ > > # bootstrap > > # ================================================================ > > def bootstrap(): > > """ > > Bootstrap the script. > > I hope that all of this stuff is re-entrant. > > Also, api is defined in __init__.py. > > """ > > api.bootstrap_with_global_options(context='cli') > > for klass in cli.cli_plugins: > > api.register(klass) > > api.load_plugins() > > api.finalize() > > if not 'config_loaded' in api.env: > > raise NotConfiguredError() > > > > # ================================================================ > > # cmd > > # ================================================================ > > def cmd(cmd): > > """ > > Execute an IPA command. > > The command is entered as a string. I use shlex.split > > to break it into an args list. > > @param cmd The command to execute (as a string). > > """ > > print > > print '# %s' % ('='*64) > > print '# CMD: %s' % (cmd) > > print '# %s' % ('='*64) > > args=shlex.split(cmd) > > api.Backend.cli.run(args) > > > > if __name__ == '__main__': > > bootstrap() > > > > # Some test calls. > > cmd('help') > > cmd('help user') > > cmd('help user-mod') > > > > # Update the fields. 
Hello Joe,

This is a very good start. But it can be made even easier, without any command line option parsing. Please see the following example to simply modify users in Python:

# kinit admin
Password for admin at IDM.LAB.BOS.REDHAT.COM:
# python
>>> from ipalib import api
>>> api.bootstrap_with_global_options(context='cli')
>>> api.finalize()
>>> api.Backend.xmlclient.connect()

# Lets see custom user "fbar"
>>> api.Command['user_show'](u'admin')
{'result': {'dn': u'uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com', 'has_keytab': True, 'uid': (u'admin',), 'loginshell': (u'/bin/bash',), 'uidnumber': (u'65200000',), 'gidnumber': (u'65200000',), 'memberof_group': (u'admins', u'trust admins'), 'has_password': True, 'sn': (u'Administrator',), 'homedirectory': (u'/home/admin',), 'nsaccountlock': False}, 'value': u'admin', 'summary': None}

# See that result is a native Python dictionary, i.e.
very easy to manipulate later

# Now lets try to modify user's address:
>>> api.Command['user_mod'](u'fbar', street=u'221B Baker Street', l=u'London', st=u'UK', postalcode=u'NW1 6XE')
{'result': {'has_keytab': True, 'street': (u'221B Baker Street',), 'uid': (u'fbar',), 'loginshell': (u'/bin/sh',), 'uidnumber': (u'65200001',), 'l': (u'London',), 'st': (u'UK',), 'gidnumber': (u'65200001',), 'memberof_group': (u'ipausers',), 'has_password': True, 'sn': (u'Bar',), 'homedirectory': (u'/home/fbar',), 'postalcode': (u'NW1 6XE',), 'memberof_role': (u'foo',), 'givenname': (u'Foo',), 'nsaccountlock': False}, 'value': u'fbar', 'summary': u'Modified user "fbar"'}

The user is now modified, I can verify it with standard CLI command:

# ipa user-show fbar --all
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
User login: fbar
...
Street address: 221B Baker Street
City: London
State/Province: UK
ZIP: NW1 6XE
...

Our source code is a good source of information (I used it to find out exact names of the command attributes). Besides that, you can check:
http://www.freeipa.org/page/DocumentationPortal

There are several doc guides, including "Extending IPA" guide which should provide you with more info about additional extensions of FreeIPA.

HTH,
Martin

From dale at themacartneyclan.com Wed Jun 27 11:27:15 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 27 Jun 2012 12:27:15 +0100
Subject: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!
Message-ID: <4FEAEE13.2080809@themacartneyclan.com>

Howdy all

We have had quite a lot of discussions on the list about this process but I'd like to get some documentation together so we are all speaking the same language.

So last night I wrote a script to backup IPA based on the below article.

https://access.redhat.com/knowledge/solutions/67800

This is fine and dandy.
I have an easy way where I end up with a config tarball, an LDIF export of Dogtag and an LDIF export of LDAP.

Now my question is "how on earth am I meant to restore it?"

My test scenario is as follows. And you'll have to humour me a bit with my imagination.

Background: Customer has a very small environment. Single IPA server installation on a physical server. Several member servers and clients all pointing to that one server for IPA / CA and DNS.

Incident: A very unhappy employee has just been fired for being a naughty boy and decided, for revenge, to test how water tight the server was by filling the chassis with 5 litres of water.

Result: Server is no longer happy either. A new server deployment is required to replace old server.

Thoughts for restoration: My thinking was, to build a replacement server with all dependency packages and then:

1. restore config files in order to start IPA services
2. restore LDAP ldif file to ensure LDAP data was correct
3. restore Dogtag ldif file to ensure Dogtag data was correct.
4. restart IPA services to bring things back online smoothly.

Of course Steps 2-4 didn't happen as they DEFINITELY were not happy to co-operate.

I'm trying to get to a stage where we have a method or procedure for simple restoration. Once we have the ability to restore everything, then we can move beyond that, and restore individual components. E.g. OU / User / Group Data.

Any takers for this one? Will be on IRC today if anyone fancies having a bun fight for bouncing ideas.
Dale

From rcritten at redhat.com Wed Jun 27 13:01:30 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jun 2012 09:01:30 -0400
Subject: [Freeipa-users] replica re-install
In-Reply-To: <1340747172.17102.YahooMailNeo@web120001.mail.ne1.yahoo.com>
References: <1340747172.17102.YahooMailNeo@web120001.mail.ne1.yahoo.com>
Message-ID: <4FEB042A.7090501@redhat.com>

george he wrote:
> Hello,
> I re-installed fedora 17 on my machine, did "yum update", and then tried
> to install ipa-replica on myreplica.
> I got the same error message as
> before:
>
> # ipa-replica-install --setup-ca /var/lib/ipa/replica-info-myreplica.gpg
> [24/30]: enabling S4U2Proxy delegation
> ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command
> '/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpj3jpOC -x -D
> cn=Directory Manager -y /tmp/tmpXfgq7D' returned non-zero exit status 1
> [25/30]: initializing group membership
> [26/30]: adding master entry
> ipa : CRITICAL Failed to load master-entry.ldif: Command
> '/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpjAXJjq -x -D
> cn=Directory Manager -y /tmp/tmpHEZmhv' returned non-zero exit status 1
> [27/30]: configuring Posix uid/gid generation
>
> creation of replica failed: entry=dn:
> cn=CA,cn=my.replica.edu,cn=masters,cn=ipa,cn=etc,dc=my,dc=replica,dc=edu
> cn: CA
> ipaconfigstring: enabledService
> ipaconfigstring: startOrder 50
> objectclass: nsContainer
> objectclass: ipaConfigObject
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> The same error message was displayed after running
> /usr/sbin/ipa-server-install --uninstall
> and then re-run the installation. Here is what is at the end of
> /var/log/ipareplica-install.log:
>
> File "/sbin/ipa-replica-install", line 494, in
> main()
>
> File "/sbin/ipa-replica-install", line 437, in main
> util.realm_to_suffix(config.realm_name))
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 311, in ldap_enable
> self.admin_conn.addEntry(entry)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
> 496, in addEntry
> self.__handle_errors(e, arg_desc=arg_desc)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
> 312, in __handle_errors
> raise errors.NotFound(reason=arg_desc)
>
> Any suggestions?

It would appear the previous uninstall didn't remove the CA. Did you have to run pkiremove in order to get the CA to install the second go-around?
What I would do is do the uninstall again. Do an ldapsearch on cn=my.replica.edu,cn=masters,cn=ipa,cn=etc,dc=my,dc=replica,dc=edu on another master and confirm that it is empty. If it isn't then use ldapdelete to remove that entry and its children.

Then verify that the CA is gone, see if /var/lib/pki-ca exists. If it does use pkiremove to delete the instance.

I think the next install will work.

I believe the replica-s4u2proxy failure can be ignored, we have a ticket open on that.

rob

From rcritten at redhat.com Wed Jun 27 13:28:35 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jun 2012 09:28:35 -0400
Subject: [Freeipa-users] unable to add service principle from F17
In-Reply-To: <4FE98E31.5070004@themacartneyclan.com>
References: <4FE8AF5B.7040907@themacartneyclan.com> <4FE8B3B6.6040305@redhat.com> <4FE8D7DC.1050801@themacartneyclan.com> <4FE8DA10.50300@redhat.com> <4FE98E31.5070004@themacartneyclan.com>
Message-ID: <4FEB0A83.4060100@redhat.com>

Dale Macartney wrote:
> On 25/06/12 22:37, Rob Crittenden wrote:
>> Dale Macartney wrote:
>>> On 25/06/12 19:53, Rob Crittenden wrote:
>>>> Dale Macartney wrote:
>>>>> Hi all
>>>>>
>>>>> I have a RHEL 6.2 ipa domain and I am running through one of my known
>>>>> working kickstarts for kerberised squid but instead of using RHEL i'm
>>>>> setting it up on Fedora 17.
>>>>>
>>>>> I get the following error on the fedora system which has
>>>>> freeipa-admintools installed
>>>>>
>>>>> [root at proxy02 ~]# klist
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>> Default principal: admin at EXAMPLE.COM
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>>> [root at proxy02 ~]# ipa service-add HTTP/$(hostname)
>>>>> ipa: ERROR: did not receive Kerberos credentials
>>>>> [root at proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>>>>> ipa: ERROR: did not receive Kerberos credentials
>>>>> [root at proxy02 ~]#
>>>>>
>>>>> Nothing appears in the logs apart from
>>>>>
>>>>> ==> /var/log/messages <==
>>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001428 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001013 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001230 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> This doesn't block me from what I am trying to achieve as I can add the
>>>>> service principal from the IPA server. Just thought I might ask the
>>>>> question.
>>>>
>>>> What version of client and server?
>>>>
>>>> rob
>>>
>>> Server details
>>>
>>> [root at ds01 ~]# yum info ipa-server
>>> Loaded plugins: product-id, security, subscription-manager
>>> Updating certificate-based repositories.
>>> Installed Packages
>>> Name        : ipa-server
>>> Arch        : x86_64
>>> Version     : 2.1.3
>>> Release     : 9.el6
>>> Size        : 3.2 M
>>> Repo        : installed
>>> From repo   : Red Hat Enterprise Linux
>>> Summary     : The IPA authentication server
>>> URL         : http://www.freeipa.org/
>>> License     : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>>             : user, virtual machines, groups, authentication credentials), Policy
>>>             : (configuration settings, access control information) and Audit (events,
>>>             : logs, analysis thereof). If you are installing an IPA server you need
>>>             : to install this package (in other words, most people should NOT install
>>>             : this package).
>>>
>>>
>>> Client details
>>>
>>> [root at proxy02 ~]# yum info freeipa-client
>>> Loaded plugins: langpacks, presto, refresh-packagekit
>>> Installed Packages
>>> Name        : freeipa-client
>>> Arch        : x86_64
>>> Version     : 2.2.0
>>> Release     : 1.fc17
>>> Size        : 239 k
>>> Repo        : installed
>>> From repo   : fedora
>>> Summary     : IPA authentication for use on clients
>>> URL         : http://www.freeipa.org/
>>> Licence     : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>>             : user, virtual machines, groups, authentication credentials), Policy
>>>             : (configuration settings, access control information) and Audit (events,
>>>             : logs, analysis thereof). If your network uses IPA for authentication,
>>>             : this package should be installed on every client machine.
>>>
>>> [root at proxy02 ~]# yum info freeipa-admintools
>>> Loaded plugins: langpacks, presto, refresh-packagekit
>>> Installed Packages
>>> Name        : freeipa-admintools
>>> Arch        : x86_64
>>> Version     : 2.2.0
>>> Release     : 1.fc17
>>> Size        : 43 k
>>> Repo        : installed
>>> From repo   : fedora
>>> Summary     : IPA administrative tools
>>> URL         : http://www.freeipa.org/
>>> Licence     : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>>             : user, virtual machines, groups, authentication credentials), Policy
>>>             : (configuration settings, access control information) and Audit (events,
>>>             : logs, analysis thereof). This package provides command-line tools for
>>>             : IPA administrators.
>>>
>>> [root at proxy02 ~]#
>>
>> Use the --delegate flag in the ipa tool. The 2.2 servers use S4U2Proxy
>> so sending the TGT is no longer required as it was pre 2.2.
>>
>> # ipa --delegate service-add HTTP/$(hostname)
>>
>> rob
>>
> ah.. good to know. thanks for the info.
>
> it does get past the tgt aspect, now its just a version conflict. may or
> may not be a work around for that.
>
> [root at proxy02 ~]# ipa --delegate service-add HTTP/proxy02.example.com
> ipa: ERROR: 2.34 client incompatible with 2.13 server at
> u'https://ds01.example.com/ipa/xml'

Oh, right, sorry I didn't mention this yesterday. You can generally talk with an older client with a newer server, but not the other way around. We don't have per-command versioning (yet), which would make this possible.
rob

From william at firstyear.id.au Tue Jun 26 23:50:09 2012
From: william at firstyear.id.au (William Brown)
Date: Wed, 27 Jun 2012 09:20:09 +0930
Subject: [Freeipa-users] rfe: ldap for dhcp
In-Reply-To: <1340721858.1765.2.camel@willson.li.ssimo.org>
References: <1340716381.2533.20.camel@sgallagh520.sgallagh.bos.redhat.com> <1340721858.1765.2.camel@willson.li.ssimo.org>
Message-ID: <4FEA4AB1.9050302@firstyear.id.au>

On 06/27/2012 12:14 AM, Simo Sorce wrote:
> On Tue, 2012-06-26 at 15:54 +0200, Natxo Asenjo wrote:
>> On Tue, Jun 26, 2012 at 3:13 PM, Stephen Gallagher wrote:
>>     On Tue, 2012-06-26 at 15:02 +0200, Natxo Asenjo wrote:
>>     > hi,
>>     >
>>     > recently it was brought to my attention that isc-dhcpd version 4.2
>>     > supports getting its database information from ldap. Earlier versions
>>     > support it as well with a patch.
>>     >
>>     > It would be awesome if this could be integrated in IPA.
>>     >
>>     > I am aware you guys have your hands full with plenty of stuff, but if
>>     > this could get integrated IPA would be even further than AD (that as
>>     > far as I know cannot do this).
>>
>>     Natxo, would you be interested in contributing this functionality? If
>>     you are familiar with Python, an excellent primer on FreeIPA development
>>     can be found at http://abbra.fedorapeople.org/guide.html
>>
>>     The core FreeIPA team has a lot on their plate right now, so any major
>>     new features like this would probably need to be contributed from wider
>>     community or else deferred until the current crop of functionality is
>>     complete.
>>
>>     We'd be happy to help you along if you (or anyone else on this mailing
>>     list) wants to take this feature on.
>>
>> Not familiar with Python (Perl guy, basic), but I can always try
>> stuff. I am just a sysadmin :-)
>>
>> I have read the link you posted, and I think I would need a *lot* of
>> hand holding to get it in the web-ui.
>>
>> What I can try is see if it works outside of the web ui.
>> Importing the
>> dhcp schema in the directory and filling in the dhcp objects. Then get
>> it to work with a dhcp server.
>>
>> If that works, then we can see how we get from there.
>>
>> I already appreciate you take this seriously. Thanks!
>
> Hi Natxo,
> take a look at the freeipa-devel list,
> William Brown is working on basic integration and has sent a few mails,
> where he points at a git tree with some work.
> Maybe you can coordinate to do some testing, that would be useful.
>
> I'm CCing him.
>
> Simo.
>

Hi all,

Find my work here : https://bitbucket.org/Firstyear/freeipa-dhcp

I currently have a large set of changes sitting on my laptop awaiting push / formation of a patch for review. I'll try to send this in at some stage today.

Take a look at https://bitbucket.org/Firstyear/freeipa-dhcp/src/f63a7e505705/TODO.DHCP for my "todo" list, and at http://www.freeipa.org/page/DHCP_Integration_Design for some of my planning about this integration. Both are subject to change in the near future however.

At this stage, if you just pull my changes, the Schema for isc-dhcp is included and will work in a default install of FreeIPA if you feel like manually adding in your objects. However, the risk is that in the future the work I am doing will clobber the efforts you make in setting this up by hand. If you are still interested in doing a setup by hand, look at the file /usr/share/doc/dhcp-4.2.4/ldap/README.ldap from the dhcp package on fedora.

I'm still a way from being able to run the "ipa-dhcp-install" command, or even testing this, but once I get to that point, I'll let you know so you can test this out. My first goal is getting the command line tools to be "solid" then turning my attention to the WebUI.

Feel free to chat to me about this more, on the FreeIPA-devel list, or the #freeipa irc channel.
--
Sincerely,

William Brown

pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2

From jlinoff at tabula.com Wed Jun 27 18:01:50 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Wed, 27 Jun 2012 11:01:50 -0700
Subject: [Freeipa-users] What is the best way to make batch changes to the LDAP?
In-Reply-To: <4FEAA963.2010303@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010063CD@mantaray.tabula.com> <8AD4194C251EC74CB897E261038F4478010063E9@mantaray.tabula.com> <4FEAA963.2010303@redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F447801006450@mantaray.tabula.com>

Hi Martin:

Excellent! Thank you.

Regards,

Joe

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com]
Sent: Tuesday, June 26, 2012 11:34 PM
To: Joe Linoff
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] What is the best way to make batch changes to the LDAP?

[...]
> > """ > > api.bootstrap_with_global_options(context='cli') > > for klass in cli.cli_plugins: > > api.register(klass) > > api.load_plugins() > > api.finalize() > > if not 'config_loaded' in api.env: > > raise NotConfiguredError() > > > > # ================================================================ > > # cmd > > # ================================================================ > > def cmd(cmd): > > """ > > Execute an IPA command. > > The command is entered as a string. I use shlex.split > > to break it into an args list. > > @param cmd The command to execute (as a string). > > """ > > print > > print '# %s' % ('='*64) > > print '# CMD: %s' % (cmd) > > print '# %s' % ('='*64) > > args=shlex.split(cmd) > > api.Backend.cli.run(args) > > > > if __name__ == '__main__': > > bootstrap() > > > > # Some test calls. > > cmd('help') > > cmd('help user') > > cmd('help user-mod') > > > > # Update the fields. > > users=['bob', 'carol', 'ted', 'alice'] > > mod='--street="123 Main Street" --city="Anytown" --state="AK" > --postalcode="12345"' > > for user in users: > > cmd('user-mod %s %s' % (user, mod)) > > > > Regards, > > > > Joe > > > > *From:*Joe Linoff > *Sent:* Tuesday, June 26, 2012 3:04 PM > *To:* freeipa-users at redhat.com > *Cc:* Joe Linoff > *Subject:* What is the best way to make batch changes to the LDAP? > > > > Hi Everybody: > > > > I need to change the mailing address information for a group of > employees in the FreeIPA LDAP and would like to do it in a script. I > know that I can do it using "ipa user-mod" in a shell script but I was > wondering whether I could use python. > > > > Does using python make sense? > > > > If so, are there any examples that I can look at? It seems that I > could import ipalib and go from there but I am not sure if there is a > simple interface for doing user modifications. > > > > Any help would be greatly appreciated. > > > > Thanks, > > > > Joe > Hello Joe, This is a very good start. 
From Steven.Jones at vuw.ac.nz Wed Jun 27 21:25:06 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 27 Jun 2012 21:25:06 +0000
Subject: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!
In-Reply-To: <4FEAEE13.2080809@themacartneyclan.com>
References: <4FEAEE13.2080809@themacartneyclan.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCD7E20@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have successfully restored IPA servers from an ldif...more times than I care to recall in the last 2 months. In fact at one stage I took an ldif from the replica and used it to restore the master....so it seems pretty robust.

In terms of filling with water, depends on how long for but the physical parts of the hds ie platters and arms should survive that.....electronics might as well.....in which case swapping one half (I assume you have a raid1) to a new box and syncing it might work....then drop out the old disk and slot in a new one...same with fire / smoke damage. NB One of the recommended ways to put out a fire in a server room is water misting using de-mineralised water....

1 to 4 looks OK to me....something I want to fully try.

There are some interesting tech like gluster which give you a distributed raid1....I'm wondering on using virtualisation and gluster together...IPA for your scenario would be very small 1 core and 2gb....not much disk use....use kvm and gluster might work well. The second machine could be a reasonable spec'd desktop....like <$2k should be good enough....
I have a single Esxi machine at home, when I get the chance and buy a second one then I want to try something along the above lines...the idea is to avoid having a NAS and that expense....so 2 ESXi boxes running a gluster node on each and then the rest of the VMware guests inside gluster's "disk". Another way might be rsyncing the ldif over ssh to a remote site......maybe even email it to say google....it shouldn't be very big, ours is 400k at the moment.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dale Macartney [dale at themacartneyclan.com]
Sent: Wednesday, 27 June 2012 11:27 p.m.
To:
Subject: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!

[...]
From dale at themacartneyclan.com Wed Jun 27 21:35:00 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 27 Jun 2012 22:35:00 +0100
Subject: [Freeipa-users] strange gss failures in RHEL 6.3
Message-ID: <4FEB7C84.9010201@themacartneyclan.com>

Evening all

I have just
updated my local RHEL 6 repositories from 6.2 to 6.3 and installed a new ipa server in a test network.

I get the following errors now despite having a valid tgt. This worked perfectly a few hours ago (before I updated the repos)

[root at ds01 ~]# date
Wed Jun 27 22:31:01 BST 2012
[root at ds01 ~]# kinit admin
Password for admin at EXAMPLE.COM:
[root at ds01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at EXAMPLE.COM

Valid starting     Expires            Service principal
06/27/12 22:31:06  06/28/12 22:31:04  krbtgt/EXAMPLE.COM at EXAMPLE.COM
[root at ds01 ~]# date
Wed Jun 27 22:31:10 BST 2012
[root at ds01 ~]#
[root at ds01 ~]#
[root at ds01 ~]# ipa user-find
ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
[root at ds01 ~]#

Has something changed from 6.2 to 6.3 that would cause this by any chance?

thanks

Dale
From dale at themacartneyclan.com Wed Jun 27 21:45:15 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 27 Jun 2012 22:45:15 +0100
Subject: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCD7E20@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4FEAEE13.2080809@themacartneyclan.com> <833D8E48405E064EBC54C84EC6B36E404CCD7E20@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FEB7EEB.4040302@themacartneyclan.com>

On 27/06/12 22:25, Steven Jones wrote:
> Hi,
>
> I have successfully restored IPA servers from an ldif...more times than I care to recall in the last 2 months. In fact at one stage I took an ldif from the replica and used it to restore the master....so it seems pretty robust.

If you're about on irc at all tomorrow I may pick your brains about your experiences. I kind of ruined my test environment this afternoon. I had to redeploy about 15 virtualized guests on my tiny microserver at home. That took quite a while ;-)

> In terms of filling with water, depends on how long for but the physical parts of the hds ie platters and arms should survive that.....electronics might as well.....in which case swapping one half (I assume you have a raid1) to a new box and syncing it might work....then drop out the old disk and slot in a new one...same with fire / smoke damage. NB One of the recommended ways to put out a fire in a server room is water misting using de-mineralised water....

I was merely giving a radical scenario in jest. My main purpose is to produce an IPA 'specific' backup/restore procedure that doesn't rely on other technologies. Starting with a similar goal to restoring an AD system state backup for example.

Dale

> 1 to 4 looks OK to me....something I want to fully try.
>
> There are some interesting tech like gluster which give you a distributed raid1....I'm wondering on using virtualisation and gluster together...IPA for your scenario would be very small 1 core and 2gb....not much disk use....use kvm and gluster might work well. The second machine could be a reasonable spec'd desktop....like <$2k should be good enough....
>
> I have a single Esxi machine at home, when I get the chance and buy a second one then I want to try something along the above lines...the idea is to avoid having a NAS and that expense....so 2 ESXi boxes running a gluster node on each and then the rest of the VMware guests inside gluster's "disk". Another way might be rsyncing the ldif over ssh to a remote site......maybe even email it to say google....it shouldn't be very big, ours is 400k at the moment.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dale Macartney [dale at themacartneyclan.com]
> Sent: Wednesday, 27 June 2012 11:27 p.m.
> To:
> Subject: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!
>
> Howdy all
>
> We have had quite a lot of discussions on the list about this process but
> I'd like to get some documentation together so we are all speaking the
> same language.
>
> So last night I wrote a script to backup IPA based on the below article.
>
> https://access.redhat.com/knowledge/solutions/67800
>
> This is fine and dandy. I have an easy way where I end up with a config
> tarball, an LDIF export of Dogtag and an LDIF export of LDAP.
>
> Now my question is "how on earth am I meant to restore it?"
>
> My test scenario is as follows. And you'll have to humour me a bit with
> my imagination.
>
> Background: Customer has a very small environment. Single IPA server
> installation on a physical server. Several member servers and clients
> all pointing to that one server for IPA / CA and DNS.
>
> Incident: A very unhappy employee has just been fired for being a
> naughty boy and decided, for revenge, to test how water tight the server
> was by filling the chassis with 5 litres of water.
>
> Result: Server is no longer happy either. A new server deployment is
> required to replace old server.
>
> Thoughts for restoration:
>
> My thinking was, to build a replacement server with all dependency
> packages and then:
>
> 1. restore config files in order to start IPA services
> 2. restore LDAP ldif file to ensure LDAP data was correct
> 3. restore Dogtag ldif file to ensure Dogtag data was correct.
> 4. restart IPA services to bring things back online smoothly.
>
> Of course Steps 2-4 didn't happen as they DEFINITELY were not happy to
> co-operate.
>
> I'm trying to get to a stage where we have a method or procedure for
> simple restoration. Once we have the ability to restore everything, then
> we can move beyond that, and restore individual components, e.g. OU /
> User / Group Data.
>
> Any takers for this one? Will be on IRC today if anyone fancies having a
> bun fight for bouncing ideas.
>
> Dale

From Steven.Jones at vuw.ac.nz Wed Jun 27 21:53:53 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 27 Jun 2012 21:53:53 +0000
Subject: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!
In-Reply-To: <4FEB7EEB.4040302@themacartneyclan.com>
References: <4FEAEE13.2080809@themacartneyclan.com> <833D8E48405E064EBC54C84EC6B36E404CCD7E20@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FEB7EEB.4040302@themacartneyclan.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCD7FF0@STAWINCOX10MBX1.staff.vuw.ac.nz>

I can join now as it's 10am Thursday here...as I don't know when tomorrow is for you....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From jlinoff at tabula.com Thu Jun 28 01:07:55 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Wed, 27 Jun 2012 18:07:55 -0700
Subject: [Freeipa-users] What is the best way to make batch changes to the LDAP?
In-Reply-To: <8AD4194C251EC74CB897E261038F447801006450@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010063CD@mantaray.tabula.com> <8AD4194C251EC74CB897E261038F4478010063E9@mantaray.tabula.com> <4FEAA963.2010303@redhat.com> <8AD4194C251EC74CB897E261038F447801006450@mantaray.tabula.com>
Message-ID: <8AD4194C251EC74CB897E261038F4478010064B2@mantaray.tabula.com>

Hi Martin:

Just a quick follow up: your suggestion worked great.

Here is a little code fragment that emulates the "ipa user-find --all" operation. I am including it in the hopes that it will help someone else.
#!/usr/bin/env python
#
# Demonstrate how to get the contents of the command
# "ipa user-find --all" in python data structures based on the
# insights provided by Martin Kosek on the freeipa-users at redhat.com
# mailing list.
#
# It also demonstrates how to iterate over the list and grab
# individual fields.
#
import pprint
from ipalib import api

# Bootstrap.
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

# Load the records.
recs = api.Command['user_find'](all=True)

# Dump the whole data structure -- with nice formatting.
pprint.PrettyPrinter(indent=4).pprint(recs)

# Print out the uid and email information.
# Note that the gratuitous conversion from unicode to UTF8 and the use
# of a lambda function instead of an if/then were only for fun.
print '---'
for i in range(recs['count']):
    result = recs['result'][i]
    uid = result['uid'][0].encode('utf8')
    # Email can be absent from the entry, so test for the key first.
    email = (lambda f: result[f][0].encode('utf8') if f in result else 'None')('mail')
    print '%-20s %s' % (uid, email)

Thanks,

Joe

-----Original Message-----
From: Joe Linoff
Sent: Wednesday, June 27, 2012 11:02 AM
To: Martin Kosek
Cc: freeipa-users at redhat.com; Joe Linoff
Subject: RE: [Freeipa-users] What is the best way to make batch changes to the LDAP?

Hi Martin:

Excellent! Thank you.

Regards,

Joe

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com]
Sent: Tuesday, June 26, 2012 11:34 PM
To: Joe Linoff
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] What is the best way to make batch changes to the LDAP?

On 06/27/2012 01:56 AM, Joe Linoff wrote:
> Hi Everybody:
>
> Here is a python approach that I am experimenting with based on
> reading the source code. It seems to work but is it re-entrant? Does
> this make sense? Is there a better way (like ldapmodify)?
>
> #!/usr/bin/env python
> #
> # Emulate the ipa command line interface in a script so that
> # to batch some updates.
> #
> import sys
> import shlex
> from ipalib import api, cli
> # The exception raised below when no IPA configuration is found.
> from ipalib.errors import NotConfiguredError
>
> # ================================================================
> # bootstrap
> # ================================================================
> def bootstrap():
>     """
>     Bootstrap the script.
>     I hope that all of this stuff is re-entrant.
>     Also, api is defined in __init__.py.
>     """
>     api.bootstrap_with_global_options(context='cli')
>     for klass in cli.cli_plugins:
>         api.register(klass)
>     api.load_plugins()
>     api.finalize()
>     if not 'config_loaded' in api.env:
>         raise NotConfiguredError()
>
> # ================================================================
> # cmd
> # ================================================================
> def cmd(cmd):
>     """
>     Execute an IPA command.
>     The command is entered as a string. I use shlex.split
>     to break it into an args list.
>     @param cmd The command to execute (as a string).
>     """
>     print
>     print '# %s' % ('=' * 64)
>     print '# CMD: %s' % (cmd)
>     print '# %s' % ('=' * 64)
>     args = shlex.split(cmd)
>     api.Backend.cli.run(args)
>
> if __name__ == '__main__':
>     bootstrap()
>
>     # Some test calls.
>     cmd('help')
>     cmd('help user')
>     cmd('help user-mod')
>
>     # Update the fields.
>     users = ['bob', 'carol', 'ted', 'alice']
>     mod = '--street="123 Main Street" --city="Anytown" --state="AK" --postalcode="12345"'
>     for user in users:
>         cmd('user-mod %s %s' % (user, mod))
>
> Regards,
>
> Joe
>
> From: Joe Linoff
> Sent: Tuesday, June 26, 2012 3:04 PM
> To: freeipa-users at redhat.com
> Cc: Joe Linoff
> Subject: What is the best way to make batch changes to the LDAP?
>
> Hi Everybody:
>
> I need to change the mailing address information for a group of
> employees in the FreeIPA LDAP and would like to do it in a script. I
> know that I can do it using "ipa user-mod" in a shell script but I was
> wondering whether I could use python.
>
> Does using python make sense?
>
> If so, are there any examples that I can look at? It seems that I
> could import ipalib and go from there but I am not sure if there is a
> simple interface for doing user modifications.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Joe

Hello Joe,

This is a very good start. But it can be made even easier, without any command line option parsing. Please see the following example to simply modify users in Python:

# kinit admin
Password for admin@IDM.LAB.BOS.REDHAT.COM:
# python
>>> from ipalib import api
>>> api.bootstrap_with_global_options(context='cli')
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
# Lets see custom user "fbar"
>>> api.Command['user_show'](u'admin')
{'result': {'dn': u'uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com', 'has_keytab': True, 'uid': (u'admin',), 'loginshell': (u'/bin/bash',), 'uidnumber': (u'65200000',), 'gidnumber': (u'65200000',), 'memberof_group': (u'admins', u'trust admins'), 'has_password': True, 'sn': (u'Administrator',), 'homedirectory': (u'/home/admin',), 'nsaccountlock': False}, 'value': u'admin', 'summary': None}
# See that result is a native Python dictionary, i.e. very easy to manipulate later
# Now lets try to modify user's address:
>>> api.Command['user_mod'](u'fbar', street=u'221B Baker Street', l=u'London', st=u'UK', postalcode=u'NW1 6XE')
{'result': {'has_keytab': True, 'street': (u'221B Baker Street',), 'uid': (u'fbar',), 'loginshell': (u'/bin/sh',), 'uidnumber': (u'65200001',), 'l': (u'London',), 'st': (u'UK',), 'gidnumber': (u'65200001',), 'memberof_group': (u'ipausers',), 'has_password': True, 'sn': (u'Bar',), 'homedirectory': (u'/home/fbar',), 'postalcode': (u'NW1 6XE',), 'memberof_role': (u'foo',), 'givenname': (u'Foo',), 'nsaccountlock': False}, 'value': u'fbar', 'summary': u'Modified user "fbar"'}

The user is now modified, I can verify it with standard CLI command:

# ipa user-show fbar --all
  dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  User login: fbar
  ...
  Street address: 221B Baker Street
  City: London
  State/Province: UK
  ZIP: NW1 6XE
  ...

Our source code is a good source of information (I used it to find out exact names of the command attributes). Besides that, you can check:

http://www.freeipa.org/page/DocumentationPortal

There are several doc guides, including "Extending IPA" guide which should provide you with more info about additional extensions of FreeIPA.

HTH,
Martin

From jlinoff at tabula.com Thu Jun 28 01:34:19 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Wed, 27 Jun 2012 18:34:19 -0700
Subject: [Freeipa-users] How can I change my password from a python script?
Message-ID: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com>

Hi Everybody:

I need to add a lot of users to an LDAP system for testing and I would like to do it in batch mode. For my small tests I have been doing something like this:

#!/bin/bash
# Script to create a new user.
ipa user-add bigbob \
    --email=bbob@BigBobsEmporium.com \
    --first=Bob \
    --last=Bigg \
    --password \
    --setattr=description='The sales guy.' <<-EOF
b1gB0bsTmpPwd
b1gB0bsTmpPwd
EOF

However, I am a python guy and would like to use it instead. I am sure that I can do a similar thing using pexpect in python. Probably something like this:

# This code has not been tested. It is only for a thought experiment.
# Add a user and enter the password using pexpect.
import sys
import pexpect

cmd = "ipa user-add bigbob --email='bbob@BigBobsEmporium.com'"
cmd += " --first=Bob --last=Bigg --password "
cmd += "--setattr=description='The sales guy.'"
rets = ['Password', 'Enter Password again to verify', pexpect.EOF, pexpect.TIMEOUT]
c = pexpect.spawn(cmd, timeout=None)
i = c.expect(rets)
if i == 0:  # Password
    c.sendline('b1gB0bsTmpPwd')
    i = c.expect(rets)
    if i == 1:  # Enter Password again to verify
        c.sendline('b1gB0bsTmpPwd')
        i = c.expect(rets)
        if i == 2:
            print 'SUCCESS'
        else:
            sys.exit('ERROR: something bad happened #1')
    else:
        sys.exit('ERROR: something bad happened #2')
else:
    sys.exit('ERROR: something bad happened #3')

But I was wondering whether there was a better way using the IPA API. Is there a way for me to do that?

Any help or insights would be greatly appreciated.

Thanks,

Joe

From sbose at redhat.com Thu Jun 28 05:52:36 2012
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 28 Jun 2012 07:52:36 +0200
Subject: [Freeipa-users] strange gss failures in RHEL 6.3
In-Reply-To: <4FEB7C84.9010201@themacartneyclan.com>
References: <4FEB7C84.9010201@themacartneyclan.com>
Message-ID: <20120628055236.GM29454@localhost.localdomain>

On Wed, Jun 27, 2012 at 10:35:00PM +0100, Dale Macartney wrote:
> Evening all
>
> I have just updated my local RHEL 6 repositories from 6.2 to 6.3 and
> installed a new ipa server in a test network.
>
> I get the following errors now despite having a valid tgt.
> This worked
> perfectly a few hours ago (before I updated the repos)
>
> [root@ds01 ~]# ipa user-find
> ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information
> (Ticket not yet valid)
> [root@ds01 ~]#

Please check if there are some old tickets which might be still used by
apache. Run

find /tmp/systemd-namespace-* -name krb5cc_48

(assuming your apache user has uid 48), delete the files listed here and
try ipa user-find again.

HTH

bye,
Sumit

> Has something changed from 6.2 to 6.3 that would cause this by any chance?
>
> thanks
>
> Dale

From pspacek at redhat.com Thu Jun 28 07:59:30 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 28 Jun 2012 09:59:30 +0200
Subject: [Freeipa-users] rfe: ldap for dhcp
In-Reply-To: <4FEA4AB1.9050302@firstyear.id.au>
References: <1340716381.2533.20.camel@sgallagh520.sgallagh.bos.redhat.com> <1340721858.1765.2.camel@willson.li.ssimo.org> <4FEA4AB1.9050302@firstyear.id.au>
Message-ID: <4FEC0EE2.30902@redhat.com>

Hello,

On 06/27/2012 01:50 AM, William Brown wrote:
> Take a look at
> https://bitbucket.org/Firstyear/freeipa-dhcp/src/f63a7e505705/TODO.DHCP
> for my "todo" list, and at
> http://www.freeipa.org/page/DHCP_Integration_Design for some of my
> planning about this integration.
> Both are subject to change in the near
> future however.

Document "DHCP_Integration_Design" mentions GSSAPI support which is missing in ISC DHCP.

I recommend to look into SASL rather than plain GSSAPI. Implementation should be simpler than with GSSAPI.

You can look into code from https://fedorahosted.org/bind-dyndb-ldap/ .
File src/krb5_helper.c contains minimal code necessary to support Kerberos 5.
src/ldap_helper.c contains bits necessary for SASL setup. Interesting parts are mostly in new_ldap_instance() and ldap_sasl_interact() functions.

Petr^2 Spacek

From dale at themacartneyclan.com Thu Jun 28 08:18:02 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Thu, 28 Jun 2012 09:18:02 +0100
Subject: [Freeipa-users] strange gss failures in RHEL 6.3
In-Reply-To: <20120628055236.GM29454@localhost.localdomain>
References: <4FEB7C84.9010201@themacartneyclan.com> <20120628055236.GM29454@localhost.localdomain>
Message-ID: <4FEC133A.5020601@themacartneyclan.com>

On 28/06/12 06:52, Sumit Bose wrote:
> On Wed, Jun 27, 2012 at 10:35:00PM +0100, Dale Macartney wrote:
>> I get the following errors now despite having a valid tgt. This worked
>> perfectly a few hours ago (before I updated the repos)
>>
>> [root@ds01 ~]# ipa user-find
>> ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information
>> (Ticket not yet valid)
>> [root@ds01 ~]#
>
> Please check if there are some old tickets which might be still used by
> apache. Run
>
> find /tmp/systemd-namespace-* -name krb5cc_48
>
> (assuming your apache user has uid 48), delete the files listed here and
> try ipa user-find again.
>
> HTH
>
> bye,
> Sumit

Thanks Sumit,

Despite having this issue for a good while last night, I finished up for the night and it is no longer present this morning. I'll give your suggestion a try if the problem comes back.

Dale

From pvoborni at redhat.com Thu Jun 28 08:32:20 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 28 Jun 2012 10:32:20 +0200
Subject: [Freeipa-users] How can I change my password from a python script?
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com>
Message-ID: <4FEC1694.2080109@redhat.com>

On 06/28/2012 03:34 AM, Joe Linoff wrote:
> Hi Everybody:
>
> I need to add a lot of users to an LDAP system for testing and I would
> like to do it in batch mode. For my small tests have been doing
> something like this:

A batch command might be useful for this case.
Example (note that I'm not a python guy):

#!/usr/bin/env python
import pprint
from ipalib import api

# Bootstrap
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

# Prepare request
users = [
    (u'Foo', u'Bar', u'fbar@foo.baz', u'psw1', u'Sales guy'),
    (u'John', u'Doe', u'jdoe@foo.baz', u'psw2', u'Tech guy'),
]
add_commands = []
for user in users:
    (firstname, surname, email, psw, desc) = user
    add_commands.append({
        "method": 'user_add',
        "params": [
            [],  # login omitted: user_add fills it in from the first and last name
            {
                "givenname": firstname,
                "sn": surname,
                "mail": email,
                "userpassword": psw,
                # there is no shell in between, so the value needs no surrounding quotes
                "setattr": "description=" + desc,
            },
        ],
    })

# Execute as batch
result = api.Command['batch'](*add_commands)

# Print
pp = pprint.PrettyPrinter()
pp.pprint(result)

-- 
Petr Vobornik

From mkosek at redhat.com Thu Jun 28 08:45:51 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 28 Jun 2012 10:45:51 +0200
Subject: [Freeipa-users] How can I change my password from a python script?
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com>
Message-ID: <4FEC19BF.4060109@redhat.com>

On 06/28/2012 03:34 AM, Joe Linoff wrote:
> Hi Everybody:
>
> I need to add a lot of users to an LDAP system for testing and I would like to
> do it in batch mode. For my small tests have been doing something like this:

Hello Joe,

if you don't want to use batch command as Petr suggested you can try the following example.
It also uses the --random option available in recent FreeIPA versions to
let FreeIPA handle the password generation:

# cat add-users.py
#!/usr/bin/env python
from ipalib import api

api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

for i in xrange(5):
    login = u'user%d' % i
    result = api.Command['user_add'](login, givenname=u'Test', \
                                     sn=u'User #%d' % i, random=True)
    password = result['result']['randompassword']
    print "Created user '%s' with password '%s'" % (login, password)

When I execute it:

# ./add-users.py
Created user 'user0' with password 'EvzY+Of5pk@+'
Created user 'user1' with password 'kyRHb9RMFzBO'
Created user 'user2' with password 'u2mt_oGU_UIX'
Created user 'user3' with password 'Lm6ONeErNFgz'
Created user 'user4' with password 'AS=EeFozvbE-'

HTH,
Martin

From Duncan.Innes at virginmoney.com Thu Jun 28 10:28:50 2012
From: Duncan.Innes at virginmoney.com (Duncan.Innes at virginmoney.com)
Date: Thu, 28 Jun 2012 11:28:50 +0100
Subject: [Freeipa-users] Roadmap
Message-ID: 

Hi folks,

Is there any information on what the roadmap might be now that 2.2 is out
the door?

The current roadmap still references the 2.1 release around a year ago.

Thanks

Duncan Innes

From james.hogarth at gmail.com Thu Jun 28 13:46:42 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Thu, 28 Jun 2012 14:46:42 +0100
Subject: [Freeipa-users] Roadmap
In-Reply-To: 
References: 
Message-ID: 

> Is there any information on what the roadmap might be now that 2.2 is out
> the door?
>
> The current roadmap still references the 2.1 release around a year ago.

Check out the info here:

https://fedorahosted.org/freeipa/roadmap

So far as I'm aware the bulk of the 3.0 work is for cross realm (initially
only Active Directory?) trusts rather than full syncs of users.

There's some 3.1 work slated on there with respect to client certificate
management too....
From jlinoff at tabula.com Thu Jun 28 15:09:41 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Thu, 28 Jun 2012 08:09:41 -0700
Subject: [Freeipa-users] How can I change my password from a python script?
In-Reply-To: <4FEC1694.2080109@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com>
	<4FEC1694.2080109@redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F4478010064D2@mantaray.tabula.com>

Hi Petr:

Thank you. This is perfect.

I have to say that the more I learn about FreeIPA, the more impressed I am
with it (and I was pretty impressed to begin with).

Regards,

Joe

From jlinoff at tabula.com Thu Jun 28 15:10:47 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Thu, 28 Jun 2012 08:10:47 -0700
Subject: [Freeipa-users] How can I change my password from a python script?
In-Reply-To: <4FEC19BF.4060109@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com>
	<4FEC19BF.4060109@redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F4478010064D3@mantaray.tabula.com>

Hi Martin:

Thank you once again for your excellent insights. I really appreciate your
help. FreeIPA is really impressive.

Regards,

Joe

From jlinoff at tabula.com Thu Jun 28 23:42:07 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Thu, 28 Jun 2012 16:42:07 -0700
Subject: [Freeipa-users] How can I change my password from a python script?
In-Reply-To: <4FEC1694.2080109@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com>
	<4FEC1694.2080109@redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F44780100654C@mantaray.tabula.com>

Hi Petr:

I implemented what you suggested and everything worked pretty well but I
ran into three issues that you might be able to help me with.

ISSUE #1
The first issue (and the most important) is that the password is only
temporary. I am prompted to reset it the first time that I login. My goal
is to setup a working system quickly to test different configurations in a
batch fashion but having to reset the password for each user makes that
challenging. How can I disable the reset requirement for my test
environment?

ssh user5@cuthbert
user5@cuthbert's password:
Password expired. Change your password now.
Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user user5.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to cuthbert closed.

ISSUE #2
The second issue is really more of a question. I need to add these users
to groups. My guess is that I need to setup a similar call using the
'group_add' command. Is that right? If so, do you have an example that I
could follow?

ISSUE #3
The third and final issue is that I get a traceback from what appears to
be the validation in the batch command. How can I correct that?

Traceback (most recent call last):
  File "./u1.py", line 35, in
    result = api.Command['batch'](*add_cmds)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
    self.validate_output(ret)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
    nice, o.name, o.type, type(value), value)
TypeError: batch.validate_output():
  output['results']: need ; got :
  ({'summary': u'Added user "user5"', 'result': {'dn':
  u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': True,
  'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass':
  (u'top', u'person', u'organizationalperson', u'inetorgperson',
  u'inetuser', u'posixaccount', u'krbprincipalaux', u'krbticketpolicyaux',
  u'ipaobject'), 'loginshell': (u'/bin/bash',), 'uidnumber':
  (u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',),
  'has_password': True, 'sn': (u'last',), 'homedirectory':
  (u'/home/user5',), 'mail': (u'user5@example.com',), 'krbprincipalname':
  (u'user5@EXAMPLE.COM',), 'givenname': (u'first',), 'cn': (u'first
  last',), 'gecos': (u'first last',), 'ipauniqueid':
  (u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error':
  None},)

Regards,

Joe

From Steven.Jones at vuw.ac.nz Thu Jun 28 23:48:07 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 28 Jun 2012 23:48:07 +0000
Subject: [Freeipa-users] what files and info are needed to trace replicatin failures pls?
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCD8C10@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have done sosreports and error logs from /var/log/dirsrv/slapdxxxxx/

Just wondering if anything else could be useful.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From rmeggins at redhat.com Thu Jun 28 23:54:37 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 28 Jun 2012 17:54:37 -0600
Subject: [Freeipa-users] what files and info are needed to trace replicatin failures pls?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CCD8C10@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CCD8C10@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FECEEBD.5030508@redhat.com>

On 06/28/2012 05:48 PM, Steven Jones wrote:
> Hi,
>
> I have done sosreports and error logs from /var/log/dirsrv/slapdxxxxx/
>
> Just wondering if anything else could be useful.

Hard to say without investigating the failure.

From mkosek at redhat.com Fri Jun 29 07:06:42 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 29 Jun 2012 09:06:42 +0200
Subject: [Freeipa-users] How can I change my password from a python script?
In-Reply-To: <8AD4194C251EC74CB897E261038F44780100654C@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com>
	<4FEC1694.2080109@redhat.com>
	<8AD4194C251EC74CB897E261038F44780100654C@mantaray.tabula.com>
Message-ID: <1340953602.13966.11.camel@priserak>

On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
> Hi Petr:
>
> I implemented what you suggested and everything worked pretty well but I
> ran into three issues that you might be able to help me with.
>
> ISSUE #1
> The first issue (and the most important) is that the password is only
> temporary. I am prompted to reset it the first time that I login. My
> goal is to setup a working system quickly to test different
> configurations in a batch fashion but having to reset the password for
> each user makes that challenging. How can I disable the reset
> requirement for my test environment?
>
> ssh user5@cuthbert
> user5@cuthbert's password:
> Password expired. Change your password now.
> Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user user5.
> Current Password:
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> Connection to cuthbert closed.

Hi Joe,

This is a security measure, somebody else may correct me, but I don't
think this can be turned off. You can use an attached Python function
which can be used to change (reset) user password via web interface.
Normally, this backend is used by Web UI users with expired password to
be able to reset it. You could use it for the same purpose from the
script (function) I attached.

> ISSUE #2
> The second issue is really more of a question. I need to add these users
> to groups. My guess is that I need to setup a similar call using the
> 'group_add' command. Is that right? If so, do you have an example that I
> could follow?

You can try this one:

pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
{'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
            'objectclass': (u'top',
                            u'groupofnames',
                            u'nestedgroup',
                            u'ipausergroup',
                            u'ipaobject',
                            u'posixgroup')},
 'summary': u'Added group "foogroup"',
 'value': u'foogroup'}

pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
{'completed': 1,
 'failed': {'member': {'group': (), 'user': ()}},
 'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'member_user': (u'admin',)}}

pprint(api.Command['group_show'](u'foogroup'))
{'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'member_user': (u'admin',)},
 'summary': None,
 'value': u'foogroup'}

> ISSUE #3
> The third and final issue is that I get a traceback from what appears
> to be the validation in the batch command. How can I correct that?
>
> Traceback (most recent call last):
>   File "./u1.py", line 35, in
>     result = api.Command['batch'](*add_cmds)
>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
> 443, in __call__
>     self.validate_output(ret)
>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
> 903, in validate_output
>     nice, o.name, o.type, type(value), value)
> TypeError: batch.validate_output():
>   output['results']: need ; got :
>   ({'summary': u'Added user "user5"', 'result': {'dn':
>   u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': True,
>   'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass':
>   (u'top', u'person', u'organizationalperson', u'inetorgperson',
>   u'inetuser', u'posixaccount', u'krbprincipalaux', u'krbticketpolicyaux',
>   u'ipaobject'), 'loginshell': (u'/bin/bash',), 'uidnumber':
>   (u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',),
>   'has_password': True, 'sn': (u'last',), 'homedirectory':
>   (u'/home/user5',), 'mail': (u'user5@example.com',), 'krbprincipalname':
>   (u'user5@EXAMPLE.COM',), 'givenname': (u'first',), 'cn': (u'first
>   last',), 'gecos': (u'first last',), 'ipauniqueid':
>   (u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error':
>   None},)

You may just have found a bug. Batch command is not normally executed
from XML-RPC, there may be an issue. We will investigate it.

Meanwhile, I would recommend using simple command, I think it's easier to
read and code.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: webui-changepw.py
Type: text/x-python
Size: 1271 bytes
Desc: not available
URL: 

From jlinoff at tabula.com Fri Jun 29 07:22:02 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Fri, 29 Jun 2012 00:22:02 -0700
Subject: [Freeipa-users] How can I change my password from a python script?
In-Reply-To: <1340953602.13966.11.camel@priserak>
References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com>
	<4FEC1694.2080109@redhat.com>
	<8AD4194C251EC74CB897E261038F44780100654C@mantaray.tabula.com>
	<1340953602.13966.11.camel@priserak>
Message-ID: <8AD4194C251EC74CB897E261038F44780100657D@mantaray.tabula.com>

Hi Martin:

Thank you. This is very helpful. I am going to try the group functions
tomorrow morning (PST).

Regards,

Joe

From abokovoy at redhat.com Fri Jun 29 07:30:57 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jun 2012 10:30:57 +0300
Subject: [Freeipa-users] How can I change my password from a python script?
In-Reply-To: <1340953602.13966.11.camel@priserak> References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com> <4FEC1694.2080109@redhat.com> <8AD4194C251EC74CB897E261038F44780100654C@mantaray.tabula.com> <1340953602.13966.11.camel@priserak> Message-ID: <20120629073057.GF6687@redhat.com> On Fri, 29 Jun 2012, Martin Kosek wrote: >On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote: >> Hi Petr: >> >> I implemented what you suggested and everything worked pretty well but I >> ran into three issues that you might be able to help me with. >> >> ISSUE #1 >> The first issue (and the most important) is that the password is only >> temporary. I am prompted to reset it the first time that I login. My >> goal is to setup a working system quickly to test different >> configurations in a batch fashion but having to reset the password for >> each user makes that challenging. How can I disable the reset >> requirement for my test environment? >> >> ssh user5 at cuthbert >> user5 at cuthbert's password: >> Password expired. Change your password now. >> Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com >> WARNING: Your password has expired. >> You must change your password now and login again! >> Changing password for user user5. >> Current Password: >> New password: >> Retype new password: >> passwd: all authentication tokens updated successfully. >> Connection to cuthbert closed. > >Hi Joe, > >This is a security measure, somebody else may correct me, but I don't >think this can be turned off. You can use an attached Python function >which can be used to change (reset) user password via web interface. >Normally, this backend is used by Web UI users with expired password to >be able to reset it. You could you is it for the same purpose from the >script (function) I attached. What you can do is to change the same password as a user -- given that these are test configurations, you can: 0. 
Change minimum acceptable password lifetime to 0
   ipa pwpolicy-mod --minlife=0
1. Add all users, note their passwords
2. For each user:
   2.1. kinit
   2.2. echo -e "$PASSWORD\n$PASSWORD\n$PASSWORD" | ipa passwd
   2.3. kdestroy

This way you'll get passwords set back as those users. Or use the script that Martin provided.

>>
>> ISSUE #2
>> The second issue is really more of a question. I need to add these users
>> to groups. My guess is that I need to setup a similar call using the
>> 'group_add' command. Is that right? If so, do you have an example that I
>> could follow?
>
>You can try this one:
>
>pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
>{'result': {'cn': (u'foogroup',),
>            'description': (u'foo group',),
>            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
>            'gidnumber': (u'4800015',),
>            'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
>            'objectclass': (u'top',
>                            u'groupofnames',
>                            u'nestedgroup',
>                            u'ipausergroup',
>                            u'ipaobject',
>                            u'posixgroup')},
> 'summary': u'Added group "foogroup"',
> 'value': u'foogroup'}
>
>pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
>{'completed': 1,
> 'failed': {'member': {'group': (), 'user': ()}},
> 'result': {'cn': (u'foogroup',),
>            'description': (u'foo group',),
>            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
>            'gidnumber': (u'4800015',),
>            'member_user': (u'admin',)}}
>
>pprint(api.Command['group_show'](u'foogroup'))
>{'result': {'cn': (u'foogroup',),
>            'description': (u'foo group',),
>            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
>            'gidnumber': (u'4800015',),
>            'member_user': (u'admin',)},
> 'summary': None,
> 'value': u'foogroup'}
>
>>
>> ISSUE #3
>> The third and final issue is that I get a traceback from what appears
>> to be the validation in the batch command. How can I correct that?
>> >> Traceback (most recent call last): >> File "./u1.py", line 35, in >> result = api.Command['batch'](*add_cmds) >> File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line >> 443, in __call__ >> self.validate_output(ret) >> File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line >> 903, in validate_output >> nice, o.name, o.type, type(value), value) >> TypeError: batch.validate_output(): >> output['results']: need ; got : Looks like you are running FreeIPA 2.1.3 as 2.2 should have this fixed in commit 2b077f7b0d68a758ae15a73eeef74591bac84360 in March 2012. >You may just have found a bug. Batch command is not normally executed >from XML-RPC, there may be an issue. We will investigate it. Martin, look at 2b077f7b0d68a758ae15a73eeef74591bac84360, I believe it is fixed already. -- / Alexander Bokovoy From jlinoff at tabula.com Fri Jun 29 07:33:07 2012 From: jlinoff at tabula.com (Joe Linoff) Date: Fri, 29 Jun 2012 00:33:07 -0700 Subject: [Freeipa-users] How can I change my password from a python script? In-Reply-To: <20120629073057.GF6687@redhat.com> References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com> <4FEC1694.2080109@redhat.com> <8AD4194C251EC74CB897E261038F44780100654C@mantaray.tabula.com> <1340953602.13966.11.camel@priserak> <20120629073057.GF6687@redhat.com> Message-ID: <8AD4194C251EC74CB897E261038F44780100657E@mantaray.tabula.com> Hi Alexander: Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on a CentOS 6.2 system? I used 2.1.3 because it was in the rpm distribution. Regards, Joe -----Original Message----- From: Alexander Bokovoy [mailto:abokovoy at redhat.com] Sent: Friday, June 29, 2012 12:31 AM To: Martin Kosek Cc: Joe Linoff; freeipa-users at redhat.com Subject: Re: [Freeipa-users] How can I change my password from a python script? 
On Fri, 29 Jun 2012, Martin Kosek wrote: >On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote: >> Hi Petr: >> >> I implemented what you suggested and everything worked pretty well >> but I ran into three issues that you might be able to help me with. >> >> ISSUE #1 >> The first issue (and the most important) is that the password is only >> temporary. I am prompted to reset it the first time that I login. My >> goal is to setup a working system quickly to test different >> configurations in a batch fashion but having to reset the password >> for each user makes that challenging. How can I disable the reset >> requirement for my test environment? >> >> ssh user5 at cuthbert >> user5 at cuthbert's password: >> Password expired. Change your password now. >> Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com >> WARNING: Your password has expired. >> You must change your password now and login again! >> Changing password for user user5. >> Current Password: >> New password: >> Retype new password: >> passwd: all authentication tokens updated successfully. >> Connection to cuthbert closed. > >Hi Joe, > >This is a security measure, somebody else may correct me, but I don't >think this can be turned off. You can use an attached Python function >which can be used to change (reset) user password via web interface. >Normally, this backend is used by Web UI users with expired password to >be able to reset it. You could you is it for the same purpose from the >script (function) I attached. What you can do is to change the same password as a user -- given that these are test configurations, you can: 0. Change minimum acceptable password lifetime to 0 ipa pwpolicy-mod --minlife=0 1. Add all users, note their passwords 2. For each user: 2.1. kinit 2.2. echo -e "$PASSWORD\n$PASSWORD\$PASSWORD" | ipa passwd 2.3 kdestroy This way you'll get passwords set back as those users. Or use the script that Martin provided. 
>> >> ISSUE #2 >> The second issue is really more of a question. I need to add these >> users to groups. My guess is that I need to setup a similar call >> using the 'group_add' command. Is that right? If so, do you have an >> example that I could follow? > >You can try this one: > >pprint(api.Command['group_add'](u'foogroup', description=u'foo group')) >{'result': {'cn': (u'foogroup',), > 'description': (u'foo group',), > 'dn': >u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c om', > 'gidnumber': (u'4800015',), > 'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',), > 'objectclass': (u'top', > u'groupofnames', > u'nestedgroup', > u'ipausergroup', > u'ipaobject', > u'posixgroup')}, > 'summary': u'Added group "foogroup"', > 'value': u'foogroup'} > >pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin'])) >{'completed': 1, > 'failed': {'member': {'group': (), 'user': ()}}, > 'result': {'cn': (u'foogroup',), > 'description': (u'foo group',), > 'dn': >u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c om', > 'gidnumber': (u'4800015',), > 'member_user': (u'admin',)}} > >pprint(api.Command['group_show'](u'foogroup')) >{'result': {'cn': (u'foogroup',), > 'description': (u'foo group',), > 'dn': >u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c om', > 'gidnumber': (u'4800015',), > 'member_user': (u'admin',)}, > 'summary': None, > 'value': u'foogroup'} > >> >> ISSUE #3 >> The third and final issue is that the I get traceback from what >> appears to be the validation in the batch command. How can I correct that? 
>> >> Traceback (most recent call last): >> File "./u1.py", line 35, in >> result = api.Command['batch'](*add_cmds) >> File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", >> line 443, in __call__ >> self.validate_output(ret) >> File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", >> line 903, in validate_output >> nice, o.name, o.type, type(value), value) >> TypeError: batch.validate_output(): >> output['results']: need ; got : Looks like you are running FreeIPA 2.1.3 as 2.2 should have this fixed in commit 2b077f7b0d68a758ae15a73eeef74591bac84360 in March 2012. >You may just have found a bug. Batch command is not normally executed >from XML-RPC, there may be an issue. We will investigate it. Martin, look at 2b077f7b0d68a758ae15a73eeef74591bac84360, I believe it is fixed already. -- / Alexander Bokovoy From mkosek at redhat.com Fri Jun 29 07:37:47 2012 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 29 Jun 2012 09:37:47 +0200 Subject: [Freeipa-users] How can I change my password from a python script? In-Reply-To: <8AD4194C251EC74CB897E261038F44780100657E@mantaray.tabula.com> References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com> <4FEC1694.2080109@redhat.com> <8AD4194C251EC74CB897E261038F44780100654C@mantaray.tabula.com> <1340953602.13966.11.camel@priserak> <20120629073057.GF6687@redhat.com> <8AD4194C251EC74CB897E261038F44780100657E@mantaray.tabula.com> Message-ID: <1340955467.15622.3.camel@priserak> IMHO, 2.1.3 -> 2.2 upgrade should be safe, although I don't know if something was changed in CentOS compared to RHEL where this should just work. Btw there is one thing I just realized, you will probably have to go with Alexander's approach as the password expiration backend is available in GIT in master branch only, i.e. in future IPA 3.0. Martin On Fri, 2012-06-29 at 00:33 -0700, Joe Linoff wrote: > Hi Alexander: > > Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on a > CentOS 6.2 system? 
I used 2.1.3 because it was in the rpm distribution. > > Regards, > > Joe > > -----Original Message----- > From: Alexander Bokovoy [mailto:abokovoy at redhat.com] > Sent: Friday, June 29, 2012 12:31 AM > To: Martin Kosek > Cc: Joe Linoff; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] How can I change my password from a python > script? > > On Fri, 29 Jun 2012, Martin Kosek wrote: > >On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote: > >> Hi Petr: > >> > >> I implemented what you suggested and everything worked pretty well > >> but I ran into three issues that you might be able to help me with. > >> > >> ISSUE #1 > >> The first issue (and the most important) is that the password is only > > >> temporary. I am prompted to reset it the first time that I login. My > >> goal is to setup a working system quickly to test different > >> configurations in a batch fashion but having to reset the password > >> for each user makes that challenging. How can I disable the reset > >> requirement for my test environment? > >> > >> ssh user5 at cuthbert > >> user5 at cuthbert's password: > >> Password expired. Change your password now. > >> Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com > >> WARNING: Your password has expired. > >> You must change your password now and login again! > >> Changing password for user user5. > >> Current Password: > >> New password: > >> Retype new password: > >> passwd: all authentication tokens updated successfully. > >> Connection to cuthbert closed. > > > >Hi Joe, > > > >This is a security measure, somebody else may correct me, but I don't > >think this can be turned off. You can use an attached Python function > >which can be used to change (reset) user password via web interface. > >Normally, this backend is used by Web UI users with expired password to > > >be able to reset it. You could you is it for the same purpose from the > >script (function) I attached. 
> What you can do is to change the same password as a user -- given that > these are test configurations, you can: > 0. Change minimum acceptable password lifetime to 0 > ipa pwpolicy-mod --minlife=0 > 1. Add all users, note their passwords > 2. For each user: > 2.1. kinit > 2.2. echo -e "$PASSWORD\n$PASSWORD\$PASSWORD" | ipa passwd > 2.3 kdestroy > > This way you'll get passwords set back as those users. Or use the script > that Martin provided. > > > >> > >> ISSUE #2 > >> The second issue is really more of a question. I need to add these > >> users to groups. My guess is that I need to setup a similar call > >> using the 'group_add' command. Is that right? If so, do you have an > >> example that I could follow? > > > >You can try this one: > > > >pprint(api.Command['group_add'](u'foogroup', description=u'foo group')) > >{'result': {'cn': (u'foogroup',), > > 'description': (u'foo group',), > > 'dn': > >u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c > om', > > 'gidnumber': (u'4800015',), > > 'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',), > > 'objectclass': (u'top', > > u'groupofnames', > > u'nestedgroup', > > u'ipausergroup', > > u'ipaobject', > > u'posixgroup')}, > > 'summary': u'Added group "foogroup"', > > 'value': u'foogroup'} > > > >pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin'])) > >{'completed': 1, > > 'failed': {'member': {'group': (), 'user': ()}}, > > 'result': {'cn': (u'foogroup',), > > 'description': (u'foo group',), > > 'dn': > >u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c > om', > > 'gidnumber': (u'4800015',), > > 'member_user': (u'admin',)}} > > > >pprint(api.Command['group_show'](u'foogroup')) > >{'result': {'cn': (u'foogroup',), > > 'description': (u'foo group',), > > 'dn': > >u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c > om', > > 'gidnumber': (u'4800015',), > > 'member_user': (u'admin',)}, > > 'summary': None, > > 'value': u'foogroup'} 
> > > >> > >> ISSUE #3 > >> The third and final issue is that the I get traceback from what > >> appears to be the validation in the batch command. How can I correct > that? > >> > >> Traceback (most recent call last): > >> File "./u1.py", line 35, in > >> result = api.Command['batch'](*add_cmds) > >> File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", > >> line 443, in __call__ > >> self.validate_output(ret) > >> File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", > >> line 903, in validate_output > >> nice, o.name, o.type, type(value), value) > >> TypeError: batch.validate_output(): > >> output['results']: need ; got : > Looks like you are running FreeIPA 2.1.3 as 2.2 should have this fixed > in commit 2b077f7b0d68a758ae15a73eeef74591bac84360 in March 2012. > > >You may just have found a bug. Batch command is not normally executed > >from XML-RPC, there may be an issue. We will investigate it. > Martin, look at 2b077f7b0d68a758ae15a73eeef74591bac84360, I believe it > is fixed already. > > > -- > / Alexander Bokovoy From jlinoff at tabula.com Fri Jun 29 07:40:15 2012 From: jlinoff at tabula.com (Joe Linoff) Date: Fri, 29 Jun 2012 00:40:15 -0700 Subject: [Freeipa-users] How can I change my password from a python script? In-Reply-To: <1340955467.15622.3.camel@priserak> References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com> <4FEC1694.2080109@redhat.com> <8AD4194C251EC74CB897E261038F44780100654C@mantaray.tabula.com> <1340953602.13966.11.camel@priserak> <20120629073057.GF6687@redhat.com> <8AD4194C251EC74CB897E261038F44780100657E@mantaray.tabula.com> <1340955467.15622.3.camel@priserak> Message-ID: <8AD4194C251EC74CB897E261038F447801006580@mantaray.tabula.com> > you will probably have to go with Alexander's approach as the password > expiration backend is available in GIT in master branch only, i.e. in > future IPA 3.0. Will do. Thanks. 
Joe -----Original Message----- From: Martin Kosek [mailto:mkosek at redhat.com] Sent: Friday, June 29, 2012 12:38 AM To: Joe Linoff Cc: Alexander Bokovoy; freeipa-users at redhat.com Subject: Re: [Freeipa-users] How can I change my password from a python script? IMHO, 2.1.3 -> 2.2 upgrade should be safe, although I don't know if something was changed in CentOS compared to RHEL where this should just work. Btw there is one thing I just realized, you will probably have to go with Alexander's approach as the password expiration backend is available in GIT in master branch only, i.e. in future IPA 3.0. Martin On Fri, 2012-06-29 at 00:33 -0700, Joe Linoff wrote: > Hi Alexander: > > Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on > a CentOS 6.2 system? I used 2.1.3 because it was in the rpm distribution. > > Regards, > > Joe > > -----Original Message----- > From: Alexander Bokovoy [mailto:abokovoy at redhat.com] > Sent: Friday, June 29, 2012 12:31 AM > To: Martin Kosek > Cc: Joe Linoff; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] How can I change my password from a > python script? > > On Fri, 29 Jun 2012, Martin Kosek wrote: > >On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote: > >> Hi Petr: > >> > >> I implemented what you suggested and everything worked pretty well > >> but I ran into three issues that you might be able to help me with. > >> > >> ISSUE #1 > >> The first issue (and the most important) is that the password is > >> only > > >> temporary. I am prompted to reset it the first time that I login. > >> My goal is to setup a working system quickly to test different > >> configurations in a batch fashion but having to reset the password > >> for each user makes that challenging. How can I disable the reset > >> requirement for my test environment? > >> > >> ssh user5 at cuthbert > >> user5 at cuthbert's password: > >> Password expired. Change your password now. 
> >> Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com > >> WARNING: Your password has expired. > >> You must change your password now and login again! > >> Changing password for user user5. > >> Current Password: > >> New password: > >> Retype new password: > >> passwd: all authentication tokens updated successfully. > >> Connection to cuthbert closed. > > > >Hi Joe, > > > >This is a security measure, somebody else may correct me, but I don't > >think this can be turned off. You can use an attached Python function > >which can be used to change (reset) user password via web interface. > >Normally, this backend is used by Web UI users with expired password > >to > > >be able to reset it. You could you is it for the same purpose from > >the script (function) I attached. > What you can do is to change the same password as a user -- given that > these are test configurations, you can: > 0. Change minimum acceptable password lifetime to 0 > ipa pwpolicy-mod --minlife=0 > 1. Add all users, note their passwords 2. For each user: > 2.1. kinit > 2.2. echo -e "$PASSWORD\n$PASSWORD\$PASSWORD" | ipa passwd > 2.3 kdestroy > > This way you'll get passwords set back as those users. Or use the > script that Martin provided. > > > >> > >> ISSUE #2 > >> The second issue is really more of a question. I need to add these > >> users to groups. My guess is that I need to setup a similar call > >> using the 'group_add' command. Is that right? If so, do you have an > >> example that I could follow? 
> > > >You can try this one: > > > >pprint(api.Command['group_add'](u'foogroup', description=u'foo > >group')) > >{'result': {'cn': (u'foogroup',), > > 'description': (u'foo group',), > > 'dn': > >u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc > >=c > om', > > 'gidnumber': (u'4800015',), > > 'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',), > > 'objectclass': (u'top', > > u'groupofnames', > > u'nestedgroup', > > u'ipausergroup', > > u'ipaobject', > > u'posixgroup')}, > > 'summary': u'Added group "foogroup"', > > 'value': u'foogroup'} > > > >pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin'])) > >{'completed': 1, > > 'failed': {'member': {'group': (), 'user': ()}}, > > 'result': {'cn': (u'foogroup',), > > 'description': (u'foo group',), > > 'dn': > >u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc > >=c > om', > > 'gidnumber': (u'4800015',), > > 'member_user': (u'admin',)}} > > > >pprint(api.Command['group_show'](u'foogroup')) > >{'result': {'cn': (u'foogroup',), > > 'description': (u'foo group',), > > 'dn': > >u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc > >=c > om', > > 'gidnumber': (u'4800015',), > > 'member_user': (u'admin',)}, > > 'summary': None, > > 'value': u'foogroup'} > > > >> > >> ISSUE #3 > >> The third and final issue is that the I get traceback from what > >> appears to be the validation in the batch command. How can I > >> correct > that? 
> >> > >> Traceback (most recent call last): > >> File "./u1.py", line 35, in > >> result = api.Command['batch'](*add_cmds) > >> File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", > >> line 443, in __call__ > >> self.validate_output(ret) > >> File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", > >> line 903, in validate_output > >> nice, o.name, o.type, type(value), value) > >> TypeError: batch.validate_output(): > >> output['results']: need ; got : > Looks like you are running FreeIPA 2.1.3 as 2.2 should have this fixed > in commit 2b077f7b0d68a758ae15a73eeef74591bac84360 in March 2012. > > >You may just have found a bug. Batch command is not normally executed > >from XML-RPC, there may be an issue. We will investigate it. > Martin, look at 2b077f7b0d68a758ae15a73eeef74591bac84360, I believe it > is fixed already. > > > -- > / Alexander Bokovoy From abokovoy at redhat.com Fri Jun 29 07:55:51 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 29 Jun 2012 10:55:51 +0300 Subject: [Freeipa-users] How can I change my password from a python script? In-Reply-To: <8AD4194C251EC74CB897E261038F44780100657E@mantaray.tabula.com> References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com> <4FEC1694.2080109@redhat.com> <8AD4194C251EC74CB897E261038F44780100654C@mantaray.tabula.com> <1340953602.13966.11.camel@priserak> <20120629073057.GF6687@redhat.com> <8AD4194C251EC74CB897E261038F44780100657E@mantaray.tabula.com> Message-ID: <20120629075551.GG6687@redhat.com> On Fri, 29 Jun 2012, Joe Linoff wrote: >Hi Alexander: > >Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on a >CentOS 6.2 system? I used 2.1.3 because it was in the rpm distribution. I haven't used CentOS 6.2 so I cannot suggest anything on this front. 
--
/ Alexander Bokovoy

From natxo.asenjo at gmail.com Fri Jun 29 11:16:02 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 29 Jun 2012 13:16:02 +0200
Subject: [Freeipa-users] kdc on the internet
Message-ID:

hi,

Is it 'safe' to use ipa on the internet? My feeling is it is; I mean, kerberos is meant for untrusted networks. What are your thoughts about this? What ports of the kdc should *not* be accessible?

--
Groeten,
natxo

From david at tunna.org Fri Jun 29 07:46:48 2012
From: david at tunna.org (David Spångberg)
Date: Fri, 29 Jun 2012 09:46:48 +0200 (CEST)
Subject: [Freeipa-users] replica failed to uninstall cleanly
Message-ID:

Hello

I have a problem similar to the problem George He talked about last week in this mailing list:
- http://article.gmane.org/gmane.linux.redhat.freeipa.user/4895

Basically I have an ipa master running and wanted to set up a replica. However the CA installation step failed and the `ipa-replica-install' script informed me to perform an `ipa-server-install --uninstall' which I did. I then ran `ipa-replica-install' without the `--setup-ca' flag thinking I could use `ipa-ca-install' later. I was informed that the host already existed on the master and to run `ipa-replica-manage del' to remove it. If I remember correctly this command failed complaining about not being able to connect to the ldap service. I then tried and failed with the `--force' flag which was discussed in George He's thread.

This is how it looks for me now:

At the replica server:
> $ ipa-replica-install /var/lib/ipa/replica-info-ipa2.example.com.gpg
> ...
> The host ipa2.example.com already exists on the master server.
> Depending on your configuration, you may perform the following:
>
> Remove the replication agreement, if any:
>     % ipa-replica-manage del ipa2.example.com
> Remove the host entry:
>     % ipa host-del ipa2.example.com

At the master server:
> $ ipa-replica-manage list
> ipa2.example.com: master
> ipa.example.com: master
> $ ipa-replica-manage del ipa2.example.com
> 'ipa.example.com' has no replication agreement for 'ipa2.example.com'
> $ ipa-replica-manage --force ipa2.example.com
> 'ipa.example.com' has no replication agreement for 'ipa2.example.com'
> $ ipa host-del ipa2.drutt.com
> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled

It seems like `ipa-replica-manage' succeeded in removing just enough entries in the ldap service to fool the `ipa-replica-manage del' command but not enough to really uninstall it. Checking the output of for example `ldapsearch -D "cn=Directory Manager" -w pass -LLL -x cn=ipa-http-delegation' seems to confirm this.

Regards,
David Spångberg

From sysadmin at noboost.org Thu Jun 28 02:48:02 2012
From: sysadmin at noboost.org (sysadmin at noboost.org)
Date: Thu, 28 Jun 2012 06:48:02 +0400
Subject: [Freeipa-users] UID 999, not possible?
Message-ID: <20120628024802.GA11874@noboost.org>

Hi All,

Is there a weird restriction to UID 999 in ipa, as IPA keeps changing the UID when I add a user with that number?
(I've already checked the UID isn't in use) [root at sysvm-ipa ~]# ipa user-add administrator --uid=999 --gidnumber=132 --first=administrator --last=administrator -------------------------- Added user "administrator" -------------------------- User login: administrator First name: administrator Last name: administrator Full name: administrator administrator Display name: administrator administrator Initials: aa Home directory: /home/administrator GECOS field: administrator administrator Login shell: /bin/bash Kerberos principal: administrator at EXAMPLE.COM UID: 721000062 GID: 132 Keytab: False Password: False cya Craig From abokovoy at redhat.com Fri Jun 29 13:04:37 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 29 Jun 2012 16:04:37 +0300 Subject: [Freeipa-users] UID 999, not possible? In-Reply-To: <20120628024802.GA11874@noboost.org> References: <20120628024802.GA11874@noboost.org> Message-ID: <20120629130437.GK6687@redhat.com> On Thu, 28 Jun 2012, sysadmin at noboost.org wrote: >Hi All, > >Is there a weird restriction to UID 999 in ipa, as IPA keeps changing >the UID when I add a user with that number? (I've already checked the >UID isn't in use) We use 999 as a marker for DNA plugin. 
UID/GID 999 is replaced by an allocated one with the help of the 389-ds plugin
http://directory.fedoraproject.org/wiki/DNA_Plugin
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Defining_Dynamic_Atrribute_Values.html#about-dunamically-assigning-attribute-values

>
>[root at sysvm-ipa ~]# ipa user-add administrator --uid=999 --gidnumber=132
>--first=administrator --last=administrator
>--------------------------
>Added user "administrator"
>--------------------------
>  User login: administrator
>  First name: administrator
>  Last name: administrator
>  Full name: administrator administrator
>  Display name: administrator administrator
>  Initials: aa
>  Home directory: /home/administrator
>  GECOS field: administrator administrator
>  Login shell: /bin/bash
>  Kerberos principal: administrator at EXAMPLE.COM
>  UID: 721000062
>  GID: 132
>  Keytab: False
>  Password: False
>
>
>cya
>
>Craig

--
/ Alexander Bokovoy

From pviktori at redhat.com Fri Jun 29 13:25:30 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 29 Jun 2012 15:25:30 +0200
Subject: [Freeipa-users] UID 999, not possible?
In-Reply-To: <20120629130437.GK6687@redhat.com>
References: <20120628024802.GA11874@noboost.org> <20120629130437.GK6687@redhat.com>
Message-ID: <4FEDACCA.1090401@redhat.com>

On 06/29/2012 03:04 PM, Alexander Bokovoy wrote:
> On Thu, 28 Jun 2012, sysadmin at noboost.org wrote:
>> Hi All,
>>
>> Is there a weird restriction to UID 999 in ipa, as IPA keeps changing
>> the UID when I add a user with that number? (I've already checked the
>> UID isn't in use)
> We use 999 as a marker for DNA plugin.
> UID/GID 999 is replaced by
> an allocated one with the help of the 389-ds plugin
> http://directory.fedoraproject.org/wiki/DNA_Plugin
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Defining_Dynamic_Atrribute_Values.html#about-dunamically-assigning-attribute-values

The documentation mentions that the magic value can be a word ("magic"), or it doesn't have to exist at all (it's added for objectClass:posixAccount entries). Is there a reason IPA is using 999 here?
If there is, the command should fail instead of silently assigning a different number than asked for. I'll file a bug for this.

>>
>> [root at sysvm-ipa ~]# ipa user-add administrator --uid=999 --gidnumber=132
>> --first=administrator --last=administrator
>> --------------------------
>> Added user "administrator"
>> --------------------------
>>   User login: administrator
>>   First name: administrator
>>   Last name: administrator
>>   Full name: administrator administrator
>>   Display name: administrator administrator
>>   Initials: aa
>>   Home directory: /home/administrator
>>   GECOS field: administrator administrator
>>   Login shell: /bin/bash
>>   Kerberos principal: administrator at EXAMPLE.COM
>>   UID: 721000062
>>   GID: 132
>>   Keytab: False
>>   Password: False
>>
>>
>> cya
>>
>> Craig
>
>
>

--
Petr³

From george_he7 at yahoo.com Fri Jun 29 13:42:41 2012
From: george_he7 at yahoo.com (george he)
Date: Fri, 29 Jun 2012 06:42:41 -0700 (PDT)
Subject: [Freeipa-users] pam_systemd(sshd:session): Failed to create session
Message-ID: <1340977361.30126.YahooMailNeo@web120001.mail.ne1.yahoo.com>

Hello all,

I'm running out of time to figure out what was wrong with my replica set up, so I just went ahead and installed ipa-client on that machine.
It seems the client was installed all right, except when I ssh to the new client from another client, I get this:

Could not chdir to home directory /home/ghe: No such file or directory

and then I was left at /. I don't remember what I did differently on the other client machines that would create /home/ghe for me the first time I log on.

Here is the error message from /var/log/secure on the new client.

pam_systemd(sshd:session): Failed to create session: No such file or directory

How do I fix this problem?

Thanks,
George

From danieljamesscott at gmail.com Fri Jun 29 13:51:16 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 29 Jun 2012 09:51:16 -0400
Subject: [Freeipa-users] pam_systemd(sshd:session): Failed to create session
In-Reply-To: <1340977361.30126.YahooMailNeo@web120001.mail.ne1.yahoo.com>
References: <1340977361.30126.YahooMailNeo@web120001.mail.ne1.yahoo.com>
Message-ID:

Hi,

I don't know if this is done by the default IPA install, but you need to configure it to auto create home directories:

authconfig --update --enablemkhomedir

You may need the oddjob-mkhomedir package installed too.

Thanks,

Dan

On Fri, Jun 29, 2012 at 9:42 AM, george he wrote:
> Hello all,
>
> I'm running out of time to figure out what was wrong with my replica set up,
> so I just went ahead and installed ipa-client on that machine.
> It seems the client was installed all right, except when I ssh to the new
> client from another client, I get this:
>
> Could not chdir to home directory /home/ghe: No such file or directory
>
> and then I was left at /. I don't remember what I did differently on the
> other client machines that would create /home/ghe for me the first time I
> log on.
>
> Here is the error message from /var/log/secure on the new client.
>
> pam_systemd(sshd:session): Failed to create session: No such file or
> directory
>
> How do I fix this problem?
>
> Thanks,
> George

From abokovoy at redhat.com Fri Jun 29 13:55:17 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jun 2012 16:55:17 +0300
Subject: [Freeipa-users] UID 999, not possible?
In-Reply-To: <4FEDACCA.1090401@redhat.com>
References: <20120628024802.GA11874@noboost.org> <20120629130437.GK6687@redhat.com> <4FEDACCA.1090401@redhat.com>
Message-ID: <20120629135517.GL6687@redhat.com>

On Fri, 29 Jun 2012, Petr Viktorin wrote:
>On 06/29/2012 03:04 PM, Alexander Bokovoy wrote:
>>On Thu, 28 Jun 2012, sysadmin at noboost.org wrote:
>>>Hi All,
>>>
>>>Is there a weird restriction to UID 999 in ipa, as IPA keeps changing
>>>the UID when I add a user with that number? (I've already checked the
>>>UID isn't in use)
>>We use 999 as a marker for DNA plugin. UID/GID 999 is replaced by
>>an allocated one with the help of the 389-ds plugin
>>http://directory.fedoraproject.org/wiki/DNA_Plugin
>>http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Defining_Dynamic_Atrribute_Values.html#about-dunamically-assigning-attribute-values
>
>The documentation mentions that the magic value can be a word
>("magic"), or it doesn't have to exist at all (it's added for
>objectClass:posixAccount entries). Is there a reason IPA is using 999
>here?
The uidNumber and gidNumber fields use integer value syntax:

OID value: 1.3.6.1.4.1.1466.115.121.1.27
OID description: Values in this syntax are encoded as the decimal representation of their values, with each decimal digit represented by the its character equivalent. So the number 1321 is represented by the character string "1321".

So, you can't have a string there that does not evaluate to an integer.

>If there is, the command should fail instead of silently assigning a
>different number than asked for. I'll file a bug for this.
DNA_MAGIC in user.py is defined as 999 and it is the default value for the uidNumber and gidNumber options. We have no way to differentiate between the default and the same value entered by the user.

>>>
>>>[root@sysvm-ipa ~]# ipa user-add administrator --uid=999 --gidnumber=132
>>>--first=administrator --last=administrator
>>>--------------------------
>>>Added user "administrator"
>>>--------------------------
>>>  User login: administrator
>>>  First name: administrator
>>>  Last name: administrator
>>>  Full name: administrator administrator
>>>  Display name: administrator administrator
>>>  Initials: aa
>>>  Home directory: /home/administrator
>>>  GECOS field: administrator administrator
>>>  Login shell: /bin/bash
>>>  Kerberos principal: administrator@EXAMPLE.COM
>>>  UID: 721000062
>>>  GID: 132
>>>  Keytab: False
>>>  Password: False
>>>
>>>cya
>>>
>>>Craig
>>
>
>--
>Petr³

--
/ Alexander Bokovoy

From george_he7 at yahoo.com Fri Jun 29 14:02:50 2012
From: george_he7 at yahoo.com (george he)
Date: Fri, 29 Jun 2012 07:02:50 -0700 (PDT)
Subject: [Freeipa-users] pam_systemd(sshd:session): Failed to create session
In-Reply-To:
References: <1340977361.30126.YahooMailNeo@web120001.mail.ne1.yahoo.com>
Message-ID: <1340978570.45301.YahooMailNeo@web120002.mail.ne1.yahoo.com>

Hello Dan,

Many thanks. It worked. Now I remember this was done by default on my other clients... don't know why.
George

>________________________________
> From: Dan Scott
>To: george he
>Cc: "freeipa-users at redhat.com"
>Sent: Friday, June 29, 2012 9:51 AM
>Subject: Re: [Freeipa-users] pam_systemd(sshd:session): Failed to create session
>
>Hi,
>
>I don't know if this is done by the default IPA install, but you need
>to configure it to auto create home directories:
>
>authconfig --update --enablemkhomedir
>
>You may need the oddjob-mkhomedir package installed too.
>
>Thanks,
>
>Dan
>
>On Fri, Jun 29, 2012 at 9:42 AM, george he wrote:
>> Hello all,
>>
>> I'm running out of time to figure out what was wrong with my replica set up,
>> so I just went ahead and installed ipa-client on that machine.
>> It seems the client was installed all right, except when I ssh to the new
>> client from another client, I get this:
>>
>> Could not chdir to home directory /home/ghe: No such file or directory
>>
>> and then I was left at /. I don't remember what I did differently on the
>> other client machines that would create /home/ghe for me the first time I
>> log on.
>>
>> Here is the error message from /var/log/secure on the new client.
>>
>> pam_systemd(sshd:session): Failed to create session: No such file or
>> directory
>>
>> How do I fix this problem?
>>
>> Thanks,
>> George
>

From pviktori at redhat.com Fri Jun 29 14:10:52 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 29 Jun 2012 16:10:52 +0200
Subject: [Freeipa-users] UID 999, not possible?
In-Reply-To: <20120629135517.GL6687@redhat.com>
References: <20120628024802.GA11874@noboost.org> <20120629130437.GK6687@redhat.com> <4FEDACCA.1090401@redhat.com> <20120629135517.GL6687@redhat.com>
Message-ID: <4FEDB76C.2000603@redhat.com>

On 06/29/2012 03:55 PM, Alexander Bokovoy wrote:
> On Fri, 29 Jun 2012, Petr Viktorin wrote:
>> On 06/29/2012 03:04 PM, Alexander Bokovoy wrote:
>>> On Thu, 28 Jun 2012, sysadmin at noboost.org wrote:
>>>> Hi All,
>>>>
>>>> Is there a weird restriction to UID 999 in ipa, as IPA keeps changing
>>>> the UID when I add a user with that number? (I've already checked the
>>>> UID isn't in use)
>>> We use 999 as a marker for DNA plugin. UID/GID 999 is replaced by
>>> an allocated one with the help of the 389-ds plugin
>>> http://directory.fedoraproject.org/wiki/DNA_Plugin
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Defining_Dynamic_Atrribute_Values.html#about-dunamically-assigning-attribute-values
>>>
>>
>> The documentation mentions that the magic value can be a word
>> ("magic"), or it doesn't have to exist at all (it's added for
>> objectClass:posixAccount entries). Is there a reason IPA is using 999
>> here?
> uidNumber and gidNumber field use integer value syntax:
> OID value: 1.3.6.1.4.1.1466.115.121.1.27
>
> OID description:
> Values in this syntax are encoded as the decimal representation of their
> values, with each decimal digit represented by its character
> equivalent. So the number 1321 is represented by the character string
> "1321".
> So, you can't have string there that does not evaluate to integer.

That's true, but according to the documentation you linked, the uidNumber/gidNumber syntax doesn't matter.
The dnaMagicRegen field is in fact a DirectoryString. I assume the DNA plugin sees and modifies the value before it's validated as an integer.

>> If there is, the command should fail instead of silently assigning a
>> different number than asked for. I'll file a bug for this.
> DNA_MAGIC in user.py is defined to 999 and it is default value to
> uidNumber and gidNumber options. We have no way to differentiate between
> default and entered by user but the same value.

Yes, the server would need to verify if the client has been fixed. This means either waiting for the next major API version, or looking at the version/capabilities the client sends us. (See Martin's message from 2012-06-20 in thread "[Freeipa-devel] [PATCH] 0062 Don't crash when server returns extra output").

>>
>>>>
>>>> [root@sysvm-ipa ~]# ipa user-add administrator --uid=999
>>>> --gidnumber=132
>>>> --first=administrator --last=administrator
>>>> --------------------------
>>>> Added user "administrator"
>>>> --------------------------
>>>> User login: administrator
>>>> First name: administrator
>>>> Last name: administrator
>>>> Full name: administrator administrator
>>>> Display name: administrator administrator
>>>> Initials: aa
>>>> Home directory: /home/administrator
>>>> GECOS field: administrator administrator
>>>> Login shell: /bin/bash
>>>> Kerberos principal: administrator@EXAMPLE.COM
>>>> UID: 721000062
>>>> GID: 132
>>>> Keytab: False
>>>> Password: False
>>>>
>>>> cya
>>>>
>>>> Craig
>>>
>>
>> --
>> Petr³
>

--
Petr³

From george_he7 at yahoo.com Fri Jun 29 14:18:01 2012
From: george_he7 at yahoo.com (george he)
Date: Fri, 29 Jun 2012 07:18:01 -0700 (PDT)
Subject: [Freeipa-users] nfs server
Message-ID: <1340979481.44487.YahooMailNeo@web120006.mail.ne1.yahoo.com>

Hello all,

Now I have an ipa server and a few ipa clients set up, I need to set up an nfs server on one of the ipa-clients.
I'm following the instructions here
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
where at 8.c and 8.d, it says

scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab

and

scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab

But the file /etc/krb5.keytab already exists on both the ipa-server and the nfs-server.
Should I just overwrite the existing keytabs?

Thanks,
George

From abokovoy at redhat.com Fri Jun 29 14:23:24 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jun 2012 17:23:24 +0300
Subject: [Freeipa-users] UID 999, not possible?
In-Reply-To: <4FEDB76C.2000603@redhat.com>
References: <20120628024802.GA11874@noboost.org> <20120629130437.GK6687@redhat.com> <4FEDACCA.1090401@redhat.com> <20120629135517.GL6687@redhat.com> <4FEDB76C.2000603@redhat.com>
Message-ID: <20120629142324.GM6687@redhat.com>

On Fri, 29 Jun 2012, Petr Viktorin wrote:
>On 06/29/2012 03:55 PM, Alexander Bokovoy wrote:
>>On Fri, 29 Jun 2012, Petr Viktorin wrote:
>>>On 06/29/2012 03:04 PM, Alexander Bokovoy wrote:
>>>>On Thu, 28 Jun 2012, sysadmin at noboost.org wrote:
>>>>>Hi All,
>>>>>
>>>>>Is there a weird restriction to UID 999 in ipa, as IPA keeps changing
>>>>>the UID when I add a user with that number? (I've already checked the
>>>>>UID isn't in use)
>>>>We use 999 as a marker for DNA plugin. UID/GID 999 is replaced by
>>>>an allocated one with the help of the 389-ds plugin
>>>>http://directory.fedoraproject.org/wiki/DNA_Plugin
>>>>http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Defining_Dynamic_Atrribute_Values.html#about-dunamically-assigning-attribute-values
>>>>
>>>
>>>The documentation mentions that the magic value can be a word
>>>("magic"), or it doesn't have to exist at all (it's added for
>>>objectClass:posixAccount entries).
>>>Is there a reason IPA is using 999
>>>here?
>>uidNumber and gidNumber field use integer value syntax:
>>OID value: 1.3.6.1.4.1.1466.115.121.1.27
>>
>>OID description:
>>Values in this syntax are encoded as the decimal representation of their
>>values, with each decimal digit represented by its character
>>equivalent. So the number 1321 is represented by the character string
>>"1321".
>>So, you can't have string there that does not evaluate to integer.
>
>That's true, but according to the documentation you linked,
>uidNumber/gidNumber syntax doesn't matter.
>The dnaMagicRegen field is in fact a DirectoryString. I assume the
>DNA plugin sees and modifies the value before it's validated as an
>integer.

Looks like you are right:
http://comments.gmane.org/gmane.linux.redhat.fedora.directory.user/10641

We would have an issue on our side when using a non-integer value, as the Int() parameter does not support non-integer values. However, we could select some negative value as the default one and use the same value for the DNA configuration.

--
/ Alexander Bokovoy

From simo at redhat.com Fri Jun 29 14:24:51 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 29 Jun 2012 10:24:51 -0400
Subject: [Freeipa-users] nfs server
In-Reply-To: <1340979481.44487.YahooMailNeo@web120006.mail.ne1.yahoo.com>
References: <1340979481.44487.YahooMailNeo@web120006.mail.ne1.yahoo.com>
Message-ID: <1340979891.14199.2.camel@willson.li.ssimo.org>

On Fri, 2012-06-29 at 07:18 -0700, george he wrote:
> Hello all,
>
> Now I have an ipa server and a few ipa clients set up, I need to set
> up an nfs server on one of the ipa-clients.
> I'm following the instructions here
> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
> where at 8.c and 8.d, it says
>
> scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
>
> and
>
> scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
>
> But the file /etc/krb5.keytab already exists on both of the ipa-server
> and the nfs-server.
> Should I just over-write the existing keytabs?

No, you should not overwrite them if they contain the host keytab.

If they are ipa clients and you can install admin tools you can simply run the ipa-getkeytab command on the right machine directly.

If you can't for whatever reason, you should copy the new keytab to the machine in a temporary (but protected) location like /root/nfs.keytab.

Then use the ktutil tool to merge the 2 keytab files into /etc/krb5.keytab.

ktutil is not the most intuitive tool, but the documentation should be good enough to sort out what you need to do.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Fri Jun 29 14:27:00 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 29 Jun 2012 10:27:00 -0400
Subject: [Freeipa-users] kdc on the internet
In-Reply-To:
References:
Message-ID: <1340980020.14199.5.camel@willson.li.ssimo.org>

On Fri, 2012-06-29 at 13:16 +0200, Natxo Asenjo wrote:
> hi,
>
> Is it 'safe' to use ipa on the internet?
>
> My feeling is it is, I mean, kerberos is meant for untrusted networks.

That is what it has been built for.

> What are your thoughts about this?

I think you need to assess your threat model and decide if you are comfortable with it. You may want to have some way to analyze traffic patterns to at least detect potential attacks for better peace of mind.

> What ports of the kdc should *not* be accessible?

You may decide to not expose the admin interface, but that would also prevent password changes; if that's a limitation you can live with, then you could decide to expose only port 88.
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From george_he7 at yahoo.com Fri Jun 29 14:45:25 2012
From: george_he7 at yahoo.com (george he)
Date: Fri, 29 Jun 2012 07:45:25 -0700 (PDT)
Subject: [Freeipa-users] nfs server
In-Reply-To: <1340979891.14199.2.camel@willson.li.ssimo.org>
References: <1340979481.44487.YahooMailNeo@web120006.mail.ne1.yahoo.com> <1340979891.14199.2.camel@willson.li.ssimo.org>
Message-ID: <1340981125.6049.YahooMailNeo@web120001.mail.ne1.yahoo.com>

Hello Simo,

So you mean I should run

ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve.edu@MYREALM.EDU -k /tmp/krb5.keytab

on the ipa-server, and

ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve.edu@MYREALM.EDU -k my.ipaserver.edu:/tmp/krb5.keytab

on the nfs-server? where /tmp/krb5.keytab is the key generated on the ipa-server for nfs.

Thanks,
George

>________________________________
> From: Simo Sorce
>To: george he
>Cc: "freeipa-users at redhat.com"
>Sent: Friday, June 29, 2012 10:24 AM
>Subject: Re: [Freeipa-users] nfs server
>
>On Fri, 2012-06-29 at 07:18 -0700, george he wrote:
>> Hello all,
>>
>> Now I have an ipa server and a few ipa clients set up, I need to set
>> up an nfs server on one of the ipa-clients.
>> I'm following the instructions here
>> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>> where at 8.c and 8.d, it says
>>
>> scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
>>
>> and
>>
>> scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
>>
>> But the file /etc/krb5.keytab already exists on both of the ipa-server
>> and the nfs-server.
>> Should I just over-write the existing keytabs?
>
>No, you should not overwrite them if they contain the host keytab.
>
>If they are ipa clients and you can install admin tools you can simply
>run the ipa-getkeytab command on the right machine directly.
>
>if you can't for whatever reason you should copy the new keytab to the
>machine in a temporary (but protected) location like /root/nfs.keytab
>
>Then use the ktutil tool to merge the 2 keytab files
>into /etc/krb5.keytab
>
>ktutil is not the most intuitive tool, but the documentation should be
>good enough to sort out what you need to do.
>
>Simo.
>
>--
>Simo Sorce * Red Hat, Inc * New York
>

From simo at redhat.com Fri Jun 29 14:53:04 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 29 Jun 2012 10:53:04 -0400
Subject: [Freeipa-users] nfs server
In-Reply-To: <1340981125.6049.YahooMailNeo@web120001.mail.ne1.yahoo.com>
References: <1340979481.44487.YahooMailNeo@web120006.mail.ne1.yahoo.com> <1340979891.14199.2.camel@willson.li.ssimo.org> <1340981125.6049.YahooMailNeo@web120001.mail.ne1.yahoo.com>
Message-ID: <1340981584.14199.9.camel@willson.li.ssimo.org>

On Fri, 2012-06-29 at 07:45 -0700, george he wrote:
> Hello Simo,
>
> So you mean I should run
>
> ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve.edu@MYREALM.EDU
> -k /tmp/krb5.keytab
>
> on the ipa-server, and

You should run the command only once (running it more than once will simply invalidate whatever you downloaded in previous runs), preferably on the target server so you avoid the need of transferring keytab files around.

>
> ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve.edu@MYREALM.EDU
> -k my.ipaserver.edu:/tmp/krb5.keytab
>
> on the nfs-server? where /tmp/krb5.keytab is the key generated on the
> ipa-server for nfs.

If you have ipa-getkeytab on the target server (my.nfsserve.edu in your case), just run it there and point it at /etc/krb5.keytab directly.

The ipa-getkeytab command does not rewrite the file; it appends the new keys there, which is what you want.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Jun 29 14:53:07 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 10:53:07 -0400
Subject: [Freeipa-users] nfs server
In-Reply-To: <1340981125.6049.YahooMailNeo@web120001.mail.ne1.yahoo.com>
References: <1340979481.44487.YahooMailNeo@web120006.mail.ne1.yahoo.com> <1340979891.14199.2.camel@willson.li.ssimo.org> <1340981125.6049.YahooMailNeo@web120001.mail.ne1.yahoo.com>
Message-ID: <4FEDC153.2030806@redhat.com>

george he wrote:
> Hello Simo,
>
> So you mean I should run
>
> ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve.edu@MYREALM.EDU -k
> /tmp/krb5.keytab
>
> on the ipa-server, and
>
> ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve.edu@MYREALM.EDU -k
> my.ipaserver.edu:/tmp/krb5.keytab
>
> on the nfs-server? where /tmp/krb5.keytab is the key generated on the
> ipa-server for nfs.

No. Run ipa-getkeytab on each machine and point to /etc/krb5.keytab to avoid having to merge using ktutil. On the client you get an nfs service principal for the client, and on the server you get an nfs service principal for the server.

In other words, don't put a keytab entry for a different machine into your keytab.

rob

From rcritten at redhat.com Fri Jun 29 15:00:11 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 11:00:11 -0400
Subject: [Freeipa-users] replica failed to uninstall cleanly
In-Reply-To:
References:
Message-ID: <4FEDC2FB.4050608@redhat.com>

David Spångberg wrote:
> Hello
>
> I have a problem similar to the problem George He talked about last week
> in this mailing list:
>
> - http://article.gmane.org/gmane.linux.redhat.freeipa.user/4895
>
> Basically I have an ipa master running and wanted to set up a replica.
> However the CA installation step failed and the `ipa-replica-install'
> script informed me to perform an `ipa-server-install --uninstall' which I
> did.
> I then ran `ipa-replica-install' without the `--setup-ca' flag
> thinking I could use `ipa-ca-install' later.
>
> I got informed that the host already existed on the master and to run
> `ipa-replica-manage del' to remove it. If I remember correctly this
> command failed complaining about not being able to connect to the ldap
> service. I then tried and failed with the `--force' flag which was
> discussed in George He's thread. This is how it looks for me now:
>
> At the replica server:
>> $ ipa-replica-install /var/lib/ipa/replica-info-ipa2.example.com.gpg
>> ...
>> The host ipa2.example.com already exists on the master server. Depending
>> on your configuration, you may perform the following:
>>
>> Remove the replication agreement, if any:
>> % ipa-replica-manage del ipa2.example.com
>> Remove the host entry:
>> % ipa host-del ipa2.example.com
>
> At the master server:
>> $ ipa-replica-manage list
>> ipa2.example.com: master
>> ipa.example.com: master
>
>> $ ipa-replica-manage del ipa2.example.com
>> 'ipa.example.com' has no replication agreement for 'ipa2.example.com'
>
>> $ ipa-replica-manage --force ipa2.example.com
>> 'ipa.example.com' has no replication agreement for 'ipa2.example.com'
>
>> $ ipa host-del ipa2.drutt.com
>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>> disabled
>
> It seems like `ipa-replica-manage' succeeded in removing just enough
> entries in the ldap service to fool the `ipa-replica-manage del' command
> but not enough to really uninstall it. Checking the output of, for example,
> `ldapsearch -D "cn=Directory Manager" -w pass -LLL -x cn=ipa-http-delegation'
> seems to confirm this.

There is a bug in the installer: if tomcat never starts we don't record the fact that the CA was ever created, causing the uninstall to be incomplete. It is unclear whether this is the same problem.

This is unrelated to ipa-replica-manage; it never did anything (no replication agreement).
You are searching in the wrong location for IPA masters, try this instead:

ldapsearch -D "cn=Directory Manager" -w pass -LLL -x -b cn=masters,cn=ipa,cn=etc,dc=example,dc=com

My guess is there will be just a CA entry for replica2. Use ldapdelete to remove any entries for replica2 and you should be able to install.

Note that trying to install IPA and then adding the CA when the previous attempt failed is not likely to succeed either. The underlying reason why the CA install failed needs to be addressed.

rob

From rcritten at redhat.com Fri Jun 29 15:06:47 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 11:06:47 -0400
Subject: [Freeipa-users] How can I change my password from a python script?
In-Reply-To: <8AD4194C251EC74CB897E261038F44780100654C@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com> <4FEC1694.2080109@redhat.com> <8AD4194C251EC74CB897E261038F44780100654C@mantaray.tabula.com>
Message-ID: <4FEDC487.6080209@redhat.com>

Joe Linoff wrote:
> Hi Petr:
>
> I implemented what you suggested and everything worked pretty well but I
> ran into three issues that you might be able to help me with.
>
> ISSUE #1
> The first issue (and the most important) is that the password is only
> temporary. I am prompted to reset it the first time that I login. My
> goal is to set up a working system quickly to test different
> configurations in a batch fashion but having to reset the password for
> each user makes that challenging. How can I disable the reset
> requirement for my test environment?

This is so only the end-user knows the password.

You can add the DN of the user you are changing passwords with to a list of users who are exempt from password policy. Think carefully about what user you add to this list; you may not want to use the admin user.
Add the DN to the passSyncManagersDNs attribute in the entry cn=ipa_pwd_extop,cn=plugins,cn=config

rob

From george_he7 at yahoo.com Fri Jun 29 15:08:09 2012
From: george_he7 at yahoo.com (george he)
Date: Fri, 29 Jun 2012 08:08:09 -0700 (PDT)
Subject: [Freeipa-users] nfs server
In-Reply-To: <1340981584.14199.9.camel@willson.li.ssimo.org>
References: <1340979481.44487.YahooMailNeo@web120006.mail.ne1.yahoo.com> <1340979891.14199.2.camel@willson.li.ssimo.org> <1340981125.6049.YahooMailNeo@web120001.mail.ne1.yahoo.com> <1340981584.14199.9.camel@willson.li.ssimo.org>
Message-ID: <1340982489.4831.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hello,

do you mean to run only this on the nfs-server?

ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve.edu@MYREALM.EDU -k /etc/krb5.keytab

Rob says to run ipa-getkeytab on each machine... So I guess I should run the above command on the ipa-server before I run it on the nfs-server?
Otherwise it seems to me the nfs-server won't know the new keytab in /tmp/ on the ipa-server.

Thanks,
George

>________________________________
> From: Simo Sorce
>To: george he
>Cc: "freeipa-users at redhat.com"
>Sent: Friday, June 29, 2012 10:53 AM
>Subject: Re: [Freeipa-users] nfs server
>
>On Fri, 2012-06-29 at 07:45 -0700, george he wrote:
>> Hello Simo,
>>
>> So you mean I should run
>>
>> ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve.edu@MYREALM.EDU
>> -k /tmp/krb5.keytab
>>
>> on the ipa-server, and
>
>You should run the command only once (running more than once will simply
>invalidate whatever you downloaded in previous runs), preferably on the
>target server so you avoid the need of transferring keytab files around.
>>
>> ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve.edu@MYREALM.EDU
>> -k my.ipaserver.edu:/tmp/krb5.keytab
>>
>> on the nfs-server? where /tmp/krb5.keytab is the key generated on the
>> ipa-server for nfs.
>
>If you have ipa-getkeytab on the target server (my.nfsserve.edu) in your
>case just run it there and point it at /etc/krb5.keytab directly.
>
>The ipa-getkeytab command does not rewrite the file it appends the new
>keys there, which is what you want.
>
>Simo.
>
>--
>Simo Sorce * Red Hat, Inc * New York
>

From jlinoff at tabula.com Fri Jun 29 15:36:57 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Fri, 29 Jun 2012 08:36:57 -0700
Subject: [Freeipa-users] How can I change my password from a python script?
In-Reply-To: <4FEDC487.6080209@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010064B7@mantaray.tabula.com> <4FEC1694.2080109@redhat.com> <8AD4194C251EC74CB897E261038F44780100654C@mantaray.tabula.com> <4FEDC487.6080209@redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F447801006586@mantaray.tabula.com>

Hi Rob:

> This is so only the end-user knows the password.

That makes good sense. Your suggestions will help me in my test environment.

Thanks,

Joe

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday, June 29, 2012 8:07 AM
To: Joe Linoff
Cc: Petr Vobornik; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python script?

Joe Linoff wrote:
> Hi Petr:
>
> I implemented what you suggested and everything worked pretty well but
> I ran into three issues that you might be able to help me with.
>
> ISSUE #1
> The first issue (and the most important) is that the password is only
> temporary. I am prompted to reset it the first time that I login. My
> goal is to setup a working system quickly to test different
> configurations in a batch fashion but having to reset the password for
> each user makes that challenging. How can I disable the reset
> requirement for my test environment?

This is so only the end-user knows the password.
You can add the DN of the user you are changing passwords with to a list of users who are exempt from password policy. Think carefully about what user you add to this list, you may not want to use the admin user.

Add the DN to the passSyncManagersDNs attribute in the entry cn=ipa_pwd_extop,cn=plugins,cn=config

rob

From george_he7 at yahoo.com Fri Jun 29 17:06:50 2012
From: george_he7 at yahoo.com (george he)
Date: Fri, 29 Jun 2012 10:06:50 -0700 (PDT)
Subject: [Freeipa-users] rpcgssd
Message-ID: <1340989610.69080.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hello all,

Is there a problem with this document:
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kerb-nfs.html

It says
Start the GSS daemon.

[root@nfs-client-server ~]# service rpcgssd start

but when I do it, the nfs-client says

Failed to issue method call: Unit rpcgssd.service failed to load: No such file or directory. See system logs and 'systemctl status rpcgssd.service' for details.

# systemctl status rpcgssd.service
rpcgssd.service
	  Loaded: error (Reason: No such file or directory)
	  Active: inactive (dead)

Thanks,
George

From rcritten at redhat.com Fri Jun 29 17:41:19 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 13:41:19 -0400
Subject: [Freeipa-users] rpcgssd
In-Reply-To: <1340989610.69080.YahooMailNeo@web120003.mail.ne1.yahoo.com>
References: <1340989610.69080.YahooMailNeo@web120003.mail.ne1.yahoo.com>
Message-ID: <4FEDE8BF.7080706@redhat.com>

george he wrote:
> Hello all,
>
> Is there a problem with this document:
> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kerb-nfs.html
>
> It says
> Start the GSS daemon.
>
> [root@nfs-client-server ~]# service rpcgssd start
>
> but when I do it, the nfs-client says
>
> Failed to issue method call: Unit rpcgssd.service failed to load: No such file or directory.
> See system logs and 'systemctl status rpcgssd.service' for details.
> # systemctl status rpcgssd.service
> rpcgssd.service
>	  Loaded: error (Reason: No such file or directory)
>	  Active: inactive (dead)

You don't say what Fedora release you're using but I'm going to assume Fedora 17.

Try starting nfs-secure.service

rob

From george_he7 at yahoo.com Fri Jun 29 17:52:51 2012
From: george_he7 at yahoo.com (george he)
Date: Fri, 29 Jun 2012 10:52:51 -0700 (PDT)
Subject: [Freeipa-users] rpcgssd
In-Reply-To: <4FEDE8BF.7080706@redhat.com>
References: <1340989610.69080.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FEDE8BF.7080706@redhat.com>
Message-ID: <1340992371.4025.YahooMailNeo@web120002.mail.ne1.yahoo.com>

Hello Rob,

It is fedora 17.
I did "systemctl start nfs-secure.service" on the nfs-server. No error message.
What needs to be started on the nfs-client in order to mount the share (which is on a separate disk, if it matters)?
I tried

mount -v -t nfs4 -o sec=krb5 mynfsserver.edu:/data /mnt/nfs/

on the client, which happens to be the ipa-server, and get

mount.nfs4: mount(2): Permission denied

Thanks,
George

>________________________________
> From: Rob Crittenden
>To: george he
>Cc: "freeipa-users at redhat.com"
>Sent: Friday, June 29, 2012 1:41 PM
>Subject: Re: [Freeipa-users] rpcgssd
>
>george he wrote:
>> Hello all,
>>
>> Is there a problem with this document:
>> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kerb-nfs.html
>>
>> It says
>> Start the GSS daemon.
>>
>> [root@nfs-client-server ~]# service rpcgssd start
>>
>> but when I do it, the nfs-client says
>>
>> Failed to issue method call: Unit rpcgssd.service failed to load: No such file or directory. See system logs and 'systemctl status rpcgssd.service' for details.
>> # systemctl status rpcgssd.service
>> rpcgssd.service
>>	  Loaded: error (Reason: No such file or directory)
>>
>>	  Active: inactive (dead)
>
>You don't say what Fedora release you're using but I'm going to assume
>Fedora 17.
>
>Try starting nfs-secure.service
>
>rob
>

From simo at redhat.com Fri Jun 29 18:03:12 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 29 Jun 2012 14:03:12 -0400
Subject: [Freeipa-users] nfs server
In-Reply-To: <1340982489.4831.YahooMailNeo@web120003.mail.ne1.yahoo.com>
References: <1340979481.44487.YahooMailNeo@web120006.mail.ne1.yahoo.com> <1340979891.14199.2.camel@willson.li.ssimo.org> <1340981125.6049.YahooMailNeo@web120001.mail.ne1.yahoo.com> <1340981584.14199.9.camel@willson.li.ssimo.org> <1340982489.4831.YahooMailNeo@web120003.mail.ne1.yahoo.com>
Message-ID: <1340992992.14199.20.camel@willson.li.ssimo.org>

On Fri, 2012-06-29 at 08:08 -0700, george he wrote:
> Hello,
>
> do you mean to run only this on the nfs-server?
>
> ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve.edu@MYREALM.EDU
> -k /etc/krb5.keytab
>
> Rob says to run ipa-getkeytab on each machine... So I guess I should
> run the above command on the ipa-server before I run it on the
> nfs-server?
> Otherwise it seems to me the nfs-server won't know the new keytab
> in /tmp/ on the ipa-server.

George, you need to think about a keytab as a password. It is the password for the specific service named in the principal name. *Only* that service (the nfs server in this case) must know the keys. If you leak the keys, you are compromising the security of your deployment.

In general extra care needs to be used in managing keys. At no point should they be world readable, for example, and they should always be transmitted securely (either enveloped in a gpg file or copied using scp/sftp or similar methods that ensure the communication is encrypted).

The best way to ensure keys are properly handled is to retrieve them directly on the target machine, and only there.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From george_he7 at yahoo.com Fri Jun 29 20:26:23 2012
From: george_he7 at yahoo.com (george he)
Date: Fri, 29 Jun 2012 13:26:23 -0700 (PDT)
Subject: [Freeipa-users] rpcgssd
In-Reply-To: <1340992371.4025.YahooMailNeo@web120002.mail.ne1.yahoo.com>
References: <1340989610.69080.YahooMailNeo@web120003.mail.ne1.yahoo.com> <4FEDE8BF.7080706@redhat.com> <1340992371.4025.YahooMailNeo@web120002.mail.ne1.yahoo.com>
Message-ID: <1341001583.91723.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hello all,

nfs-secure.service is running on the client, but I still get
mount.nfs4: mount(2): Permission denied
and there's no message in /var/log/.
Any help?

Thanks,
George

>________________________________
> From: george he
>To: Rob Crittenden
>Cc: "freeipa-users at redhat.com"
>Sent: Friday, June 29, 2012 1:52 PM
>Subject: Re: [Freeipa-users] rpcgssd
>
>
>Hello Rob,
>
>
>It is fedora 17.
>I did "systemctl start nfs-secure.service" on the nfs-server. No error message.
>What needs to be started on the nfs-client in order to mount the share (which is on a separate disk, if it matters).
>I tried
>mount -v -t nfs4 -o sec=krb5 mynfsserver.edu:/data /mnt/nfs/
>on the client, which happens to be the ipa-server, and get
>
>mount.nfs4: mount(2): Permission denied
>Thanks,
>George
>
>
>
>>________________________________
>> From: Rob Crittenden
>>To: george he
>>Cc: "freeipa-users at redhat.com"
>>Sent: Friday, June 29, 2012 1:41 PM
>>Subject: Re: [Freeipa-users] rpcgssd
>>
>>george he wrote:
>>> Hello all,
>>>
>>> Is there a problem with this document:
>>> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kerb-nfs.html
>>>
>>> It says
>>> Start the GSS daemon.
>>>
>>> [root at nfs-client-server ~]# service rpcgssd start
>>>
>>> but when I do it, the nfs-client says
>>>
>>> Failed to issue method call: Unit rpcgssd.service failed to load: No such file or directory. See system logs and 'systemctl status rpcgssd.service' for details.
>>> # systemctl status rpcgssd.service
>>> rpcgssd.service
>>> Loaded: error (Reason: No such file or directory)
>>> Active: inactive (dead)
>>
>>You don't say what Fedora release you're using but I'm going to assume
>>Fedora 17.
>>
>>Try starting nfs-secure.service
>>
>>rob
>>
>>
>>
>_______________________________________________
>Freeipa-users mailing list
>Freeipa-users at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
From natxo.asenjo at gmail.com Fri Jun 29 21:16:50 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 29 Jun 2012 23:16:50 +0200
Subject: [Freeipa-users] nfs4 acl
Message-ID:

hi,

I followed the instructions here
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerb-nfs.html
and they worked flawlessly.

Is it possible to use acls on nfs4 with a rhel 6 nfs server? if that is
not possible, is it possible to use a netapp file as nfs4 server with
acl support for rhel 6 clients?

TIA,
--
Groeten,
natxo

From ptader at linuxscope.com Fri Jun 29 21:55:00 2012
From: ptader at linuxscope.com (Paul Tader)
Date: Fri, 29 Jun 2012 16:55:00 -0500
Subject: [Freeipa-users] FreeIPA webserver cert expired.
In-Reply-To: <4FD5FDB7.6030809@linuxscope.com>
References: <4FCE4D7D.4090700@linuxscope.com> <58AFF337-9503-4DC7-9152-378791C00043@citrixonline.com> <4FCE5F03.3000901@redhat.com> <4FD5FDB7.6030809@linuxscope.com>
Message-ID: <4FEE2434.7090305@linuxscope.com>

On 6/11/12 9:16 AM, Paul Tader wrote:
> On 6/5/12 2:33 PM, Rob Crittenden wrote:
>> JR Aquino wrote:
>>> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>>>
>>>> A couple days ago my (apache) certificates expired. Users are able to
>>>> kinit but tools such as sudo fail because of the expired
>>>> certificates.
>>>> Lots of reading/Google'ing later I found this script
>>>> (steps) to renew these certs:
>>>
>>> I'm just curious, but, isn't certmonger supposed to automatically
>>> renew these? Is certmonger failing in this case?
>>
>> Yes, the first thing to do is figure out why certmonger didn't
>> automatically renew the certificates. Then it should be as simple as
>> setting the date back, letting certmonger do its thing, then setting it
>> forward again.
>>
>> That is very strange certmonger output. You might try setting the date
>> back a couple of days and trying something like:
>>
>> ipa-getcert resubmit -i 20110706215145
>>
>> And see what the status goes to.
>>
>> rob
>
> (Sorry for the delayed reply)
>
> No luck with setting the date back and resubmitting the certificate.
>
>
>
> # /etc/init.d/ntpd stop
> Stopping ntpd (via systemctl): [ OK ]
>
> # date 060112002012
> Fri Jun 1 12:00:00 CDT 2012
>
> # /etc/init.d/httpd stop
> Stopping httpd (via systemctl): [ OK ]
> # /etc/init.d/httpd start
> Starting httpd (via systemctl): [ OK ]
>
> # ipa-getcert resubmit -i 20110706215145
> Resubmitting "20110706215145" to "IPA".
>
> # ipa-getcert list
> Number of certificates and requests being tracked: 3.
> Request ID '20110706215109':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction, explaining: SSL connect error).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=RELAM.NET
> subject: CN=srv01.company.net,O=REALM.NET
> expires: 2012-06-03 20:19:49 UTC
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
> Request ID '20110706215129':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction, explaining: SSL connect error).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=REALM.NET
> subject: CN=srv01.company.net,O=REALM.NET
> expires: 2012-06-03 20:19:49 UTC
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
> Request ID '20110706215145':
> status: GENERATING_CSR
> ca-error: Server failed request, will retry: 4301 (RPC failed at
> server. Certificate operation cannot be completed: Unable to
> communicate with CMS (Unauthorized)).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=REALM.NET
> subject: CN=srv01.company.net,O=REALM.NET
> expires: 2012-06-03 20:19:49 UTC
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Still working on this problem. I've imported new self signed certs
because I don't think I can renew expired certs and now all of the
entries list like this:

Request ID '20110706215145':
status: NEED_CSR_GEN_TOKEN
ca-error: Error setting up ccache for local "host" service using default keytab.
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=REALM.NET
subject: CN=ipa01.domain.net,O=REALM.NET
expires: 2012-06-03 20:19:49 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes

Any tips or suggestions? I've saved off the old files so I think I can
go back to the expired certs.

From rcritten at redhat.com Fri Jun 29 22:04:08 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 18:04:08 -0400
Subject: [Freeipa-users] nfs4 acl
In-Reply-To:
References:
Message-ID: <4FEE2658.8090300@redhat.com>

Natxo Asenjo wrote:
> hi,
>
> I followed the instructions here
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerb-nfs.html
> and they worked flawlessly.
>
> Is it possible to use acls on nfs4 with a rhel 6 nfs server?
> if that is
> not possible, is it possible to use a netapp file as nfs4 server with
> acl support for rhel 6 clients?

Here is documentation about RHEL 6 and NFS ACLs. I don't know if it
works with netapp:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-acls.html

rob

From rcritten at redhat.com Fri Jun 29 22:14:10 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jun 2012 18:14:10 -0400
Subject: [Freeipa-users] FreeIPA webserver cert expired.
In-Reply-To: <4FEE2434.7090305@linuxscope.com>
References: <4FCE4D7D.4090700@linuxscope.com> <58AFF337-9503-4DC7-9152-378791C00043@citrixonline.com> <4FCE5F03.3000901@redhat.com> <4FD5FDB7.6030809@linuxscope.com> <4FEE2434.7090305@linuxscope.com>
Message-ID: <4FEE28B2.4040000@redhat.com>

Paul Tader wrote:
> On 6/11/12 9:16 AM, Paul Tader wrote:
>> On 6/5/12 2:33 PM, Rob Crittenden wrote:
>>> JR Aquino wrote:
>>>> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>>>>
>>>>> A couple days ago my (apache) certificates expired. Users are able to
>>>>> kinit but tools such as sudo fail because of the expired
>>>>> certificates. Lots of reading/Google'ing later I found this script
>>>>> (steps) to renew these certs:
>>>>
>>>> I'm just curious, but, isn't certmonger supposed to automatically
>>>> renew these? Is certmonger failing in this case?
>>>
>>> Yes, the first thing to do is figure out why certmonger didn't
>>> automatically renew the certificates. Then it should be as simple as
>>> setting the date back, letting certmonger do its thing, then setting it
>>> forward again.
>>>
>>> That is very strange certmonger output. You might try setting the date
>>> back a couple of days and trying something like:
>>>
>>> ipa-getcert resubmit -i 20110706215145
>>>
>>> And see what the status goes to.
>>>
>>> rob
>>
>> (Sorry for the delayed reply)
>>
>> No luck with setting the date back and resubmitting the certificate.
>>
>>
>>
>> # /etc/init.d/ntpd stop
>> Stopping ntpd (via systemctl): [ OK ]
>>
>> # date 060112002012
>> Fri Jun 1 12:00:00 CDT 2012
>>
>> # /etc/init.d/httpd stop
>> Stopping httpd (via systemctl): [ OK ]
>> # /etc/init.d/httpd start
>> Starting httpd (via systemctl): [ OK ]
>>
>> # ipa-getcert resubmit -i 20110706215145
>> Resubmitting "20110706215145" to "IPA".
>>
>> # ipa-getcert list
>> Number of certificates and requests being tracked: 3.
>> Request ID '20110706215109':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction, explaining: SSL connect error).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=RELAM.NET
>> subject: CN=srv01.company.net,O=REALM.NET
>> expires: 2012-06-03 20:19:49 UTC
>> eku: id-kp-serverAuth
>> track: yes
>> auto-renew: yes
>> Request ID '20110706215129':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction, explaining: SSL connect error).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=REALM.NET
>> subject: CN=srv01.company.net,O=REALM.NET
>> expires: 2012-06-03 20:19:49 UTC
>> eku: id-kp-serverAuth
>> track: yes
>> auto-renew: yes
>> Request ID '20110706215145':
>> status: GENERATING_CSR
>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server. Certificate operation cannot be completed: Unable to
>> communicate with CMS (Unauthorized)).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=REALM.NET
>> subject: CN=srv01.company.net,O=REALM.NET
>> expires: 2012-06-03 20:19:49 UTC
>> eku: id-kp-serverAuth
>> track: yes
>> auto-renew: yes
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> Still working on this problem. I've imported new self signed certs
> because I don't think I can renew expired certs and now all of the
> entries list like this:
>
> Request ID '20110706215145':
> status: NEED_CSR_GEN_TOKEN
> ca-error: Error setting up ccache for local "host" service using
> default keytab.
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=REALM.NET
> subject: CN=ipa01.domain.net,O=REALM.NET
> expires: 2012-06-03 20:19:49 UTC
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
>
>
> Any tips or suggestions? I've saved off the old files so I think I can
> go back to the expired certs.

This means that the keytab isn't working for certmonger. This could be a
couple of things. I'd try this first:

# kinit host/$(hostname) -kt /etc/krb5.keytab

And

# kvno host/$(hostname)

rob

From jlinoff at tabula.com Sat Jun 30 01:11:14 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Fri, 29 Jun 2012 18:11:14 -0700
Subject: [Freeipa-users] Authentication failure when a reset the password
Message-ID: <8AD4194C251EC74CB897E261038F4478010065D6@mantaray.tabula.com>

Hi Everybody.

I ran into a strange problem today: I reset a user password in the GUI to
"Test1234" for testing but when I tried to login as that user and enter the
password, I got an authentication error. Does anyone know why this might be
occurring or how I can debug it?

Here are some additional details:

* OS: CentOS 6.2
* FreeIPA: 2.1.3

Here are the steps I went through:

1. I log into the server as "A".
2. I run "kinit admin"
3. I add a user "B" with password: "F00bar5pam!"
4. I verify that the user exists https://localhost
5. I reset the password in the web interface to "Test1234" (yeah, I know, completely lame)
6. The GUI tells me that it reset.
7. I then try "ssh B at some-host" using the "Test1234" and get permission denied. That is odd, it may indicate an HBAC error.
8. So I try "su - B" with password "Test1234" and get "su: incorrect password"
9.
Now I am stumped so I look in /var/log/secure and see these entries:

Jun 29 17:53:11 cuthbert su: pam_sss(su-l:auth): authentication failure; logname=A uid=500 euid=0 tty=pts/1 ruser=A rhost= user=B
Jun 29 17:53:11 cuthbert su: pam_sss(su-l:auth): received for B: 4 (System error)

10. I didn't see anything strange in /var/log/dirsrv/slapd-EXAMPLE-COM/access
11. I didn't see anything strange in /var/log/dirsrc/slapd-PKI-API/access
12. I didn't see any SELinux errors in /var/log/audit/audit.log
13. I didn't see anything suspicious in /var/log/krb5kdc.log
14. In /var/log/pki-ca/debug there was some stuff about no sessions have been created but I am not sure whether that has anything to do with this

What is system error 4 (step #9)? Is that the source of the problem?

Any help would be greatly appreciated.

Thanks,

Joe

From sbingram at gmail.com Sat Jun 30 01:23:23 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Fri, 29 Jun 2012 18:23:23 -0700
Subject: [Freeipa-users] Authentication failure when a reset the password
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010065D6@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010065D6@mantaray.tabula.com>
Message-ID:

On Fri, Jun 29, 2012 at 6:11 PM, Joe Linoff wrote:
> Hi Everybody.
>
>
>
> I ran into a strange problem today: I reset a user password in the GUI to
> "Test1234" for testing but when I tried to login as that user and enter the
> password, I got an authentication error. Does anyone know why this might be
> occurring or how I can debug it?

...snip...

When you reset the user password in the GUI it is set to expire
immediately, thus the user must change it the next time they login
(kinit). See the documentation at
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/changing-pwds.html
for more detail.
Steve

From jlinoff at tabula.com Sat Jun 30 01:49:25 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Fri, 29 Jun 2012 18:49:25 -0700
Subject: [Freeipa-users] Authentication failure when a reset the password
In-Reply-To:
References: <8AD4194C251EC74CB897E261038F4478010065D6@mantaray.tabula.com>
Message-ID: <8AD4194C251EC74CB897E261038F4478010065D8@mantaray.tabula.com>

Thanks. It sounds like I should have been running kinit right off the bat.
I expected su-l to do the same thing but it wouldn't accept the initial
password.

Regards,

Joe

-----Original Message-----
From: Stephen Ingram [mailto:sbingram at gmail.com]
Sent: Friday, June 29, 2012 6:23 PM
To: Joe Linoff
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Authentication failure when a reset the password

On Fri, Jun 29, 2012 at 6:11 PM, Joe Linoff wrote:
> Hi Everybody.
>
>
>
> I ran into a strange problem today: I reset a user password in the GUI
> to "Test1234" for testing but when I tried to login as that user and
> enter the password, I got an authentication error. Does anyone know
> why this might be occurring or how I can debug it?

...snip...

When you reset the user password in the GUI it is set to expire
immediately, thus the user must change it the next time they login
(kinit). See the documentation at
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/changing-pwds.html
for more detail.

Steve
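Stephen's explanation above (an administrative reset leaves the password already expired, so pam_sss fails until the user changes it with kinit) can be turned into a small triage routine for the log lines Joe quoted. This is an added example, not code from the thread or from FreeIPA; the sample log lines and the krbPasswordExpiration value are constructed, and the PAM code names come from Linux-PAM.

```python
"""Triage for the pam_sss 'System error' Joe saw after an admin password reset.

Added example for this thread, not FreeIPA project code. The log lines and
the krbPasswordExpiration value (LDAP GeneralizedTime, the attribute FreeIPA
stamps on an administrative reset) are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed sample in the format Joe quoted from /var/log/secure; the third
# line is added to show a different PAM result code.
SAMPLE_SECURE_LOG = """\
Jun 29 17:53:11 cuthbert su: pam_sss(su-l:auth): authentication failure; logname=A uid=500 euid=0 tty=pts/1 ruser=A rhost= user=B
Jun 29 17:53:11 cuthbert su: pam_sss(su-l:auth): received for B: 4 (System error)
Jun 29 17:55:02 cuthbert sshd[2231]: pam_sss(sshd:auth): received for C: 7 (Authentication failure)
"""

# Linux-PAM return codes that show up in pam_sss "received for" lines.
PAM_CODES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             12: "PAM_NEW_AUTHTOK_REQD"}

# Only the "received for <user>: <code> (<text>)" line carries the result.
RESULT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"pam_sss\((?P<service>[^:]+):auth\): received for (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<text>[^)]*)\)$"
)

def parse_pam_sss_results(log_text):
    """Return one dict per pam_sss result line; other lines are ignored."""
    results = []
    for line in log_text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        code = int(m.group("code"))
        results.append({
            "timestamp": m.group("ts"), "host": m.group("host"),
            "service": m.group("service"), "user": m.group("user"),
            "code": code, "name": PAM_CODES.get(code, "UNKNOWN"),
            "text": m.group("text"),
        })
    return results

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20120629175311Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_expired(expiration_gt, reference_gt=None):
    """True when the expiration is at or before the reference time (default: now).
    A reset stamps the expiration with the reset time, so <= is the right test."""
    reference = (parse_generalized_time(reference_gt) if reference_gt
                 else datetime.now(timezone.utc))
    return parse_generalized_time(expiration_gt) <= reference

def triage(log_text, expiration_gt, reference_gt=None):
    """Explain each PAM_SYSTEM_ERR result; one string per affected user."""
    findings = []
    for r in parse_pam_sss_results(log_text):
        if r["code"] != 4:
            continue
        if password_expired(expiration_gt, reference_gt):
            findings.append(f"{r['user']}: password expired by admin reset; "
                            f"user must change it via kinit before {r['service']} works")
        else:
            findings.append(f"{r['user']}: {r['name']} with unexpired password; "
                            "check the sssd domain log and the KDC")
    return findings
```

In a real deployment the expiration value would be read from the user's krbPasswordExpiration attribute rather than passed in by hand.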