From rmeggins at redhat.com  Tue May  1 00:38:28 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 30 Apr 2012 18:38:28 -0600
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <1335829950.17347.YahooMailNeo@web125706.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org>
	<1335476448.5722.22.camel@willson.li.ssimo.org>
	<1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
	<1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com>
	<4F9DD001.2080204@redhat.com>
	<1335826714.53461.YahooMailNeo@web125702.mail.ne1.yahoo.com>
	<4F9F1F0A.1020903@redhat.com>
	<1335829950.17347.YahooMailNeo@web125706.mail.ne1.yahoo.com>
Message-ID: <4F9F3084.6060309@redhat.com>

On 04/30/2012 05:52 PM, David Copperfield wrote:
> Hi Rich and all,
>
> Thank you a lot for pointing out the place of the scripts.
>
> The scripts are found at the place specified and tried; they are
> working great in general, but there are still some places that need help:
>
> 1, there is no manual or help regarding the command options. Not sure
> where the normal usage could be looked up.
>
> [root@ipamaster scripts-PEGACLOUDS-COM]# man db2ldif
> No manual entry for db2ldif
>
> [root@ipamaster scripts-PEGACLOUDS-COM]# ./db2ldif --help
> Usage: db2ldif {-n backend_instance}* | {-s includesuffix}*
>                [{-x excludesuffix}*] [-a outputfile]
>                [-N] [-r] [-C] [-u] [-U] [-m] [-M] [-1]
> Note: either "-n backend_instance" or "-s includesuffix" is required.
> [root@ipamaster scripts-PEGACLOUDS-COM]#

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Command_Line_Scripts.html

In general - you can use the .pl scripts when the server is running, the
non-.pl scripts when the server is down.  So, use ldif2db.pl to do an
online import.

Also, with ipa, you can use -n userRoot or -n ipaca depending on if this
is the ipa instance or the CA instance.
>
> 2, what is the 'official' way to increase file descriptors for IPA & 389
> Directory server?
>
> [root@ipamaster scripts-PEGACLOUDS-COM]# ./db2ldif -s 'dc=pegaclouds,dc=com'
> Exported ldif file: /var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-pegaclouds-2012_04_30_164542.ldif
> [30/Apr/2012:16:45:42 -0700] - /etc/dirsrv/slapd-PEGACLOUDS-COM/dse.ldif: nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.
> [30/Apr/2012:16:45:42 -0700] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.
> ...

db2ldif doesn't use file descriptors in the same way as the server does
when it is using them to listen and service incoming connections - just
ignore that message

>
> 3, the ldif2db command will abort when IPA (Directory Server) is running.
>
> I have to stop IPA first, then run ldif2db, and fire up IPA at the
> end. It may not be a bad thing to avoid potential database
> corruption. But please confirm whether this is a feature or a bug.
>
> [root@ipamaster scripts-PEGACLOUDS-COM]# ./ldif2db -s 'dc=pegaclouds,dc=com' -i /var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-pegaclouds-2012_04_30_163506.ldif
> importing data ...
> ...
> [30/Apr/2012:16:50:00 -0700] - Backend Instance: userRoot
> [30/Apr/2012:16:50:00 -0700] - Unable to import the database because it is being used by another slapd process.
> [30/Apr/2012:16:50:00 -0700] - Shutting down due to possible conflicts with other slapd processes

Use ldif2db.pl

>
> Thanks.
>
> --David
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson
> *To:* David Copperfield
> *Cc:* E Deon Lackey ; "freeipa-users at redhat.com"
> *Sent:* Monday, April 30, 2012 4:23 PM
> *Subject:* Re: [Freeipa-users] Confused/lost at promoting a replica into a master
>
> On 04/30/2012 04:58 PM, David Copperfield wrote:
>> Hi,
>>
>> > Currently, there is no disaster recovery or backup information.
>> > There are a couple of RFEs open to develop this information. My
>> > understanding (and this is something that Dmitri or one of the
>> > engineers can explain better) is that the best thing to do is to
>> > back up the DS instances using db2ldif and then spin up a new
>> > server/replica instance and import the backed up data using ldif2db.
>>
>> Thanks for pointing out a way to do partial backup/restore.
>>
>> But the command db2ldif, or its sibling command ldif2db, can not be
>> located on an IPA master/replica.
>
> look in /var/lib/dirsrv/scripts-YOURDOMAIN-YOURTLD
>
>> The IPA servers only install the 389-ds-base and 389-ds-base-libs RPMs,
>> and the two commands don't show up anywhere.
>>
>> Could anyone elaborate how to use the two template commands, or
>> please point me to the document or http link(s); that is enough. Thanks a lot.
>>
>> [root@ipamaster script-templates]# rpm -qa | grep 389
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>> 389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
>>
>> [root@ipamaster script-templates]# rpm -ql 389-ds-base 389-ds-base-libs | grep -P 'db2ldif|ldif2db'
>> /usr/share/dirsrv/script-templates/template-db2ldif
>> /usr/share/dirsrv/script-templates/template-db2ldif.pl
>> /usr/share/dirsrv/script-templates/template-ldif2db
>> /usr/share/dirsrv/script-templates/template-ldif2db.pl
>> [root@ipamaster script-templates]#
>>
>> --David
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users


From cao2dan at yahoo.com  Tue May  1 00:47:04 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 30 Apr 2012 17:47:04 -0700 (PDT)
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <4F9F3084.6060309@redhat.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org>
	<1335476448.5722.22.camel@willson.li.ssimo.org>
	<1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
	<1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com>
	<4F9DD001.2080204@redhat.com>
	<1335826714.53461.YahooMailNeo@web125702.mail.ne1.yahoo.com>
	<4F9F1F0A.1020903@redhat.com>
	<1335829950.17347.YahooMailNeo@web125706.mail.ne1.yahoo.com>
	<4F9F3084.6060309@redhat.com>
Message-ID: <1335833224.18868.YahooMailNeo@web125704.mail.ne1.yahoo.com>

Hi Rich,

Thanks. Those are really helpful.

Though I think I've to learn the underlying 389 Directory Server part and become an expert as well.
:)

--David
From cao2dan at yahoo.com  Tue May  1 01:01:49 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 30 Apr 2012 18:01:49 -0700 (PDT)
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <4F9F3084.6060309@redhat.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org>
	<1335476448.5722.22.camel@willson.li.ssimo.org>
	<1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
	<1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com>
	<4F9DD001.2080204@redhat.com>
	<1335826714.53461.YahooMailNeo@web125702.mail.ne1.yahoo.com>
	<4F9F1F0A.1020903@redhat.com>
	<1335829950.17347.YahooMailNeo@web125706.mail.ne1.yahoo.com>
	<4F9F3084.6060309@redhat.com>
Message-ID: <1335834109.70407.YahooMailNeo@web125706.mail.ne1.yahoo.com>

Hi Rich and all,

The '-n ipaca' option doesn't work for the CA certificate LDAP backend.

[root@ipaslave scripts-PEGACLOUDS-COM]# pwd
/var/lib/dirsrv/scripts-PEGACLOUDS-COM
[root@ipaslave scripts-PEGACLOUDS-COM]# ls ../
scripts-PEGACLOUDS-COM  slapd-PEGACLOUDS-COM  slapd-PKI-IPA
[root@ipaslave scripts-PEGACLOUDS-COM]# ./db2ldif -n ipaca
Exported ldif file: /var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-ipaca-2012_04_30_175927.ldif
...
[30/Apr/2012:17:59:27 -0700] - ERROR: Could not find backend 'ipaca'.
[root@ipaslave scripts-PEGACLOUDS-COM]#

--David
From Steven.Jones at vuw.ac.nz  Tue May  1 01:43:14 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 01:43:14 +0000
Subject: [Freeipa-users] password policy
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8776B@STAWINCOX10MBX1.staff.vuw.ac.nz>

Is there a way for a standard user to query how long before his password is going to expire?

ie locally we can do chage --list

Also if the password is expired is there a grace period past which a user can't reset when they next login?

I notice that there are commands like,

ipa pwpolicy-show --user=jsmith

"ipa" isn't installed on std IPA clients? what package is needed to allow users access to this command, would allowing them access be a problem?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
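Two earlier messages in this thread fit together: Rich's rule that the non-.pl scripts are for a stopped server, with -n userRoot for the IPA instance and -n ipaca for the CA instance, and David's report that ./db2ldif -n ipaca run from scripts-PEGACLOUDS-COM ends in "Could not find backend 'ipaca'". The generated wrapper in /var/lib/dirsrv/scripts-<INSTANCE> always passes -D /etc/dirsrv/slapd-<INSTANCE> for the one instance it was generated for, while the ipaca backend lives in the other instance, slapd-PKI-IPA (both instances are visible in David's ls ../ output). The script below is an added example, not code from this thread or from the 389/FreeIPA projects: it enumerates every slapd-* instance on the host and calls ns-slapd db2ldif with the matching -D for each. It assumes the instance names shown in the thread (PKI-IPA for the CA instance), the /usr/sbin/ns-slapd path from David's output, and that a running instance appears in the process list as "ns-slapd -D <confdir>"; the DRY_RUN and DS_EXPORT_RUN variables and the ds_* function names are the example's own.

```shell
#!/bin/sh
# Offline LDIF export of every 389 DS instance on an IPA server.
# Added example; not from the mailing-list thread or the 389/IPA projects.
#
# Each instance has its own config directory /etc/dirsrv/slapd-<INSTANCE>,
# and the generated wrapper /var/lib/dirsrv/scripts-<INSTANCE>/db2ldif always
# passes "-D /etc/dirsrv/slapd-<INSTANCE>" for the instance it was generated
# for.  That is why "./db2ldif -n ipaca" from scripts-PEGACLOUDS-COM cannot
# find the ipaca backend: it lives in the slapd-PKI-IPA instance.  Calling
# ns-slapd directly with the right -D per instance avoids the problem.
#
# Assumptions (not stated in the thread): instance directories are found by
# globbing $DIRSRV_ETC/slapd-*, the CA instance is named PKI-IPA, and a
# running instance shows up in the process list as "ns-slapd -D <confdir>".

DIRSRV_ETC="${DIRSRV_ETC:-/etc/dirsrv}"
DIRSRV_LIB="${DIRSRV_LIB:-/var/lib/dirsrv}"
NS_SLAPD="${NS_SLAPD:-/usr/sbin/ns-slapd}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# List instance names (the part after "slapd-") found under $DIRSRV_ETC.
ds_instances() {
    for d in "$DIRSRV_ETC"/slapd-*; do
        [ -d "$d" ] || continue
        echo "${d##*/slapd-}"
    done
}

# Backend to export for an instance: ipaca for the CA instance, userRoot
# for the IPA domain instance (the two names Rich gives in the thread).
ds_backend_for() {
    case "$1" in
        PKI-IPA) echo ipaca ;;
        *)       echo userRoot ;;
    esac
}

# Output file, following the naming the generated wrapper uses:
# <instance>-<backend>-<timestamp>.ldif inside the instance's ldif directory.
ds_ldif_path() {
    echo "$DIRSRV_LIB/slapd-$1/ldif/$1-$2-$3.ldif"
}

# Exact ns-slapd invocation for one instance/backend, with the -D that
# matches the instance instead of whatever the wrapper was generated with.
ds_export_cmd() {
    echo "$NS_SLAPD db2ldif -D $DIRSRV_ETC/slapd-$1 -n $2 -a $(ds_ldif_path "$1" "$2" "$3")"
}

# True if ns-slapd for this instance is running.  db2ldif (the non-.pl path)
# is for a stopped server; use db2ldif.pl against a running one instead.
ds_is_running() {
    pgrep -f "ns-slapd -D $DIRSRV_ETC/slapd-$1" >/dev/null 2>&1
}

# Export the chosen backend of every instance, one LDIF file each.
ds_export_all() {
    stamp=$(date +%Y_%m_%d_%H%M%S)
    for inst in $(ds_instances); do
        be=$(ds_backend_for "$inst")
        cmd=$(ds_export_cmd "$inst" "$be" "$stamp")
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
            continue
        fi
        if ds_is_running "$inst"; then
            echo "instance $inst is running; stop it (ipactl stop) or use db2ldif.pl" >&2
            return 1
        fi
        echo "exporting $inst/$be" >&2
        $cmd || return 1
    done
}

if [ "${DS_EXPORT_RUN:-0}" = 1 ]; then
    ds_export_all
fi
```

Run it as DRY_RUN=1 DS_EXPORT_RUN=1 sh export-all.sh to see the two commands it would issue on a host like David's (one for slapd-PEGACLOUDS-COM/userRoot, one for slapd-PKI-IPA/ipaca); with the server stopped and DS_EXPORT_RUN=1 it writes one LDIF per instance under /var/lib/dirsrv/slapd-<INSTANCE>/ldif/. The restore side needs the same care: ldif2db with the -D of the instance the file came from, or ldif2db.pl if the server has to stay up, as Rich notes.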
From cao2dan at yahoo.com  Tue May  1 01:50:35 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 30 Apr 2012 18:50:35 -0700 (PDT)
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <1335834109.70407.YahooMailNeo@web125706.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org>
	<1335476448.5722.22.camel@willson.li.ssimo.org>
	<1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
	<1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com>
	<4F9DD001.2080204@redhat.com>
	<1335826714.53461.YahooMailNeo@web125702.mail.ne1.yahoo.com>
	<4F9F1F0A.1020903@redhat.com>
	<1335829950.17347.YahooMailNeo@web125706.mail.ne1.yahoo.com>
	<4F9F3084.6060309@redhat.com>
	<1335834109.70407.YahooMailNeo@web125706.mail.ne1.yahoo.com>
Message-ID: <1335837035.46314.YahooMailNeo@web125702.mail.ne1.yahoo.com>

I think the problem is figured out, though the solution is not easy. Would someone please open a bug for this problem.

Another closely related question: Does this mean the IPA PKI/CA system is still in its beta/alpha stage, and better avoided in production IPA deployments? I've seen messages and Q/A in the mailing lists of 389 Directory Server and FreeIPA much, much more often than for Dogtag. If so, I can use --selfsign to install IPA masters and replicas now, and wait until Dogtag is mature enough, because this IPA solution is the core of our business authentication and authorization, and so I have been asked several times to make it reliable and easy to maintain. Otherwise the admin officials would rather keep the existing Kerberos+OpenLDAP solution, which is time proven.

Now the problem debugging is attached below:

[root@ipaclient09 scripts-EXAMPLE-COM]# sh -x ./db2ldif -n ipaca
...
+ ./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM -a /var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-ipaca-2012_04_30_183403.ldif -n ipaca
[30/Apr/2012:18:34:03 -0700] - /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif: nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.
[30/Apr/2012:18:34:03 -0700] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.
[30/Apr/2012:18:34:03 -0700] - ERROR: Could not find backend 'ipaca'

but when I run ns-slapd directly, with the config of the slapd-PKI-IPA instance, then it works and an ldif backup file is created.

[root@ipaclient09 scripts-EXAMPLE-COM]# /usr/sbin/ns-slapd db2ldif -D /etc/dirsrv/slapd-PKI-IPA -a /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif -n ipaca
ldiffile: /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif
[30/Apr/2012:18:37:54 -0700] - export ipaca: Processed 63 entries (100%).
[30/Apr/2012:18:37:54 -0700] - All database threads now stopped
[root@ipaclient09 scripts-PEGACLOUDS-COM]# ls -alF /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif
-rw-------. 1 pkisrv dirsrv 125567 Apr 30 18:37 /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif
[root@ipaclient09 scripts-EXAMPLE-COM]#

And inside the script db2ldif, it is found that the code is hard-coded to the user/group/netgroup LDAP backend already, and breaks backup/restore for the PKI-IPA LDAP.

[root@ipaclient09 scripts-EXAMPLE-COM]# grep PKI /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif
[root@ipaclient09 scripts-EXAMPLE-COM]# grep EXAMPLE /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif
        echo /var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-`date +%Y_%m_%d_%H%M%S`.ldif
        echo /var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-${be}-`date +%Y_%m_%d_%H%M%S`.ldif
./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM "$@"
./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM -a $ldif_file "$@"
[root@ipaclient09 scripts-EXAMPLE-COM]#

--David
From rcritten at redhat.com  Tue May  1 02:07:25 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 30 Apr 2012 22:07:25 -0400
Subject: [Freeipa-users] password policy
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC8776B@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC8776B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4F9F455D.7020108@redhat.com>

Steven Jones wrote:
> Is there a way for a standard user to query how long before his password
> is going to expire?
>
> ie locally we can do chage --list

chage requires shadow passwords IIRC and we don't provide that map in sssd.

Off the top of my head I think the only way to get it would be an
ldapsearch which would be rather nasty. Would be relatively easy to
script up I suppose.

> Also if the password is expired is there a grace period past which a
> user can't reset when they next login?

I don't believe so.

> I notice that there are commands like,
>
> ipa pwpolicy-show --user=jsmith
>
> "ipa" isn't installed on std IPA clients?
> what package is needed to allow
> users access to this command, would allowing them access be a problem?

The ipa tool is in the [free]ipa-admintools package. There is no reason
you can't install this on every client, we just figured it would be
overkill to include it by default.

rob


From Steven.Jones at vuw.ac.nz  Tue May  1 02:22:22 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 02:22:22 +0000
Subject: [Freeipa-users] ipa-client install error
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz>

I made a slight oops, I just upgraded a long-unused vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake.

Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.

==============
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
  Hostname: rhel664ws01.ods.vuw.ac.nz
  Realm: ODS.VUW.AC.NZ
  DNS Domain: ods.vuw.ac.nz
  IPA Server: vuwunicoipam002.ods.vuw.ac.nz
  BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjonesst1@ODS.VUW.AC.NZ:
Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1521, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
    api.Backend.xmlclient.connect()
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
[root at rhel664ws01 ~]#
===========

Is this expected when trying to connect 6.3beta? ie it's simply not compatible?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From rmeggins at redhat.com Tue May 1 02:34:30 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 30 Apr 2012 20:34:30 -0600
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <1335833224.18868.YahooMailNeo@web125704.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org>
 <1335476448.5722.22.camel@willson.li.ssimo.org>
 <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
 <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com>
 <4F9DD001.2080204@redhat.com>
 <1335826714.53461.YahooMailNeo@web125702.mail.ne1.yahoo.com>
 <4F9F1F0A.1020903@redhat.com>
 <1335829950.17347.YahooMailNeo@web125706.mail.ne1.yahoo.com>
 <4F9F3084.6060309@redhat.com>
 <1335833224.18868.YahooMailNeo@web125704.mail.ne1.yahoo.com>
Message-ID: <4F9F4BB6.3040502@redhat.com>

On 04/30/2012 06:47 PM, David Copperfield wrote:
> Hi Rich,
>
> Thanks. Those are really helpful.
>
> Though I think I've to learn the underlying 389 Directory Server part
> and become an expert as well.
:) Shouldn't be necessary, long term. The goal of IPA is to hide most of
those 389-ish things from you.

>
> --David
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson
> *To:* David Copperfield
> *Cc:* "freeipa-users at redhat.com"
> *Sent:* Monday, April 30, 2012 5:38 PM
> *Subject:* Re: [Freeipa-users] Confused/lost at promoting a replica into a master
>
> On 04/30/2012 05:52 PM, David Copperfield wrote:
>>
>> --David
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson
>> *To:* David Copperfield
>> *Cc:* E Deon Lackey ; "freeipa-users at redhat.com"
>> *Sent:* Monday, April 30, 2012 4:23 PM
>> *Subject:* Re: [Freeipa-users] Confused/lost at promoting a replica into a master
>>
>> On 04/30/2012 04:58 PM, David Copperfield wrote:
>>> Hi,
>>>
>>> > Currently, there is no disaster recovery or backup information.
>>> > There are a couple of RFEs open to develop this information. My
>>> > understanding (and this is something that Dmitri or one of the
>>> > engineers can explain better) is that the best thing to do is to
>>> > back up the DS instances using db2ldif and then spin up a new
>>> > server/replica instance and import the backed up data using ldif2db.
>>>
>>> Thanks for pointing out a way to do partial backup/restore.
>>>
>>> But the command db2ldif, or its sibling command ldif2db, can not be
>>> located on IPA master/replica.
>>
>> look in /var/lib/dirsrv/scripts-YOURDOMAIN-YOURTLD
>>
>>> The IPA servers only install 389-ds-base and 389-ds-base-libs RPMs,
>>> and the two commands don't show up anywhere.
>>>
>>> Could anyone elaborate how to use the two template commands, or
>>> please point me to the document or http link(s) is enough. Thanks a lot.
>>>
>>> [root at ipamaster script-templates]# rpm -qa | grep 389
>>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>> 389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
>>>
>>> [root at ipamaster script-templates]# rpm -ql 389-ds-base 389-ds-base-libs | grep -P 'db2ldif|ldif2db'
>>> /usr/share/dirsrv/script-templates/template-db2ldif
>>> /usr/share/dirsrv/script-templates/template-db2ldif.pl
>>> /usr/share/dirsrv/script-templates/template-ldif2db
>>> /usr/share/dirsrv/script-templates/template-ldif2db.pl
>>> [root at ipamaster script-templates]#
>>>
>>> --David

From rmeggins at redhat.com Tue May 1 02:35:12 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 30 Apr 2012 20:35:12 -0600
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <1335834109.70407.YahooMailNeo@web125706.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org>
 <1335476448.5722.22.camel@willson.li.ssimo.org>
 <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
 <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com>
 <4F9DD001.2080204@redhat.com>
 <1335826714.53461.YahooMailNeo@web125702.mail.ne1.yahoo.com>
 <4F9F1F0A.1020903@redhat.com>
 <1335829950.17347.YahooMailNeo@web125706.mail.ne1.yahoo.com>
 <4F9F3084.6060309@redhat.com>
 <1335834109.70407.YahooMailNeo@web125706.mail.ne1.yahoo.com>
Message-ID: <4F9F4BE0.7060200@redhat.com>

On 04/30/2012 07:01 PM, David Copperfield wrote:
> Hi Rich and all,
>
> the '-n ipaca' option doesn't work for CA certificate LDAP backend.
>
> [root at ipslave scripts-PEGACLOUDS-COM]# pwd
> /var/lib/dirsrv/scripts-PEGACLOUDS-COM
> [root at ipaslave scripts-PEGACLOUDS-COM]# ls ../
> scripts-PEGACLOUDS-COM  slapd-PEGACLOUDS-COM  slapd-PKI-IPA
>
> [root at ipaslave scripts-PEGACLOUDS-COM]# ./db2ldif -n ipaca
> Exported ldif file:
> /var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-ipaca-2012_04_30_175927.ldif
> ...
> [30/Apr/2012:17:59:27 -0700] - ERROR: Could not find backend 'ipaca'.
> [root at ipaslave scripts-PEGACLOUDS-COM]#

Right. Sorry, forgot to mention that the CA instance puts its scripts in the
"standard" place under /usr/lib64/dirsrv/slapd-PKI-IPA

>
> --David

From Steven.Jones at vuw.ac.nz Tue May 1 02:35:51 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 02:35:51 +0000
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC87F72@STAWINCOX10MBX1.staff.vuw.ac.nz>

encl ipa install log

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
A non-text attachment was scrubbed...
Name: ipaclient-install.log
Type: application/octet-stream
Size: 14994 bytes
Desc: ipaclient-install.log

From rmeggins at redhat.com Tue May 1 02:38:12 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 30 Apr 2012 20:38:12 -0600
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <1335837035.46314.YahooMailNeo@web125702.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org>
 <1335476448.5722.22.camel@willson.li.ssimo.org>
 <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
 <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com>
 <4F9DD001.2080204@redhat.com>
 <1335826714.53461.YahooMailNeo@web125702.mail.ne1.yahoo.com>
 <4F9F1F0A.1020903@redhat.com>
 <1335829950.17347.YahooMailNeo@web125706.mail.ne1.yahoo.com>
 <4F9F3084.6060309@redhat.com>
 <1335834109.70407.YahooMailNeo@web125706.mail.ne1.yahoo.com>
 <1335837035.46314.YahooMailNeo@web125702.mail.ne1.yahoo.com>
Message-ID: <4F9F4C94.5070107@redhat.com>

On 04/30/2012 07:50 PM, David Copperfield wrote:
> I think the problem is figured out, though the solution is not easy. Would
> someone please open a bug for this problem.
>
> Another close question to ask: Does this mean the IPA PKI/CA system
> is still in its beta/alpha stage, and better avoided in production IPA
> deployment?

I don't know about from an IPA perspective, but DogTag has been in heavy duty
commercial deployment for over a decade.

>
> I've seen messages, Q/A in the mail list of 389 Directory Server and
> freeIPA much, much more often than the Dogtag. If so, I can use
> --selfsign to install IPA masters and replicas now, and wait until the
> Dogtag is mature enough, because this IPA solution is the core of our
> business authentication and authorization, and so I have been asked
> several times to make it reliable and easy to maintain. Otherwise the
> admin. official would rather keep the existing Kerberos+OpenLDAP
> solution which is time proven.
>
> Now the problem debugging is attached below:
>
> [root at ipaclient09 scripts-EXAMPLE-COM]# sh -x ./db2ldif -n ipaca
> ...
> + ./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM -a /var/lib/dirsrv/slapd-EXMAPLE-COM/ldif/EXAMPLE-COM-ipaca-2012_04_30_183403.ldif -n ipaca
> [30/Apr/2012:18:34:03 -0700] - /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif: nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit). Server will use a setting of 1024.
> [30/Apr/2012:18:34:03 -0700] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit). Server will use a setting of 1024.
> [30/Apr/2012:18:34:03 -0700] - ERROR: Could not find backend 'ipaca'
>
> but when I run ns-slapd directly, with config using backend
> slapd-PKI-IPA, then it works and a ldif backup file is created.
>
> [root at ipaclient09 scripts-EXAMPLE-COM]# /usr/sbin/ns-slapd db2ldif -D /etc/dirsrv/slapd-PKI-IPA -a /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif -n ipaca
> ldiffile: /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif
> [30/Apr/2012:18:37:54 -0700] - export ipaca: Processed 63 entries (100%).
> [30/Apr/2012:18:37:54 -0700] - All database threads now stopped
> [root at ipaclient09 scripts-PEGACLOUDS-COM]# ls -alF /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif
> -rw-------. 1 pkisrv dirsrv 125567 Apr 30 18:37 /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif
> [root at ipaclient09 scripts-EXAMPLE-COM]#

It is because slapd-PKI-IPA is a separate 389 instance, and the scripts are
very much instance specific - you cannot use the scripts in
/var/lib/dirsrv/slapd-DOMAIN to manage /etc/dirsrv/slapd-PKI-IPA, nor can you
use the scripts in /usr/lib64/dirsrv/slapd-PKI-IPA to manage
/etc/dirsrv/slapd-DOMAIN

>
> And inside the script db2ldif, it is found that the code is hard-coded
> to the user/group/netgroup LDAP backend already, and breaks
> backup/restore for PKI-IPA LDAP.

See above

>
> [root at ipaclient09 scripts-EXAMPLE-COM]# grep PKI /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif
> [root at ipaclient09 scripts-EXAMPLE-COM]# grep EXAMPLE /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif
> echo /var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-`date +%Y_%m_%d_%H%M%S`.ldif
> echo /var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-${be}-`date +%Y_%m_%d_%H%M%S`.ldif
> ./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM "$@"
> ./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM -a $ldif_file "$@"
> [root at ipaclient09 scripts-EXAMPLE-COM]#
>
> --David
From Steven.Jones at vuw.ac.nz Tue May 1 03:47:30 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 03:47:30 +0000
Subject: [Freeipa-users] Trying to trace why a user cannot login to a client
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8809C@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have a user jonesst1 which can login to a workstation fine, but a second user
thing cannot, here is the secure log output,

=========
May 1 15:45:49 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
May 1 15:45:50 vuwunicorh6ws04 login: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
May 1 15:45:50 vuwunicorh6ws04 login: pam_unix(login:session): session opened for user jonesst1 by LOGIN(uid=0)
May 1 15:45:50 vuwunicorh6ws04 login: LOGIN ON tty1 BY jonesst1
May 1 15:45:52 vuwunicorh6ws04 login: pam_unix(login:session): session closed for user jonesst1
May 1 15:45:55 vuwunicorh6ws04 login: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
May 1 15:45:55 vuwunicorh6ws04 login: PAM adding faulty module: /lib64/security/pam_fprintd.so
May 1 15:46:00 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): system info: [Decrypt integrity check failed]
May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): received for user thing: 4 (System error)
May 1 15:46:03 vuwunicorh6ws04 login: FAILED LOGIN 1 FROM (null) FOR thing, Authentication failure
=============

How do I trace what is wrong with the user "thing"?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Tue May 1 03:52:30 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 03:52:30 +0000
Subject: [Freeipa-users] Trying to trace why a user cannot login to a client
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC8809C@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC8809C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC880FE@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I removed jonesst1 from the user group, then jonesst1 cannot login, so jonesst1
is using user group and HBAC to login as is thing....put it back and jonesst1
works again...
:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
=============

How do I trace what is wrong with the user "thing"?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272


From jzeleny at redhat.com Tue May 1 06:38:28 2012
From: jzeleny at redhat.com (Jan Zeleny)
Date: Tue, 1 May 2012 08:38:28 +0200
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC87F72@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC87F72@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <201205010838.28690.jzeleny@redhat.com>

I don't see anything much more useful in the log file. The last line in the traceback suggests there is something wrong with connection to your KDC, does the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD do you have installed?

Thanks
Jan

Steven Jones wrote:
> encl ipa install log
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, 1 May 2012 2:22 p.m.
> Cc: freeipa-users at redhat.com
> Subject: [Freeipa-users] ipa-client install error
>
> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
>
> ==============
> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir
> Discovery was successful!
> Hostname: rhel664ws01.ods.vuw.ac.nz
> Realm: ODS.VUW.AC.NZ
> DNS Domain: ods.vuw.ac.nz
> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admjonesst1
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for admjonesst1 at ODS.VUW.AC.NZ:
>
> Enrolled in IPA realm ODS.VUW.AC.NZ
> Created /etc/ipa/default.conf
> Unable to activate the SSH service in SSSD config.
> Please make sure you have SSSD built with SSH support installed.
> Configure SSH support manually in /etc/sssd/sssd.conf.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1534, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1521, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1358, in install
>     api.Backend.xmlclient.connect()
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>     conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>     raise errors.KerberosError(major=str(krberr), minor='')
> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> [root at rhel664ws01 ~]#
> ===========
>
> Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
From jzeleny at redhat.com Tue May 1 06:43:49 2012
From: jzeleny at redhat.com (Jan Zeleny)
Date: Tue, 1 May 2012 08:43:49 +0200
Subject: [Freeipa-users] Trying to trace why a user cannot login to a client
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC880FE@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC8809C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC880FE@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <201205010843.49685.jzeleny@redhat.com>

Steven Jones wrote:
> Hi,
>
> I removed jonesst1 from the user group, then jonesst1 cannot login, so jonesst1 is using user group and HBAC to login as is thing....put it back and jonesst1 works again...
>
> :/
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, 1 May 2012 3:47 p.m.
> Cc: freeipa-users at redhat.com
> Subject: [Freeipa-users] Trying to trace why a user cannot login to a client
>
> I have a user jonesst1 which can login to a workstation fine, but a second user thing cannot, here is the secure log output,
>
> =========
> May 1 15:45:49 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
> May 1 15:45:50 vuwunicorh6ws04 login: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
> May 1 15:45:50 vuwunicorh6ws04 login: pam_unix(login:session): session opened for user jonesst1 by LOGIN(uid=0)
> May 1 15:45:50 vuwunicorh6ws04 login: LOGIN ON tty1 BY jonesst1
> May 1 15:45:52 vuwunicorh6ws04 login: pam_unix(login:session): session closed for user jonesst1
> May 1 15:45:55 vuwunicorh6ws04 login: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
> May 1 15:45:55 vuwunicorh6ws04 login: PAM adding faulty module: /lib64/security/pam_fprintd.so
> May 1 15:46:00 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
> May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): system info: [Decrypt integrity check failed]
> May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
> May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): received for user thing: 4 (System error)
> May 1 15:46:03 vuwunicorh6ws04 login: FAILED LOGIN 1 FROM (null) FOR thing, Authentication failure
> =============

This looks like a system error in SSSD, could you please try to reproduce the issue again and send us SSSD log files with reasonable debug level (let's say 7)?
Thanks
Jan


From sgallagh at redhat.com Tue May 1 11:41:32 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 01 May 2012 07:41:32 -0400
Subject: [Freeipa-users] Unable to login to some clients if one of the IPA servers is down.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC876C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC858B6@STAWINCOX10MBX1.staff.vuw.ac.nz> <1335785319.4578.1.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC876C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1335872492.4578.92.camel@sgallagh520.sgallagh.bos.redhat.com>

On Mon, 2012-04-30 at 22:14 +0000, Steven Jones wrote:
> Hi,
>
> Do you want me to open a RH case?
>

Yes, that's probably best. Please include as much detail as possible, such as your sssd.conf and, ideally, a sanitized sssd_DOMAINNAME.log at level 6 or higher.


From sgallagh at redhat.com Tue May 1 12:02:13 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 01 May 2012 08:02:13 -0400
Subject: [Freeipa-users] freeIPA bug: Kerberos clients fails taking to IPA server after ipa-client-install
In-Reply-To: <1335822663.65917.YahooMailNeo@web125704.mail.ne1.yahoo.com>
References: <1335822663.65917.YahooMailNeo@web125704.mail.ne1.yahoo.com>
Message-ID: <1335873733.4578.96.camel@sgallagh520.sgallagh.bos.redhat.com>

On Mon, 2012-04-30 at 14:51 -0700, David Copperfield wrote:
>
> Hi folks,
>
> During migration existing Kerberos/LDAP setup clients to IPA, after 'ipa-client-install' command is run and reports successful migration, we found that the client fails to talk with IPA server.
>
> The symptom is: in the /var/log/messages file at IPA client side, we can see the following entries:
>
> Apr 30 11:07:04 ldapclient02 sssd: Starting up
> Apr 30 11:07:05 ldapclient02 sssd[be[pegaclouds.com]]: Starting up
> Apr 30 11:07:06 ldapclient02 sssd[pam]: Starting up
> Apr 30 11:07:06 ldapclient02 sssd[nss]: Starting up
> Apr 30 11:07:06 ldapclient02 [sssd[ldap_child[2133]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>
> It is figured out that, instead of backup and overwrite /etc/krb5.keytab, ipa-client-install only appends the new generated host keytab entries to the same file /etc/krb5.keytab. Then when the original entries have a higher KVNO version than the newly generated siblings, the latter is shadowed and ignored.
>
>
> After manually removing the old entries from /etc/krb5.keytab with the tool ktutil (rkt, delent, wkt), the client immediately connects to IPA server and problem goes away. It will be greatly appreciated if native ipa-rmkeytab can be extended to do the same job.
>

Actually, this was a bug in SSSD that has now been fixed in the RHEL 6.3 beta. It's related to https://bugzilla.redhat.com/show_bug.cgi?id=805281

Please give that a try and see if it resolves your issue.


From dpal at redhat.com Tue May 1 12:40:39 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 01 May 2012 08:40:39 -0400
Subject: [Freeipa-users] migration of netgroups into IPA ??
In-Reply-To: <1335820007.33988.YahooMailNeo@web125702.mail.ne1.yahoo.com>
References: <4F998385.9070001@redhat.com> <1335473461.20871.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4F9AE74D.80401@redhat.com> <1335553534.95430.YahooMailNeo@web125705.mail.ne1.yahoo.com> <4F9AF03C.5010405@redhat.com> <1335554991.39114.YahooMailNeo@web125706.mail.ne1.yahoo.com> <1335820007.33988.YahooMailNeo@web125702.mail.ne1.yahoo.com>
Message-ID: <4F9FD9C7.8030202@redhat.com>

On 04/30/2012 05:06 PM, David Copperfield wrote:
> Hi folks,
>
> We have quite a bunch of netgroups which are hosted on openldap server presently, and now it is time to migrate them into freeIPA. The NIS triples are in the format:
>
> (-, username, - )
>
> or
>
> (hostname001, - , - )
>
> And these openldap netgroups are used for variable purposes, host listing for ssh/gssh, access control, sudoers, etc.
>
> So after user accounts and groups are migrated, netgroups needs to be migrated too for openldap/IPA migration/cutover. There is no Redhat documents on this part though. Has anyone tried netgroup migration before? Or we have to input by hand into IPA (host, hostgroup, user-group) and replace netgroup with hostgroup (which will create respective netgroups in the background), and replace NIS user groups and real posix user groups?
>
> Please advise. Thanks a lot.
>
> --David
>

We do not provide migration script for netgroups however it is very simple to create a script that would recreate netgroups using IPA command line. The reason why we do not do netgroup migration automatically is because it is a good time to reconsider how netgroups are used in your environment. For example if you use netgroups to group hosts we recommend you creating a host group for those hosts. Each host group by default has an automatically created netgroup with the same name. This can be turned off but out of box every host group creates a netgroup.
If you use netgroups for users consider switching to user groups rather than using netgroups for users. Using user groups is more flexible and preferred method.

Also see chapter 7. It has examples of the scripts that can help you to migrate netgroups.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From rcritten at redhat.com Tue May 1 13:19:39 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 May 2012 09:19:39 -0400
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4F9FE2EB.1080704@redhat.com>

Steven Jones wrote:
> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
>
> ==============
> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir
> Discovery was successful!
> Hostname: rhel664ws01.ods.vuw.ac.nz
> Realm: ODS.VUW.AC.NZ
> DNS Domain: ods.vuw.ac.nz
> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admjonesst1
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for admjonesst1 at ODS.VUW.AC.NZ:
>
> Enrolled in IPA realm ODS.VUW.AC.NZ
> Created /etc/ipa/default.conf
> Unable to activate the SSH service in SSSD config.
> Please make sure you have SSSD built with SSH support installed.
> Configure SSH support manually in /etc/sssd/sssd.conf.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1534, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1521, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1358, in install
>     api.Backend.xmlclient.connect()
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>     conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>     raise errors.KerberosError(major=str(krberr), minor='')
> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> [root at rhel664ws01 ~]#
> ===========
>
> Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
>

The newer 2.2 client cannot connect to an older 2.1 server because it isn't going to send the TGT that the 2.1 server requires.

We should handle this better, I've opened a ticket to track this: https://fedorahosted.org/freeipa/ticket/2697

rob


From rcritten at redhat.com Tue May 1 13:31:22 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 May 2012 09:31:22 -0400
Subject: [Freeipa-users] freeIPA bug: Kerberos clients fails taking to IPA server after ipa-client-install
In-Reply-To: <1335822663.65917.YahooMailNeo@web125704.mail.ne1.yahoo.com>
References: <1335822663.65917.YahooMailNeo@web125704.mail.ne1.yahoo.com>
Message-ID: <4F9FE5AA.1050205@redhat.com>

David Copperfield wrote:
>
> Hi folks,
>
> During migration existing Kerberos/LDAP setup clients to IPA, after 'ipa-client-install' command is run and reports successful migration, we found that the client fails to talk with IPA server.
>
> The symptom is: in the /var/log/messages file at IPA client side, we can see the following entries:
>
> Apr 30 11:07:04 ldapclient02 sssd: Starting up
> Apr 30 11:07:05 ldapclient02 sssd[be[pegaclouds.com]]: Starting up
> Apr 30 11:07:06 ldapclient02 sssd[pam]: Starting up
> Apr 30 11:07:06 ldapclient02 sssd[nss]: Starting up
> Apr 30 11:07:06 ldapclient02 [sssd[ldap_child[2133]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>
> It is figured out that, instead of backup and overwrite /etc/krb5.keytab, ipa-client-install only appends the new generated host keytab entries to the same file /etc/krb5.keytab. Then when the original entries have a higher KVNO version than the newly generated siblings, the latter is shadowed and ignored.
>
> After manually removing the old entries from /etc/krb5.keytab with the tool ktutil (rkt, delent, wkt), the client immediately connects to IPA server and problem goes away. It will be greatly appreciated if native ipa-rmkeytab can be extended to do the same job.

ipa-rmkeytab doesn't need to be extended to do this, we would just want to run it prior to ipa-getkeytab in the installer. There is an option to remove all tickets for a given realm, that seems to be the best fit here.
I opened a ticket to track this, https://fedorahosted.org/freeipa/ticket/2698

rob


From rcritten at redhat.com Tue May 1 13:48:51 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 May 2012 09:48:51 -0400
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <1335837035.46314.YahooMailNeo@web125702.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com> <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4F9DD001.2080204@redhat.com> <1335826714.53461.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4F9F1F0A.1020903@redhat.com> <1335829950.17347.YahooMailNeo@web125706.mail.ne1.yahoo.com> <4F9F3084.6060309@redhat.com> <1335834109.70407.YahooMailNeo@web125706.mail.ne1.yahoo.com> <1335837035.46314.YahooMailNeo@web125702.mail.ne1.yahoo.com>
Message-ID: <4F9FE9C3.90901@redhat.com>

David Copperfield wrote:
> I think the problem is figured out, though solution is not easy. Would someone please open a bug for this problem.
>
> Another close question to ask: Does this mean the IPA PKI/CA system is still in its beta/alpha stage, and better avoid in production IPA deployment?
>
> I've seen messages, Q/A in mail list of 389 Directory Server and freeIPA much, much more often than the Dogtag. If so, I can use --selfsign to install IPA masters and replicas now, and wait until the Dogtag is mature enough, because this IPA solution is the core of our business authentication and authorization, and so I have been asked several times to make it reliable and easy to maintain. Otherwise the admin. official would rather keep existing Kerberos+OpenLDAP solution which is time proven.

As Rich pointed out, there are per-instance specific versions of the scripts. This is related to the templates you saw in the rpm.

CAs are not sexy which may be why the dogtag list is low volume.
I get the feeling that many people just get by with self-signed certificates that are managed by hand. There is a fair bit of discussion in the freenode #dogtag IRC channel from time to time.

There is no way to migrate from one CA type to another within IPA (without re-installing IPA).

rob


From Steven.Jones at vuw.ac.nz Tue May 1 20:40:41 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 20:40:41 +0000
Subject: [Freeipa-users] Trying to trace why a user cannot login to a client
In-Reply-To: <201205010843.49685.jzeleny@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC8809C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC880FE@STAWINCOX10MBX1.staff.vuw.ac.nz> <201205010843.49685.jzeleny@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC896A4@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

The sssd log on the client rolled over on the 28th of March and there are no logs since....ie the log is zero length.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Jan Zeleny [jzeleny at redhat.com]
Sent: Tuesday, 1 May 2012 6:43 p.m.
To: freeipa-users at redhat.com
Cc: Steven Jones
Subject: Re: [Freeipa-users] Trying to trace why a user cannot login to a client

Steven Jones wrote:
> Hi,
>
> I removed jonesst1 from the user group, then jonesst1 cannot login, so jonesst1 is using user group and HBAC to login as is thing....put it back and jonesst1 works again...
>
> :/
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, 1 May 2012 3:47 p.m.
> Cc: freeipa-users at redhat.com
> Subject: [Freeipa-users] Trying to trace why a user cannot login to a client
>
> I have a user jonesst1 which can login to a workstation fine, but a second user thing cannot, here is the secure log output,
>
> =========
> May 1 15:45:49 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
> May 1 15:45:50 vuwunicorh6ws04 login: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
> May 1 15:45:50 vuwunicorh6ws04 login: pam_unix(login:session): session opened for user jonesst1 by LOGIN(uid=0)
> May 1 15:45:50 vuwunicorh6ws04 login: LOGIN ON tty1 BY jonesst1
> May 1 15:45:52 vuwunicorh6ws04 login: pam_unix(login:session): session closed for user jonesst1
> May 1 15:45:55 vuwunicorh6ws04 login: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
> May 1 15:45:55 vuwunicorh6ws04 login: PAM adding faulty module: /lib64/security/pam_fprintd.so
> May 1 15:46:00 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
> May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): system info: [Decrypt integrity check failed]
> May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
> May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): received for user thing: 4 (System error)
> May 1 15:46:03 vuwunicorh6ws04 login: FAILED LOGIN 1 FROM (null) FOR thing, Authentication failure
> =============

This looks like a system error in SSSD, could you please try to reproduce the issue again and send us SSSD log files with reasonable debug level (let's say 7)?
Thanks
Jan


From Steven.Jones at vuw.ac.nz Tue May 1 20:41:22 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 20:41:22 +0000
Subject: [Freeipa-users] Unable to login to some clients if one of the IPA servers is down.
In-Reply-To: <1335872492.4578.92.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC858B6@STAWINCOX10MBX1.staff.vuw.ac.nz> <1335785319.4578.1.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC876C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <1335872492.4578.92.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC896AF@STAWINCOX10MBX1.staff.vuw.ac.nz>

Which sssd.conf's?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Stephen Gallagher [sgallagh at redhat.com]
Sent: Tuesday, 1 May 2012 11:41 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to login to some clients if one of the IPA servers is down.

On Mon, 2012-04-30 at 22:14 +0000, Steven Jones wrote:
> Hi,
>
> Do you want me to open a RH case?
>

Yes, that's probably best. Please include as much detail as possible, such as your sssd.conf and, ideally, a sanitized sssd_DOMAINNAME.log at level 6 or higher.
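The keytab shadowing David Copperfield describes in the "Kerberos clients fails taking to IPA server" thread above (pre-existing entries with a higher KVNO win over the freshly enrolled ones, so every GSSAPI bind fails with "Decrypt integrity check failed") can be checked for on the client before it turns into a login outage. The following is an added example, not code from the thread or from FreeIPA or SSSD: it parses `klist -kt` style output (the sample is constructed; the principal reuses the thread's ldapclient02/PEGACLOUDS.COM names, the KVNO values are made up), flags principals that carry more than one KVNO, and builds the ktutil rkt/delent/wkt sequence David used, writing to a new file because MIT ktutil's wkt appends to an existing keytab rather than replacing it.

```python
"""Detect stale host keytab entries after IPA enrollment (added example).

Assumed scenario (from the thread): ipa-client-install appended the new host
entries to an existing /etc/krb5.keytab and the old entries carry a higher
KVNO, so the Kerberos library keeps selecting the old key. The KDC-side KVNO
is supplied by the caller (on the IPA server, kvno/keytab tooling can show it);
here it is a constructed value.
"""
import re
from collections import defaultdict

# One 'klist -kt' entry: "   7 03/12/2012 09:15:02 host/x@REALM" with an
# optional "(enctype)" suffix from -e; the timestamp is optional so plain
# 'klist -k' output parses as well.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?:(?P<ts>\d\S*\s+\d\S*)\s+)?"
    r"(?P<princ>\S+)(?:\s+\((?P<etype>[^)]+)\))?\s*$"
)

# Constructed sample: two old entries (KVNO 7) shadow the two entries IPA
# just issued (KVNO 2); the nfs principal is a constructed, unaffected entry.
HOST_PRINC = "host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM"
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   7 03/12/2012 09:15:02 host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes256-cts-hmac-sha1-96)
   7 03/12/2012 09:15:02 host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes128-cts-hmac-sha1-96)
   2 04/30/2012 11:06:58 host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes256-cts-hmac-sha1-96)
   2 04/30/2012 11:06:58 host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes128-cts-hmac-sha1-96)
   3 04/30/2012 11:06:58 nfs/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes256-cts-hmac-sha1-96)
"""


def parse_klist(text):
    """Return [(slot, kvno, principal, enctype)] in file order.

    Slots are numbered from 1 in file order, which is the numbering ktutil
    shows after 'rkt' (assumption: the keytab was not rewritten in between).
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Keytab name:" header, column titles, separator rule
        entries.append((len(entries) + 1, int(m.group("kvno")),
                        m.group("princ"), m.group("etype")))
    return entries


def kvnos_by_principal(entries):
    seen = defaultdict(set)
    for _slot, kvno, princ, _etype in entries:
        seen[princ].add(kvno)
    return dict(seen)


def shadowed_principals(entries):
    """Principals present with more than one KVNO.

    libkrb5 picks the highest KVNO for a principal, so if that is not the key
    the KDC holds, every GSSAPI operation with this keytab fails.
    """
    return sorted(p for p, ks in kvnos_by_principal(entries).items() if len(ks) > 1)


def stale_slots(entries, current_kvno):
    """Slots whose KVNO differs from the KVNO the KDC holds for the principal.

    current_kvno maps principal -> KVNO; principals not in the map are skipped.
    """
    return [slot for slot, kvno, princ, _etype in entries
            if princ in current_kvno and kvno != current_kvno[princ]]


def ktutil_script(keytab_path, slots):
    """ktutil command sequence removing the given slots.

    'delent' renumbers the slots after the deleted one, so delete from the
    highest slot down. 'wkt' appends to an existing file, so write to a new
    path and move it over the old keytab once 'klist -kt' on it looks right.
    """
    lines = ["rkt " + keytab_path]
    lines.extend("delent %d" % slot for slot in sorted(slots, reverse=True))
    lines.append("wkt " + keytab_path + ".new")
    lines.append("quit")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    for princ in shadowed_principals(entries):
        print("multiple KVNOs for %s: %s" % (princ, sorted(kvnos_by_principal(entries)[princ])))
    slots = stale_slots(entries, {HOST_PRINC: 2})  # 2 = KVNO the IPA KDC holds (constructed)
    print("stale slots: %s" % slots)
    print(ktutil_script("/etc/krb5.keytab", slots))
```

Run against real output with `klist -kte | python3 check_keytab.py` style plumbing by replacing SAMPLE_KLIST with stdin; the KDC-side KVNO still has to come from the IPA server, not from the keytab being checked.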
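Dmitri Pal's reply in the "migration of netgroups into IPA" thread above says no migration script ships with IPA but that one is easy to write against the IPA command line. The following is an added example, not an IPA-provided script: it converts NIS triples in the two forms David Copperfield listed, "(-, username, - )" and "(hostname001, - , - )", into `ipa` CLI commands following the advice given there, hosts into a host group of the original name (IPA then creates the managed netgroup of that name) and users into a user group. The "-users" suffix for the user group, the qualification of short host names with a DNS domain, and the sample netgroups are constructed assumptions.

```python
"""Turn OpenLDAP/NIS netgroup triples into 'ipa' CLI commands (added example).

Conventions assumed here (not IPA's): the host group keeps the NIS netgroup
name so the managed netgroup IPA creates for it keeps the name that sudoers
and ssh configs reference; users go into "<name>-users"; short host names
are qualified with dns_domain because IPA host entries are FQDNs.
"""
import re
import shlex

# A NIS triple is "(host,user,domain)"; "-" or an empty field means none.
TRIPLE_RE = re.compile(r"^\(\s*([^,)]*)\s*,\s*([^,)]*)\s*,\s*([^,)]*)\s*\)$")

# Constructed sample netgroups in the two forms from the thread.
SAMPLE_NETGROUPS = {
    "webservers": ["(web01, - , - )", "(web02.pegaclouds.com,-,-)"],
    "dbadmins": ["(-, alice, - )", "(-, bob, - )"],
    "backup": ["(bak01,-,-)", "(-,backupop,-)"],  # mixed hosts and users
}


def parse_triples(triples, dns_domain):
    """Split a netgroup's triples into (hosts, users); raise on malformed input."""
    hosts, users = [], []
    for raw in triples:
        m = TRIPLE_RE.match(raw.strip())
        if not m:
            raise ValueError("not a NIS netgroup triple: %r" % raw)
        host, user, _domain = (field.strip() for field in m.groups())
        if host and host != "-":
            hosts.append(host if "." in host else "%s.%s" % (host, dns_domain))
        if user and user != "-":
            users.append(user)
    return hosts, users


def ipa_commands(netgroups, dns_domain, user_group_suffix="-users"):
    """Return the 'ipa' command lines that recreate the given netgroups.

    netgroups maps netgroup name -> list of triple strings. Only host groups
    and user groups are created; the managed netgroup comes from the host
    group automatically, as Dmitri's reply describes.
    """
    cmds = []
    for name in sorted(netgroups):
        hosts, users = parse_triples(netgroups[name], dns_domain)
        desc = shlex.quote("migrated from NIS netgroup %s" % name)
        if hosts:
            cmds.append("ipa hostgroup-add %s --desc=%s" % (name, desc))
            cmds.append("ipa hostgroup-add-member %s --hosts=%s" % (name, ",".join(hosts)))
        if users:
            group = name + user_group_suffix
            cmds.append("ipa group-add %s --desc=%s" % (group, desc))
            cmds.append("ipa group-add-member %s --users=%s" % (group, ",".join(users)))
    return cmds


if __name__ == "__main__":
    # Review the generated commands before feeding them to a shell with a
    # valid admin ticket; hosts must already be enrolled for add-member to work.
    print("\n".join(ipa_commands(SAMPLE_NETGROUPS, "pegaclouds.com")))
```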
From Steven.Jones at vuw.ac.nz Tue May 1 20:52:22 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 20:52:22 +0000
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <201205010838.28690.jzeleny@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC87F72@STAWINCOX10MBX1.staff.vuw.ac.nz> <201205010838.28690.jzeleny@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC896C0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

sssd-1.5.1-66.el6_2.3.x86_64

KDC connections.......as far as I know....but the proof is this machine is a vm off my linux rhel6.2 server/workstation which is IPA'd itself, I can login and I manage IPA from the firefox web browser on it...so physically it's the exact same cable, switches, routers, firewall and vmware hardware...so an issue makes no sense at that level unless it's an issue with the KVM networking.....it's DHCPing off my cat6 cable so has the same IP address range, so that leaves out networking I believe.

However I am having issues with some logins on other clients as well now so this points to IPA itself or something common I would say.

I've done sosreports under case 627913 for that.......

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Jan Zeleny [jzeleny at redhat.com]
Sent: Tuesday, 1 May 2012 6:38 p.m.
To: freeipa-users at redhat.com
Cc: Steven Jones
Subject: Re: [Freeipa-users] ipa-client install error

I don't see anything much more useful in the log file. The last line in the traceback suggests there is something wrong with connection to your KDC, does the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD do you have installed?
Thanks
Jan

Steven Jones wrote:
> encl ipa install log
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, 1 May 2012 2:22 p.m.
> Cc: freeipa-users at redhat.com
> Subject: [Freeipa-users] ipa-client install error
>
> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
>
> ==============
> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir
> Discovery was successful!
> Hostname: rhel664ws01.ods.vuw.ac.nz
> Realm: ODS.VUW.AC.NZ
> DNS Domain: ods.vuw.ac.nz
> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admjonesst1
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for admjonesst1 at ODS.VUW.AC.NZ:
>
> Enrolled in IPA realm ODS.VUW.AC.NZ
> Created /etc/ipa/default.conf
> Unable to activate the SSH service in SSSD config.
> Please make sure you have SSSD built with SSH support installed.
> Configure SSH support manually in /etc/sssd/sssd.conf.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1534, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1521, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1358, in install
>     api.Backend.xmlclient.connect()
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>     conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>     raise errors.KerberosError(major=str(krberr), minor='')
> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> [root at rhel664ws01 ~]#
> ===========
>
> Is this expected when trying to connect 6.3beta? ie it's simply not compatible?


From Steven.Jones at vuw.ac.nz Tue May 1 20:55:38 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 20:55:38 +0000
Subject: [Freeipa-users] Trying to trace why a user cannot login to a client
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC896A4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC8809C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC880FE@STAWINCOX10MBX1.staff.vuw.ac.nz> <201205010843.49685.jzeleny@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC896A4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC896D5@STAWINCOX10MBX1.staff.vuw.ac.nz>

The sssd from rhel6.3beta workstation is 1.8.0-22.el6.x86_64

The sssd from rhel6.2 workstation is 1.5.1-66.el6_2.3.x86_64

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Wednesday, 2 May 2012 8:40 a.m.
To: Jan Zeleny; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Trying to trace why a user cannot login to a client

Hi,

The sssd log on the client rolled over on the 28th of March and there are no logs since....ie the log is zero length.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Jan Zeleny [jzeleny at redhat.com]
Sent: Tuesday, 1 May 2012 6:43 p.m.
To: freeipa-users at redhat.com
Cc: Steven Jones
Subject: Re: [Freeipa-users] Trying to trace why a user cannot login to a client

Steven Jones wrote:
> Hi,
>
> I removed jonesst1 from the user group, then jonesst1 cannot login, so jonesst1 is using user group and HBAC to login as is thing....put it back and jonesst1 works again...
>
> :/
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, 1 May 2012 3:47 p.m.
> Cc: freeipa-users at redhat.com
> Subject: [Freeipa-users] Trying to trace why a user cannot login to a client
>
> I have a user jonesst1 which can login to a workstation fine, but a second user thing cannot, here is the secure log output,
>
> =========
> May 1 15:45:49 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
> May 1 15:45:50 vuwunicorh6ws04 login: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
> May 1 15:45:50 vuwunicorh6ws04 login: pam_unix(login:session): session opened for user jonesst1 by LOGIN(uid=0)
> May 1 15:45:50 vuwunicorh6ws04 login: LOGIN ON tty1 BY jonesst1
> May 1 15:45:52 vuwunicorh6ws04 login: pam_unix(login:session): session closed for user jonesst1
> May 1 15:45:55 vuwunicorh6ws04 login: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
> May 1 15:45:55 vuwunicorh6ws04 login: PAM adding faulty module: /lib64/security/pam_fprintd.so
> May 1 15:46:00 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
> May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): system info: [Decrypt integrity check failed]
> May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
> May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): received for user thing: 4 (System error)
> May 1 15:46:03 vuwunicorh6ws04 login: FAILED LOGIN 1 FROM (null) FOR thing, Authentication failure
> =============

This looks like a system error in SSSD, could you please try to reproduce the issue again and send us SSSD log files with reasonable debug level (let's say 7)?
Thanks
Jan

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Tue May 1 20:56:39 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 20:56:39 +0000
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC896C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC87F72@STAWINCOX10MBX1.staff.vuw.ac.nz>, <201205010838.28690.jzeleny@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CC896C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC896E3@STAWINCOX10MBX1.staff.vuw.ac.nz>

Error there on my part, it's 1.8 not 1.5..... I have another machine that is 1.5.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Wednesday, 2 May 2012 8:52 a.m.
To: Jan Zeleny; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Hi,

sssd-1.5.1-66.el6_2.3.x86_64

KDC connections....... as far as I know.... but the proof is this machine is a vm off my linux rhel6.2 server/workstation which is IPA'd itself, I can login and I manage IPA from the firefox web browser on it... so physically it's the exact same cable, switches, routers, firewall and vmware hardware... so an issue makes no sense at that level unless it's an issue with the KVM networking..... it's DHCPing off my cat6 cable so has the same IP address range, so that leaves out networking I believe.

However I am having issues with some logins on other clients as well now so this points to IPA itself or something common I would say.
I've done sosreports under case 627913 for that.......

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Jan Zeleny [jzeleny at redhat.com]
Sent: Tuesday, 1 May 2012 6:38 p.m.
To: freeipa-users at redhat.com
Cc: Steven Jones
Subject: Re: [Freeipa-users] ipa-client install error

I don't see anything much more useful in the log file. The last line in the traceback suggests there is something wrong with the connection to your KDC, does the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD do you have installed?

Thanks
Jan

Steven Jones wrote:
> encl ipa install log
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com]
> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, 1 May 2012 2:22 p.m.
> Cc: freeipa-users at redhat.com
> Subject: [Freeipa-users] ipa-client install error
>
> I made a slight oops, I just upgraded a long un-used vm on my desktop from
> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite
> is down I can't correct this so I tried to add the 6.3beta client to IPA on
> 6.2 and I get an error.
>
> ==============
> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir
> Discovery was successful!
> Hostname: rhel664ws01.ods.vuw.ac.nz
> Realm: ODS.VUW.AC.NZ
> DNS Domain: ods.vuw.ac.nz
> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admjonesst1
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for admjonesst1 at ODS.VUW.AC.NZ:
>
> Enrolled in IPA realm ODS.VUW.AC.NZ
> Created /etc/ipa/default.conf
> Unable to activate the SSH service in SSSD config.
> Please make sure you have SSSD built with SSH support installed.
> Configure SSH support manually in /etc/sssd/sssd.conf.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1534, in
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1521, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1358, in install
>     api.Backend.xmlclient.connect()
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>     conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>     raise errors.KerberosError(major=str(krberr), minor='')
> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> [root at rhel664ws01 ~]#
> ===========
>
> Is this expected when trying to connect 6.3beta? ie it's simply not
> compatible?

From jhrozek at redhat.com Tue May 1 20:59:58 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 1 May 2012 22:59:58 +0200
Subject: [Freeipa-users] Unable to login to some clients if one of the IPA servers is down.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC896AF@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC858B6@STAWINCOX10MBX1.staff.vuw.ac.nz> <1335785319.4578.1.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC876C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <1335872492.4578.92.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC896AF@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20120501205958.GE19576@hendrix.redhat.com>

On Tue, May 01, 2012 at 08:41:22PM +0000, Steven Jones wrote:
> Which sssd.conf's?
>

The machines you are logging in to.

From jhrozek at redhat.com Tue May 1 21:04:12 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 1 May 2012 23:04:12 +0200
Subject: [Freeipa-users] Trying to trace why a user cannot login to a client
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC896D5@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC8809C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC880FE@STAWINCOX10MBX1.staff.vuw.ac.nz> <201205010843.49685.jzeleny@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC896A4@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC896D5@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20120501210412.GF19576@hendrix.redhat.com>

On Tue, May 01, 2012 at 08:55:38PM +0000, Steven Jones wrote:
> The sssd from rhel6.3beta workstation is 1.8.0-22.el6.x86_64
>
> The sssd from rhel6.2 workstation is 1.5.1-66.el6_2.3.x86_64
>
> regards
>
> Steven Jones

Does by any chance your sssd.conf include a debug_level directive in the [sssd] section and not in the others? I think that was a case that only worked by accident and we removed it in 1.7.

The "fix" is to specify debug_level in all the sections you'd like to print debug information from. In your case, that would be the [domain/*] section and perhaps the [pam] section.
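Two things this thread asks for, as an added example that is not part of any message in it: a triage of the /var/log/secure lines Steven quoted (which PAM module and return code actually decided each login, so that "4 (System error)" from pam_sss is not mistaken for a bad password), and Jakub's point that debug_level must be present in each section whose log you want, checked against a constructed sssd.conf. The log lines are the ones quoted in the thread; the config, the domain example.test, the server name and the function names are constructed for illustration and are not from any project.

```python
"""Triage pam_sss outcomes in a secure log and check sssd.conf debug_level
coverage.  Added example, not from the freeipa-users thread; sample inputs
are constructed from the quoted messages."""
import configparser
import re

# Constructed from the secure-log excerpt quoted in the thread.
SECURE_LOG = """\
May 1 15:45:49 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
May 1 15:45:50 vuwunicorh6ws04 login: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
May 1 15:46:00 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): system info: [Decrypt integrity check failed]
May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): received for user thing: 4 (System error)
"""

PAM_RE = re.compile(r"(?P<module>pam_\w+)\((?P<service>\w+):(?P<phase>\w+)\): (?P<msg>.*)$")
USER_RE = re.compile(r"\buser=(?P<user>\S+)")
RC_RE = re.compile(r"received for user (?P<user>\S+): (?P<rc>\d+) \((?P<text>[^)]*)\)")
INFO_RE = re.compile(r"system info: \[(?P<info>[^\]]*)\]")

PAM_SYSTEM_ERR = 4   # Linux-PAM return codes, as printed by pam_sss
PAM_AUTH_ERR = 7


def triage_logins(log_text):
    """Return {user: {"verdict", "rc", "info"}} for the auth phase.

    pam_unix failing for a directory user is the normal stacked-PAM pattern
    (no local passwd entry); the pam_sss result decides the login.  A pam_sss
    return code other than PAM_AUTH_ERR means SSSD hit an error of its own
    rather than rejecting the credentials."""
    results = {}
    last_user = None  # "system info" lines carry no user=; attribute them to the current user
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if not m or m.group("phase") != "auth":
            continue
        module, msg = m.group("module"), m.group("msg")
        rc, u = RC_RE.search(msg), USER_RE.search(msg)
        if rc:
            last_user = rc.group("user")
        elif u:
            last_user = u.group("user")
        if last_user is None:
            continue
        rec = results.setdefault(last_user, {"verdict": "unknown", "rc": None, "info": None})
        if rc:
            rec["rc"] = int(rc.group("rc"))
            rec["verdict"] = "credential-failure" if rec["rc"] == PAM_AUTH_ERR else "sssd-error"
        elif INFO_RE.search(msg):
            rec["info"] = INFO_RE.search(msg).group("info")
        elif module == "pam_sss" and msg.startswith("authentication success"):
            rec["verdict"] = "success"
        elif module == "pam_sss" and msg.startswith("authentication failure") and rec["verdict"] == "unknown":
            rec["verdict"] = "credential-failure"
    return results


def sections_missing_debug_level(conf_text, wanted=("pam", "domain/")):
    """Names of the wanted sections (responder or domain) with no debug_level.
    debug_level under [sssd] alone does not make those sections log."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return [s for s in cp.sections()
            if any(s.startswith(w) for w in wanted) and not cp.has_option(s, "debug_level")]


# Constructed sssd.conf: debug_level only in [sssd], the case Jakub describes.
CONF_BEFORE = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.test
debug_level = 7

[nss]

[pam]

[domain/example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa1.example.test
"""

# Corrected: debug_level repeated in every section whose log is wanted.
CONF_AFTER = CONF_BEFORE.replace("[pam]\n", "[pam]\ndebug_level = 7\n") \
                        .replace("[domain/example.test]\n", "[domain/example.test]\ndebug_level = 7\n")

if __name__ == "__main__":
    for user, rec in triage_logins(SECURE_LOG).items():
        print(user, rec)
    print("sections still silent:", sections_missing_debug_level(CONF_BEFORE))
    print("after fix:", sections_missing_debug_level(CONF_AFTER))
```

Run against the quoted excerpt, jonesst1 comes out as `success` and thing as `sssd-error` with rc 4 and the "Decrypt integrity check failed" info attached, which is the distinction Jan draws; the config check lists `pam` and `domain/example.test` for the first file and nothing for the corrected one.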
From Steven.Jones at vuw.ac.nz Tue May 1 22:12:48 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 22:12:48 +0000
Subject: [Freeipa-users] Trying to trace why a user cannot login to a client
In-Reply-To: <20120501210412.GF19576@hendrix.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC8809C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC880FE@STAWINCOX10MBX1.staff.vuw.ac.nz> <201205010843.49685.jzeleny@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC896A4@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC896D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20120501210412.GF19576@hendrix.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC89A87@STAWINCOX10MBX1.staff.vuw.ac.nz>

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
Sent: Wednesday, 2 May 2012 9:04 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Trying to trace why a user cannot login to a client

On Tue, May 01, 2012 at 08:55:38PM +0000, Steven Jones wrote:
> The sssd from rhel6.3beta workstation is 1.8.0-22.el6.x86_64
>
> The sssd from rhel6.2 workstation is 1.5.1-66.el6_2.3.x86_64
>
> regards
>
> Steven Jones

Does by any chance your sssd.conf include a debug_level directive in the [sssd] section and not in the others? I think that was a case that only worked by accident and we removed it in 1.7.

The "fix" is to specify debug_level in all the sections you'd like to print debug information from. In your case, that would be the [domain/*] section and perhaps the [pam] section.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd-logs.tar.gz
Type: application/x-gzip
Size: 124653 bytes
Desc: sssd-logs.tar.gz
URL:

From Steven.Jones at vuw.ac.nz Tue May 1 22:15:49 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 22:15:49 +0000
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <4F9FE2EB.1080704@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F9FE2EB.1080704@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz>

So this opens a chicken and egg?

ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done.... if so that is a huge and ugly looking task that is one way.....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 2 May 2012 1:19 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:
> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
>
> ==============
> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir
> Discovery was successful!
> Hostname: rhel664ws01.ods.vuw.ac.nz
> Realm: ODS.VUW.AC.NZ
> DNS Domain: ods.vuw.ac.nz
> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admjonesst1
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for admjonesst1 at ODS.VUW.AC.NZ:
>
> Enrolled in IPA realm ODS.VUW.AC.NZ
> Created /etc/ipa/default.conf
> Unable to activate the SSH service in SSSD config.
> Please make sure you have SSSD built with SSH support installed.
> Configure SSH support manually in /etc/sssd/sssd.conf.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1534, in
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1521, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1358, in install
>     api.Backend.xmlclient.connect()
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>     conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>     raise errors.KerberosError(major=str(krberr), minor='')
> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> [root at rhel664ws01 ~]#
> ===========
>
> Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
>

The newer 2.2 client cannot connect to an older 2.1 server because it isn't going to send the TGT that the 2.1 server requires. We should handle this better, I've opened a ticket to track this: https://fedorahosted.org/freeipa/ticket/2697

rob

From Steven.Jones at vuw.ac.nz Tue May 1 22:18:40 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 May 2012 22:18:40 +0000
Subject: [Freeipa-users] Unable to login to some clients if one of the IPA servers is down.
In-Reply-To: <1335872492.4578.92.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC858B6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1335785319.4578.1.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC876C0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1335872492.4578.92.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC89AA5@STAWINCOX10MBX1.staff.vuw.ac.nz>

Well this is consistent.... I just stopped it to move to a new vmware cluster and clients fail to log in....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Stephen Gallagher [sgallagh at redhat.com]
Sent: Tuesday, 1 May 2012 11:41 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to login to some clients if one of the IPA servers is down.

On Mon, 2012-04-30 at 22:14 +0000, Steven Jones wrote:
> Hi,
>
> Do you want me to open a RH case?
>

Yes, that's probably best. Please include as much detail as possible, such as your sssd.conf and, ideally, a sanitized sssd_DOMAINNAME.log at level 6 or higher.

From dpal at redhat.com Tue May 1 22:31:52 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 01 May 2012 18:31:52 -0400
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FA06458.2070904@redhat.com>

On 05/01/2012 06:15 PM, Steven Jones wrote:
> So this opens a chicken and egg?
>
> ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done.... if so that is a huge and ugly looking task that is one way.....
>

Yes this is a serious problem. Thank you for uncovering it.

Current plan is to:
provide a fix for the older clients to be able to connect to 2.2 via errata.
Make sure that the 2.2 client can connect to the 2.1 server.

Thanks
Dmitri

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 2 May 2012 1:19 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> Steven Jones wrote:
>> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
>>
>> ==============
>> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir
>> Discovery was successful!
>> Hostname: rhel664ws01.ods.vuw.ac.nz
>> Realm: ODS.VUW.AC.NZ
>> DNS Domain: ods.vuw.ac.nz
>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>>
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admjonesst1
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Password for admjonesst1 at ODS.VUW.AC.NZ:
>>
>> Enrolled in IPA realm ODS.VUW.AC.NZ
>> Created /etc/ipa/default.conf
>> Unable to activate the SSH service in SSSD config.
>> Please make sure you have SSSD built with SSH support installed.
>> Configure SSH support manually in /etc/sssd/sssd.conf.
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-client-install", line 1534, in
>>     sys.exit(main())
>>   File "/usr/sbin/ipa-client-install", line 1521, in main
>>     rval = install(options, env, fstore, statestore)
>>   File "/usr/sbin/ipa-client-install", line 1358, in install
>>     api.Backend.xmlclient.connect()
>>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>>     conn = self.create_connection(*args, **kw)
>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>>     raise errors.KerberosError(major=str(krberr), minor='')
>> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
>> [root at rhel664ws01 ~]#
>> ===========
>>
>> Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
>>
> The newer 2.2 client cannot connect to an older 2.1 server because it
> isn't going to send the TGT that the 2.1 server requires. We should
> handle this better, I've opened a ticket to track this:
> https://fedorahosted.org/freeipa/ticket/2697
>
> rob
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Tue May 1 22:34:25 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 01 May 2012 18:34:25 -0400
Subject: [Freeipa-users] Unable to login to some clients if one of the IPA servers is down.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC896AF@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC858B6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1335785319.4578.1.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC876C0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1335872492.4578.92.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC896AF@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1335911665.4578.119.camel@sgallagh520.sgallagh.bos.redhat.com>

On Tue, 2012-05-01 at 20:41 +0000, Steven Jones wrote:
> Which sssd.conf's?

On the clients that you cannot log into.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL:

From eshabahang at yahoo.com Wed May 2 07:14:52 2012
From: eshabahang at yahoo.com (shabahang elmian)
Date: Wed, 2 May 2012 00:14:52 -0700 (PDT)
Subject: [Freeipa-users] Error in Installation - unable to create CA
In-Reply-To: <1335685874.17289.YahooMailNeo@web161602.mail.bf1.yahoo.com>
References: <1335174362.20027.YahooMailNeo@web161605.mail.bf1.yahoo.com> <4F95795D.6050507@redhat.com> <1335685874.17289.YahooMailNeo@web161602.mail.bf1.yahoo.com>
Message-ID: <1335942892.51335.YahooMailNeo@web161606.mail.bf1.yahoo.com>

Hello,

I would be thankful if someone can help me to resolve the problem.
Shabahang

________________________________
From: shabahang elmian
To: Rob Crittenden
Cc: "freeipa-users at redhat.com"
Sent: Sunday, April 29, 2012 12:21 PM
Subject: Re: [Freeipa-users] Error in Installation - unable to create CA

[2012-04-23 17:07:32] [debug] set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] Processing PKI security modules for '/var/lib/pki-ca' ...
[2012-04-23 17:07:32] [debug]     Attempting to add hardware security modules to system if applicable ...
[2012-04-23 17:07:32] [debug]         module name: lunasa  lib: /usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
[2012-04-23 17:07:32] [debug]         module name: nfast  lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2012-04-23 17:07:32] [debug] configuring SELinux ...
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9180.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9701.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9443.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9444.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9446.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9445.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9447.  Port already defined otherwise.
[2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to run semanage.
[2012-04-23 17:07:34] [debug] Running restorecon commands
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /usr/share/java/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /usr/share/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/lib/pki-ca)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/run/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/log/pki-ca)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /etc/pki-ca)
[2012-04-23 17:07:34] [debug] Installation manifest: /var/lib/pki-ca/install_info
[2012-04-23 17:07:34] [debug] The following was performed:
Installed Files:
    /etc/pki-ca/CS.cfg
    ...
    /var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar
Removed Items:
    /etc/pki-ca/noise
    /etc/pki-ca/pfile
[2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart pki-cad at pki-ca.service)
[2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart pki-cad at pki-ca.service"), exit status=1 output="Job failed. See system logs and 'systemctl status' for details."
[2012-04-23 17:07:34] [log] Configuration Wizard listening on https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs
[2012-04-23 17:07:34] [log] After configuration, the server can be operated by the command: /bin/systemctl restart pki-cad at pki-ca.service
[root at ipa ~]#

[root at ipa system]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!

Are you sure you want to continue with the uninstall procedure? [no]: y
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA directory server
[root at ipa system]#
[root at ipa system]#
[root at ipa system]# > /var/log/audit/audit.log
[root at ipa system]#
[root at ipa system]#
[root at ipa system]# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
.
Example: master.example.com.

Server host name [ipa.mtnirancell.ir]:

Warning: skipping DNS resolution of host ipa.mtnirancell.ir
The domain name has been calculated based on the host name.

Please confirm the domain name [mtnirancell.ir]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [MTNIRANCELL.IR]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder:
No DNS forwarders configured
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [58.131.10.in-addr.arpa.]:
Using reverse zone 58.131.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      ipa.mtnirancell.ir
IP address:    10.131.58.43
Domain name:   mtnirancell.ir
Realm name:    MTNIRANCELL.IR

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  58.131.10.in-addr.arpa.

Continue to configure the system with these values? [no]: y

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 minutes 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 33 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa.mtnirancell.ir' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-gEoCj_' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'OiqLyU0CQxx8MRRZpuGs' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root at localhost' '-admin_XXXXXXXX' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=MTNIRANCELL.IR' '-ldap_host' 'ipa.mtnirancell.ir' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_XXXXXXXX' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=MTNIRANCELL.IR' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=MTNIRANCELL.IR' '-ca_server_cert_subject_name' 'CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=MTNIRANCELL.IR' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=MTNIRANCELL.IR' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255

Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed

[root at ipa system]# cat /var/log/audit/audit.log
type=SERVICE_START msg=audit(1335685711.759:154): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ntpd" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1335685715.634:155): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1335685716.195:156): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1335685716.195:157): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1335685716.270:158): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
[root at ipa system]#

shabahang

________________________________
From: Rob Crittenden
To: shabahang elmian
Cc: "freeipa-users at redhat.com"
Sent: Monday, April 23, 2012 8:16 PM
Subject: Re: [Freeipa-users] Error in Installation - unable to create CA

shabahang elmian wrote:
> Hello,
> There is a problem on configuring FreeIPA.
> would you please help.
>
> please find following :
>
>     2012-04-23 12:38:53,812 DEBUG duration: 5 seconds
>     2012-04-23 12:38:53,812 DEBUG [3/17]: configuring certificate server
>     instance
>     2012-04-23 12:38:56,227 DEBUG args=/usr/bin/perl /usr/bin/pkisilent
>     ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445
>     -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX
>     -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin
>     -admin_email root at localhost -admin_password XXXXXXXX -agent_name
>     ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>     -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host
>     ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager
>     -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
>     2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
>     -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
>     -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
>     -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
>     -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
>     -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
>     -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
>     -external false -clone false
>     2012-04-23 12:38:56,228 DEBUG stdout=libpath=/usr/lib64
>     #######################################################################
>     CRYPTO INIT WITH CERTDB:/tmp/tmp-d9LkHR
>     tokenpwd:XXXXXXXX
>     #############################################
>     Attempting to connect to: ipa.mtnirancell.ir:9445
>     Exception in LoginPanel(): java.lang.NullPointerException
>     ERROR: ConfigureCA: LoginPanel() failure
>     ERROR: unable to create CA
>     #######################################################################
>     2012-04-23 12:38:56,228 DEBUG stderr=Exception: Unable to Send
>     Request:java.net.ConnectException: Connection refused
>     java.net.ConnectException: Connection refused
>     at java.net.PlainSocketImpl.socketConnect(Native Method)
>     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
>     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
>     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
>     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
>     at java.net.Socket.connect(Socket.java:546)
>     at java.net.Socket.connect(Socket.java:495)
>     at java.net.Socket.(Socket.java:392)
>     at java.net.Socket.(Socket.java:235)
>     at HTTPClient.sslConnect(HTTPClient.java:326)
>     at ConfigureCA.LoginPanel(ConfigureCA.java:244)
>     at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>     at ConfigureCA.main(ConfigureCA.java:1672)
>     java.lang.NullPointerException
>     at ConfigureCA.LoginPanel(ConfigureCA.java:245)
>     at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>     at ConfigureCA.main(ConfigureCA.java:1672)
>
>     2012-04-23 12:38:56,229 CRITICAL failed to configure ca instance
>     Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>     ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR
>     -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA
>     -domain_name IPA -admin_user admin -admin_email root at localhost
>     -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size
>     2048 -agent_key_type rsa -agent_cert_subject
>     CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir
>     -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
>     XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type
>     rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
>     -subsystem_name pki-cad -token_name internal
>     -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
>     -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
>     -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
>     -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
>     -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
>     -external false -clone false' returned non-zero exit status 255
>     2012-04-23 12:38:56,266 DEBUG Configuration of CA failed
>       File "/usr/sbin/ipa-server-install", line 1173, in
>         rval = main()
>
>       File "/usr/sbin/ipa-server-install", line 974, in main
>         subject_base=options.subject)
>
>       File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
>         self.start_creation("Configuring certificate server", 210)
>
>       File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
>         method()
>
>       File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 677, in __configure_instance
>         raise RuntimeError('Configuration of CA failed')
>
> please note :
>
>     [root at ipa ~]# uname -a
>     Linux ipa.mtnirancell.ir 3.3.2-6.fc16.x86_64 #1 SMP Sat Apr 21
>
12:43:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>    [root at ipa ~]# cat /etc/redhat-release
>    Fedora release 16 (Verne)
>    [root at ipa ~]#

It would appear that the CA silent installer (pki-silent) couldn't talk to the CA. There are more logs in /var/log/pki-ca that may hold more information on why. You might also want to look for any new AVCs in /var/log/audit/audit.log. regards rob

_______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

From mkosek at redhat.com Wed May 2 13:28:49 2012 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 02 May 2012 15:28:49 +0200 Subject: [Freeipa-users] ipa-client install error In-Reply-To: <4FA06458.2070904@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA06458.2070904@redhat.com> Message-ID: <1335965329.7781.9.camel@balmora.brq.redhat.com>

On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote: > On 05/01/2012 06:15 PM, Steven Jones wrote: > > So this opens a chicken and egg? > > > > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I cant upgrade the clients until after the servers are done....if so that is a huge and ugly looking task that is one way..... > > > > Yes this is a serious problem. Thank you for uncovering it. > Current plan is to: provide a fix for the older clients to be able to > connect to 2.2 via errata. > Make sure that the 2.2 client can connect to the 2.1 server. > > Thanks > Dmitri

I am working on a patch for ipa-client-install which should make it capable of joining an older IPA server.
BTW, I always thought that the proper upgrade scenario is to upgrade the servers to the new version first and then upgrade the clients. The issue here is that the new IPA clients won't be able to use "ipa" command to control the old server because they have a higher API version and the old server would not support it. The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2) should be OK as we maintain backwards compatibility. Martin From rcritten at redhat.com Wed May 2 13:44:57 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 02 May 2012 09:44:57 -0400 Subject: [Freeipa-users] ipa-client install error In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4FA13A59.4050806@redhat.com> Steven Jones wrote: > So this opens a chicken and egg? > > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I cant upgrade the clients until after the servers are done....if so that is a huge and ugly looking task that is one way.... No, that's not the problem at all. Enrolled clients will work as expected. New 6.3 clients can enroll with a 6.3 server. Based on the log it looks like a 6.3 client can't enroll with a 6.2 server but I'm still investigating. We'll fix it if needed. rob > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 2 May 2012 1:19 a.m. 
> To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] ipa-client install error > > Steven Jones wrote: >> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I cant correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error. >> >> ============== >> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir >> Discovery was successful! >> Hostname: rhel664ws01.ods.vuw.ac.nz >> Realm: ODS.VUW.AC.NZ >> DNS Domain: ods.vuw.ac.nz >> IPA Server: vuwunicoipam002.ods.vuw.ac.nz >> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz >> >> >> Continue to configure the system with these values? [no]: yes >> User authorized to enroll computers: admjonesst1 >> Synchronizing time with KDC... >> Unable to sync time with IPA NTP server, assuming the time is in sync. >> Password for admjonesst1 at ODS.VUW.AC.NZ: >> >> Enrolled in IPA realm ODS.VUW.AC.NZ >> Created /etc/ipa/default.conf >> Unable to activate the SSH service in SSSD config. >> Please make sure you have SSSD built with SSH support installed. >> Configure SSH support manually in /etc/sssd/sssd.conf. 
>> Configured /etc/sssd/sssd.conf >> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ >> Traceback (most recent call last): >> File "/usr/sbin/ipa-client-install", line 1534, in >> sys.exit(main()) >> File "/usr/sbin/ipa-client-install", line 1521, in main >> rval = install(options, env, fstore, statestore) >> File "/usr/sbin/ipa-client-install", line 1358, in install >> api.Backend.xmlclient.connect() >> File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect >> conn = self.create_connection(*args, **kw) >> File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection >> raise errors.KerberosError(major=str(krberr), minor='') >> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/ >> [root at rhel664ws01 ~]# >> =========== >> >> Is this expected when trying to connect 6.3beta? ie its simply not compatible? >> > > The newer 2.2 client cannot connect to an older 2.1 server because it > isn't going to send the TGT that the 2.1 server requires. We should > handle this better, I've opened a ticket to track this: > https://fedorahosted.org/freeipa/ticket/2697 > > rob > From mkosek at redhat.com Wed May 2 13:52:40 2012 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 02 May 2012 15:52:40 +0200 Subject: [Freeipa-users] ipa-client install error In-Reply-To: <4FA13A59.4050806@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA13A59.4050806@redhat.com> Message-ID: <1335966760.7781.15.camel@balmora.brq.redhat.com> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote: > Steven Jones wrote: > > So this opens a chicken and egg? > > > > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? 
but I cant upgrade the clients until after the servers are done....if so that is a huge and ugly looking task that is one way.... > > No, that's not the problem at all. Enrolled clients will work as > expected. New 6.3 clients can enroll with a 6.3 server. Based on the log > it looks like a 6.3 client can't enroll with a 6.2 server but I'm still > investigating. We'll fix it if needed. > > rob

I just sent a patch for this issue to freeipa-devel list. The problem was in the TGT forwarding as mentioned earlier in this thread. The patched client can now join an older IPA server. But ipa command still won't work properly as its API is higher than the server's. Martin

> > > > > regards > > > > Steven Jones > > > > Technical Specialist - Linux RHCE > > > > Victoria University, Wellington, NZ > > > > 0064 4 463 6272 > > > > ________________________________________ > > From: Rob Crittenden [rcritten at redhat.com] > > Sent: Wednesday, 2 May 2012 1:19 a.m. > > To: Steven Jones > > Cc: freeipa-users at redhat.com > > Subject: Re: [Freeipa-users] ipa-client install error > > > > Steven Jones wrote: > >> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I cant correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error. > >> > >> ============== > >> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir > >> Discovery was successful! > >> Hostname: rhel664ws01.ods.vuw.ac.nz > >> Realm: ODS.VUW.AC.NZ > >> DNS Domain: ods.vuw.ac.nz > >> IPA Server: vuwunicoipam002.ods.vuw.ac.nz > >> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz > >> > >> > >> Continue to configure the system with these values? [no]: yes > >> User authorized to enroll computers: admjonesst1 > >> Synchronizing time with KDC... > >> Unable to sync time with IPA NTP server, assuming the time is in sync.
> >> Password for admjonesst1 at ODS.VUW.AC.NZ: > >> > >> Enrolled in IPA realm ODS.VUW.AC.NZ > >> Created /etc/ipa/default.conf > >> Unable to activate the SSH service in SSSD config. > >> Please make sure you have SSSD built with SSH support installed. > >> Configure SSH support manually in /etc/sssd/sssd.conf. > >> Configured /etc/sssd/sssd.conf > >> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ > >> Traceback (most recent call last): > >> File "/usr/sbin/ipa-client-install", line 1534, in > >> sys.exit(main()) > >> File "/usr/sbin/ipa-client-install", line 1521, in main > >> rval = install(options, env, fstore, statestore) > >> File "/usr/sbin/ipa-client-install", line 1358, in install > >> api.Backend.xmlclient.connect() > >> File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect > >> conn = self.create_connection(*args, **kw) > >> File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection > >> raise errors.KerberosError(major=str(krberr), minor='') > >> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/ > >> [root at rhel664ws01 ~]# > >> =========== > >> > >> Is this expected when trying to connect 6.3beta? ie its simply not compatible? > >> > > > > The newer 2.2 client cannot connect to an older 2.1 server because it > > isn't going to send the TGT that the 2.1 server requires. We should > > handle this better, I've opened a ticket to track this: > > https://fedorahosted.org/freeipa/ticket/2697 > > > > rob > >

From matt at mldserviceslex.com Wed May 2 13:52:50 2012 From: matt at mldserviceslex.com (Matthew Davidson) Date: Wed, 2 May 2012 09:52:50 -0400 Subject: [Freeipa-users] red hat 5 install.
red hat 5 and 6 compatability Message-ID:

Greetings, Trying to get a Red Hat 5.8 server installed as a client to my Red Hat 6 server. The first problem was at the install.
yum install ipa-client ipa-admintools
No ipa-admintools! The RHEL5 system is registered with Red Hat and I have searched the web. But I went ahead with the installation and I have joined RHEL5 to the domain. From the command line. kinit mdavidson will log in.
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mdavidson at EXAMPLE.COM
Looks good but I cannot setup ssh and ssh is essential. I assume it's because I cannot perform this part of the steps. http://bit.ly/Ivxxwj : Procedure 1.5. To configure a Red Hat Enterprise Linux 5 IPA client for incoming SSH connections: The IPA client installation process configures the NTP service by default, but you should ensure that time on the IPA client and server is synchronized. If it is not, run the following commands on the IPA client:
# service ntpd stop
# ntpdate -s -p 8 -u ipaserver.example.com
# service ntpd start
Note
The ntpdate command does not work if ntpd is running.
Obtain a Kerberos ticket for the admin user.
# kinit admin
Add a host service principal on the IPA client.
# ipa-addservice host/ipaclient.example.com (My error is -bash: ipa: command not found)
Retrieve the keytab.
# ipa-getkeytab -s ipaserver.example.com -p host/ipaclient.example.com -k /etc/krb5.keytab (My error is -bash: ipa: command not found)
From RHEL5 /var/log/secure:
May  1 14:09:41 wkylexsys21 sshd[2984]: Invalid user mdavidson from 192.168.1.110
May  1 14:09:41 wkylexsys21 sshd[2985]: input_userauth_request: invalid user mdavidson
May  1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; user unknown
May  1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
May  1 14:09:46 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May  1 14:09:48 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
May  1 14:10:04 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
May  1 14:10:09 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; user unknown
May  1 14:10:09 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May  1 14:10:10 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
May  1 14:10:22 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; user unknown
May  1 14:10:22 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May  1 14:10:24 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
DNS works. ntpd is running. I checked all the configuration files. I have searched with no luck for ipa-admintools for Red Hat 5 and I'm sure this is why I cannot run the ipa commands in step 1.5. What am I missing? Any thoughts or suggestions? Thanks Matt

From jhrozek at redhat.com Wed May 2 14:07:42 2012 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 2 May 2012 16:07:42 +0200 Subject: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability In-Reply-To: References: Message-ID: <20120502140742.GD3469@zeppelin.brq.redhat.com>

On Wed, May 02, 2012 at 09:52:50AM -0400, Matthew Davidson wrote: > > Greetings, > Trying to get a Red Hat 5.8 server installed as a client to my Red Hat 6 server. > The first problem was at the install. > yum install ipa-client ipa-admintools > No ipa-admintools! The RHEL5 system is registered with Red Hat and I have searched the web. > But I went ahead with the installation and I have joined RHEL5 to the domain. > From the command line.
> kinit mdavidson will log in.
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: mdavidson at EXAMPLE.COM
> Looks good but I cannot setup ssh and ssh is essential. > I assume it's because I cannot perform this part of the steps. > http://bit.ly/Ivxxwj :

Is your server IPAv1 or v2? The documentation link you provided points to v1 documentation. IIRC IPAv1 is not supported anymore.. Here is a link to the IPAv2 docs: https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/setting-up-clients.html

From matt at mldserviceslex.com Wed May 2 12:55:03 2012 From: matt at mldserviceslex.com (Matthew Davidson) Date: Wed, 2 May 2012 08:55:03 -0400 Subject: [Freeipa-users] red hat 5 and red hat 6 compatability Message-ID:

Greetings, Trying to get a Red Hat 5.8 server installed as a client to my Red Hat 6 server. The first problem was at the install.
yum install ipa-client ipa-admintools
No ipa-admintools! The RHEL5 system is registered with Red Hat and I have searched the web. But I went ahead with the installation and I have joined RHEL5 to the domain. From the command line. kinit mdavidson will log in.
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mdavidson at EXAMPLE.COM
Looks good but I cannot setup ssh and ssh is essential. I assume it's because I cannot perform this part of the steps. http://bit.ly/Ivxxwj : Procedure 1.5. To configure a Red Hat Enterprise Linux 5 IPA client for incoming SSH connections: The IPA client installation process configures the NTP service by default, but you should ensure that time on the IPA client and server is synchronized. If it is not, run the following commands on the IPA client:
# service ntpd stop
# ntpdate -s -p 8 -u ipaserver.example.com
# service ntpd start
Note
The ntpdate command does not work if ntpd is running.
Obtain a Kerberos ticket for the admin user.
# kinit admin
Add a host service principal on the IPA client.
# ipa-addservice host/ipaclient.example.com (My error is -bash: ipa: command not found)
Retrieve the keytab.
# ipa-getkeytab -s ipaserver.example.com -p host/ipaclient.example.com -k /etc/krb5.keytab (My error is -bash: ipa: command not found)
From RHEL5 /var/log/secure:
May 1 14:09:41 wkylexsys21 sshd[2984]: Invalid user mdavidson from 192.168.1.110
May 1 14:09:41 wkylexsys21 sshd[2985]: input_userauth_request: invalid user mdavidson
May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; user unknown
May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
May 1 14:09:46 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May 1 14:09:48 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
May 1 14:10:04 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
May 1 14:10:09 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; user unknown
May 1 14:10:09 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May 1 14:10:10 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
May 1 14:10:22 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; user unknown
May 1 14:10:22 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May 1 14:10:24 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
DNS works. ntpd is running. I checked all the configuration files. I have searched for ipa-admintools and I'm sure this is why I cannot run the ipa commands in step 1.5. What am I missing? Any thoughts or suggestions? Matt
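The /var/log/secure lines in this post carry the signature of a user that sshd cannot resolve through NSS rather than of a wrong password: "Invalid user" and "pam_succeed_if(sshd:auth): error retrieving information about user" appear before every "Failed password". The following POSIX shell script is an added example, not code from this thread or from FreeIPA: it separates those lookup failures from ordinary credential failures in sshd log text, lists the affected users, and re-checks each of them with getent passwd on the client. The sample log, host name, user names and addresses are constructed from the lines in the post and are not a real capture.

```shell
#!/bin/sh
# Added example (not code from this thread or from FreeIPA): triage sshd login
# failures on an IPA-enrolled client. On such a host "Invalid user X" followed by
# "pam_succeed_if(sshd:auth): error retrieving information about user X" means the
# NSS lookup for X failed (sssd/nsswitch not answering), which is a different
# problem from a wrong password for a user the system does know.

# Constructed sample log, modelled on the /var/log/secure lines quoted in the post
# (host name, user names and addresses are placeholders, not a real capture).
SAMPLE_SECURE_LOG='May  1 14:09:41 wkylexsys21 sshd[2984]: Invalid user mdavidson from 192.168.1.110
May  1 14:09:41 wkylexsys21 sshd[2985]: input_userauth_request: invalid user mdavidson
May  1 14:09:46 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May  1 14:09:48 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
May  1 14:12:03 wkylexsys21 sshd[3011]: Failed password for jdoe from 192.168.1.120 port 40022 ssh2
May  1 14:12:30 wkylexsys21 sshd[3015]: Accepted publickey for jdoe from 192.168.1.120 port 40030 ssh2'

# unknown_users: read sshd log text on stdin, print each user name the host could
# not resolve through NSS, once per name, sorted.
unknown_users() {
    awk '/sshd\[[0-9]+\]: Invalid user / { print $(NF-2) }
         /pam_succeed_if\(sshd:auth\): error retrieving information about user / { print $NF }' |
        sort -u
}

# summarize_sshd_log: read sshd log text on stdin and print one line
# "lookup_failures=N bad_password=N accepted=N". A "Failed password for invalid
# user" line is the consequence of the lookup failure already counted, so it is
# not counted again as a credential failure.
summarize_sshd_log() {
    awk '
        /sshd\[[0-9]+\]: Invalid user /                      { lookup++; next }
        /Failed password for invalid user /                  { next }
        /Failed password for /                               { badpw++; next }
        /Accepted (password|publickey|gssapi-with-mic) for / { ok++; next }
        END { printf "lookup_failures=%d bad_password=%d accepted=%d\n", lookup, badpw, ok }'
}

# nss_resolves USER: succeed only if the local NSS stack (and so sssd or nss_ldap
# on an IPA client) can resolve USER. This is the "getent passwd" check from the
# thread; it must be run on the client that refuses the login, not on the server.
nss_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Stand-alone run: summarise the sample, then re-check every unresolved user now.
printf '%s\n' "$SAMPLE_SECURE_LOG" | summarize_sshd_log
for u in $(printf '%s\n' "$SAMPLE_SECURE_LOG" | unknown_users); do
    if nss_resolves "$u"; then
        echo "$u: resolves now; the earlier failures may have been a transient sssd outage"
    else
        echo "$u: not resolvable via NSS; check /etc/nsswitch.conf and the sssd service on this client"
    fi
done
```

To run it against a real client, replace the sample with `summarize_sshd_log </var/log/secure` and `unknown_users </var/log/secure`; a non-empty unknown-user list together with `getent passwd` returning nothing confirms that identity lookup, not the password, is what sshd is rejecting.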
From rcritten at redhat.com Wed May 2 14:17:02 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 02 May 2012 10:17:02 -0400 Subject: [Freeipa-users] red hat 5 and red hat 6 compatability In-Reply-To: References: Message-ID: <4FA141DE.1080703@redhat.com>

Matthew Davidson wrote: > Greetings, > > Trying to get a Red Hat 5.8 server installed as a client to my Red Hat 6 > server. > > The first problem was at the install. > > yum install ipa-client ipa-admintools > > *No ipa-admintools! The RHEL5 system is registered with Red Hat and I > have searched the web.*

There is no admin tools package for 5.x. Only a client enrollment script is available.

> But I went ahead with the installation and I have joined RHEL5 to the > domain. > > From the command line. > > kinit mdavidson will log in. > > klist > > Ticket cache: FILE:/tmp/krb5cc_0 > > Default principal: mdavidson at EXAMPLE.COM > > Looks good but I cannot setup ssh and ssh is essential. > > I assume it's because I cannot perform this part of the steps. > > http://bit.ly/Ivxxwj : Procedure 1.5. To configure a Red Hat Enterprise > Linux 5 IPA client for incoming SSH connections: > > The IPA client installation process configures the NTP service by > default, but you should ensure that time on the IPA client and server is > synchronized. If it is not, run the following commands on the IPA client: > > # service ntpd stop > > # ntpdate -s -p 8 -u ipaserver.example.com > > # service ntpd start > > Note > > The ntpdate command does not work if ntpd is running. > > Obtain a Kerberos ticket for the admin user. > > # kinit admin > > Add a host service principal on the IPA client. > > # ipa-addservice host/ipaclient.example.com *(My error is -bash: ipa: > command not found)* > > Retrieve the keytab. > > # ipa-getkeytab -s ipaserver.example.com -p host/ipaclient.example.com > -k /etc/krb5.keytab *(My error is -bash: ipa: command not found)*

These instructions are for IPA v1.
I don't know why you get an error message about ipa not found when running ipa- though. The client installer should have already created a host service principal. Run: klist -kt /etc/krb5.keytab to see what keys are available. When you ran ipa-client-install were any errors reported? It appears that basic nss services aren't working. Can you do: id mdavidson getent passwd mdavidson If these don't work then sssd won't either (nor anything else). rob > > From RHEL5 /var/log/secure: > > May 1 14:09:41 wkylexsys21 sshd[2984]: Invalid user mdavidson from > 192.168.1.110 > > May 1 14:09:41 wkylexsys21 sshd[2985]: input_userauth_request: invalid > user mdavidson > > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; > user unknown > > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > rhost=rhel6.example.com > > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error > retrieving information about user mdavidson > > May 1 14:09:48 wkylexsys21 sshd[2984]: Failed password for invalid user > mdavidson from 192.168.1.110 port 58959 ssh2 > > May 1 14:10:04 wkylexsys21 sshd[2984]: Failed password for invalid user > mdavidson from 192.168.1.110 port 58959 ssh2 > > May 1 14:10:09 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; > user unknown > > May 1 14:10:09 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error > retrieving information about user mdavidson > > May 1 14:10:10 wkylexsys21 sshd[2984]: Failed password for invalid user > mdavidson from 192.168.1.110 port 58959 ssh2 > > May 1 14:10:22 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; > user unknown > > May 1 14:10:22 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error > retrieving information about user mdavidson > > May 1 14:10:24 wkylexsys21 sshd[2984]: Failed password for invalid user > mdavidson from 192.168.1.110 port 58959 ssh2 > > DNS works. > > ntpd is running. 
> > I checked all the configuration files. > > I have searched for ipa-admintools and I'm sure this is why I cannot run > the ipa commands in step 1.5. > > What am I missing? Any thoughts or suggestions? > > Matt > > > >

From matt at mldserviceslex.com Wed May 2 14:31:08 2012 From: matt at mldserviceslex.com (Matthew Davidson) Date: Wed, 2 May 2012 10:31:08 -0400 Subject: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability In-Reply-To: <20120502140742.GD3469@zeppelin.brq.redhat.com> References: , <20120502140742.GD3469@zeppelin.brq.redhat.com> Message-ID:

Sorry about not supplying the versions! On the redhat 6.2 server:
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
Red Hat 5.8:
ipa-client-2.1.3-1.el5
I have looked over various documents and not had much luck. Thanks Matt

---------------------------------------- > Date: Wed, 2 May 2012 16:07:42 +0200 > From: jhrozek at redhat.com > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability > > On Wed, May 02, 2012 at 09:52:50AM -0400, Matthew Davidson wrote: > > > > Greetings, > > Trying to get a Red Hat 5.8 server installed as a client to my Red Hat 6 server. > > The first problem was at the install. > > yum install ipa-client ipa-admintools > > No ipa-admintools! The RHEL5 system is registered with Red Hat and I have searched the web. > > But I went ahead with the installation and I have joined RHEL5 to the domain. > > From the command line. > > kinit mdavidson will log in. > > klist > > Ticket cache: FILE:/tmp/krb5cc_0 > > Default principal: mdavidson at EXAMPLE.COM > > Looks good but I cannot setup ssh and ssh is essential. > > I assume it's because I cannot perform this part of the steps. > > http://bit.ly/Ivxxwj : > > Is your server IPAv1 or v2?
The documentation link you provided points > to v1 documentation. > > IIRC IPAv1 is not supported anymore.. > > Here is a link to the IPAv2 docs: > https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/setting-up-clients.html > >

From matt at mldserviceslex.com Wed May 2 14:37:33 2012 From: matt at mldserviceslex.com (Matthew Davidson) Date: Wed, 2 May 2012 10:37:33 -0400 Subject: [Freeipa-users] red hat 5 and red hat 6 compatability In-Reply-To: <4FA141DE.1080703@redhat.com> References: , <4FA141DE.1080703@redhat.com> Message-ID:

"Run: klist -kt /etc/krb5.keytab to see what keys are available." It shows the master server and itself.
"When you ran ipa-client-install were any errors reported?" None
It appears that basic nss services aren't working. Can you do:
id mdavidson
id: mdavidson: No such user
getent passwd mdavidson
returns nothing.
Thanks Matt

---------------------------------------- > Date: Wed, 2 May 2012 10:17:02 -0400 > From: rcritten at redhat.com > To: matt at mldserviceslex.com > CC: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability > > Matthew Davidson wrote: > > Greetings, > > > > Trying to get a Red Hat 5.8 server installed as a client to my Red Hat 6 > > server. > > > > The first problem was at the install. > > > > yum install ipa-client ipa-admintools > > > > *No ipa-admintools! The RHEL5 system is registered with Red Hat and I > > have searched the web.* > > There is no admin tools package for 5.x. Only a client enrollment script > is available. > > > But I went ahead with the installation and I have joined RHEL5 to the > > domain. > > > > From the command line. > > > > kinit mdavidson will log in.
> > > > klist > > > > Ticket cache: FILE:/tmp/krb5cc_0 > > > > Default principal: mdavidson at EXAMPLE.COM > > > > Looks good but I cannot setup ssh and ssh is essential. > > > > I assume it's because I cannot perform this part of the steps. > > > > http://bit.ly/Ivxxwj : Procedure 1.5. To configure a Red Hat Enterprise > > Linux 5 IPA client for incoming SSH connections: > > > > The IPA client installation process configures the NTP service by > > default, but you should ensure that time on the IPA client and server is > > synchronized. If it is not, run the following commands on the IPA client: > > > > # service ntpd stop > > > > # ntpdate -s -p 8 -u ipaserver.example.com > > > > # service ntpd start > > > > Note > > > > The ntpdate command does not work if ntpd is running. > > > > Obtain a Kerberos ticket for the admin user. > > > > # kinit admin > > > > Add a host service principal on the IPA client. > > > > # ipa-addservice host/ipaclient.example.com *(My error is -bash: ipa: > > command not found)* > > > > Retrieve the keytab. > > > > # ipa-getkeytab -s ipaserver.example.com -p host/ipaclient.example.com > > -k /etc/krb5.keytab *(My error is -bash: ipa: command not found)* > > These instructions are for IPA v1. I don't know why you get an error > message about ipa not found when running ipa- though. > > The client installer should have already created a host service > principal. Run: klist -kt /etc/krb5.keytab to see what keys are available. > > When you ran ipa-client-install were any errors reported? > > It appears that basic nss services aren't working. Can you do: > > id mdavidson > getent passwd mdavidson > > If these don't work then sssd won't either (nor anything else).
> > rob > > > > > From RHEL5 /var/log/secure: > > > > May 1 14:09:41 wkylexsys21 sshd[2984]: Invalid user mdavidson from > > 192.168.1.110 > > > > May 1 14:09:41 wkylexsys21 sshd[2985]: input_userauth_request: invalid > > user mdavidson > > > > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; > > user unknown > > > > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): > > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > > rhost=rhel6.example.com > > > > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error > > retrieving information about user mdavidson > > > > May 1 14:09:48 wkylexsys21 sshd[2984]: Failed password for invalid user > > mdavidson from 192.168.1.110 port 58959 ssh2 > > > > May 1 14:10:04 wkylexsys21 sshd[2984]: Failed password for invalid user > > mdavidson from 192.168.1.110 port 58959 ssh2 > > > > May 1 14:10:09 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; > > user unknown > > > > May 1 14:10:09 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error > > retrieving information about user mdavidson > > > > May 1 14:10:10 wkylexsys21 sshd[2984]: Failed password for invalid user > > mdavidson from 192.168.1.110 port 58959 ssh2 > > > > May 1 14:10:22 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; > > user unknown > > > > May 1 14:10:22 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error > > retrieving information about user mdavidson > > > > May 1 14:10:24 wkylexsys21 sshd[2984]: Failed password for invalid user > > mdavidson from 192.168.1.110 port 58959 ssh2 > > > > DNS works. > > > > ntpd is running. > > > > I checked all the configuration files. > > > > I have searched for ipa-admintools and I?m sure this is why I cannot run > > the ipa commands in step 1.5. > > > > What am I missing? Any thoughts or suggestions? 
> > > > Matt > > > > > > > >

From matt at mldserviceslex.com Wed May 2 15:10:20 2012 From: matt at mldserviceslex.com (Matthew Davidson) Date: Wed, 2 May 2012 11:10:20 -0400 Subject: [Freeipa-users] red hat 5 and red hat 6 compatability In-Reply-To: <4FA141DE.1080703@redhat.com> References: , <4FA141DE.1080703@redhat.com> Message-ID:

To clarify one point. I used the current redhat documents to setup the two systems.
Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
SSH does not seem to be discussed and that is when I started web surfing in an attempt to fix my problem before reaching out for help. thanks, Matt

---------------------------------------- > Date: Wed, 2 May 2012 10:17:02 -0400 > From: rcritten at redhat.com > To: matt at mldserviceslex.com > CC: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability > > Matthew Davidson wrote: > > Greetings, > > > > Trying to get a Red Hat 5.8 server installed as a client to my Red Hat 6 > > server. > > > > The first problem was at the install. > > > > yum install ipa-client ipa-admintools > > > > *No ipa-admintools! The RHEL5 system is registered with Red Hat and I > > have searched the web.* > > There is no admin tools package for 5.x. Only a client enrollment script > is available. > > > But I went ahead with the installation and I have joined RHEL5 to the > > domain. > > > > From the command line. > > > > kinit mdavidson will log in. > > > > klist > > > > Ticket cache: FILE:/tmp/krb5cc_0 > > > > Default principal: mdavidson at EXAMPLE.COM > > > > Looks good but I cannot setup ssh and ssh is essential. > > > > I assume it's because I cannot perform this part of the steps. > > > > http://bit.ly/Ivxxwj : Procedure 1.5.
To configure a Red Hat Enterprise > > Linux 5 IPA client for incoming SSH connections: > > > > The IPA client installation process configures the NTP service by > > default, but you should ensure that time on the IPA client and server is > > synchronized. If it is not, run the following commands on the IPA client: > > > > # service ntpd stop > > > > # ntpdate -s -p 8 -u ipaserver.example.com > > > > # service ntpd start > > > > Note > > > > The ntpdate command does not work if ntpd is running. > > > > Obtain a Kerberos ticket for the admin user. > > > > # kinit admin > > > > Add a host service principal on the IPA client. > > > > # ipa-addservice host/ipaclient.example.com *(My error is -bash: ipa: > > command not found)* > > > > Retrieve the keytab. > > > > # ipa-getkeytab -s ipaserver.example.com -p host/ipaclient.example.com > > -k /etc/krb5.keytab *(My error is -bash: ipa: command not found)* > > These instructions are for IPA v1. I don't know why you get an error > message about ipa not found when running ipa- though. > > The client installer should have already created a host service > principal. Run: klist -kt /etc/krb5.keytab to see what keys are available. > > When you ran ipa-client-install were any errors reported? > > It appears that basic nss services aren't working. Can you do: > > id mdavidson > getent passwd mdavidson > > If these don't work then sssd won't either (nor anything else). 
> > rob > > > > > From RHEL5 /var/log/secure: > > > > May 1 14:09:41 wkylexsys21 sshd[2984]: Invalid user mdavidson from > > 192.168.1.110 > > > > May 1 14:09:41 wkylexsys21 sshd[2985]: input_userauth_request: invalid > > user mdavidson > > > > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; > > user unknown > > > > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): > > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > > rhost=rhel6.example.com > > > > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error > > retrieving information about user mdavidson > > > > May 1 14:09:48 wkylexsys21 sshd[2984]: Failed password for invalid user > > mdavidson from 192.168.1.110 port 58959 ssh2 > > > > May 1 14:10:04 wkylexsys21 sshd[2984]: Failed password for invalid user > > mdavidson from 192.168.1.110 port 58959 ssh2 > > > > May 1 14:10:09 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; > > user unknown > > > > May 1 14:10:09 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error > > retrieving information about user mdavidson > > > > May 1 14:10:10 wkylexsys21 sshd[2984]: Failed password for invalid user > > mdavidson from 192.168.1.110 port 58959 ssh2 > > > > May 1 14:10:22 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; > > user unknown > > > > May 1 14:10:22 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error > > retrieving information about user mdavidson > > > > May 1 14:10:24 wkylexsys21 sshd[2984]: Failed password for invalid user > > mdavidson from 192.168.1.110 port 58959 ssh2 > > > > DNS works. > > > > ntpd is running. > > > > I checked all the configuration files. > > > > I have searched for ipa-admintools and I'm sure this is why I cannot run > > the ipa commands in step 1.5. > > > > What am I missing? Any thoughts or suggestions?
> > > > Matt > > > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > -------------- next part -------------- An HTML attachment was scrubbed... URL:

From jhrozek at redhat.com Wed May 2 15:22:35 2012 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 2 May 2012 17:22:35 +0200 Subject: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability In-Reply-To: References: <20120502140742.GD3469@zeppelin.brq.redhat.com> Message-ID: <20120502152234.GF3469@zeppelin.brq.redhat.com>

On Wed, May 02, 2012 at 10:31:08AM -0400, Matthew Davidson wrote:
>
> Sorry about not supplying the versions!
> On the redhat 6.2 server:
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> Red Hat 5.8
> ipa-client-2.1.3-1.el5
> I have looked over various documents and not had much luck.
> Thanks
> Matt

That's what I was suggesting. Your server is an IPAv2 server, but the documentation you were following was an IPAv1 document. Here is a link to the "Identity Management Guide" and the chapter that describes how to enroll a client in particular: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/setting-up-clients.html

From rcritten at redhat.com Wed May 2 15:30:52 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 02 May 2012 11:30:52 -0400 Subject: [Freeipa-users] red hat 5 and red hat 6 compatability In-Reply-To: References: , <4FA141DE.1080703@redhat.com> Message-ID: <4FA1532C.8070709@redhat.com> Matthew Davidson wrote: > To clarify one point. > > I used the current redhat documents to setup the two systems.
> > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US > > SSH does not seem to be discussed and that is when I started web surfing > in an attempt to fix my problem before reaching out for help. A host service principal is created during enrollment so no additional work should be needed for SSH to work. The problem you're having is related to the fact that user lookup services are failing. Can you look in /var/log/secure and/or /var/log/sssd/* to see if there are any errors reported regarding sssd? What options did you pass to ipa-client-install? rob From rcritten at redhat.com Wed May 2 15:34:02 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 02 May 2012 11:34:02 -0400 Subject: [Freeipa-users] Error in Installation - unable to create CA In-Reply-To: <1335942892.51335.YahooMailNeo@web161606.mail.bf1.yahoo.com> References: <1335174362.20027.YahooMailNeo@web161605.mail.bf1.yahoo.com> <4F95795D.6050507@redhat.com> <1335685874.17289.YahooMailNeo@web161602.mail.bf1.yahoo.com> <1335942892.51335.YahooMailNeo@web161606.mail.bf1.yahoo.com> Message-ID: <4FA153EA.40406@redhat.com> shabahang elmian wrote: > Hello, > I would be thankful if some one can help me to resolve the problem. We need to see /var/log/ipaserver-install.log and potentially /var/log/pki-ca/debug to determine what the problem is. It would appear that the CA process didn't start. Details on your versions of ipa-server and pki-ca would be helpful too. 
rob > > Shabahang > > ------------------------------------------------------------------------ > *From:* shabahang elmian > *To:* Rob Crittenden > *Cc:* "freeipa-users at redhat.com" > *Sent:* Sunday, April 29, 2012 12:21 PM > *Subject:* Re: [Freeipa-users] Error in Installation - unable to create CA > > [2012-04-23 17:07:32] [debug] > set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser, > pkiuser) > [2012-04-23 17:07:32] [debug] > set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser) > [2012-04-23 17:07:32] [debug] > set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser) > [2012-04-23 17:07:32] [debug] > set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser) > [2012-04-23 17:07:32] [debug] Processing PKI security modules for > '/var/lib/pki-ca' ... > [2012-04-23 17:07:32] [debug] Attempting to add hardware security > modules to system if applicable ... > [2012-04-23 17:07:32] [debug] module name: lunasa lib: > /usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST! > [2012-04-23 17:07:32] [debug] module name: nfast lib: > /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST! > [2012-04-23 17:07:32] [debug] configuring SELinux ... > [2012-04-23 17:07:34] [error] Failed setting selinux context > pki_ca_port_t for 9180. Port already defined otherwise. > [2012-04-23 17:07:34] [error] Failed setting selinux context > pki_ca_port_t for 9701. Port already defined otherwise. > [2012-04-23 17:07:34] [error] Failed setting selinux context > pki_ca_port_t for 9443. Port already defined otherwise. > [2012-04-23 17:07:34] [error] Failed setting selinux context > pki_ca_port_t for 9444. Port already defined otherwise. > [2012-04-23 17:07:34] [error] Failed setting selinux context > pki_ca_port_t for 9446. Port already defined otherwise. > [2012-04-23 17:07:34] [error] Failed setting selinux context > pki_ca_port_t for 9445. Port already defined otherwise. 
> [2012-04-23 17:07:34] [error] Failed setting selinux context > pki_ca_port_t for 9447. Port already defined otherwise. > [2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to > run semanage. > [2012-04-23 17:07:34] [debug] Running restorecon commands > [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki > [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R > /usr/share/java/pki) > [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki > [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R > /usr/share/pki) > [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca > [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R > /var/lib/pki-ca) > [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki > [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R > /var/run/pki) > [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca > [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R > /var/log/pki-ca) > [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca > [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R > /etc/pki-ca) > [2012-04-23 17:07:34] [debug] Installation manifest: > /var/lib/pki-ca/install_info > [2012-04-23 17:07:34] [debug] The following was performed: > Installed Files: > /etc/pki-ca/CS.cfg > ... > . > . > /var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar > Removed Items: > /etc/pki-ca/noise > /etc/pki-ca/pfile > > [2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart > pki-cad at pki-ca.service) > [2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart > pki-cad at pki-ca.service"), exit status=1 output="Job failed. See system > logs and 'systemctl status' for details." 
> [2012-04-23 17:07:34] [log] Configuration Wizard listening on > https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs > [2012-04-23 17:07:34] [log] After configuration, the server can be > operated by the command: > /bin/systemctl restart pki-cad at pki-ca.service > [root at ipa ~]# > > [root at ipa system]# ipa-server-install --uninstall > > This is a NON REVERSIBLE operation and will delete all data and > configuration! > > Are you sure you want to continue with the uninstall procedure? [no]: y > Shutting down all IPA services > Removing IPA client configuration > Unconfiguring ntpd > Unconfiguring CA directory server > [root at ipa system]# > [root at ipa system]# > [root at ipa system]# > /var/log/audit/audit.log > [root at ipa system]# > [root at ipa system]# > [root at ipa system]# ipa-server-install --setup-dns > > The log file for this installation can be found in > /var/log/ipaserver-install.log > ============================================================================== > This program will set up the FreeIPA Server. > > This includes: > * Configure a stand-alone CA (dogtag) for certificate management > * Configure the Network Time Daemon (ntpd) > * Create and configure an instance of Directory Server > * Create and configure a Kerberos Key Distribution Center (KDC) > * Configure Apache (httpd) > * Configure DNS (bind) > > To accept the default shown in brackets, press the Enter key. > > Existing BIND configuration detected, overwrite? [no]: y > Enter the fully qualified domain name of the computer > on which you're setting up server software. Using the form > . > Example: master.example.com. > > > Server host name [ipa.mtnirancell.ir]: > > Warning: skipping DNS resolution of host ipa.mtnirancell.ir > The domain name has been calculated based on the host name. > > Please confirm the domain name [mtnirancell.ir]: > > The kerberos protocol requires a Realm name to be defined. 
> This is typically the domain name converted to uppercase. > > Please provide a realm name [MTNIRANCELL.IR]: > Certain directory server operations require an administrative user. > This user is referred to as the Directory Manager and has full access > to the Directory for system management tasks and will be added to the > instance of directory server created for IPA. > The password must be at least 8 characters long. > > Directory Manager password: > Password (confirm): > > The IPA server requires an administrative user, named 'admin'. > This user is a regular system account used for IPA server administration. > > IPA admin password: > Password (confirm): > > Do you want to configure DNS forwarders? [yes]: > Enter the IP address of DNS forwarder to use, or press Enter to finish. > Enter IP address for a DNS forwarder: > No DNS forwarders configured > Do you want to configure the reverse zone? [yes]: > Please specify the reverse zone name [58.131.10.in-addr.arpa.]: > Using reverse zone 58.131.10.in-addr.arpa. > > The IPA Master Server will be configured with: > Hostname: ipa.mtnirancell.ir > IP address: 10.131.58.43 > Domain name: mtnirancell.ir > Realm name: MTNIRANCELL.IR > > BIND DNS server will be configured to serve IPA domain with: > Forwarders: No forwarders > Reverse zone: 58.131.10.in-addr.arpa. > > Continue to configure the system with these values? [no]: y > > The following operations may take some minutes to complete. > Please wait until the prompt is returned. > > Configuring ntpd > [1/4]: stopping ntpd > [2/4]: writing configuration > [3/4]: configuring ntpd to start on boot > [4/4]: starting ntpd > done configuring ntpd. > Configuring directory server for the CA: Estimated time 30 minutes 30 > seconds > [1/3]: creating directory server user > [2/3]: creating directory server instance > [3/3]: restarting directory server > done configuring pkids. 
> Configuring certificate server: Estimated time 33 minutes 30 seconds > [1/16]: creating certificate server user > [2/16]: configuring certificate server instance > ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl > /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa.mtnirancell.ir' > '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-gEoCj_' > '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'OiqLyU0CQxx8MRRZpuGs' > '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' > 'root at localhost' '-admin_XXXXXXXX' XXXXXXXX '-agent_name' 'ipa-ca-agent' > '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' > 'CN=ipa-ca-agent,O=MTNIRANCELL.IR' '-ldap_host' 'ipa.mtnirancell.ir' > '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_XXXXXXXX' > XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' > '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' > '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' > 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA > Subsystem,O=MTNIRANCELL.IR' '-ca_ocsp_cert_subject_name' 'CN=OCSP > Subsystem,O=MTNIRANCELL.IR' '-ca_server_cert_subject_name' > 'CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR' > '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=MTNIRANCELL.IR' > '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=MTNIRANCELL.IR' > '-external' 'false' '-clone' 'false'' returned non-zero exit status 255 > Unexpected error - see ipaserver-install.log for details: > Configuration of CA failed > [root at ipa system]# cat /var/log/audit/audit.log > type=SERVICE_START msg=audit(1335685711.759:154): pid=0 uid=0 > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' > comm="ntpd" exe="/bin/systemd" hostname=? addr=? terminal=? res=success' > type=SERVICE_START msg=audit(1335685715.634:155): pid=0 uid=0 > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' > comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? 
terminal=? > res=success' > type=SERVICE_START msg=audit(1335685716.195:156): pid=0 uid=0 > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' > comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? > res=success' > type=SERVICE_STOP msg=audit(1335685716.195:157): pid=0 uid=0 > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' > comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? > res=success' > type=SERVICE_START msg=audit(1335685716.270:158): pid=0 uid=0 > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' > comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? > res=success' > [root at ipa system]# > > shabahang > > > ------------------------------------------------------------------------ > *From:* Rob Crittenden > *To:* shabahang elmian > *Cc:* "freeipa-users at redhat.com" > *Sent:* Monday, April 23, 2012 8:16 PM > *Subject:* Re: [Freeipa-users] Error in Installation - unable to create CA > > shabahang elmian wrote: > > Hello, > > There is a problem on configuring FreeIPA. > > would you please help. 
> > > > please find following : > > > > 2012-04-23 12:38:53,812 DEBUG duration: 5 seconds > > 2012-04-23 12:38:53,812 DEBUG [3/17]: configuring certificate server > > instance > > 2012-04-23 12:38:56,227 DEBUG args=/usr/bin/perl /usr/bin/pkisilent > > ConfigureCA -cs_hostname ipa.mtnirancell.ir > > -cs_port 9445 > > -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX > > -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin > > -admin_email root at localhost -admin_password XXXXXXXX -agent_name > > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa > > -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host > > ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager > > -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size > > 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true > > -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR > > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR > > -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR > > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR > > -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR > > -external false -clone false > > 2012-04-23 12:38:56,228 DEBUG stdout=libpath=/usr/lib64 > > ####################################################################### > > CRYPTO INIT WITH CERTDB:/tmp/tmp-d9LkHR > > tokenpwd:XXXXXXXX > > ############################################# > > Attempting to connect to: ipa.mtnirancell.ir:9445 > > Exception in LoginPanel(): java.lang.NullPointerException > > ERROR: ConfigureCA: LoginPanel() failure > > ERROR: unable to create CA > > ####################################################################### > > 2012-04-23 12:38:56,228 DEBUG stderr=Exception: Unable to Send > > Request:java.net.ConnectException: Connection refused
> > java.net.ConnectException: Connection refused
> > at java.net.PlainSocketImpl.socketConnect(Native Method)
> > at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
> > at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
> > at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
> > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
> > at java.net.Socket.connect(Socket.java:546)
> > at java.net.Socket.connect(Socket.java:495)
> > at java.net.Socket.<init>(Socket.java:392)
> > at java.net.Socket.<init>(Socket.java:235)
> > at HTTPClient.sslConnect(HTTPClient.java:326)
> > at ConfigureCA.LoginPanel(ConfigureCA.java:244)
> > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> > at ConfigureCA.main(ConfigureCA.java:1672)
> > java.lang.NullPointerException
> > at ConfigureCA.LoginPanel(ConfigureCA.java:245)
> > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> > at ConfigureCA.main(ConfigureCA.java:1672)
> >
> > 2012-04-23 12:38:56,229 CRITICAL failed to configure ca instance > > Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname > > ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR > > -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA > > -domain_name IPA -admin_user admin -admin_email root at localhost > > -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size > > 2048 -agent_key_type rsa -agent_cert_subject > > CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir > > -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password > > XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type > > rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX > > -subsystem_name pki-cad -token_name internal > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR > > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR > > -ca_server_cert_subject_name
CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR > > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR > > -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR > > -external false -clone false' returned non-zero exit status 255 > > 2012-04-23 12:38:56,266 DEBUG Configuration of CA failed > > File "/usr/sbin/ipa-server-install", line 1173, in > > rval = main() > > > > File "/usr/sbin/ipa-server-install", line 974, in main > > subject_base=options.subject) > > > > File > > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > > line 537, in configure_instance > > self.start_creation("Configuring certificate server", 210) > > > > File > > "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > > line 248, in start_creation > > method() > > > > File > > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > > line 677, in __configure_instance > > raise RuntimeError('Configuration of CA failed') > > > > please note : > > > > [root at ipa ~]# uname -a > > Linux ipa.mtnirancell.ir 3.3.2-6.fc16.x86_64 #1 SMP Sat Apr 21 > > 12:43:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux > > [root at ipa ~]# cat /etc/redhat-release > > Fedora release 16 (Verne) > > [root at ipa ~]# > > It would appear that the CA silent installer (pki-silent) couldn't talk > to the CA. There are more logs in /var/log/pki-ca that may hold more > information on why. > > You might also want to look for any new AVCs in /var/log/audit/audit.log. 
> > regards > > rob > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users

From matt at mldserviceslex.com Wed May 2 16:43:43 2012 From: matt at mldserviceslex.com (Matthew Davidson) Date: Wed, 2 May 2012 12:43:43 -0400 Subject: [Freeipa-users] red hat 5 and red hat 6 compatability In-Reply-To: <4FA1532C.8070709@redhat.com> References: , <4FA141DE.1080703@redhat.com> , <4FA1532C.8070709@redhat.com> Message-ID:

Hi Rob

[root at rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: rhel6.example.com
Realm: EXAMPLE.COM
DNS Domain: EXAMPLE.COM
IPA Server: rhel6.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin at EXAMPLE.COM:

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
NTP enabled
Client configuration complete.

/var/log/secure
May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2

/var/log/sssd/ldap_child.log
(Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database

/var/log/sssd/sssd.log
(Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
(Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children

thanks for helping!
Matt

> Date: Wed, 2 May 2012 11:30:52 -0400 > From: rcritten at redhat.com > To: matt at mldserviceslex.com > CC: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability > > Matthew
Davidson wrote: > > To clarify one point. > > > > I used the current redhat documents to setup the two systems. > > > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US > > > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US > > > > SSH does not seem to be discussed and that is when I started web surfing > > in an attempt to fix my problem before reaching out for help. > > A host service principal is created during enrollment so no additional > work should be needed for SSH to work. The problem you're having is > related to the fact that user lookup services are failing. > > Can you look in /var/log/secure and/or /var/log/sssd/* to see if there > are any errors reported regarding sssd? > > What options did you pass to ipa-client-install? > > rob -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Wed May 2 17:51:15 2012 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 02 May 2012 13:51:15 -0400 Subject: [Freeipa-users] red hat 5 and red hat 6 compatability In-Reply-To: References: , <4FA141DE.1080703@redhat.com> , <4FA1532C.8070709@redhat.com> Message-ID: <4FA17413.8030805@redhat.com> On 05/02/2012 12:43 PM, Matthew Davidson wrote: > Hi Rob > > [root at rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM > --server=rhel6.example.com > DNS domain 'example.com' is not configured for automatic KDC address > lookup. > KDC address will be set to fixed value. > > Discovery was successful! > Hostname: rhel6.example.com > Realm: EXAMPLE.COM > DNS Domain: EXAMPLE.COM > IPA Server: rhel6.example.com > BaseDN: dc=example,dc=com > > Continue to configure the system with these values? [no]: yes > User authorized to enroll computers: admin > Synchronizing time with KDC... 
> Password for admin at EXAMPLE.COM: > > Enrolled in IPA realm EXAMPLE.COM > Created /etc/ipa/default.conf > Configured /etc/sssd/sssd.conf > Configured /etc/krb5.conf for IPA realm EXAMPLE.COM > SSSD enabled > *Unable to find 'admin' user with 'getent passwd admin'!* 1) Do you have admin account on IPA side? 2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW? > Recognized configuration: SSSD > Changed configuration of /etc/ldap.conf to use hardcoded server name: > rhel6.example.com > NTP enabled > Client configuration complete. > > /var/log/secure > May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5 > May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user > mdavidson > May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; > user unknown > May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com > May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error > retrieving information about user mdavidson > May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user > mdavidson from 192.168.1.5 port 52511 ssh2 > > /var/log/sssd/ldap_child.log > (Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not > found in Kerberos database > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not > found in Kerberos database > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not > found in Kerberos database > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not > found in Kerberos database > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not > found in 
Kerberos database > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not > found in Kerberos database > > /var/log/sssd/sssd.log > (Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received > Terminated: terminating children > (Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received > Terminated: terminating children > > thanks for helping! > Matt > > > Date: Wed, 2 May 2012 11:30:52 -0400 > > From: rcritten at redhat.com > > To: matt at mldserviceslex.com > > CC: freeipa-users at redhat.com > > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability > > > > Matthew Davidson wrote: > > > To clarify one point. > > > > > > I used the current redhat documents to setup the two systems. > > > > > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US > > > > > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US > > > > > > SSH does not seem to be discussed and that is when I started web > surfing > > > in an attempt to fix my problem before reaching out for help. > > > > A host service principal is created during enrollment so no additional > > work should be needed for SSH to work. The problem you're having is > > related to the fact that user lookup services are failing. > > > > Can you look in /var/log/secure and/or /var/log/sssd/* to see if there > > are any errors reported regarding sssd? > > > > What options did you pass to ipa-client-install? > > > > rob > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... 
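The ldap_child.log lines Matt posted above are the useful signal in this thread: sssd's ldap_child uses the host key in /etc/krb5.keytab to get a ticket for its LDAP bind, and "Client not found in Kerberos database" is the KDC saying it has no entry for the principal named in that keytab. When that bind never happens, every NSS lookup through sssd fails, which is why /var/log/secure shows "Invalid user" and "error retrieving information about user" for an account that exists on the server and why kinit as that user can still succeed. The script below is an added example, not code from the thread or from FreeIPA or SSSD: it takes a saved `klist -kt` listing, the ldap_child.log and /var/log/secure and reduces them to one verdict plus the principal to test by hand. The three input files it writes are constructed sample data modelled on what was posted (the keytab listing assumes MIT klist -kt layout); the verdict strings and function names are this example's own.

```shell
#!/bin/sh
# Triage for an IPA client where sshd rejects every IPA user and sssd's
# ldap_child cannot obtain a ticket. Added example; not code from the thread
# or from FreeIPA/SSSD. On a live client the inputs are:
#   klist -kt /etc/krb5.keytab          (saved to a file)
#   /var/log/sssd/ldap_child.log
#   /var/log/secure
# The three files written below are constructed sample data modelled on
# what was posted in the thread, so the script runs offline.

SAMPLE_DIR=$(mktemp -d)

# Constructed: klist -kt output for an enrolled client (one line per key).
cat > "$SAMPLE_DIR/keytab.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 05/02/12 11:30:01 host/rhel5.example.com@EXAMPLE.COM
   2 05/02/12 11:30:01 host/rhel5.example.com@EXAMPLE.COM
EOF

# Constructed: two ldap_child.log lines of the kind quoted in the thread.
cat > "$SAMPLE_DIR/ldap_child.log" <<'EOF'
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
EOF

# Constructed: /var/log/secure for one rejected ssh login.
cat > "$SAMPLE_DIR/secure" <<'EOF'
May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
EOF

# Distinct principals in the keytab listing: the last field of each entry
# line, which is the only field containing an '@'.
keytab_principals() {
    awk '$NF ~ /@/ { print $NF }' "$1" | sort -u
}

# Users that sshd could not resolve through NSS. These are lookup failures,
# not wrong passwords: the user is "invalid" only because getpwnam() failed.
unresolved_users() {
    sed -n 's/.*error retrieving information about user \([^ ]*\).*/\1/p' "$1" | sort -u
}

# The Kerberos error ldap_child reports when it cannot get a TGT from the
# host keytab (empty if the log holds no such line).
ldap_child_krb_reason() {
    sed -n 's/.*Failed to init credentials: //p' "$1" | sort -u
}

# One verdict line built from the three inputs; always returns 0 so it can
# be used in command substitution under set -e.
triage() {
    keytab=$1; ldap_child_log=$2; secure_log=$3
    principal=$(keytab_principals "$keytab" | head -n 1)
    users=$(unresolved_users "$secure_log" | awk 'NR > 1 { printf "," } { printf "%s", $0 }')
    reason=$(ldap_child_krb_reason "$ldap_child_log")

    if [ -z "$principal" ]; then
        echo "NO_HOST_KEY_IN_KEYTAB"          # enrollment never wrote a key
    elif [ -z "$users" ]; then
        echo "NO_NSS_FAILURE"                 # sshd is not the symptom here
    elif [ "$reason" = "Client not found in Kerberos database" ]; then
        # The KDC sssd reached has no entry for the keytab's principal: the
        # host was enrolled against a different KDC than krb5.conf now names,
        # or its host entry was deleted on the server. Reproduce with
        #   kinit -kt /etc/krb5.keytab "$principal"
        echo "KDC_DOES_NOT_KNOW $principal users=$users"
    elif [ -z "$reason" ]; then
        echo "NSS_FAILURE_WITHOUT_KRB_ERROR users=$users"   # read sssd_<domain>.log next
    else
        echo "OTHER_KRB_ERROR $reason users=$users"
    fi
    return 0
}

triage "$SAMPLE_DIR/keytab.txt" "$SAMPLE_DIR/ldap_child.log" "$SAMPLE_DIR/secure"
```

On a real client, save `klist -kt /etc/krb5.keytab` to a file, point the script at it and the two logs, and then confirm the verdict outside sssd with `kinit -kt /etc/krb5.keytab host/$(hostname -f)`: if that fails with the same error, compare the kdc entries under [realms] in /etc/krb5.conf with the server the host was enrolled against before touching anything else. An "Invalid user" in /var/log/secure paired with "pam_succeed_if ... error retrieving information about user" is a name-service failure, so resetting the user's password or editing sshd_config does nothing for it.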
URL: From rcritten at redhat.com Wed May 2 18:27:08 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 02 May 2012 14:27:08 -0400 Subject: [Freeipa-users] red hat 5 and red hat 6 compatability In-Reply-To: References: , <4FA141DE.1080703@redhat.com> , <4FA1532C.8070709@redhat.com> Message-ID: <4FA17C7C.2000600@redhat.com> Matthew Davidson wrote: > Hi Rob > > [root at rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM > --server=rhel6.example.com > DNS domain 'example.com' is not configured for automatic KDC address lookup. > KDC address will be set to fixed value. > > Discovery was successful! > Hostname: rhel6.example.com > Realm: EXAMPLE.COM > DNS Domain: EXAMPLE.COM > IPA Server: rhel6.example.com > BaseDN: dc=example,dc=com > > Continue to configure the system with these values? [no]: yes > User authorized to enroll computers: admin > Synchronizing time with KDC... > Password for admin at EXAMPLE.COM: > > Enrolled in IPA realm EXAMPLE.COM > Created /etc/ipa/default.conf > Configured /etc/sssd/sssd.conf > Configured /etc/krb5.conf for IPA realm EXAMPLE.COM > SSSD enabled > *Unable to find 'admin' user with 'getent passwd admin'!* > Recognized configuration: SSSD > Changed configuration of /etc/ldap.conf to use hardcoded server name: > rhel6.example.com > NTP enabled > Client configuration complete. 
>
> /var/log/secure
> May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
> May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user
> mdavidson
> May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user
> unknown
> May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
> May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error
> retrieving information about user mdavidson
> May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user
> mdavidson from 192.168.1.5 port 52511 ssh2
>
> /var/log/sssd/ldap_child.log
> (Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
> found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
> found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
> found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
> found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
> found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
> found in Kerberos database

This is the key. sssd can't connect to the IPA server due to this Kerberos
error, which is why the user information is unavailable.

Am I right to assume you have another Kerberos server (or AD) configured
using the same realm name on your network? I have the feeling sssd is
finding the wrong KDC.

rob

From matt at mldserviceslex.com Wed May 2 18:50:06 2012
From: matt at mldserviceslex.com (Matthew Davidson)
Date: Wed, 2 May 2012 14:50:06 -0400
Subject: [Freeipa-users] red hat 5 and red hat 6 compatability
In-Reply-To: <4FA17413.8030805@redhat.com>
References: , , <4FA141DE.1080703@redhat.com> , , <4FA1532C.8070709@redhat.com>, , <4FA17413.8030805@redhat.com>
Message-ID:

Dmitri,

1) Do you have admin account on IPA side?

Yes. And judging by the command below admin does log in, or am I mistaken?

[root at rhel5 ~]# kinit admin
Password for admin at EXAMPLE.COM:

[root at rhel5 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at EXAMPLE.COM

Valid starting     Expires            Service principal
05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/EXAMPLE.COM at EXAMPLE.COM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW?

No firewall. Shut those down at the first sign of trouble.

Thanks
Matt

Date: Wed, 2 May 2012 13:51:15 -0400
From: dpal at redhat.com
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability

On 05/02/2012 12:43 PM, Matthew Davidson wrote:

Hi Rob

[root at rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: rhel6.example.com
Realm: EXAMPLE.COM
DNS Domain: EXAMPLE.COM
IPA Server: rhel6.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin at EXAMPLE.COM:

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!

1) Do you have admin account on IPA side?
2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW?

Recognized configuration: SSSD
Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
NTP enabled
Client configuration complete.

/var/log/secure
May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2

/var/log/sssd/ldap_child.log
(Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database

/var/log/sssd/sssd.log
(Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
(Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children

thanks for helping!
Matt

> Date: Wed, 2 May 2012 11:30:52 -0400
> From: rcritten at redhat.com
> To: matt at mldserviceslex.com
> CC: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> Matthew Davidson wrote:
> > To clarify one point.
> >
> > I used the current redhat documents to setup the two systems.
> >
> > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
> >
> > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
> >
> > SSH does not seem to be discussed and that is when I started web surfing
> > in an attempt to fix my problem before reaching out for help.
>
> A host service principal is created during enrollment so no additional
> work should be needed for SSH to work. The problem you're having is
> related to the fact that user lookup services are failing.
>
> Can you look in /var/log/secure and/or /var/log/sssd/* to see if there
> are any errors reported regarding sssd?
>
> What options did you pass to ipa-client-install?
>
> rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

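Rob's diagnosis above (the ldap_child "Client not found in Kerberos database" failure is the cause, the sshd user-lookup failure only the symptom, and a second KDC answering for the same realm name the suspect) written up as a small triage script. This is an added example, not code posted by Rob, Dmitri or Matt; the log lines and the two krb5.conf fragments are constructed to mirror what the thread quotes, and `ad.example.com` is a made-up hostname for the "other KDC" case.

```python
"""Correlate sshd lookup failures with sssd TGT failures and check which KDC
the client is pinned to.  Added example; sample data is constructed."""
import re
from datetime import datetime

# Constructed sample lines modelled on the /var/log/secure excerpt in the thread.
SECURE_LOG = """\
May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
"""
# Constructed sample lines modelled on the /var/log/sssd/ldap_child.log excerpt.
LDAP_CHILD_LOG = """\
(Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
"""

TGT_FAILURE = "Client not found in Kerberos database"
SECURE_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                       r"\S+ sshd\[\d+\]: (?P<msg>.*)$")
LDAP_RE = re.compile(r"^\(\w{3} (?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                     r"(?P<year>\d{4})\) .*\(\d+\): (?P<msg>.*)$")
LOOKUP_RE = re.compile(r"error retrieving information about user (\S+)")


def _stamp(mon, day, time, year):
    return datetime.strptime(f"{mon} {day} {year} {time}", "%b %d %Y %H:%M:%S")


def parse_secure(text, year):
    """syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SECURE_RE.match(line)
        if m:
            events.append((_stamp(m["mon"], m["day"], m["time"], year), m["msg"]))
    return events


def parse_ldap_child(text):
    events = []
    for line in text.splitlines():
        m = LDAP_RE.match(line)
        if m:
            events.append((_stamp(m["mon"], m["day"], m["time"], m["year"]), m["msg"]))
    return events


def correlate(secure_events, ldap_events, window_s=30):
    """For each user lookup sshd/pam could not complete, count sssd TGT
    failures in the preceding window.  A non-zero count says the lookup failed
    because sssd could not authenticate to the IPA server, not because the
    user is missing from the directory."""
    findings = []
    for t_sec, msg in secure_events:
        hit = LOOKUP_RE.search(msg)
        if not hit:
            continue
        tgt = [t for t, m in ldap_events
               if TGT_FAILURE in m and 0 <= (t_sec - t).total_seconds() <= window_s]
        findings.append({"user": hit.group(1), "at": t_sec, "tgt_failures": len(tgt)})
    return findings


def check_krb5_realm(conf_text, realm, expected_kdc):
    """Read the realm's fixed kdc entries and dns_lookup_kdc from krb5.conf text
    and flag the case Rob suspects: the client reaching a KDC other than the
    IPA server it enrolled against (or being free to, via DNS SRV lookup)."""
    section, in_realm, kdcs, dns_lookup = None, False, [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key = line.split("=", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, in_realm = line[1:-1], False
        elif section == "libdefaults" and key == "dns_lookup_kdc":
            dns_lookup = line.split("=", 1)[1].strip().lower() in ("true", "yes", "1")
        elif section == "realms":
            if line.endswith("{"):
                in_realm = key == realm
            elif line == "}":
                in_realm = False
            elif in_realm and key == "kdc":
                kdcs.append(line.split("=", 1)[1].strip().split(":")[0])
    return {"kdcs": kdcs, "dns_lookup_kdc": dns_lookup,
            "kdc_mismatch": expected_kdc not in kdcs}


# Constructed krb5.conf fragments: one pinned to the enrolled IPA server, one
# pointing at a different (made-up) KDC that serves the same realm name.
KRB5_GOOD = """
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = rhel6.example.com:88
  admin_server = rhel6.example.com:749
 }
"""
KRB5_OTHER = KRB5_GOOD.replace("rhel6.example.com", "ad.example.com") \
                      .replace("dns_lookup_kdc = false", "dns_lookup_kdc = true")

if __name__ == "__main__":
    print(correlate(parse_secure(SECURE_LOG, 2012), parse_ldap_child(LDAP_CHILD_LOG)))
    print(check_krb5_realm(KRB5_GOOD, "EXAMPLE.COM", "rhel6.example.com"))
    print(check_krb5_realm(KRB5_OTHER, "EXAMPLE.COM", "rhel6.example.com"))
```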
From dpal at redhat.com Wed May 2 18:57:24 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 02 May 2012 14:57:24 -0400
Subject: [Freeipa-users] red hat 5 and red hat 6 compatability
In-Reply-To:
References: , , <4FA141DE.1080703@redhat.com> , , <4FA1532C.8070709@redhat.com>, , <4FA17413.8030805@redhat.com>
Message-ID: <4FA18394.7080507@redhat.com>

On 05/02/2012 02:50 PM, Matthew Davidson wrote:
> Dmitri,
> 1) Do you have admin account on IPA side?
>
> Yes. And judging by the command below admin does log in, or am I mistaken?
>
> [root at rhel5 ~]# kinit admin
> Password for admin at EXAMPLE.COM:
>
> [root at rhel5 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>

Is this from the client or from the server? I bet on the server.
Rob might be right that the client fails to find the right authentication
server due to the DNS configuration.

> 2) Is there a firewall between client and server? Is LDAP and LDAPS
> allowed via the FW?
>
> No firewall. Shut those down at the first sign of trouble.
>
> Thanks
> Matt
>
> ------------------------------------------------------------------------
> Date: Wed, 2 May 2012 13:51:15 -0400
> From: dpal at redhat.com
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> On 05/02/2012 12:43 PM, Matthew Davidson wrote:
>
> Hi Rob
>
> [root at rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM
> --server=rhel6.example.com
> DNS domain 'example.com' is not configured for automatic KDC
> address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: rhel6.example.com
> Realm: EXAMPLE.COM
> DNS Domain: EXAMPLE.COM
> IPA Server: rhel6.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin at EXAMPLE.COM:
>
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> SSSD enabled
> *Unable to find 'admin' user with 'getent passwd admin'!*
>
>
> 1) Do you have admin account on IPA side?
> 2) Is there a firewall between client and server? Is LDAP and LDAPS
> allowed via the FW?
>
> Recognized configuration: SSSD
> Changed configuration of /etc/ldap.conf to use hardcoded server
> name: rhel6.example.com
> NTP enabled
> Client configuration complete.
>
> /var/log/secure
> May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from
> 192.168.1.5
> May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid
> user mdavidson
> May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass;
> user unknown
> May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=rhel6.example.com
> May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error
> retrieving information about user mdavidson
> May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user
> mdavidson from 192.168.1.5 port 52511 ssh2
>
> /var/log/sssd/ldap_child.log
> (Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> not found in Kerberos database
>
> /var/log/sssd/sssd.log
> (Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor
> received Terminated: terminating children
> (Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor
> received Terminated: terminating children
>
> thanks for helping!
> Matt
>
> > Date: Wed, 2 May 2012 11:30:52 -0400
> > From: rcritten at redhat.com
> > To: matt at mldserviceslex.com
> > CC: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> >
> > Matthew Davidson wrote:
> > > To clarify one point.
> > >
> > > I used the current redhat documents to setup the two systems.
> > >
> > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
> > >
> > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
> > >
> > > SSH does not seem to be discussed and that is when I started
> web surfing
> > > in an attempt to fix my problem before reaching out for help.
> >
> > A host service principal is created during enrollment so no
> additional
> > work should be needed for SSH to work. The problem you're having is
> > related to the fact that user lookup services are failing.
> >
> > Can you look in /var/log/secure and/or /var/log/sssd/* to see if
> there
> > are any errors reported regarding sssd?
> >
> > What options did you pass to ipa-client-install?
> >
> > rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed May 2 19:52:02 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 02 May 2012 15:52:02 -0400
Subject: [Freeipa-users] Error in Installation - unable to create CA
In-Reply-To: <4FA153EA.40406@redhat.com>
References: <1335174362.20027.YahooMailNeo@web161605.mail.bf1.yahoo.com> <4F95795D.6050507@redhat.com> <1335685874.17289.YahooMailNeo@web161602.mail.bf1.yahoo.com> <1335942892.51335.YahooMailNeo@web161606.mail.bf1.yahoo.com> <4FA153EA.40406@redhat.com>
Message-ID: <4FA19062.2090000@redhat.com>

On 05/02/2012 11:34 AM, Rob Crittenden wrote:
> shabahang elmian wrote:
>> Hello,
>> I would be thankful if someone can help me to resolve the problem.
>
> We need to see /var/log/ipaserver-install.log and potentially
> /var/log/pki-ca/debug to determine what the problem is.
>
> It would appear that the CA process didn't start.
>
> Details on your versions of ipa-server and pki-ca would be helpful too.
>
> rob
>

https://bugzilla.redhat.com/show_bug.cgi?id=818123

Might be related. Please see comments there and requests for additional logs.

>>
>> Shabahang
>>
>> ------------------------------------------------------------------------
>> *From:* shabahang elmian
>> *To:* Rob Crittenden
>> *Cc:* "freeipa-users at redhat.com"
>> *Sent:* Sunday, April 29, 2012 12:21 PM
>> *Subject:* Re: [Freeipa-users] Error in Installation - unable to
>> create CA
>>
>> [2012-04-23 17:07:32] [debug]
>> set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser,
>> pkiuser)
>> [2012-04-23 17:07:32] [debug]
>> set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug]
>> set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug]
>> set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug] Processing PKI security modules for
>> '/var/lib/pki-ca' ...
>> [2012-04-23 17:07:32] [debug] Attempting to add hardware security
>> modules to system if applicable ...
>> [2012-04-23 17:07:32] [debug] module name: lunasa lib:
>> /usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
>> [2012-04-23 17:07:32] [debug] module name: nfast lib:
>> /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
>> [2012-04-23 17:07:32] [debug] configuring SELinux ...
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9180. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9701. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9443. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9444. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9446. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9445. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9447. Port already defined otherwise.
>> [2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to
>> run semanage.
>> [2012-04-23 17:07:34] [debug] Running restorecon commands
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /usr/share/java/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /usr/share/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /var/lib/pki-ca)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /var/run/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /var/log/pki-ca)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /etc/pki-ca)
>> [2012-04-23 17:07:34] [debug] Installation manifest:
>> /var/lib/pki-ca/install_info
>> [2012-04-23 17:07:34] [debug] The following was performed:
>> Installed Files:
>> /etc/pki-ca/CS.cfg
>> ...
>> .
>> .
>> /var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar
>> Removed Items:
>> /etc/pki-ca/noise
>> /etc/pki-ca/pfile
>>
>> [2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart
>> pki-cad at pki-ca.service)
>> [2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart
>> pki-cad at pki-ca.service"), exit status=1 output="Job failed. See system
>> logs and 'systemctl status' for details."
>> [2012-04-23 17:07:34] [log] Configuration Wizard listening on
>> https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs
>>
>> [2012-04-23 17:07:34] [log] After configuration, the server can be
>> operated by the command:
>> /bin/systemctl restart pki-cad at pki-ca.service
>> [root at ipa ~]#
>>
>> [root at ipa system]# ipa-server-install --uninstall
>>
>> This is a NON REVERSIBLE operation and will delete all data and
>> configuration!
>>
>> Are you sure you want to continue with the uninstall procedure? [no]: y
>> Shutting down all IPA services
>> Removing IPA client configuration
>> Unconfiguring ntpd
>> Unconfiguring CA directory server
>> [root at ipa system]#
>> [root at ipa system]#
>> [root at ipa system]# > /var/log/audit/audit.log
>> [root at ipa system]#
>> [root at ipa system]#
>> [root at ipa system]# ipa-server-install --setup-dns
>>
>> The log file for this installation can be found in
>> /var/log/ipaserver-install.log
>> ==============================================================================
>>
>> This program will set up the FreeIPA Server.
>>
>> This includes:
>> * Configure a stand-alone CA (dogtag) for certificate management
>> * Configure the Network Time Daemon (ntpd)
>> * Create and configure an instance of Directory Server
>> * Create and configure a Kerberos Key Distribution Center (KDC)
>> * Configure Apache (httpd)
>> * Configure DNS (bind)
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>> Existing BIND configuration detected, overwrite? [no]: y
>> Enter the fully qualified domain name of the computer
>> on which you're setting up server software. Using the form
>> .
>> Example: master.example.com.
>>
>>
>> Server host name [ipa.mtnirancell.ir]:
>>
>> Warning: skipping DNS resolution of host ipa.mtnirancell.ir
>> The domain name has been calculated based on the host name.
>>
>> Please confirm the domain name [mtnirancell.ir]:
>>
>> The kerberos protocol requires a Realm name to be defined.
>> This is typically the domain name converted to uppercase.
>>
>> Please provide a realm name [MTNIRANCELL.IR]:
>> Certain directory server operations require an administrative user.
>> This user is referred to as the Directory Manager and has full access
>> to the Directory for system management tasks and will be added to the
>> instance of directory server created for IPA.
>> The password must be at least 8 characters long.
>>
>> Directory Manager password:
>> Password (confirm):
>>
>> The IPA server requires an administrative user, named 'admin'.
>> This user is a regular system account used for IPA server
>> administration.
>>
>> IPA admin password:
>> Password (confirm):
>>
>> Do you want to configure DNS forwarders? [yes]:
>> Enter the IP address of DNS forwarder to use, or press Enter to finish.
>> Enter IP address for a DNS forwarder:
>> No DNS forwarders configured
>> Do you want to configure the reverse zone? [yes]:
>> Please specify the reverse zone name [58.131.10.in-addr.arpa.]:
>> Using reverse zone 58.131.10.in-addr.arpa.
>>
>> The IPA Master Server will be configured with:
>> Hostname: ipa.mtnirancell.ir
>> IP address: 10.131.58.43
>> Domain name: mtnirancell.ir
>> Realm name: MTNIRANCELL.IR
>>
>> BIND DNS server will be configured to serve IPA domain with:
>> Forwarders: No forwarders
>> Reverse zone: 58.131.10.in-addr.arpa.
>>
>> Continue to configure the system with these values? [no]: y
>>
>> The following operations may take some minutes to complete.
>> Please wait until the prompt is returned.
>>
>> Configuring ntpd
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> done configuring ntpd.
>> Configuring directory server for the CA: Estimated time 30 minutes 30
>> seconds
>> [1/3]: creating directory server user
>> [2/3]: creating directory server instance
>> [3/3]: restarting directory server
>> done configuring pkids.
>> Configuring certificate server: Estimated time 33 minutes 30 seconds
>> [1/16]: creating certificate server user
>> [2/16]: configuring certificate server instance
>> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl
>> /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa.mtnirancell.ir'
>> '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-gEoCj_'
>> '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'OiqLyU0CQxx8MRRZpuGs'
>> '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
>> 'root at localhost' '-admin_XXXXXXXX' XXXXXXXX '-agent_name' 'ipa-ca-agent'
>> '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject'
>> 'CN=ipa-ca-agent,O=MTNIRANCELL.IR' '-ldap_host' 'ipa.mtnirancell.ir'
>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_XXXXXXXX'
>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
>> Subsystem,O=MTNIRANCELL.IR' '-ca_ocsp_cert_subject_name' 'CN=OCSP
>> Subsystem,O=MTNIRANCELL.IR' '-ca_server_cert_subject_name'
>> 'CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR'
>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=MTNIRANCELL.IR'
>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=MTNIRANCELL.IR'
>> '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
>> Unexpected error - see ipaserver-install.log for details:
>> Configuration of CA failed
>> [root at ipa system]# cat /var/log/audit/audit.log
>> type=SERVICE_START msg=audit(1335685711.759:154): pid=0 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
>> comm="ntpd" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
>> type=SERVICE_START msg=audit(1335685715.634:155): pid=0 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
>> comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
>> res=success'
>> type=SERVICE_START msg=audit(1335685716.195:156): pid=0 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
>> comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
>> res=success'
>> type=SERVICE_STOP msg=audit(1335685716.195:157): pid=0 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
>> comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
>> res=success'
>> type=SERVICE_START msg=audit(1335685716.270:158): pid=0 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
>> comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
>> res=success'
>> [root at ipa system]#
>>
>> shabahang
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Rob Crittenden
>> *To:* shabahang elmian
>> *Cc:* "freeipa-users at redhat.com"
>> *Sent:* Monday, April 23, 2012 8:16 PM
>> *Subject:* Re: [Freeipa-users] Error in Installation - unable to
>> create CA
>>
>> shabahang elmian wrote:
>> > Hello,
>> > There is a problem on configuring FreeIPA.
>> > Would you please help.
>> >
>> > Please find the following:
>> >
>> > 2012-04-23 12:38:53,812 DEBUG duration: 5 seconds
>> > 2012-04-23 12:38:53,812 DEBUG [3/17]: configuring certificate server
>> > instance
>> > 2012-04-23 12:38:56,227 DEBUG args=/usr/bin/perl /usr/bin/pkisilent
>> > ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445
>> > -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX
>> > -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin
>> > -admin_email root at localhost -admin_password XXXXXXXX -agent_name
>> > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>> > -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host
>> > ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager
>> > -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
>> > 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
>> > -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
>> > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
>> > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
>> > -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
>> > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
>> > -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
>> > -external false -clone false
>> > 2012-04-23 12:38:56,228 DEBUG stdout=libpath=/usr/lib64
>> > #######################################################################
>> > CRYPTO INIT WITH CERTDB:/tmp/tmp-d9LkHR
>> > tokenpwd:XXXXXXXX
>> > #############################################
>> > Attempting to connect to: ipa.mtnirancell.ir:9445
>> > Exception in LoginPanel(): java.lang.NullPointerException
>> > ERROR: ConfigureCA: LoginPanel() failure
>> > ERROR: unable to create CA
>> > #######################################################################
>> > 2012-04-23 12:38:56,228 DEBUG stderr=Exception: Unable to Send
>> > Request:java.net.ConnectException: Connection refused
>> > java.net.ConnectException: Connection refused
>> > at java.net.PlainSocketImpl.socketConnect(Native Method)
>> > at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
>> > at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
>> > at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
>> > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
>> > at java.net.Socket.connect(Socket.java:546)
>> > at java.net.Socket.connect(Socket.java:495)
>> > at java.net.Socket.(Socket.java:392)
>> > at java.net.Socket.(Socket.java:235)
>> > at HTTPClient.sslConnect(HTTPClient.java:326)
>> > at ConfigureCA.LoginPanel(ConfigureCA.java:244)
>> > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>> > at ConfigureCA.main(ConfigureCA.java:1672)
>> > java.lang.NullPointerException
>> > at ConfigureCA.LoginPanel(ConfigureCA.java:245)
>> > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>> > at ConfigureCA.main(ConfigureCA.java:1672)
>> >
>> > 2012-04-23 12:38:56,229 CRITICAL failed to configure ca instance
>> > Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>> > ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR
>> > -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA
>> > -domain_name IPA -admin_user admin -admin_email root at localhost
>> > -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size
>> > 2048 -agent_key_type rsa -agent_cert_subject
>> > CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir
>> > -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
>> > XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type
>> > rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
>> > -subsystem_name pki-cad -token_name internal
>> > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
>> > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
>> > -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
>> > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
>> > -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
>> > -external false -clone false' returned non-zero exit status 255
>> > 2012-04-23 12:38:56,266 DEBUG Configuration of CA failed
>> > File "/usr/sbin/ipa-server-install", line 1173, in
>> > rval = main()
>> >
>> > File "/usr/sbin/ipa-server-install", line 974, in main
>> > subject_base=options.subject)
>> >
>> > File
>> > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> > line 537, in configure_instance
>> > self.start_creation("Configuring certificate server", 210)
>> >
>> > File
>> > "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> > line 248, in start_creation
>> > method()
>> >
>> > File
>> > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> > line 677, in __configure_instance
>> > raise RuntimeError('Configuration of CA failed')
>> >
>> > Please note:
>> >
>> > [root at ipa ~]# uname -a
>> > Linux ipa.mtnirancell.ir 3.3.2-6.fc16.x86_64 #1 SMP Sat Apr 21
>> > 12:43:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>> > [root at ipa ~]# cat /etc/redhat-release
>> > Fedora release 16 (Verne)
>> > [root at ipa ~]#
>>
>> It would appear that the CA silent installer (pki-silent) couldn't talk
>> to the CA. There are more logs in /var/log/pki-ca that may hold more
>> information on why.
>>
>> You might also want to look for any new AVCs in
>> /var/log/audit/audit.log.
>>
>> regards
>>
>> rob
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From matt at mldserviceslex.com Wed May 2 20:37:23 2012
From: matt at mldserviceslex.com (Matthew Davidson)
Date: Wed, 2 May 2012 16:37:23 -0400
Subject: [Freeipa-users] red hat 5 and red hat 6 compatability
In-Reply-To: <4FA18394.7080507@redhat.com>
References: , , <4FA141DE.1080703@redhat.com> , , <4FA1532C.8070709@redhat.com>, , <4FA17413.8030805@redhat.com> , <4FA18394.7080507@redhat.com>
Message-ID:

"Is this from the client or from the server? I bet on the server."

That is from the client. I sent a reply to Rob about the DNS, but I was under the assumption that the client was using the config files.

thanks
Matt

Date: Wed, 2 May 2012 14:57:24 -0400
From: dpal at redhat.com
To: matt at mldserviceslex.com
CC: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability

On 05/02/2012 02:50 PM, Matthew Davidson wrote:

Dmitri,

1) Do you have admin account on IPA side?

Yes. And judging by the command below admin does log in, or am I mistaken?
[root at rhel5 ~]# kinit admin
Password for admin at EXAMPLE.COM:

[root at rhel5 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at EXAMPLE.COM

Valid starting     Expires            Service principal
05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/EXAMPLE.COM at EXAMPLE.COM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Is this from the client or from the server? I bet on the server.
Rob might be right that the client fails to find the right
authentication server due to the DNS configuration.

2) Is there a firewall between client and server? Is LDAP and LDAPS
allowed via the FW?

No firewall. shut those down at the first sign of trouble.

Thanks
Matt

Date: Wed, 2 May 2012 13:51:15 -0400
From: dpal at redhat.com
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability

On 05/02/2012 12:43 PM, Matthew Davidson wrote:

Hi Rob

[root at rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: rhel6.example.com
Realm: EXAMPLE.COM
DNS Domain: EXAMPLE.COM
IPA Server: rhel6.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin at EXAMPLE.COM:

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!

1) Do you have admin account on IPA side?
2) Is there a firewall between client and server? Is LDAP and LDAPS
allowed via the FW?

Recognized configuration: SSSD
Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
NTP enabled
Client configuration complete.
/var/log/secure
May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2

/var/log/sssd/ldap_child.log
(Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database

/var/log/sssd/sssd.log
(Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
(Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children

thanks for helping!
Matt

> Date: Wed, 2 May 2012 11:30:52 -0400
> From: rcritten at redhat.com
> To: matt at mldserviceslex.com
> CC: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> Matthew Davidson wrote:
> > To clarify one point.
> >
> > I used the current redhat documents to setup the two systems.
> >
> > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
> >
> > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
> >
> > SSH does not seem to be discussed and that is when I started web surfing
> > in an attempt to fix my problem before reaching out for help.
>
> A host service principal is created during enrollment so no additional
> work should be needed for SSH to work. The problem you're having is
> related to the fact that user lookup services are failing.
>
> Can you look in /var/log/secure and/or /var/log/sssd/* to see if there
> are any errors reported regarding sssd?
>
> What options did you pass to ipa-client-install?
>
> rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From rcritten at redhat.com Wed May 2 20:47:11 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 May 2012 16:47:11 -0400
Subject: [Freeipa-users] red hat 5 and red hat 6 compatability
In-Reply-To:
References: , , <4FA141DE.1080703@redhat.com> , , <4FA1532C.8070709@redhat.com>, , <4FA17413.8030805@redhat.com> , <4FA18394.7080507@redhat.com>
Message-ID: <4FA19D4F.9010302@redhat.com>

Matthew Davidson wrote:
> "Is this from the client or from the server? I bet on the server."
>
> That is from the client. I sent a reply to Rob about the DNS, but I was
> under the assumption that the client was using the config files.
>

We recommend using a different realm name for the IPA realm, it makes
life much simpler.

You can try disabling DNS lookups for the KDC in /etc/krb5.conf and
defining a KDC. You may also need to tell the sssd locator, configured
in /var/lib/sss/pubconf/kdcinfo.$REALM.

IPA and AD both attempt to use the same DNS SRV records for
autodiscovery. What is happening is your client is getting the AD
information and trying to authenticate against it.

regards

rob

From sbernst at gmail.com Wed May 2 20:59:56 2012
From: sbernst at gmail.com (Steven Bernstein)
Date: Wed, 2 May 2012 15:59:56 -0500
Subject: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 10
In-Reply-To:
References:
Message-ID:

Free IPA List peeps,

I'm looking to set up FreeIPA on a Fedora 14 or 15 server I'm setting up
at home. I came across a reference at one point dealing with smart cards
being associated with the users that hold them.

I can't find the reference at this point and was wondering if there might
be a list on the Wiki or someplace that details the errors that come back
when trying to initialize or register a smart card with the server?

Thanks so much!
Steven
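Rob Crittenden's reply in the "red hat 5 and red hat 6 compatability" thread above suggests disabling DNS lookups for the KDC in /etc/krb5.conf and defining the KDC explicitly, because AD answers the same SRV records. The fragments below are an added example, not configuration from the thread: the realm EXAMPLE.COM and the server rhel6.example.com come from Matt's enrollment output, while the ports, lifetimes and the sssd.conf section name are assumptions.

```ini
# Added example: /etc/krb5.conf for the RHEL 5 client, pinning the IPA KDC
# instead of discovering it through DNS SRV records that AD also answers.
# EXAMPLE.COM and rhel6.example.com are from the thread; everything else
# (ports, lifetimes, the sssd.conf section name) is assumed.

[libdefaults]
 default_realm = EXAMPLE.COM
 # Discovery-dependent form (the one to avoid here): the client queries
 # _kerberos._udp.example.com / _kerberos._tcp.example.com SRV records and
 # may be handed the AD KDC, which does not know the IPA host principal.
 #dns_lookup_kdc = true
 #dns_lookup_realm = true

 # Pinned form: no SRV lookup, the KDC comes only from [realms] below.
 dns_lookup_kdc = false
 dns_lookup_realm = false
 forwardable = yes
 ticket_lifetime = 24h

[realms]
 EXAMPLE.COM = {
  kdc = rhel6.example.com:88
  master_kdc = rhel6.example.com:88
  admin_server = rhel6.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

# SSSD keeps its own idea of the KDC: it writes the address it is using to
# /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM, and libkrb5 consults that file
# through the sssd locator plugin before reading [realms] above. Pin the
# server in /etc/sssd/sssd.conf rather than hand-editing kdcinfo (assumed
# section name; ipa-client-install --server already writes ipa_server):
#
# [domain/example.com]
#  id_provider = ipa
#  auth_provider = ipa
#  ipa_domain = example.com
#  ipa_server = rhel6.example.com
```

After the change, a `kinit admin` followed by `klist` on the client, like the one Matt posted, should still succeed, and the `ldap_child.log` "Client not found in Kerberos database" entries should stop once SSSD is restarted.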
From Steven.Jones at vuw.ac.nz Wed May 2 21:28:33 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 2 May 2012 21:28:33 +0000
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <1335965329.7781.9.camel@balmora.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA06458.2070904@redhat.com>, <1335965329.7781.9.camel@balmora.brq.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8ABB6@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

"proper" isn't defined as such, but yes in an ideal world.... Trouble is
we have so many servers that we patch over 2 or 3 early start mornings,
until now we did test first, then prod.....now we have to start to
separate them....

Also will IPA server on 6.3 collide with IPA server on 6.2? It would be
"proper" to only upgrade one IPA at a time in case the upgrade buggered
IPA....otherwise I have to do all at once.......and if it goes wrong I'm
left with nothing......

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Martin Kosek [mkosek at redhat.com]
Sent: Thursday, 3 May 2012 1:28 a.m.
To: dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
> On 05/01/2012 06:15 PM, Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done....if so that is a huge and ugly looking task that is one way.....
> >
>
> Yes this is a serious problem. Thank you for uncovering it.
> Current plan is to: provide a fix for the older clients to be able to
> connect to 2.2 via errata.
> Make sure that the 2.2 client can connect to the 2.1 server.
>
> Thanks
> Dmitri

I am working on a patch for ipa-client-install which should make it
capable of joining an older IPA server.

BTW, I always thought that the proper upgrade scenario is to upgrade the
servers to the new version first and then upgrade the clients. The issue
here is that the new IPA clients won't be able to use "ipa" command to
control the old server because they have a higher API version and the
old server would not support it.

The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2)
should be OK as we maintain backwards compatibility.

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Wed May 2 21:29:43 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 2 May 2012 21:29:43 +0000
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <1335966760.7781.15.camel@balmora.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA13A59.4050806@redhat.com>, <1335966760.7781.15.camel@balmora.brq.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8ABC2@STAWINCOX10MBX1.staff.vuw.ac.nz>

What is the impact of IPA not working properly?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Martin Kosek [mkosek at redhat.com]
Sent: Thursday, 3 May 2012 1:52 a.m.
To: Rob Crittenden
Cc: Steven Jones; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
> Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done....if so that is a huge and ugly looking task that is one way....
>
> No, that's not the problem at all. Enrolled clients will work as
> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log
> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still
> investigating. We'll fix it if needed.
>
> rob

I just sent a patch for this issue to freeipa-devel list. The problem
was in the TGT forwarding as mentioned earlier in this thread. The
patched client can now join an older IPA server. But ipa command still
won't work properly as its API is higher than the server's.

Martin

> >
> > regards
> >
> > Steven Jones
> >
> > Technical Specialist - Linux RHCE
> >
> > Victoria University, Wellington, NZ
> >
> > 0064 4 463 6272
> >
> > ________________________________________
> > From: Rob Crittenden [rcritten at redhat.com]
> > Sent: Wednesday, 2 May 2012 1:19 a.m.
> > To: Steven Jones
> > Cc: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] ipa-client install error
> >
> > Steven Jones wrote:
> >> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
> >>
> >> ==============
> >> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir
> >> Discovery was successful!
> >> Hostname: rhel664ws01.ods.vuw.ac.nz
> >> Realm: ODS.VUW.AC.NZ
> >> DNS Domain: ods.vuw.ac.nz
> >> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> >> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> >>
> >>
> >> Continue to configure the system with these values? [no]: yes
> >> User authorized to enroll computers: admjonesst1
> >> Synchronizing time with KDC...
> >> Unable to sync time with IPA NTP server, assuming the time is in sync.
> >> Password for admjonesst1 at ODS.VUW.AC.NZ:
> >>
> >> Enrolled in IPA realm ODS.VUW.AC.NZ
> >> Created /etc/ipa/default.conf
> >> Unable to activate the SSH service in SSSD config.
> >> Please make sure you have SSSD built with SSH support installed.
> >> Configure SSH support manually in /etc/sssd/sssd.conf.
> >> Configured /etc/sssd/sssd.conf
> >> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> >> Traceback (most recent call last):
> >>   File "/usr/sbin/ipa-client-install", line 1534, in
> >>     sys.exit(main())
> >>   File "/usr/sbin/ipa-client-install", line 1521, in main
> >>     rval = install(options, env, fstore, statestore)
> >>   File "/usr/sbin/ipa-client-install", line 1358, in install
> >>     api.Backend.xmlclient.connect()
> >>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
> >>     conn = self.create_connection(*args, **kw)
> >>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
> >>     raise errors.KerberosError(major=str(krberr), minor='')
> >> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> >> [root at rhel664ws01 ~]#
> >> ===========
> >>
> >> Is this expected when trying to connect 6.3beta? ie its simply not compatible?
> >>
> >
> > The newer 2.2 client cannot connect to an older 2.1 server because it
> > isn't going to send the TGT that the 2.1 server requires.
> > We should
> > handle this better, I've opened a ticket to track this:
> > https://fedorahosted.org/freeipa/ticket/2697
> >
> > rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From dpal at redhat.com Wed May 2 21:37:37 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 02 May 2012 17:37:37 -0400
Subject: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 10
In-Reply-To:
References:
Message-ID: <4FA1A921.7030206@redhat.com>

On 05/02/2012 04:59 PM, Steven Bernstein wrote:
> Free IPA List peeps,
>
> I'm looking to set up FreeIPA on a Fedora 14 or 15 server I'm setting
> up at home. I came across a reference at one point dealing with smart
> cards being associated with the users that hold them.
>
> I can't find the reference at this point and was wondering if there
> might be a list on the Wiki or someplace that details the errors that
> come back when trying to initialize or register a smart card with the
> server?
>

Smart card support has been on our road map for some time but it is not
implemented yet. Maybe you are confusing us with the Dogtag project that
we leverage for the certificate management. It supports SC management
and provisioning for end users. IPA can handle certs for hosts and
services only for the time being.

HTH
Dmitri

> Thanks so much!
>
> Steven
to init credentials: > Client not found in Kerberos database > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: > Client not found in Kerberos database > > > > /var/log/sssd/sssd.log > (Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): > Monitor received Terminated: terminating children > (Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): > Monitor received Terminated: terminating children > > > > thanks for helping! > Matt > > > > Date: Wed, 2 May 2012 11:30:52 -0400 > > > From: rcritten at redhat.com > > > To: matt at mldserviceslex.com > > > > CC: freeipa-users at redhat.com > > > > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 > compatability > > > > > > Matthew Davidson wrote: > > > > To clarify one point. > > > > > > > > I used the current redhat documents to setup the two > systems. > > > > > > > > > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US > > > > > > > > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US > > > > > > > > SSH does not seem to be discussed and that is when I > started web surfing > > > > in an attempt to fix my problem before reaching out > for help. > > > > > > A host service principal is created during enrollment so > no additional > > > work should be needed for SSH to work. The problem you're > having is > > > related to the fact that user lookup services are > failing. > > > > > > Can you look in /var/log/secure and/or /var/log/sssd/* to > see if there > > > are any errors reported regarding sssd? > > > > > > What options did you pass to ipa-client-install? > > > > > > rob > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? 
> www.redhat.com/carveoutcosts/ > > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > > > ------------------------------ > > Message: 2 > Date: Wed, 02 May 2012 14:57:24 -0400 > From: Dmitri Pal > > To: Matthew Davidson > > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability > Message-ID: <4FA18394.7080507 at redhat.com > > > Content-Type: text/plain; charset="iso-8859-1" > > On 05/02/2012 02:50 PM, Matthew Davidson wrote: > > Dmitri, > > 1) Do you have admin account on IPA side? > > > > Yes. And judging by the command below admin does log in, or am I > mistaken? > > > > [root at rhel5 ~]# kinit admin > > Password for admin at EXAMPLE.COM : > > > > [root at rhel5 ~]# klist > > Ticket cache: FILE:/tmp/krb5cc_0 > > Default principal: admin at EXAMPLE.COM > > > > Valid starting Expires Service principal > > 05/02/12 14:47:40 05/03/12 14:47:36 > krbtgt/EXAMPLE.COM at EXAMPLE.COM > > > > Kerberos 4 ticket cache: /tmp/tkt0 > > klist: You have no tickets cached > > > > Is this from the client or from the server? I bet on the server. > Rob might be right that the client fails to find the right > authentication server due to the DNS configuration. > > > 2) Is there a firewall between client and server? Is LDAP and LDAPS > > allowed via the FW? > > > > No firewall. shut those down at the first sign of trouble. 
> > > > Thanks > > Matt > > > > > ------------------------------------------------------------------------ > > Date: Wed, 2 May 2012 13:51:15 -0400 > > From: dpal at redhat.com > > To: freeipa-users at redhat.com > > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability > > > > On 05/02/2012 12:43 PM, Matthew Davidson wrote: > > > > Hi Rob > > > > [root at rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM > > > --server=rhel6.example.com > > DNS domain 'example.com ' is not > configured for automatic KDC > > address lookup. > > KDC address will be set to fixed value. > > > > Discovery was successful! > > Hostname: rhel6.example.com > > Realm: EXAMPLE.COM > > DNS Domain: EXAMPLE.COM > > IPA Server: rhel6.example.com > > BaseDN: dc=example,dc=com > > > > Continue to configure the system with these values? [no]: yes > > User authorized to enroll computers: admin > > Synchronizing time with KDC... > > Password for admin at EXAMPLE.COM : > :> > > > > Enrolled in IPA realm EXAMPLE.COM > > Created /etc/ipa/default.conf > > Configured /etc/sssd/sssd.conf > > Configured /etc/krb5.conf for IPA realm EXAMPLE.COM > > > SSSD enabled > > *Unable to find 'admin' user with 'getent passwd admin'!* > > > > > > 1) Do you have admin account on IPA side? > > 2) Is there a firewall between client and server? Is LDAP and LDAPS > > allowed via the FW? > > > > Recognized configuration: SSSD > > Changed configuration of /etc/ldap.conf to use hardcoded server > > name: rhel6.example.com > > NTP enabled > > Client configuration complete. 
> > > > /var/log/secure > > May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from > > 192.168.1.5 > > May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: > invalid > > user mdavidson > > May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check > pass; > > user unknown > > May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): > > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > > rhost=rhel6.example.com > > May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): > error > > retrieving information about user mdavidson > > May 2 12:31:21 rhel5 sshd[3250]: Failed password for > invalid user > > mdavidson from 192.168.1.5 port 52511 ssh2 > > > > /var/log/sssd/ldap_child.log > > (Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] > > [ldap_child_get_tgt_sync] (0): Failed to init credentials: > Client > > not found in Kerberos database > > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] > > [ldap_child_get_tgt_sync] (0): Failed to init credentials: > Client > > not found in Kerberos database > > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] > > [ldap_child_get_tgt_sync] (0): Failed to init credentials: > Client > > not found in Kerberos database > > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] > > [ldap_child_get_tgt_sync] (0): Failed to init credentials: > Client > > not found in Kerberos database > > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] > > [ldap_child_get_tgt_sync] (0): Failed to init credentials: > Client > > not found in Kerberos database > > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] > > [ldap_child_get_tgt_sync] (0): Failed to init credentials: > Client > > not found in Kerberos database > > > > /var/log/sssd/sssd.log > > (Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor > > received Terminated: terminating children > > (Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor > > received Terminated: terminating children > > > > thanks for helping! 
> > Matt > > > > > Date: Wed, 2 May 2012 11:30:52 -0400 > > > From: rcritten at redhat.com > > > > > To: matt at mldserviceslex.com > > > > > CC: freeipa-users at redhat.com > > > > > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 > compatability > > > > > > Matthew Davidson wrote: > > > > To clarify one point. > > > > > > > > I used the current redhat documents to setup the two > systems. > > > > > > > > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US > > > > > > > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US > > > > > > > > SSH does not seem to be discussed and that is when I started > > web surfing > > > > in an attempt to fix my problem before reaching out for > help. > > > > > > A host service principal is created during enrollment so no > > additional > > > work should be needed for SSH to work. The problem you're > having is > > > related to the fact that user lookup services are failing. > > > > > > Can you look in /var/log/secure and/or /var/log/sssd/* to > see if > > there > > > are any errors reported regarding sssd? > > > > > > What options did you pass to ipa-client-install? > > > > > > rob > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > -- > > Thank you, > > Dmitri Pal > > > > Sr. Engineering Manager IPA project, > > Red Hat Inc. > > > > > > ------------------------------- > > Looking to carve out IT costs? > > www.redhat.com/carveoutcosts/ > > > > > > > > > > _______________________________________________ Freeipa-users > mailing > > list Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? 
> www.redhat.com/carveoutcosts/ > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > > > ------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > End of Freeipa-users Digest, Vol 46, Issue 10 > ********************************************* > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Wed May 2 21:38:33 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 02 May 2012 17:38:33 -0400 Subject: [Freeipa-users] ipa-client install error In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC8ABB6@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA06458.2070904@redhat.com>, <1335965329.7781.9.camel@balmora.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC8ABB6@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4FA1A959.6010906@redhat.com> Steven Jones wrote: > Hi, > > "proper" isnt defined as such, but yes in an ideal world.... Trouble is we have so many servers that we patch over 2 or 3 early start mornings, until now we did test first, then prod.....now we have to start to separate them.... Right, this is why we fixed the bug. > > also will IPA server on 6.3 collide with IPA server on 6.2? 
> It would be "proper" to only upgrade one IPA at a time in case the upgrade buggered IPA....otherwise I have to do all at once.......and if it goes wrong I'm left with nothing......

It will be fixed to work in 6.3 GA. The client enrollment will succeed but you won't get the 6.3 features (like SSH host keys uploaded).

The ipa tool is not downward compatible, so a 6.3 ipa tool will not work with a 6.2 server but the reverse WILL work.

rob

From dpal at redhat.com Wed May 2 21:39:52 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 02 May 2012 17:39:52 -0400
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC8ABB6@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA06458.2070904@redhat.com>, <1335965329.7781.9.camel@balmora.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC8ABB6@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FA1A9A8.2030107@redhat.com>

On 05/02/2012 05:28 PM, Steven Jones wrote:
> Hi,
>
> "proper" isn't defined as such, but yes in an ideal world.... Trouble is we have so many servers that we patch over 2 or 3 early start mornings, until now we did test first, then prod.....now we have to start to separate them....
>
> also will IPA server on 6.3 collide with IPA server on 6.2? It would be "proper" to only upgrade one IPA at a time in case the upgrade buggered IPA....otherwise I have to do all at once.......and if it goes wrong I'm left with nothing......
>

The issue affects client to server authentication not server to server replication so 6.3 and 6.2 should work fine for several days while you are migrating servers from 6.2 to 6.3.
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Martin Kosek [mkosek at redhat.com]
> Sent: Thursday, 3 May 2012 1:28 a.m.
> To: dpal at redhat.com
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
>> On 05/01/2012 06:15 PM, Steven Jones wrote:
>>> So this opens a chicken and egg?
>>>
>>> ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done....if so that is a huge and ugly looking task that is one way.....
>>>
>> Yes this is a serious problem. Thank you for uncovering it.
>> Current plan is to: provide a fix for the older clients to be able to
>> connect to 2.2 via errata.
>> Make sure that the 2.2 client can connect to the 2.1 server.
>>
>> Thanks
>> Dmitri
> I am working on a patch for ipa-client-install which should make it
> capable of joining an older IPA server.
>
> BTW, I always thought that the proper upgrade scenario is to upgrade the
> servers to the new version first and then upgrade the clients. The issue
> here is that the new IPA clients won't be able to use "ipa" command to
> control the old server because they have a higher API version and the
> old server would not support it.
>
> The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2)
> should be OK as we maintain backwards compatibility.
>
> Martin
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Wed May 2 21:40:29 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 May 2012 17:40:29 -0400
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC8ABC2@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA13A59.4050806@redhat.com>, <1335966760.7781.15.camel@balmora.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC8ABC2@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FA1A9CD.9010701@redhat.com>

Steven Jones wrote:
> What is the impact of IPA not working properly?

That is a bit of a loaded question. It depends on your definition of "properly" but basically if IPA server isn't working, none of your auth or identity works. Depending on what state sssd thinks the server is in it may fall back into offline mode in which case individual workstations will still operate but networked authentication/identity will fail.
rob

From dpal at redhat.com Wed May 2 21:45:05 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 02 May 2012 17:45:05 -0400
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC8ABC2@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA13A59.4050806@redhat.com>, <1335966760.7781.15.camel@balmora.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC8ABC2@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FA1AAE1.3050301@redhat.com>

On 05/02/2012 05:29 PM, Steven Jones wrote:
> What is the impact of IPA not working properly?

You need to differentiate client system that uses IPA for identity lookups and authentication and administrative station where you have ipa-admintools package installed. It is not recommended to have this package on the client side to be higher version than on the server. We are currently fixing the issue for the client enrollment to work even if you try to enroll later version of the ipa client with the earlier version of the server but for ipa-admintools the general rule: upgrade server first and then the client ipa-admintools package should continue to apply.

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Martin Kosek [mkosek at redhat.com]
> Sent: Thursday, 3 May 2012 1:52 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> So this opens a chicken and egg?
>>>
>>> ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break?
>>> but I can't upgrade the clients until after the servers are done....if so that is a huge and ugly looking task that is one way....
>> No, that's not the problem at all. Enrolled clients will work as
>> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log
>> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still
>> investigating. We'll fix it if needed.
>>
>> rob
> I just sent a patch for this issue to freeipa-devel list. The problem
> was in the TGT forwarding as mentioned earlier in this thread. The
> patched client can now join an older IPA server. But ipa command still
> won't work properly as its API is higher than the server's.
>
> Martin
>
>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 2 May 2012 1:19 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] ipa-client install error
>>>
>>> Steven Jones wrote:
>>>> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
>>>>
>>>> ==============
>>>> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir
>>>> Discovery was successful!
>>>> Hostname: rhel664ws01.ods.vuw.ac.nz
>>>> Realm: ODS.VUW.AC.NZ
>>>> DNS Domain: ods.vuw.ac.nz
>>>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>>>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>>>>
>>>>
>>>> Continue to configure the system with these values? [no]: yes
>>>> User authorized to enroll computers: admjonesst1
>>>> Synchronizing time with KDC...
>>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>> Password for admjonesst1 at ODS.VUW.AC.NZ:
>>>>
>>>> Enrolled in IPA realm ODS.VUW.AC.NZ
>>>> Created /etc/ipa/default.conf
>>>> Unable to activate the SSH service in SSSD config.
>>>> Please make sure you have SSSD built with SSH support installed.
>>>> Configure SSH support manually in /etc/sssd/sssd.conf.
>>>> Configured /etc/sssd/sssd.conf
>>>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
>>>> Traceback (most recent call last):
>>>>   File "/usr/sbin/ipa-client-install", line 1534, in
>>>>     sys.exit(main())
>>>>   File "/usr/sbin/ipa-client-install", line 1521, in main
>>>>     rval = install(options, env, fstore, statestore)
>>>>   File "/usr/sbin/ipa-client-install", line 1358, in install
>>>>     api.Backend.xmlclient.connect()
>>>>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>>>>     conn = self.create_connection(*args, **kw)
>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>>>>     raise errors.KerberosError(major=str(krberr), minor='')
>>>> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
>>>> [root at rhel664ws01 ~]#
>>>> ===========
>>>>
>>>> Is this expected when trying to connect 6.3beta? ie its simply not compatible?
>>>>
>>> The newer 2.2 client cannot connect to an older 2.1 server because it
>>> isn't going to send the TGT that the 2.1 server requires. We should
>>> handle this better, I've opened a ticket to track this:
>>> https://fedorahosted.org/freeipa/ticket/2697
>>>
>>> rob
>>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ian at crystal.harvard.edu Wed May 2 21:46:30 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Wed, 2 May 2012 17:46:30 -0400
Subject: [Freeipa-users] Replication status
Message-ID: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>

Hi,

I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending & resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?

Cheers,
Ian

From Steven.Jones at vuw.ac.nz Wed May 2 21:53:04 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 2 May 2012 21:53:04 +0000
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <4FA1A9CD.9010701@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA13A59.4050806@redhat.com>, <1335966760.7781.15.camel@balmora.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC8ABC2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FA1A9CD.9010701@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8AF4D@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Sorry, I used IPA, I should have used lower case, e.g. "But ipa command still won't work properly as its API is higher than the server's."

The way I read that is a client will have limited command line capability? That would be OK over, say, some weeks while we upgraded.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 3 May 2012 9:40 a.m.
To: Steven Jones
Cc: Martin Kosek; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:
> What is the impact of IPA not working properly?

That is a bit of a loaded question. It depends on your definition of "properly" but basically if IPA server isn't working, none of your auth or identity works. Depending on what state sssd thinks the server is in it may fall back into offline mode in which case individual workstations will still operate but networked authentication/identity will fail.

rob

From danieljamesscott at gmail.com Wed May 2 21:53:25 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 2 May 2012 17:53:25 -0400
Subject: [Freeipa-users] Replication status
In-Reply-To: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
Message-ID:

Hi,

I'm definitely interested in this too.

You can use ipa-replica-manage -v list $HOSTNAME to get detailed status information.

I also found this: http://directory.fedoraproject.org/wiki/Howto:ReplicationMonitoring

But I believe that it needs to have the Directory Manager password hardcoded.

Let me know if you figure out a nice solution.

Thanks,

Dan

On Wed, May 2, 2012 at 5:46 PM, Ian Levesque wrote:
> Hi,
>
> I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending & resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?
>
> Cheers,
> Ian
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Wed May 2 21:54:13 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 2 May 2012 21:54:13 +0000
Subject: [Freeipa-users] ipa-client install error
In-Reply-To: <4FA1AAE1.3050301@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA13A59.4050806@redhat.com>, <1335966760.7781.15.camel@balmora.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC8ABC2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FA1AAE1.3050301@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8AF58@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

BTW, is this advice in the admin guide? I would suggest it's worth stating.....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Thursday, 3 May 2012 9:45 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On 05/02/2012 05:29 PM, Steven Jones wrote:
> What is the impact of IPA not working properly?

You need to differentiate client system that uses IPA for identity lookups and authentication and administrative station where you have ipa-admintools package installed. It is not recommended to have this package on the client side to be higher version than on the server.
We are currently fixing the issue for the client enrollment to work even if you try to enroll later version of the ipa client with the earlier version of the server but for ipa-admintools the general rule: upgrade server first and then the client ipa-admintools package should continue to apply. > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: Martin Kosek [mkosek at redhat.com] > Sent: Thursday, 3 May 2012 1:52 a.m. > To: Rob Crittenden > Cc: Steven Jones; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] ipa-client install error > > On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote: >> Steven Jones wrote: >>> So this opens a chicken and egg? >>> >>> ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I cant upgrade the clients until after the servers are done....if so that is a huge and ugly looking task that is one way.... >> No, that's not the problem at all. Enrolled clients will work as >> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log >> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still >> investigating. We'll fix it if needed. >> >> rob > I just sent a patch for this issue to freeipa-devel list. The problem > was in the TGT forwarding as mentioned earlier in this thread. The > patched client can now join an older IPA server. But ipa command still > won't work properly as its API is higher that the server's. > > Martin > > >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> ________________________________________ >>> From: Rob Crittenden [rcritten at redhat.com] >>> Sent: Wednesday, 2 May 2012 1:19 a.m. 
>>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] ipa-client install error >>> >>> Steven Jones wrote: >>>> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I cant correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error. >>>> >>>> ============== >>>> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir >>>> Discovery was successful! >>>> Hostname: rhel664ws01.ods.vuw.ac.nz >>>> Realm: ODS.VUW.AC.NZ >>>> DNS Domain: ods.vuw.ac.nz >>>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz >>>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz >>>> >>>> >>>> Continue to configure the system with these values? [no]: yes >>>> User authorized to enroll computers: admjonesst1 >>>> Synchronizing time with KDC... >>>> Unable to sync time with IPA NTP server, assuming the time is in sync. >>>> Password for admjonesst1 at ODS.VUW.AC.NZ: >>>> >>>> Enrolled in IPA realm ODS.VUW.AC.NZ >>>> Created /etc/ipa/default.conf >>>> Unable to activate the SSH service in SSSD config. >>>> Please make sure you have SSSD built with SSH support installed. >>>> Configure SSH support manually in /etc/sssd/sssd.conf. 
>>>> Configured /etc/sssd/sssd.conf >>>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ >>>> Traceback (most recent call last): >>>> File "/usr/sbin/ipa-client-install", line 1534, in >>>> sys.exit(main()) >>>> File "/usr/sbin/ipa-client-install", line 1521, in main >>>> rval = install(options, env, fstore, statestore) >>>> File "/usr/sbin/ipa-client-install", line 1358, in install >>>> api.Backend.xmlclient.connect() >>>> File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect >>>> conn = self.create_connection(*args, **kw) >>>> File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection >>>> raise errors.KerberosError(major=str(krberr), minor='') >>>> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/ >>>> [root at rhel664ws01 ~]# >>>> =========== >>>> >>>> Is this expected when trying to connect 6.3beta? ie its simply not compatible? >>>> >>> The newer 2.2 client cannot connect to an older 2.1 server because it >>> isn't going to send the TGT that the 2.1 server requires. We should >>> handle this better, I've opened a ticket to track this: >>> https://fedorahosted.org/freeipa/ticket/2697 >>> >>> rob >>> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed May 2 21:56:51 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 02 May 2012 17:56:51 -0400
Subject: [Freeipa-users] Replication status
In-Reply-To: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
Message-ID: <4FA1ADA3.70209@redhat.com>

On 05/02/2012 05:46 PM, Ian Levesque wrote:
> Hi,
>
> I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending & resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?
>
> Cheers,
> Ian

http://port389.org/wiki/Howto:ReplicationMonitoring

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/ From dpal at redhat.com Wed May 2 21:58:04 2012 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 02 May 2012 17:58:04 -0400 Subject: [Freeipa-users] ipa-client install error In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC8AF58@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC877C7@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4F9FE2EB.1080704@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A95@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA13A59.4050806@redhat.com>, <1335966760.7781.15.camel@balmora.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC8ABC2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FA1AAE1.3050301@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC8AF58@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4FA1ADEC.3080003@redhat.com> On 05/02/2012 05:54 PM, Steven Jones wrote: > Hi, > > BTW, is this advice in the admin guide? I would suggest its worth stating..... > Noted. > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] > Sent: Thursday, 3 May 2012 9:45 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] ipa-client install error > > On 05/02/2012 05:29 PM, Steven Jones wrote: >> What is the impact of IPA not working properly? > You need to differentiate client system that uses IPA for identity > lookups and authentication and administrative station where you have > ipa-admintools package installed. It is not recommended to have this > package on the client side to be higher version than on the server. 
We > are currently fixing the issue for the client enrollment to work even if > you try to enroll later version of the ipa client with the earlier > version of the server but for ipa-admintools the general rule: upgrade > server first and then the client ipa-admintools package should continue > to apply. > > >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ________________________________________ >> From: Martin Kosek [mkosek at redhat.com] >> Sent: Thursday, 3 May 2012 1:52 a.m. >> To: Rob Crittenden >> Cc: Steven Jones; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] ipa-client install error >> >> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote: >>> Steven Jones wrote: >>>> So this opens a chicken and egg? >>>> >>>> ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I cant upgrade the clients until after the servers are done....if so that is a huge and ugly looking task that is one way.... >>> No, that's not the problem at all. Enrolled clients will work as >>> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log >>> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still >>> investigating. We'll fix it if needed. >>> >>> rob >> I just sent a patch for this issue to freeipa-devel list. The problem >> was in the TGT forwarding as mentioned earlier in this thread. The >> patched client can now join an older IPA server. But ipa command still >> won't work properly as its API is higher that the server's. >> >> Martin >> >> >>>> regards >>>> >>>> Steven Jones >>>> >>>> Technical Specialist - Linux RHCE >>>> >>>> Victoria University, Wellington, NZ >>>> >>>> 0064 4 463 6272 >>>> >>>> ________________________________________ >>>> From: Rob Crittenden [rcritten at redhat.com] >>>> Sent: Wednesday, 2 May 2012 1:19 a.m. 
>>>> To: Steven Jones >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] ipa-client install error >>>> >>>> Steven Jones wrote: >>>>> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I cant correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error. >>>>> >>>>> ============== >>>>> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir >>>>> Discovery was successful! >>>>> Hostname: rhel664ws01.ods.vuw.ac.nz >>>>> Realm: ODS.VUW.AC.NZ >>>>> DNS Domain: ods.vuw.ac.nz >>>>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz >>>>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz >>>>> >>>>> >>>>> Continue to configure the system with these values? [no]: yes >>>>> User authorized to enroll computers: admjonesst1 >>>>> Synchronizing time with KDC... >>>>> Unable to sync time with IPA NTP server, assuming the time is in sync. >>>>> Password for admjonesst1 at ODS.VUW.AC.NZ: >>>>> >>>>> Enrolled in IPA realm ODS.VUW.AC.NZ >>>>> Created /etc/ipa/default.conf >>>>> Unable to activate the SSH service in SSSD config. >>>>> Please make sure you have SSSD built with SSH support installed. >>>>> Configure SSH support manually in /etc/sssd/sssd.conf. 
>>>>> Configured /etc/sssd/sssd.conf >>>>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ >>>>> Traceback (most recent call last): >>>>> File "/usr/sbin/ipa-client-install", line 1534, in >>>>> sys.exit(main()) >>>>> File "/usr/sbin/ipa-client-install", line 1521, in main >>>>> rval = install(options, env, fstore, statestore) >>>>> File "/usr/sbin/ipa-client-install", line 1358, in install >>>>> api.Backend.xmlclient.connect() >>>>> File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect >>>>> conn = self.create_connection(*args, **kw) >>>>> File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection >>>>> raise errors.KerberosError(major=str(krberr), minor='') >>>>> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/ >>>>> [root at rhel664ws01 ~]# >>>>> =========== >>>>> >>>>> Is this expected when trying to connect 6.3beta? ie its simply not compatible? >>>>> >>>> The newer 2.2 client cannot connect to an older 2.1 server because it >>>> isn't going to send the TGT that the 2.1 server requires. We should >>>> handle this better, I've opened a ticket to track this: >>>> https://fedorahosted.org/freeipa/ticket/2697 >>>> >>>> rob >>>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. 
Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ian at crystal.harvard.edu Wed May 2 22:11:48 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Wed, 2 May 2012 18:11:48 -0400
Subject: [Freeipa-users] Replication status
In-Reply-To: <4FA1ADA3.70209@redhat.com>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu> <4FA1ADA3.70209@redhat.com>
Message-ID: <7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>

On May 2, 2012, at 5:56 PM, Dmitri Pal wrote:

>> I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending & resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?
>
> http://port389.org/wiki/Howto:ReplicationMonitoring

Thanks for the reply, but storing the directory manager password in plain text defies any sort of paranoia that should be fundamental to an IPA admin. I find it hard to believe it's even recommended at all!

Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less privileged account; i.e., an account solely designed to check replication status?
Thanks,
Ian

From rmeggins at redhat.com Wed May 2 22:48:34 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 02 May 2012 16:48:34 -0600
Subject: [Freeipa-users] Replication status
In-Reply-To: <7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu> <4FA1ADA3.70209@redhat.com> <7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
Message-ID: <4FA1B9C2.2020500@redhat.com>

On 05/02/2012 04:11 PM, Ian Levesque wrote:
> On May 2, 2012, at 5:56 PM, Dmitri Pal wrote:
>
>>> I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending & resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?
>> http://port389.org/wiki/Howto:ReplicationMonitoring
> Thanks for the reply, but storing the directory manager password in plain text defies any sort of paranoia that should be fundamental to an IPA admin. I find it hard to believe it's even recommended at all!
>
> Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less privileged account; i.e., an account solely designed to check replication status?

You also need to expose the RUV tombstone entry at the base of each suffix.
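A Nagios-style check for the monitoring question Ian raises in this thread, added here by the editor and not taken from any poster, from FreeIPA or from 389-ds: it parses the nsDS5ReplicationAgreement entries that a dedicated read-only bind account (rather than Directory Manager) could fetch from cn=config with ldapsearch, and maps nsds5replicaLastUpdateStatus / nsds5replicaLastUpdateEnd / nsds5replicaUpdateInProgress onto OK, WARNING, CRITICAL and UNKNOWN. The sample search output, the fixed "now" timestamp and the one-hour staleness threshold are constructed assumptions, and the check does not cover the RUV tombstone Rich mentions.

```python
"""Nagios-style check of 389-ds replication agreement status (added example).

Not code from any poster, FreeIPA or 389-ds.  It evaluates the agreement entries
a dedicated read-only bind account (rather than Directory Manager) could fetch
from cn=config with ldapsearch; SAMPLE_LDIF stands in for that search output."""
import re
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3                  # Nagios return codes
_SEVERITY = {OK: 0, UNKNOWN: 1, WARNING: 2, CRITICAL: 3}     # Nagios precedence
_STATUS_RE = re.compile(r"^(?:Error\s*\()?(-?\d+)\)?(?:\s|$)")

# Constructed ldapsearch output: one healthy agreement and one whose consumer is
# unreachable; both historical status formats appear, and one value is LDIF-folded.
SAMPLE_LDIF = """\
dn: cn=meToreplica1,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsds5replicaHost: replica1.example.test
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaLastUpdateEnd: 20120502210000Z
nsds5replicaUpdateInProgress: FALSE

dn: cn=meToreplica2,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsds5replicaHost: replica2.example.test
nsds5replicaLastUpdateStatus: Error (-1) Problem connecting to replica - LDAP err
 or: Can't contact LDAP server (connection error)
nsds5replicaLastUpdateEnd: 0
nsds5replicaUpdateInProgress: FALSE
"""
# Constructed "now" that matches the sample, so the demo run is deterministic.
SAMPLE_NOW = datetime(2012, 5, 2, 21, 30, tzinfo=timezone.utc)

def parse_ldif(text):
    """Minimal LDIF reader: one {attr_lowercase: [values]} dict per entry.
    Handles folded continuation lines (leading space) and '#' comments."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]          # continuation of the previous value
        elif not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def status_code(status):
    """Numeric code from nsds5replicaLastUpdateStatus (0 = success), or None."""
    m = _STATUS_RE.match(status.strip())
    return int(m.group(1)) if m else None

def ldap_time(value):
    """GeneralizedTime -> aware datetime; the server reports '0' for 'never'."""
    if not value or value == "0":
        return None
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def evaluate_agreements(entries, now, max_age=timedelta(hours=1)):
    """Return (nagios_code, message) for the parsed agreement entries."""
    agreements = [e for e in entries if "nsds5replicationagreement"
                  in (v.lower() for v in e.get("objectclass", []))]
    if not agreements:
        return UNKNOWN, "no replication agreements visible (check the bind account's ACIs)"
    worst, problems = OK, []
    for e in agreements:
        host = e.get("nsds5replicahost", e.get("cn", ["?"]))[0]
        status = e.get("nsds5replicalastupdatestatus", [""])[0]
        code = status_code(status)
        end = ldap_time(e.get("nsds5replicalastupdateend", ["0"])[0])
        busy = e.get("nsds5replicaupdateinprogress", ["FALSE"])[0].upper() == "TRUE"
        if code is None:
            level, text = UNKNOWN, "unparseable status %r" % status
        elif code != 0:
            level, text = CRITICAL, status        # supplier failed to update this consumer
        elif end is None and not busy:
            level, text = WARNING, "no update has completed yet"
        elif end is not None and not busy and now - end > max_age:
            level, text = WARNING, "last successful update %s ago" % (now - end)
        else:
            continue                               # healthy (or an update is running)
        problems.append("%s: %s" % (host, text))
        if _SEVERITY[level] > _SEVERITY[worst]:
            worst = level
    if not problems:
        return OK, "%d agreement(s) healthy" % len(agreements)
    return worst, "; ".join(problems)

if __name__ == "__main__":
    rc, msg = evaluate_agreements(parse_ldif(SAMPLE_LDIF), SAMPLE_NOW)
    print("REPLICATION %s - %s" % (("OK", "WARNING", "CRITICAL", "UNKNOWN")[rc], msg))
    raise SystemExit(rc)
```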
>
> Thanks,
> Ian

From ian at crystal.harvard.edu Thu May 3 01:36:40 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Wed, 2 May 2012 21:36:40 -0400
Subject: [Freeipa-users] Replication status
In-Reply-To: <4FA1B9C2.2020500@redhat.com>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu> <4FA1ADA3.70209@redhat.com> <7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu> <4FA1B9C2.2020500@redhat.com>
Message-ID:

On May 2, 2012, at 6:48 PM, Rich Megginson wrote:

>> Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less privileged account; i.e., an account solely designed to check replication status?
>
> You also need to expose the RUV tombstone entry at the base of each suffix.

Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before; any pointers?

Cheers,
Ian

From rmeggins at redhat.com Thu May 3 01:41:21 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 02 May 2012 19:41:21 -0600
Subject: [Freeipa-users] Replication status
In-Reply-To:
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu> <4FA1ADA3.70209@redhat.com> <7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu> <4FA1B9C2.2020500@redhat.com>
Message-ID: <4FA1E241.3040606@redhat.com>

On 05/02/2012 07:36 PM, Ian Levesque wrote:
> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>
>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less privileged account; i.e., an account solely designed to check replication status?
>> You also need to expose the RUV tombstone entry at the base of each suffix.
> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before; any pointers?
>
> Cheers,
> Ian
>

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html

From Steven.Jones at vuw.ac.nz Thu May 3 02:00:41 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 3 May 2012 02:00:41 +0000
Subject: [Freeipa-users] bluearc and IPA
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8B0F8@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Has anyone got a Bluearc storage NAS working with IPA? If so, do you have any notes please?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From rcritten at redhat.com Thu May 3 03:13:21 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 May 2012 23:13:21 -0400
Subject: [Freeipa-users] Replication status
In-Reply-To: <4FA1E241.3040606@redhat.com>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu> <4FA1ADA3.70209@redhat.com> <7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu> <4FA1B9C2.2020500@redhat.com> <4FA1E241.3040606@redhat.com>
Message-ID: <4FA1F7D1.50703@redhat.com>

Rich Megginson wrote:
> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>
>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>> to a less privileged account; i.e., an account solely designed to
>>>> check replication status?
>>> You also need to expose the RUV tombstone entry at the base of each
>>> suffix.
>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>> any pointers?
>>
>> Cheers,
>> Ian
>>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html

We already have some delegated permissions for replication but none granting only read access.
Off the cuff, something like this might work:

dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr="*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Read Replication Agreements
ipapermissiontype: SYSTEM

Note that you'll need to replace $SUFFIX with your base dn (dc=example,dc=com). This is untested so YMMV. If you find that it works and is useful please let us know, maybe we can add this for everyone to enjoy :-)

rob

From fykcee1 at gmail.com Thu May 3 09:35:59 2012
From: fykcee1 at gmail.com (cee1)
Date: Thu, 3 May 2012 17:35:59 +0800
Subject: [Freeipa-users] Does FreeIPA support web services SSO gracefully?
Message-ID:

Hi all,

We have a round of web services (mail, JIRA, trac, etc.), each has its own account database. We are seeking an SSO solution, thus users need only to login once and can then access all web services.

Does FreeIPA support it gracefully?

-- 
Regards,

- cee1

From matt at mldserviceslex.com Thu May 3 12:31:37 2012
From: matt at mldserviceslex.com (Matthew Davidson)
Date: Thu, 3 May 2012 08:31:37 -0400
Subject: [Freeipa-users] red hat 5 and red hat 6 compatability
In-Reply-To: <4FA17C7C.2000600@redhat.com>
References: , <4FA141DE.1080703@redhat.com> , <4FA1532C.8070709@redhat.com> , <4FA17C7C.2000600@redhat.com>
Message-ID:

Hi Rob,

Turned off dns and added ip addresses, added names to host files and it works. My bad.
Matt

> Date: Wed, 2 May 2012 14:27:08 -0400
> From: rcritten at redhat.com
> To: matt at mldserviceslex.com
> CC: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> Matthew Davidson wrote:
> > Hi Rob
> >
> > [root at rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
> > DNS domain 'example.com' is not configured for automatic KDC address lookup.
> > KDC address will be set to fixed value.
> >
> > Discovery was successful!
> > Hostname: rhel6.example.com
> > Realm: EXAMPLE.COM
> > DNS Domain: EXAMPLE.COM
> > IPA Server: rhel6.example.com
> > BaseDN: dc=example,dc=com
> >
> > Continue to configure the system with these values? [no]: yes
> > User authorized to enroll computers: admin
> > Synchronizing time with KDC...
> > Password for admin at EXAMPLE.COM:
> >
> > Enrolled in IPA realm EXAMPLE.COM
> > Created /etc/ipa/default.conf
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> > SSSD enabled
> > *Unable to find 'admin' user with 'getent passwd admin'!*
> > Recognized configuration: SSSD
> > Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
> > NTP enabled
> > Client configuration complete.
> >
> > /var/log/secure
> > May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
> > May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
> > May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
> > May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
> > May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
> > May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
> >
> > /var/log/sssd/ldap_child.log
> > (Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>
> This is the key. sssd can't connect to the IPA server due to this Kerberos error which is why the user information is unavailable.
>
> Am I right to assume you have another Kerberos server (or AD) configured using the same realm name on your network? I have the feeling sssd is finding the wrong KDC.
>
> rob

From prmarino1 at gmail.com Thu May 3 16:16:32 2012
From: prmarino1 at gmail.com (Paul Robert Marino)
Date: Thu, 3 May 2012 12:16:32 -0400
Subject: [Freeipa-users] Does FreeIPA support web services SSO gracefully?
In-Reply-To:
References:
Message-ID:

Yes and no. Not completely natively, but in theory yes.

Kerberos is the original SSO solution and it works very well, but webapps don't always play nice with existing authentication solutions. Since Kerberos 5 is part of FreeIPA you have a chance to get it working if they play nice with Apache's authentication mechanisms.

There is an Apache module for Kerberos auth that works well. Two notes about it: turn on credential caching because it significantly reduces the load on the Kerberos server, and keep in mind that Internet Explorer leaves native Kerberos on (you won't get prompted for a user name or password if you have a valid Kerberos ticket) but Firefox turns it off by default, and I'm not sure about Chrome. In other words, if you leave the default setting in Firefox it will use basic auth (clear text password unless you use SSL) to interact with Apache and subsequently Kerberos. This is a wonderful way to make a secure authentication mechanism insecure if you don't use SSL.

That said, I know for a fact Trac does work well with Kerberos auth.

One warning: Apache has an LDAP authentication module as well; avoid it like the plague unless you like to launch denial of service attacks against your own servers. The LDAP auth module will query your LDAP servers every time a user accesses a file or CGI on the server, and by file I mean a page with 5 images will query your LDAP server at least 6 times every time you access it. The worst part about the LDAP auth module in Apache is it doesn't ever log out its connection to the LDAP server as far as I can tell, so it's a recipe for a sorcerer's apprentice syndrome DoS attack because of file handle limitations and the exponential number of connections it opens. Essentially the Apache LDAP auth module is responsible for many of the claims that centralized auth on Linux and Unix crashes often.

On May 3, 2012 5:39 AM, "cee1" wrote:
> Hi all,
>
> We have a round of web services (mail, JIRA, trac, etc.), each has its own account database. We are seeking an SSO solution, thus users need only to login once and can then access all web services.
>
> Does FreeIPA support it gracefully?
>
> --
> Regards,
>
> - cee1

From JR.Aquino at citrix.com Thu May 3 16:26:21 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 3 May 2012 16:26:21 +0000
Subject: [Freeipa-users] Replication status
In-Reply-To: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
Message-ID:

I have been considering looking into using this: http://cnmonitor.sourceforge.net/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aquino at citrixonline.com
http://www.citrixonline.com

On May 2, 2012, at 2:46 PM, Ian Levesque wrote:

Hi,

I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working.
I just realized that our replica's IPA processes were hung (likely as a result of suspending & resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?

Cheers,
Ian

From JR.Aquino at citrix.com Thu May 3 18:32:33 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 3 May 2012 18:32:33 +0000
Subject: [Freeipa-users] Replication status
In-Reply-To:
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
Message-ID:

Also See: http://directory.fedoraproject.org/wiki/Howto:CN%3DMonitor_LDAP_Monitoring ;)

On May 3, 2012, at 9:26 AM, JR Aquino wrote:

> I have been considering looking into using this: http://cnmonitor.sourceforge.net/
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino | Sr. Information Security Specialist
> GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T: +1 805.690.3478
> C: +1 805.717.0365
> jr.aquino at citrixonline.com
> http://www.citrixonline.com
>
> On May 2, 2012, at 2:46 PM, Ian Levesque wrote:
>
> Hi,
>
> I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending & resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?
> > Cheers, > Ian > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From rcritten at redhat.com Thu May 3 19:49:16 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 03 May 2012 15:49:16 -0400 Subject: [Freeipa-users] Announcing FreeIPA v2.2.0 Release Message-ID: <4FA2E13C.9040006@redhat.com> The FreeIPA team is proud to announce version FreeIPA v2.2.0. It can be downloaded from http://www.freeipa.org/Downloads. A build is on the way to updates-testing for Fedora 17. Fedora 15 and 16 are not supported by FreeIPA 2.2.0 due to missing dependencies. == Highlights in 2.2.0 == * Forms-based login. If Kerberos Single-Sign-On authentication fails, you now have the option to authenticate through a form-base login page using your domain username and password. You an also go directly to the page named /ipa/ui/login.html to do form-based authentication without attempting a Kerberos login at all * Logout from the UI * Support for SSH known-hosts with sssd 1.8.0. This will create a known-hosts file dynamically based on information stored in IPA. * SELinux user maps to control a user's SELinux context depending on what host they log into (requires sssd 1.8.0+). * Support for global configuration of the name server stored in LDAP, including a list of global forwarders, forward policy, DNS zone refresh poll timeout. * Enhanced per-zone configuration, including query and transfer policy, and conditional forwarding. * DNS record CLI and Web UI is vastly improved, including an improved validation of supported DNS record types, an ability to create compound DNS records (like LOC or SRV) by its parts. 
* Migration improvements including being able to specify the basedn, translation of stored DN values. User-Private groups are no longer being created for migrated users. * We recommend that the compat plugin be disabled during migration to avoid unnecessary overhead. * On new installations the default users group, ipausers, is now non-POSIX to speed up user enumeration in SSSD. To make ipausers a POSIX group run ipa group-mod --posix ipausers. * The WebUI now has support for HBAC testing and Automember mananagement. == Upgrading == An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance. If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded. Downgrading a server once upgraded is not supported. Upgrading from 2.1.90 rc1 has not been tested. An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys. == Feedback == Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel == Detailed Changelog since 2.1.90 rc 1 == Alexander Bokovoy (1): * When changing multiple booleans with setsebool, pass each of them separately. Jan Cholasta (9): * Wait for child process to terminate after receiving SIGINT in ipautil.run. * Parse zone indices in IPv6 addresses in CheckedIPAddress. * Fix uses of O=REALM instead of the configured certificate subject base. * Fix the procedure for getting default values of command parameters. 
* Change parameters to use only default_from for dynamic default values.
* Check whether the default user group is POSIX when adding new user with --noprivate.
* Check configured maximum user login length on user rename.
* Fix internal error when renaming user with an empty string.
* Set the "KerberosAuthentication" option in sshd_config to "no" instead of "yes".

John Dennis (7):
* Replace broken i18n shell test with Python test
* improve handling of ds instances during uninstall
* Use indexed format specifiers in i18n strings
* text unit test should validate using installed mo file
* Validate DN & RDN parameters for migrate command
* don't append basedn to container if it is included
* Fix name error in hbactest

Lars Sjostrom (1):
* Add discovery domain if client domain is different from server domain

Martin Kosek (29):
* Ignore case in yes/no prompts
* Refresh resolvers after DNS install
* Fix migration plugin compat check
* Fix ipa-replica-manage TLS connection error
* Treat UPGs correctly in winsync replication
* Allow port numbers for idnsForwarders
* Add missing global options in dnsconfig
* Fix precallback validators in DNS plugin
* Harden raw record processing in DNS plugin
* Fix LDAP effective rights control with python-ldap 2.4.x
* Avoid deleting DNS zone when a context is reused
* Fix default SOA serial format
* Amend permissions for new DNS attributes
* Improve user awareness about dnsconfig
* Fix dnsrecord-del interactive mode
* Tolerate UDP port failures in conncheck
* Improve automount indirect map error message
* Forbid public access to DNS tree
* Configure SELinux for httpd during upgrades
* Fix installation when server hostname is not in a default domain
* Return correct record name in DNS plugin
* Fix dnsrecord_add interactive mode
* Fix DNS and permissions unit tests
* Raise proper exception when LDAP limits are exceeded
* Do not fail migration because of duplicate groups
* Fix help of --hostname option in ipa-client-install
* Sort password policies properly with --pkey-only
* Improve error message in zonemgr validator
* Make ipa 2.2 client capable of joining an older server

Ondrej Hamada (7):
* More exception handlers in ipa-client-install
* Search allowed attributes in superior objectclasses
* Typos in FreeIPA messages
* Netgroup nisdomain and hosts validation
* Confusing default user groups
* Unable to rename permission object
* Fix empty external member processing

Petr Viktorin (22):
* Allow removing sudo commands with special characters from command groups
* Enforce that required attributes can't be set to None in CRUD Update
* Mark most config options as required
* Don't crash when searching with empty relationship options
* Remove ipausers' gidnumber from tests
* Use nose tools to check for exceptions
* Only split CSV in the client, quote instead of escaping
* Add missing BuildRequires
* Use valid argument names in tests
* Add CLI parsing tests
* Allow multi-line CSV parameters
* Move test skipping to class setup
* Fix little test errors
* Test the batch plugin
* Defer conversion and validation until after --{add,del,set}attr are handled
* Limit permission and selfservice names to alphanumerics, -, _, space
* Convert --setattr values for attributes marked no_update
* Fix expected error messages in tests
* Remove pattern_errmsg from API.txt
* Pass make-test arguments through to Nose
* Document the 'nonempty' flag
* Additional tests for pwpolicy

Petr Vobornik (22):
* Fixed mask validation in network_validator
* Fixed checkbox value in table without pkey
* Certificate serial number in hex format - ui testing data
* Fixed evaluating checkbox dirty status
* Better hbactest validation message
* Content is no more overwritten by error message
* Show_content on refresh success
* Fixed rpm build warning - extension.js listed twice
* Add support of new options in dnsconfig
* DNS forwarder validator
* Added mac address to host page
* Facet expiration flag
* Inter-facet expiration
* Reworked netgroup Web UI to allow setting user/host category
* Fixed: permission attrs table didn't update its available options on load
* Added attrs field to permission for target=subtree
* DNS forward policy: checkboxes changed to radio buttons
* Removed mutex option from checkboxes
* Removal of memberofindirect_permissons from privileges
* User is notified that password needs to be reset in forms-based login
* Added permission field to delegation
* Paging disable for password policies

Rob Crittenden (34):
* Fix NSS no_init in the NSSHTTPS class
* Set minimum version of selinux-policy to pick up memcached fix
* Fix nsslapd-anonlimitsdn dn in cn=config
* Set SELinux boolean httpd_manage_ipa so ipa_memcached will work.
* Don't set dbdir in the connection until after the connection is created.
* Display serial number as HEX (DECIMAL) when showing certificates.
* Add subject key identifier to the dogtag server cert profile.
* Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.conf
* Import the ipaserver plugins based on context, not env.in_server.
* Don't allow hosts and services of IPA masters to be disabled.
* Use a consistent parameter name in errors, defaulting to cli_name.
* No longer shell escape the DM password when calling pkisilent.
* Fix test failure testing rename with an invalid hostname.
* Fix attributes that contain DNs when migrating.
* Normalize the primary key value to lowercase during migration.
* Fix unit tests to work with new comma-support, validation requirements
* Set minimum version of 389-ds-base to 1.2.10.4-2 to fix upgrade issue
* Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.
* Add requires on python-krbV to client subpackage
* Fix failure count interval attribute name in query for password policy.
* Handle updating replication agreements that lack nsDS5ReplicatedAttributeList
* Don't create private groups for migrated users, check for valid gidnumber
* Add updated Output format for batch to API.txt
* Make revocation_reason required when revoking a certificate.
* Add missing comma to list of services that cannot be disabled.
* Return consistent value when hostcat and usercat is all.
* Dereference pointer when comparing password history in qsort compare.
* Configure certmonger to execute restart scripts on renewal.
* Remove the running state when uninstalling DS instances.
* Return consistent expiration message for forms-based login
* Use mixed-case for Read DNS Entries permission
* Update docs for user-status, always show disabled, time for each server.

Simo Sorce (1):
* Fix memleak and silence Coverity defects

From Steven.Jones at vuw.ac.nz Thu May 3 21:21:04 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 3 May 2012 21:21:04 +0000
Subject: [Freeipa-users] Does FreeIPA support web services SSO gracefully?
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8B72E@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

My experience so far is that IPA has a great interface to use, but it's only suitable for a very simple setup at present IMHO. Everything else, i.e. in a typical complex and diverse enterprise, is proving very hard going as it lacks critical mass from users and vendors.

The biggest issue I am having is lack of documentation / examples when connecting to any sort of external service or hardware, e.g. Bluearc's kit, EMC kit, Bluecoat, samba, sendmail etc.

Think of this as spending time hacking things....if you love doing that, if you are happy to be on your own and have a LOT of time, lots of coffee, good mental health insurance, it's not mission critical and realistic management expectations to work to....go for it.....
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of cee1 [fykcee1 at gmail.com]
Sent: Thursday, 3 May 2012 9:35 p.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Does FreeIPA support web services SSO gracefully?

Hi all,

We have a set of web services (mail, JIRA, trac etc.), each with its own account database. We are seeking an SSO solution, so that users need only log in once and can then access all web services.

Does FreeIPA support it gracefully?

--
Regards,

- cee1

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From fykcee1 at gmail.com Fri May 4 02:11:34 2012
From: fykcee1 at gmail.com (cee1)
Date: Fri, 4 May 2012 10:11:34 +0800
Subject: [Freeipa-users] Does FreeIPA support web services SSO gracefully?

2012/5/4 Paul Robert Marino :
> There is an Apache module for Kerberos auth that works well. Two notes about
> it: turn on credential caching because it significantly reduces the load on
> the Kerberos server, and keep in mind that Internet Explorer leaves native
> Kerberos on (you won't get prompted for a user name or password if you have a
> valid Kerberos ticket) but Firefox turns it off by default and I'm not sure
> about Chrome. In other words if you leave the default setting in Firefox it
> will use basic auth (clear text password unless you use SSL) to interact
> with Apache and subsequently Kerberos. This is a wonderful way to make a
> secure authentication mechanism insecure if you don't use SSL.
> That said I know for a fact Trac does work well with Kerberos auth.

That means if the user's browser doesn't support Kerberos, or has Kerberos
off by default, it will break SSO, right?
Maybe I should try FreeIPA in conjunction with CoSign?

--
Regards,

- cee1

From christoph.kaminski at biotronik.com Fri May 4 07:37:59 2012
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Fri, 4 May 2012 09:37:59 +0200
Subject: [Freeipa-users] Announcing FreeIPA v2.2.0 Release
In-Reply-To: <4FA2E13C.9040006@redhat.com>
References: <4FA2E13C.9040006@redhat.com>

Are there already el5/el6 rpms somewhere?

Regards
Christoph Kaminski

From: Rob Crittenden
To: freeipa-devel , freeipa-users , freeipa-interest at redhat.com
Date: 03.05.2012 21:50
Subject: [Freeipa-users] Announcing FreeIPA v2.2.0 Release
Sent by: freeipa-users-bounces at redhat.com

The FreeIPA team is proud to announce version FreeIPA v2.2.0.

It can be downloaded from http://www.freeipa.org/Downloads. A build is on the way to updates-testing for Fedora 17.

Fedora 15 and 16 are not supported by FreeIPA 2.2.0 due to missing dependencies.

== Highlights in 2.2.0 ==

* Forms-based login. If Kerberos Single-Sign-On authentication fails, you now have the option to authenticate through a form-based login page using your domain username and password. You can also go directly to the page named /ipa/ui/login.html to do form-based authentication without attempting a Kerberos login at all
* Logout from the UI
* Support for SSH known-hosts with sssd 1.8.0. This will create a known-hosts file dynamically based on information stored in IPA.
* SELinux user maps to control a user's SELinux context depending on what host they log into (requires sssd 1.8.0+).
* Support for global configuration of the name server stored in LDAP, including a list of global forwarders, forward policy, DNS zone refresh poll timeout.
* Enhanced per-zone configuration, including query and transfer policy, and conditional forwarding.
* DNS record CLI and Web UI is vastly improved, including an improved validation of supported DNS record types, an ability to create compound DNS records (like LOC or SRV) by its parts.
From djuran at redhat.com Fri May 4 14:04:02 2012
From: djuran at redhat.com (David Juran)
Date: Fri, 04 May 2012 16:04:02 +0200
Subject: [Freeipa-users] Trying out ipa on zlinux
Message-ID: <1336140242.3243.243.camel@localhost.localdomain>

Hello

We've been trying to get IPA running on a RHEL6.2 zLinux (s390x). We've recompiled the RHEL6 SRPMS (including the 389 packages) for the architecture and eventually they installed. But when trying to set up the server, it fails when trying to create the KDC.

Configuring Kerberos KDC: Estimated time 30 seconds
  [1/14]: setting KDC account password
  [2/14]: adding sasl mappings to the directory
  [3/14]: adding kerberos entries to the DS
  [4/14]: adding default ACIs
  [5/14]: configuring KDC
Failed to populate the realm structure in kerberos
Command 'kdb5_ldap_util -D uid=kdc,cn=sysaccounts,cn=etc,dc=srv,dc=volvo,dc=com create -s -r SRV.VOLVO.COM -subtrees dc=srv,dc=volvo,dc=com -sscope sub' returned non-zero exit status 1
  [6/14]: adding default keytypes
root        : CRITICAL Failed to load default-keytypes.ldif: Command '/usr/bin/ldapmodify -h zlin2011.srv.volvo.com -v -f /tmp/tmpERWFsx -x -D cn=Directory Manager -y /tmp/tmpC1RCfQ' returned non-zero exit status 32
  [7/14]: adding default password policy
root        : CRITICAL Failed to load default-pwpolicy.ldif: Command '/usr/bin/ldapmodify -h zlin2011.srv.volvo.com -v -f /tmp/tmpPUNKLs -x -D cn=Directory Manager -y /tmp/tmpPcnobe' returned non-zero exit status 32
  [8/14]: creating a keytab for the directory
Unexpected error - see ipaserver-install.log for details:
Command 'kadmin.local -q addprinc -randkey ldap/zlin2011.srv.volvo.com at SRV.VOLVO.COM' returned non-zero exit status 1

From the dirsrv access log, we see the following line which differs from when trying to install on x86_64 (where it works):

[04/May/2012:15:22:27 +0200] conn=8 fd=66 slot=66 connection from local to /var/run/slapd-SRV-VOLVO-COM.socket
[04/May/2012:15:22:27 +0200] conn=8 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=srv,dc=volvo,dc=com" method=128 version=3
[04/May/2012:15:22:27 +0200] conn=8 op=0 RESULT err=7 tag=97 nentries=0 etime=0
[04/May/2012:15:22:27 +0200] conn=8 op=-1 fd=66 closed - B1

Would anyone have a clue what could be wrong?

--
David Juran
+46-725-345801
Sr. Consultant
Red Hat

From simo at redhat.com Fri May 4 14:25:55 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 04 May 2012 10:25:55 -0400
Subject: [Freeipa-users] Trying out ipa on zlinux
In-Reply-To: <1336140242.3243.243.camel@localhost.localdomain>
References: <1336140242.3243.243.camel@localhost.localdomain>
Message-ID: <1336141555.5722.159.camel@willson.li.ssimo.org>

On Fri, 2012-05-04 at 16:04 +0200, David Juran wrote:
> 
> [04/May/2012:15:22:27 +0200] conn=8 fd=66 slot=66 connection from
> local to /var/run/slapd-SRV-VOLVO-COM.socket
> [04/May/2012:15:22:27 +0200] conn=8 op=0 BIND
> dn="uid=kdc,cn=sysaccounts,cn=etc,dc=srv,dc=volvo,dc=com" method=128
> version=3
> [04/May/2012:15:22:27 +0200] conn=8 op=0 RESULT err=7 tag=97
> nentries=0 etime=0
> [04/May/2012:15:22:27 +0200] conn=8 op=-1 fd=66 closed - B1
> 
> Would anyone have a clue what could be wrong?
> 

err=7 seems to be LDAP_AUTH_METHOD_NOT_SUPPORTED

Are you lacking sasl dependencies in 389 by chance?

Not sure that's the cause though, as IIRC 2.1 used simple binds.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From djuran at redhat.com Fri May 4 14:44:19 2012
From: djuran at redhat.com (David Juran)
Date: Fri, 04 May 2012 16:44:19 +0200
Subject: [Freeipa-users] Trying out ipa on zlinux
In-Reply-To: <1336141555.5722.159.camel@willson.li.ssimo.org>
References: <1336140242.3243.243.camel@localhost.localdomain> <1336141555.5722.159.camel@willson.li.ssimo.org>
Message-ID: <1336142659.3243.245.camel@localhost.localdomain>

On fre, 2012-05-04 at 10:25 -0400, Simo Sorce wrote:
> On Fri, 2012-05-04 at 16:04 +0200, David Juran wrote:
> > 
> > [04/May/2012:15:22:27 +0200] conn=8 fd=66 slot=66 connection from
> > local to /var/run/slapd-SRV-VOLVO-COM.socket
> > [04/May/2012:15:22:27 +0200] conn=8 op=0 BIND
> > dn="uid=kdc,cn=sysaccounts,cn=etc,dc=srv,dc=volvo,dc=com" method=128
> > version=3
> > [04/May/2012:15:22:27 +0200] conn=8 op=0 RESULT err=7 tag=97
> > nentries=0 etime=0
> > [04/May/2012:15:22:27 +0200] conn=8 op=-1 fd=66 closed - B1
> > 
> > Would anyone have a clue what could be wrong?
> > 
> err=7 seems to be LDAP_AUTH_METHOD_NOT_SUPPORTED
> 
> Are you lacking sasl dependencies in 389 by chance?

I think I got SASL support in:

root at zlin2011:/var/log/dirsrv/slapd-SRV-VOLVO-COM# ldapsearch -D "cn=directory manager" -w secret -x -s base -b "" "supportedSASLMechanisms"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801
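The access-log excerpt in this thread is easier to reason about once the BIND line and the RESULT line for the same conn/op are paired and the numeric err code is given its RFC 4511 name (err=7 is the authMethodNotSupported code Simo refers to). The following Python is an added example by the editor, not code from this thread or from FreeIPA/389-ds. It parses the four log lines David posted plus a few constructed lines in the same 389-ds access-log format (the extra connection numbers, the Directory Manager bind and the failed GSSAPI bind are made up for illustration) and reports, per bind, the DN, the method and the named result. It assumes the standard 389-ds layout: method=128 for a simple bind, and method=sasl ... mech=NAME for SASL binds.

```python
import re
from collections import namedtuple

# LDAP result codes (RFC 4511) most often seen on a failed BIND.
# 7 is the authMethodNotSupported code named in the thread; 32 (noSuchObject)
# is also the exit status ldapmodify reported in the install log, since the
# OpenLDAP tools exit with the LDAP result code.
LDAP_RESULT = {
    0: "success",
    7: "authMethodNotSupported",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# 389-ds writes "method=128 version=3" for a simple bind and
# "method=sasl version=3 mech=GSSAPI" for a SASL bind.
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'method=(?P<method>\S+)(?:\s+version=\d+)?(?:\s+mech=(?P<mech>\S+))?'
)
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')

BindOutcome = namedtuple("BindOutcome", "conn op dn method err name")

# Constructed sample log: the first four lines are the ones posted in the
# thread; the remaining lines are made up in the same format.
SAMPLE_LOG = [
    '[04/May/2012:15:22:27 +0200] conn=8 fd=66 slot=66 connection from local to /var/run/slapd-SRV-VOLVO-COM.socket',
    '[04/May/2012:15:22:27 +0200] conn=8 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=srv,dc=volvo,dc=com" method=128 version=3',
    '[04/May/2012:15:22:27 +0200] conn=8 op=0 RESULT err=7 tag=97 nentries=0 etime=0',
    '[04/May/2012:15:22:27 +0200] conn=8 op=-1 fd=66 closed - B1',
    '[04/May/2012:15:23:01 +0200] conn=9 op=0 BIND dn="cn=Directory Manager" method=128 version=3',
    '[04/May/2012:15:23:01 +0200] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
    '[04/May/2012:15:23:05 +0200] conn=10 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[04/May/2012:15:23:05 +0200] conn=10 op=0 RESULT err=49 tag=97 nentries=0 etime=0',
]


def bind_outcomes(lines):
    """Pair every BIND with the RESULT of the same (conn, op) and name its err code."""
    pending = {}
    outcomes = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            key = (int(m.group("conn")), int(m.group("op")))
            if m.group("mech"):
                method = m.group("mech")
            elif m.group("method") == "128":
                method = "simple"
            else:
                method = m.group("method")
            pending[key] = (m.group("dn"), method)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group("conn")), int(m.group("op")))
            if key in pending:  # RESULT lines of searches and modifies are ignored
                dn, method = pending.pop(key)
                err = int(m.group("err"))
                outcomes.append(BindOutcome(key[0], key[1], dn, method, err,
                                            LDAP_RESULT.get(err, "unknown")))
    return outcomes


def failed_binds(lines):
    """Only the binds whose RESULT was not err=0."""
    return [b for b in bind_outcomes(lines) if b.err != 0]


if __name__ == "__main__":
    for b in failed_binds(SAMPLE_LOG):
        who = b.dn or "(anonymous)"
        print(f"conn={b.conn} op={b.op} {b.method} bind as {who} -> err={b.err} ({b.name})")
```

Run against a real access log (one line per list element), the output tells you directly which DN was binding, whether it was a simple or SASL bind, and what the server answered, which is the information to have in hand before reaching for a package list.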
From matt at mldserviceslex.com Fri May 4 14:49:10 2012
From: matt at mldserviceslex.com (Matthew Davidson)
Date: Fri, 4 May 2012 10:49:10 -0400
Subject: [Freeipa-users] Integrate with Samba

Hello,

Does anyone have any pointers or documentation on integrating Samba or "file" shares with IPA?

thanks
Matt

From simo at redhat.com Fri May 4 14:52:51 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 04 May 2012 10:52:51 -0400
Subject: [Freeipa-users] Trying out ipa on zlinux
In-Reply-To: <1336142659.3243.245.camel@localhost.localdomain>
References: <1336140242.3243.243.camel@localhost.localdomain> <1336141555.5722.159.camel@willson.li.ssimo.org> <1336142659.3243.245.camel@localhost.localdomain>
Message-ID: <1336143171.5722.160.camel@willson.li.ssimo.org>

On Fri, 2012-05-04 at 16:44 +0200, David Juran wrote:
> On fre, 2012-05-04 at 10:25 -0400, Simo Sorce wrote:
> > On Fri, 2012-05-04 at 16:04 +0200, David Juran wrote:
> > > 
> > > [04/May/2012:15:22:27 +0200] conn=8 fd=66 slot=66 connection from
> > > local to /var/run/slapd-SRV-VOLVO-COM.socket
> > > [04/May/2012:15:22:27 +0200] conn=8 op=0 BIND
> > > dn="uid=kdc,cn=sysaccounts,cn=etc,dc=srv,dc=volvo,dc=com" method=128
> > > version=3
> > > [04/May/2012:15:22:27 +0200] conn=8 op=0 RESULT err=7 tag=97
> > > nentries=0 etime=0
> > > [04/May/2012:15:22:27 +0200] conn=8 op=-1 fd=66 closed - B1
> > > 
> > > Would anyone have a clue what could be wrong?
> > > 
> > err=7 seems to be LDAP_AUTH_METHOD_NOT_SUPPORTED
> > 
> > Are you lacking sasl dependencies in 389 by chance?
> 
> I think I got SASL support in:
> 
> root at zlin2011:/var/log/dirsrv/slapd-SRV-VOLVO-COM# ldapsearch -D "cn=directory manager" -w secret -x -s base -b "" "supportedSASLMechanisms"
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: supportedSASLMechanisms
> #
> 
> #
> dn:
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: PLAIN
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: LOGIN
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: ANONYMOUS
> supportedSASLMechanisms: DIGEST-MD5
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 

Please run:
rpm -qa |grep cyrus-sasl

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From abokovoy at redhat.com Fri May 4 14:56:28 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 4 May 2012 17:56:28 +0300
Subject: [Freeipa-users] Integrate with Samba
Message-ID: <20120504145628.GA2249@redhat.com>

On Fri, 04 May 2012, Matthew Davidson wrote:
>
> Hello,
> Does anyone have any pointers or documentation on integrating Samba or
> "file" shares with IPA?

http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

Some aspects of these instructions could be done a bit better, and IPAv3 will have a somewhat different schema (supported by a native IPA passdb module for Samba), but the state as it is should at least work as a stop gap for file server cases.
--
/ Alexander Bokovoy

From djuran at redhat.com Fri May 4 15:14:22 2012
From: djuran at redhat.com (David Juran)
Date: Fri, 04 May 2012 17:14:22 +0200
Subject: [Freeipa-users] Trying out ipa on zlinux
In-Reply-To: <1336143171.5722.160.camel@willson.li.ssimo.org>
References: <1336140242.3243.243.camel@localhost.localdomain> <1336141555.5722.159.camel@willson.li.ssimo.org> <1336142659.3243.245.camel@localhost.localdomain> <1336143171.5722.160.camel@willson.li.ssimo.org>
Message-ID: <1336144462.3243.250.camel@localhost.localdomain>

On fre, 2012-05-04 at 10:52 -0400, Simo Sorce wrote:
> 
> Please run:
> rpm -qa |grep cyrus-sasl

root at zlin2011:/var/log/dirsrv/slapd-SRV-VOLVO-COM# rpm -qa |grep cyrus-sasl
cyrus-sasl-lib-2.1.23-13.el6.s390x
cyrus-sasl-md5-2.1.23-13.el6.s390x
cyrus-sasl-2.1.23-13.el6.s390x
cyrus-sasl-plain-2.1.23-13.el6.s390x
cyrus-sasl-gssapi-2.1.23-13.el6.s390x

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801

From rcritten at redhat.com Fri May 4 15:26:29 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 May 2012 11:26:29 -0400
Subject: [Freeipa-users] Does FreeIPA support web services SSO gracefully?
Message-ID: <4FA3F525.400@redhat.com>

cee1 wrote:
> 2012/5/4 Paul Robert Marino:
>> There is an Apache module for Kerberos auth that works well. Two notes about
>> it: turn on credential caching because it significantly reduces the load on
>> the Kerberos server, and keep in mind that Internet Explorer leaves native
>> Kerberos on (you won't get prompted for a user name or password if you have a
>> valid Kerberos ticket) but Firefox turns it off by default and I'm not sure
>> about Chrome.
>> In other words if you leave the default setting in Firefox it
>> will use basic auth (clear text password unless you use SSL) to interact
>> with Apache and subsequently Kerberos. This is a wonderful way to make a
>> secure authentication mechanism insecure if you don't use SSL.
>> That said I know for a fact Trac does work well with Kerberos auth.
> That means if the user's browser doesn't support Kerberos, or has Kerberos
> off by default, it will break SSO, right?
>
> Maybe I should try FreeIPA in conjunction with CoSign?

Firefox needs to be configured to be allowed to perform Kerberos SSO in a domain. FreeIPA 2.2 introduced a forms-based login so you don't have to fall back to basic authentication (with KrbMethodK5Passwd on).

In practice all web-based Kerberos should be protected by SSL.

rob

From jdennis at redhat.com Fri May 4 15:44:25 2012
From: jdennis at redhat.com (John Dennis)
Date: Fri, 04 May 2012 11:44:25 -0400
Subject: [Freeipa-users] Does FreeIPA support web services SSO gracefully?
In-Reply-To: <4FA3F525.400@redhat.com>
References: <4FA3F525.400@redhat.com>
Message-ID: <4FA3F959.8040508@redhat.com>

On 05/04/2012 11:26 AM, Rob Crittenden wrote:
> Firefox needs to be configured to be allowed to perform Kerberos SSO in
> a domain. FreeIPA 2.2 introduced a forms-based login so you don't have
> to fall back to basic authentication (with KrbMethodK5Passwd on).

The forms-based login applies to the IPA Admin console; the OP was asking about web services other than the IPA admin console, therefore that's not relevant.

What is relevant is getting the other web services to use Kerberos negotiate auth instead of whatever they are currently using. The difficulty of that task really depends on the particular web service.

The user must also be able to acquire a Kerberos ticket.

So the answer to the OP is, if you can satisfy the following two conditions then IPA is a graceful solution:

1) The web service can be configured to use Kerberos negotiate auth.
2) Each of your users has a facility available to acquire a kerberos ticket.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Fri May 4 15:50:08 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 04 May 2012 11:50:08 -0400
Subject: [Freeipa-users] Trying out ipa on zlinux
In-Reply-To: <1336144462.3243.250.camel@localhost.localdomain>
References: <1336140242.3243.243.camel@localhost.localdomain>
 <1336141555.5722.159.camel@willson.li.ssimo.org>
 <1336142659.3243.245.camel@localhost.localdomain>
 <1336143171.5722.160.camel@willson.li.ssimo.org>
 <1336144462.3243.250.camel@localhost.localdomain>
Message-ID: <1336146608.5722.166.camel@willson.li.ssimo.org>

On Fri, 2012-05-04 at 17:14 +0200, David Juran wrote:
> On Fri, 2012-05-04 at 10:52 -0400, Simo Sorce wrote:
> >
> > please run:
> > rpm -qa |grep cyrus-sasl
>
> root at zlin2011:/var/log/dirsrv/slapd-SRV-VOLVO-COM# rpm -qa |grep cyrus-sasl
> cyrus-sasl-lib-2.1.23-13.el6.s390x
> cyrus-sasl-md5-2.1.23-13.el6.s390x
> cyrus-sasl-2.1.23-13.el6.s390x
> cyrus-sasl-plain-2.1.23-13.el6.s390x
> cyrus-sasl-gssapi-2.1.23-13.el6.s390x

Seems fine; in this case something else must be going on.
Can you bind to a 389 user w/o issues outside of the ipa install script?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Fri May 4 15:52:40 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 04 May 2012 11:52:40 -0400
Subject: [Freeipa-users] Does FreeIPA support web services SSO gracefully?
In-Reply-To: <4FA3F959.8040508@redhat.com>
References: <4FA3F525.400@redhat.com>
 <4FA3F959.8040508@redhat.com>
Message-ID: <1336146760.5722.168.camel@willson.li.ssimo.org>

On Fri, 2012-05-04 at 11:44 -0400, John Dennis wrote:
> On 05/04/2012 11:26 AM, Rob Crittenden wrote:
> > Firefox needs to be configured to be allowed to perform Kerberos SSO in
> > a domain.
> > FreeIPA 2.2 introduced a forms-based login so you don't have
> > to fall back to basic authentication (with KrbMethodK5Passwd on).
>
> The forms based login applies to the IPA Admin console; the OP was
> asking about web services other than the IPA admin console, therefore
> that's not relevant.
>
> What is relevant is getting the other web services to use kerberos
> negotiate auth instead of whatever they are currently using. The
> difficulty of that task really depends on the particular web service.
>
> The user must also be able to acquire a kerberos ticket.
>
> So the answer to the OP is, if you can satisfy the following two
> conditions then IPA is a graceful solution:
>
> 1) The web service can be configured to use kerberos negotiate auth.
>
> 2) Each of your users has a facility available to acquire a kerberos ticket.

You can also fall back to basic_auth and even mod_auth_ldap I guess.
It's basically a matter of evaluating if you can live with letting other
services see the user's password or not.

In future we want to add auth mechanisms that do not necessarily depend
on Kerberos and will not expose the user password to random services,
like OpenID, OAuth etc., but we are not there yet.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From cevich at redhat.com Fri May 4 19:12:24 2012
From: cevich at redhat.com (Chris Evich)
Date: Fri, 04 May 2012 15:12:24 -0400
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
Message-ID: <4FA42A18.7090707@redhat.com>

Hi,

I've got a FreeIPA setup at home I just built the other week on Fedora
16. It's a very small/basic setup I'm mainly using for secure
NFS+Kerberos and automount. Today, I updated everything and rebooted,
and all seemed to be working okay (even /var/log/ipaupgrade.log).
I'm now running:

freeipa-python-2.1.4-7.fc16.x86_64
freeipa-client-2.1.4-7.fc16.x86_64
freeipa-admintools-2.1.4-7.fc16.x86_64
freeipa-server-2.1.4-7.fc16.x86_64
freeipa-server-selinux-2.1.4-7.fc16.x86_64
dogtag-pki-common-theme-9.0.11-1.fc16.noarch
dogtag-pki-ca-theme-9.0.11-1.fc16.noarch
pki-symkey-9.0.19-1.fc16.x86_64
pki-java-tools-9.0.19-1.fc16.noarch
pki-setup-9.0.19-1.fc16.noarch
pki-common-9.0.19-1.fc16.noarch
pki-silent-9.0.19-1.fc16.noarch
pki-util-9.0.19-1.fc16.noarch
pki-selinux-9.0.19-1.fc16.noarch
pki-ca-9.0.19-1.fc16.noarch

I went to try and setup a replica following the docs at
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html
and ran into a problem I can't figure out (after checking logs, list,
google, and BZ searches):

[root@ log]# ipa-replica-prepare
Directory Manager (existing master) password:

Preparing replica for from
Creating SSL certificate for the Directory Server
Certificate issuance failed

I just ran it again, with a tail on /var/log/pki-ca/debug and this is
what it spat out:

[04/May/2012:14:44:09][http-9444-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitSSLClient
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='cert_request' value='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
...cut...
H3dNbe4A
'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='requestor_name' value='IPA Installer'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='xmlOutput' value='true'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='profileId' value='caIPAserviceCert'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet: caProfileSubmitSSLClient start to service.
[04/May/2012:14:44:09][http-9444-1]: xmlOutput true
[04/May/2012:14:44:09][http-9444-1]: Start of ProfileSubmitServlet Input Parameters
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
...cut...
H3dNbe4A
'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter xmlOutput='true'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert'
[04/May/2012:14:44:09][http-9444-1]: End of ProfileSubmitServlet Input Parameters
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: start serving
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: SubId=profile
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: isRenewal false
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: profileId caIPAserviceCert
[04/May/2012:14:44:09][http-9444-1]: CMSServlet: curDate=Fri May 04 14:44:09 EDT 2012 id=caProfileSubmitSSLClient time=11

Which also looks normal (to me). Though I've done nothing intentional
with anything certificate related, again this is mainly a setup for
kerberos. Where else can I look, or what can I run to get more clues why
ipa-replica-prepare is failing?

Thanks.

From rcritten at redhat.com Fri May 4 19:18:50 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 May 2012 15:18:50 -0400
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To: <4FA42A18.7090707@redhat.com>
References: <4FA42A18.7090707@redhat.com>
Message-ID: <4FA42B9A.5050106@redhat.com>

Chris Evich wrote:
> Hi,
>
> I've got a FreeIPA setup at home I just built the other week on Fedora
> 16.
> It's a very small/basic setup I'm mainly using for secure
> NFS+Kerberos and automount. Today, I updated everything and rebooted,
> and all seemed to be working okay (even /var/log/ipaupgrade.log). I'm
> now running:
>
> freeipa-python-2.1.4-7.fc16.x86_64
> freeipa-client-2.1.4-7.fc16.x86_64
> freeipa-admintools-2.1.4-7.fc16.x86_64
> freeipa-server-2.1.4-7.fc16.x86_64
> freeipa-server-selinux-2.1.4-7.fc16.x86_64
> dogtag-pki-common-theme-9.0.11-1.fc16.noarch
> dogtag-pki-ca-theme-9.0.11-1.fc16.noarch
> pki-symkey-9.0.19-1.fc16.x86_64
> pki-java-tools-9.0.19-1.fc16.noarch
> pki-setup-9.0.19-1.fc16.noarch
> pki-common-9.0.19-1.fc16.noarch
> pki-silent-9.0.19-1.fc16.noarch
> pki-util-9.0.19-1.fc16.noarch
> pki-selinux-9.0.19-1.fc16.noarch
> pki-ca-9.0.19-1.fc16.noarch
>
> I went to try and setup a replica following the docs at
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html
> and ran into a problem I can't figure out (after checking logs, list,
> google, and BZ searches):
>
> [root@ log]# ipa-replica-prepare
> Directory Manager (existing master) password:
>
> Preparing replica for from
> Creating SSL certificate for the Directory Server
> Certificate issuance failed
>
> I just ran it again, with a tail on /var/log/pki-ca/debug and this is
> what it spat out:
>
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet:service() uri =
> /ca/ee/ca/profileSubmitSSLClient
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
> name='cert_request_type' value='pkcs10'
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
> name='cert_request'
> value='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
> ...cut...
> H3dNbe4A
> '
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
> name='requestor_name' value='IPA Installer'
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
> name='xmlOutput' value='true'
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param
> name='profileId' value='caIPAserviceCert'
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet:
> caProfileSubmitSSLClient start to service.
> [04/May/2012:14:44:09][http-9444-1]: xmlOutput true
> [04/May/2012:14:44:09][http-9444-1]: Start of ProfileSubmitServlet Input
> Parameters
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
> Parameter cert_request_type='pkcs10'
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
> Parameter
> cert_request='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
>
> ...cut...
> H3dNbe4A
> '
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
> Parameter requestor_name='IPA Installer'
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
> Parameter xmlOutput='true'
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input
> Parameter profileId='caIPAserviceCert'
> [04/May/2012:14:44:09][http-9444-1]: End of ProfileSubmitServlet Input
> Parameters
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: start serving
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: SubId=profile
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: isRenewal false
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: profileId
> caIPAserviceCert
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet: curDate=Fri May 04
> 14:44:09 EDT 2012 id=caProfileSubmitSSLClient time=11
>
> Which also looks normal (to me). Though I've done nothing intentional
> with anything certificate related, again this is mainly a setup for
> kerberos. Where else can I look, or what can I run to get more clues why
> ipa-replica-prepare is failing?
I think we'll need to get more info out of dogtag. If you edit
/etc/ipa/default.conf and add debug=True, restart httpd, re-run the
replica-prepare, there should be more information on the failure in
/var/log/httpd/error_log.

rob

From cevich at redhat.com Fri May 4 20:17:49 2012
From: cevich at redhat.com (Chris Evich)
Date: Fri, 04 May 2012 16:17:49 -0400
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To: <4FA42B9A.5050106@redhat.com>
References: <4FA42A18.7090707@redhat.com>
 <4FA42B9A.5050106@redhat.com>
Message-ID: <4FA4396D.9010109@redhat.com>

On 05/04/2012 03:18 PM, Rob Crittenden wrote:
> Chris Evich wrote:
>> Hi,
>>
>> I've got a FreeIPA setup at home I just built the other week on Fedora
>> 16. It's a very small/basic setup I'm mainly using for secure
>> NFS+Kerberos and automount. Today, I updated everything and rebooted,
...cut...
>> [04/May/2012:14:44:09][http-9444-1]: CMSServlet: curDate=Fri May 04
>> 14:44:09 EDT 2012 id=caProfileSubmitSSLClient time=11
>>
>> Which also looks normal (to me). Though I've done nothing intentional
>> with anything certificate related, again this is mainly a setup for
>> kerberos. Where else can I look, or what can I run to get more clues why
>> ipa-replica-prepare is failing?
>
> I think we'll need to get more info out of dogtag. If you edit
> /etc/ipa/default.conf and add debug=True, restart httpd, re-run the
> replica-prepare, there should be more information on the failure in
> /var/log/httpd/error_log.
>
> rob

Whoa, okay, a WHOLE lot more info.:

[Fri May 04 15:43:19 2012] [notice] Apache/2.2.22 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.3 Python/2.7.2 configured -- resuming normal operations
[Fri May 04 15:43:22 2012] [error] ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
[Fri May 04 15:43:22 2012] [error] ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
...lots more import plugin messages...
[Fri May 04 15:43:24 2012] [error] ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at 'xml'
[Fri May 04 15:43:24 2012] [error] ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver() at 'json'
[Fri May 04 15:43:25 2012] [error] ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at 'xml'
[Fri May 04 15:43:25 2012] [error] ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver() at 'json'
[Fri May 04 15:43:28 2012] [error] ipa: INFO: *** PROCESS START ***
[Fri May 04 15:43:28 2012] [error] ipa: INFO: *** PROCESS START ***

Then I run ipa-replica-prepare, put in my Directory Manager password,
and it outputs the same "Certificate issuance failed". I had a tailf on
/var/log/httpd/error_log but nothing new was logged (nothing logged at
all in fact) :S

In /var/log/pki-ca/debug I see (what appears similar to before):

[04/May/2012:15:46:31][Timer-0]: In LdapBoundConnFactory::getConn()
[04/May/2012:15:46:31][Timer-0]: masterConn is connected: true
[04/May/2012:15:46:31][Timer-0]: getConn: conn is connected true
[04/May/2012:15:46:31][Timer-0]: getConn: mNumConns now 2
[04/May/2012:15:46:31][Timer-0]: SecurityDomainSessionTable: getSessionIds(): no sessions have been created
[04/May/2012:15:46:31][Timer-0]: returnConn: mNumConns now 3
[04/May/2012:15:48:11][http-9444-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitSSLClient
[04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
[04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='cert_request' value='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
...cut...
vAUbEmg/
'
[04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='requestor_name' value='IPA Installer'
[04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='xmlOutput' value='true'
[04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='profileId' value='caIPAserviceCert'
[04/May/2012:15:48:11][http-9444-1]: CMSServlet: caProfileSubmitSSLClient start to service.
[04/May/2012:15:48:11][http-9444-1]: xmlOutput true
[04/May/2012:15:48:11][http-9444-1]: Start of ProfileSubmitServlet Input Parameters
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10'
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
...cut...
vAUbEmg/
'
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer'
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter xmlOutput='true'
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert'
[04/May/2012:15:48:11][http-9444-1]: End of ProfileSubmitServlet Input Parameters
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet: start serving
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet: SubId=profile
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet: isRenewal false
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet: profileId caIPAserviceCert
[04/May/2012:15:48:11][http-9444-1]: CMSServlet: curDate=Fri May 04 15:48:11 EDT 2012 id=caProfileSubmitSSLClient time=9

I think the 3-minute time difference is expected - I was checking
through other logs.
Nothing that appears relevant shows up in audit.log, messages,
http/access.log, dirsrv/slapd-PKI-IPA/errors or access:

[04/May/2012:15:46:30 -0400] conn=2 op=58 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[04/May/2012:15:46:30 -0400] conn=2 op=58 RESULT err=32 tag=101 nentries=0 etime=0

The only thing I've noticed recently (maybe after the kernel updated
today) is every few minutes:

May  4 15:43:57 ntpd[889]: frequency error -898 PPM exceeds tolerance 500 PPM
May  4 15:50:01 ntpd[889]: frequency error -1475 PPM exceeds tolerance 500 PPM
May  4 15:53:13 ntpd[889]: frequency error -1012 PPM exceeds tolerance 500 PPM

Though I don't notice (with my eyes) the clock jumping around, and NTP
is "locked" in on a few public servers. However I understand those
messages indicate local clock instability and know this certificate
stuff is time-sensitive.

Also, in case it's relevant, this is a really small box: A dual-core
Intel Atom w/ 2gig of memory. Though again, I've got only a handful of
hosts setup to use it and am not seeing other signs of problems: i.e.
the IPA Web UI appears to work fine, kerberos, NFS and automount are all
also working fine.

I'm stumped. Where to look next?

From cevich at redhat.com Sun May 6 00:01:14 2012
From: cevich at redhat.com (Chris Evich)
Date: Sat, 05 May 2012 20:01:14 -0400
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To: <4FA4396D.9010109@redhat.com>
References: <4FA42A18.7090707@redhat.com>
 <4FA42B9A.5050106@redhat.com>
 <4FA4396D.9010109@redhat.com>
Message-ID: <4FA5BF4A.6010604@redhat.com>

On 05/04/2012 04:17 PM, Chris Evich wrote:
> I'm stumped. Where to look next?

Did some poking around (n/b I haven't used cert system much/at all
before) and found this:

[root@ conf.d]# ipa-getcert list -r
Number of certificates and requests being tracked: 1.
Request ID '20120504213228':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Profile caIPAserviceCert Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - ',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - '
        CA: IPA
        issuer:
        subject:
        expires: unknown
        command:
        track: yes
        auto-renew: yes

That makes me think maybe there's just a missing service principal or
something I can add? I'll see if I can remove that request and try
running ipa-replica-prepare again to see if it still gives that error
(systems have been restarted since then). Though any other
suggestions/ideas of what I can try or look at are much appreciated.
Thanks.

From cevich at redhat.com Sun May 6 01:08:48 2012
From: cevich at redhat.com (Chris Evich)
Date: Sat, 05 May 2012 21:08:48 -0400
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To: <4FA5BF4A.6010604@redhat.com>
References: <4FA42A18.7090707@redhat.com>
 <4FA42B9A.5050106@redhat.com>
 <4FA4396D.9010109@redhat.com>
 <4FA5BF4A.6010604@redhat.com>
Message-ID: <4FA5CF20.8080201@redhat.com>

On 05/05/2012 08:01 PM, Chris Evich wrote:
> On 05/04/2012 04:17 PM, Chris Evich wrote:
> That makes me think maybe there's just a missing service principal or
> something I can add? I'll see if I can remove that request and try
> running ipa-replica-prepare again to see if it still gives that error
> (systems have been restarted since then). Though any other
> suggestions/ideas of what I can try or look at are much appreciated.
> Thanks.
>

Replying to myself again, bad-form, but maybe it'll help someone else
if they have a similar problem....
I found the 20120504213228 request (from previous mail) sitting on the
replica machine in /etc/pki/nssdb and was able to nuke it with certutil.
Running ipa-replica-prepare however gave the same failure. I'm assuming
that came from when I did an ipa-client install on the replica box
recently.

Playing more to see if I could coax out more info, I tried running
'ipa cert-request' from what I want to be my replica machine:

[root@ certs]# ipa cert-request --principal=imap/@ dovecot.csr
ipa: ERROR: Certificate operation cannot be completed: FAILURE (Profile caIPAserviceCert Not Found)

At the same time, I had a tailf running on the master's
/var/log/pki-ca/debug and this is what came out:

[05/May/2012:20:51:55][TP-Processor2]: CMSServlet:service() uri = //ca/eeca/ca/profileSubmitSSLClient
[05/May/2012:20:51:55][TP-Processor2]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
[05/May/2012:20:51:55][TP-Processor2]: CMSServlet::service() param name='cert_request' value='-----BEGIN CERTIFICATE REQUEST-----
MIIBjTCB9wIBADBOMRQwEgYDVQQLEwtJTUFQIHNlcnZlcjEXMBUGA1UEAxMOa2lu
...blah blah blah...
z2ZS4bG7jleB0zm1rN3b5TY=
-----END CERTIFICATE REQUEST-----'
[05/May/2012:20:51:55][TP-Processor2]: CMSServlet::service() param name='xml' value='true'
[05/May/2012:20:51:55][TP-Processor2]: CMSServlet::service() param name='profileId' value='caIPAserviceCert'
[05/May/2012:20:51:55][TP-Processor2]: CMSServlet: caProfileSubmitSSLClient start to service.
[05/May/2012:20:51:55][TP-Processor2]: xmlOutput true
[05/May/2012:20:51:55][TP-Processor2]: Start of ProfileSubmitServlet Input Parameters
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10'
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet Input Parameter cert_request='-----BEGIN CERTIFICATE REQUEST-----
MIIBjTCB9wIBADBOMRQwEgYDVQQLEwtJTUFQIHNlcnZlcjEXMBUGA1UEAxMOa2lu
...blah blah blah...
z2ZS4bG7jleB0zm1rN3b5TY=
-----END CERTIFICATE REQUEST-----'
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet Input Parameter xml='true'
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert'
[05/May/2012:20:51:55][TP-Processor2]: End of ProfileSubmitServlet Input Parameters
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet: start serving
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet: SubId=profile
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet: isRenewal false
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet: profileId caIPAserviceCert
[05/May/2012:20:51:55][TP-Processor2]: CMSServlet: curDate=Sat May 05 20:51:55 EDT 2012 id=caProfileSubmitSSLClient time=12

I'm guessing there's something going on with this 'caIPAserviceCert'
thing. Granted I didn't try requesting any certs prior to the update,
however I can click the 'view' button in the web UI on some service
certs from the install, so it was generating them at some point.

From cevich at redhat.com Sun May 6 01:47:25 2012
From: cevich at redhat.com (Chris Evich)
Date: Sat, 05 May 2012 21:47:25 -0400
Subject: [Freeipa-users] *SOLVED* Re: ipa-replica-prepare Certificate issuance failed
In-Reply-To: <4FA5CF20.8080201@redhat.com>
References: <4FA42A18.7090707@redhat.com>
 <4FA42B9A.5050106@redhat.com>
 <4FA4396D.9010109@redhat.com>
 <4FA5BF4A.6010604@redhat.com>
 <4FA5CF20.8080201@redhat.com>
Message-ID: <4FA5D82D.6080800@redhat.com>

On 05/05/2012 09:08 PM, Chris Evich wrote:
> On 05/05/2012 08:01 PM, Chris Evich wrote:
>> On 05/04/2012 04:17 PM, Chris Evich wrote:
>> That makes me think maybe there's just a missing service principal or
>> something I can add? I'll see if I can remove that request and try
>> running ipa-replica-prepare again to see if it still gives that error
>> (systems have been restarted since then). Though any other
>> suggestions/ideas of what I can try or look at are much appreciated.
>> Thanks.
>>
>
> Replying to myself again, bad-form, but maybe it'll help someone else if
> they have a similar problem....
>
...cut...
> I'm guessing there's something going on with this 'caIPAserviceCert'
> thing. Granted I didn't try requesting any certs prior to the update,
> however I can click the 'view' button in the web UI on some service
> certs from the install, so it was generating them at some point.

Google was kind to me and I found
https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly
confirmed was a problem:

[root@ ~]# find /var/lib -name caIPAserviceCert.cfg
/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
[root@ ~]# cd /var/lib/pki-ca/profiles/ca/
[root@ ca]# ll
total 424
-rw-rw----. 1 pkiuser pkiuser 5571 Apr 22 16:42 caAdminCert.cfg
-rw-rw----. 1 pkiuser pkiuser 5485 Apr 22 16:42 caAgentFileSigning.cfg
-rw-rw----. 1 pkiuser pkiuser 5279 Apr 22 16:42 caAgentServerCert.cfg
...cut...
-rw-rw----. 1 pkiuser pkiuser 5548 Apr 22 16:42 caInternalAuthServerCert.cfg
-rw-rw----. 1 pkiuser pkiuser 5580 Apr 22 16:42 caInternalAuthSubsystemCert.cfg
-rw-rw----. 1 pkiuser pkiuser 5784 Apr 22 16:42 caInternalAuthTransportCert.cfg
-rw-rw----. 1 root    root    6220 May  4 10:18 caIPAserviceCert.cfg
...cut...
[root@ ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg
[root@ ca]# fixfiles restore *
[root@ ~]# systemctl restart pki-cad@pki-ca.service certmonger.service ipa.service

(Probably only needed to restart ipa.service)

Now generating the cert works like a champ! with a whole boat-load more
stuff showing up in the debug log:

[root@ ~]# ipa cert-request --principal=imap/@ dovecot.pem.csr
  Certificate: MIIC6zCCAdOgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKE
...blahblahblah...
fXlqt7LmHUSbfg==
  Subject: CN=,O=
  Issuer: CN=Certificate Authority,O=
  Not Before: Sun May 06 01:20:26 2012 UTC
  Not After: Wed May 07 01:20:26 2014 UTC
  Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82
  Fingerprint (SHA1): e2:13:c5:69:43:f3:5e:44:23:d0:9a:fd:0f:e5:79:c3:2f:66:27:7b

Feeling confident, I tried ipa-replica-prepare and it worked!

[root@ ca]# ipa-replica-prepare king.yewess.us
Directory Manager (existing master) password:

Preparing replica for from
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-.gpg

I'm guessing what happened was I got bit by BZ 675742 or similar before
or after the upgrade but never noticed b/c I haven't used the cert
system until now. Maybe whatever the fix for this bug was should be
revisited, or the upgrade process should make sure this file gets reset
with the correct ownership.

Otherwise, hopefully this exercise will be helpful to someone else, and
thanks Rob for responding so quickly the other day.

From Steven.Jones at vuw.ac.nz Sun May 6 21:03:33 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 6 May 2012 21:03:33 +0000
Subject: [Freeipa-users] Integrate with Samba
In-Reply-To: <20120504145628.GA2249@redhat.com>
References: , <20120504145628.GA2249@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8D6F6@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have just been through this with RH support, so there should be a
k-base article......

If you don't have RH support I can paste my notes from that exercise here.
regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Alexander Bokovoy [abokovoy at redhat.com]
Sent: Saturday, 5 May 2012 2:56 a.m.
To: Matthew Davidson
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Integrate with Samba

On Fri, 04 May 2012, Matthew Davidson wrote:
>
>Hello,
>Does anyone have any pointers or documentation on integrating Samba or
>"file" shares with IPA?
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
Some aspects of this instruction could be done a bit better and also
IPAv3 will have a bit different schema (supported by native IPA passdb
module for Samba) but the state as it is at least should work as a stop
gap for file server cases.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Sun May 6 21:42:44 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 6 May 2012 21:42:44 +0000
Subject: [Freeipa-users] Integrate with Samba
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC8D6F6@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: , <20120504145628.GA2249@redhat.com>,
 <833D8E48405E064EBC54C84EC6B36E404CC8D6F6@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8F3E9@STAWINCOX10MBX1.staff.vuw.ac.nz>

This may help as well,

https://sites.google.com/site/wikirolanddelepper/directory-services/ipa-server-with-samba

I looked at the RH support ticket for my samba issue and it's a mess so
I need to do a lot of cleaning up....but I'm working on NFSv4 server
and Bluearc at the moment so don't have time.
I also requested that the admin manual get updated with a samba howto
section....and a backup howto section....Sendmail and dovecot sections
would be very useful as well......

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Monday, 7 May 2012 9:03 a.m.
To: Alexander Bokovoy; Matthew Davidson
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Integrate with Samba

Hi,

I have just been through this with RH support, so there should be a
k-base article......

If you don't have RH support I can paste my notes from that exercise here.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Alexander Bokovoy [abokovoy at redhat.com]
Sent: Saturday, 5 May 2012 2:56 a.m.
To: Matthew Davidson
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Integrate with Samba

On Fri, 04 May 2012, Matthew Davidson wrote:
>
>Hello,
>Does anyone have any pointers or documentation on integrating Samba or
>"file" shares with IPA?
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
Some aspects of this instruction could be done a bit better and also
IPAv3 will have a bit different schema (supported by native IPA passdb
module for Samba) but the state as it is at least should work as a stop
gap for file server cases.
--
/ Alexander Bokovoy

From matt at mldserviceslex.com Sun May 6 22:00:45 2012
From: matt at mldserviceslex.com (Matthew Davidson)
Date: Sun, 06 May 2012 18:00:45 -0400
Subject: [Freeipa-users] Integrate with Samba

Hi Steven,

I will search but anything you can supply would be welcomed.

Matt

Steven Jones wrote:
>Hi,
>
>I have just been through this with RH support, so there should be a k-base article......
>
>If you don't have RH support I can paste my notes from that exercise here.
>
>
>regards
>
>Steven Jones
>
>Technical Specialist - Linux RHCE
>
>Victoria University, Wellington, NZ
>
>0064 4 463 6272
>
>________________________________________
>From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Alexander Bokovoy [abokovoy at redhat.com]
>Sent: Saturday, 5 May 2012 2:56 a.m.
>To: Matthew Davidson
>Cc: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] Integrate with Samba
>
>On Fri, 04 May 2012, Matthew Davidson wrote:
>>
>>Hello,
>>Does anyone have any pointers or documentation on integrating Samba or
>>"file" shares with IPA?
>http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>Some aspects of this instruction could be done a bit better and also
>IPAv3 will have a bit different schema (supported by native IPA passdb
>module for Samba) but the state as it is at least should work as a stop
>gap for file server cases.
> >-- >/ Alexander Bokovoy > >_______________________________________________ >Freeipa-users mailing list >Freeipa-users at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Sun May 6 22:17:07 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Sun, 6 May 2012 22:17:07 +0000 Subject: [Freeipa-users] Integrate with Samba In-Reply-To: References: Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8F416@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, If you have RH support I'd suggest you open a case with them and have them look at 00604837 to assist you. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Matthew Davidson [matt at mldserviceslex.com] Sent: Monday, 7 May 2012 10:00 a.m. To: Steven Jones; Alexander Bokovoy Cc: freeipa-users at redhat.com Subject: RE: [Freeipa-users] Integrate with Samba Hi Steven, I will search but anything you can supply would be welcomed. Matt Steven Jones wrote: >Hi, > >I have just been through this with RH support, so there should be a k-base article...... > >If you don't have RH support I can paste my notes from that exercise here. > > >regards > >Steven Jones > >Technical Specialist - Linux RHCE > >Victoria University, Wellington, NZ > >0064 4 463 6272 > >________________________________________ >From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Alexander Bokovoy [abokovoy at redhat.com] >Sent: Saturday, 5 May 2012 2:56 a.m. >To: Matthew Davidson >Cc: freeipa-users at redhat.com >Subject: Re: [Freeipa-users] Integrate with Samba > >On Fri, 04 May 2012, Matthew Davidson wrote: >> >>Hello, >>Does anyone have any pointers or documentation on integrating Samba or >>"file" shares with IPA? 
>http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/ >Some aspects of this instruction could be done a bit better and also >IPAv3 will have a bit different schema (supported by native IPA passdb >module for Samba) but the state as it is at least should work as a stop >gap for file server cases. > >-- >/ Alexander Bokovoy > >_______________________________________________ >Freeipa-users mailing list >Freeipa-users at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Mon May 7 00:22:48 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 7 May 2012 00:22:48 +0000 Subject: [Freeipa-users] dead in the water IPA server Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8F561@STAWINCOX10MBX1.staff.vuw.ac.nz>

Interesting memory message.....as attached.... I take it it isn't good? Can't login, that is for sure, so whatever is behind the web gui is dead if nothing else...

regards

Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272

-------------- next part -------------- A non-text attachment was scrubbed... Name: ipa-memory-error-01.jpeg Type: image/jpeg Size: 21397 bytes Desc: ipa-memory-error-01.jpeg

From djuran at redhat.com Mon May 7 09:30:28 2012 From: djuran at redhat.com (David Juran) Date: Mon, 07 May 2012 11:30:28 +0200 Subject: [Freeipa-users] dead in the water IPA server In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC8F561@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC8F561@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <1336383028.4432.12.camel@localhost.localdomain>

On Mon, 2012-05-07 at 00:22 +0000, Steven Jones wrote: > Interesting memory message.....as attached.... > > I take it it isn't good? Can't login, that is for sure, so whatever is behind the web gui is dead if nothing else...

Nope, your machine ran out of memory and the directory server fell victim to the OOM-killer )-.
At this point you need to reboot the machine to recover but with some luck, the syslog should contain some hints of where the memory went. -- David Juran Sr. Consultant Red Hat +46-725-345801 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From jcholast at redhat.com Mon May 7 09:32:52 2012 From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 07 May 2012 11:32:52 +0200 Subject: [Freeipa-users] dead in the water IPA server In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC8F561@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC8F561@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4FA796C4.2060202@redhat.com> Hi, It seems that your system ate all the available memory and the kernel decided to kill a directory server instance to free some. The kernel agent responsible for this is called the out-of-memory killer, you can read more about it and how to configure it not to kill important processes here: http://lwn.net/Articles/317814/ On 7.5.2012 02:22, Steven Jones wrote: > Interesting memory message.....as attached.... > > I take it it isnt good? cant login that is for sure so whatever is behind the web gui is dead if nothing else... > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > -- Jan Cholasta From sigbjorn at nixtra.com Mon May 7 09:45:45 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 7 May 2012 11:45:45 +0200 (CEST) Subject: [Freeipa-users] dead in the water IPA server In-Reply-To: <4FA796C4.2060202@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CC8F561@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA796C4.2060202@redhat.com> Message-ID: <21054.213.225.75.97.1336383945.squirrel@www.nixtra.com> This sound very much the same as the issue I've been having. 
Did you check to see if it was the directory server that consumed all of your memory too? https://www.redhat.com/archives/freeipa-users/2012-April/msg00139.html Regards, Siggi On Mon, May 7, 2012 11:32, Jan Cholasta wrote: > Hi, > > > It seems that your system ate all the available memory and the kernel > decided to kill a directory server instance to free some. The kernel agent responsible for this is > called the out-of-memory killer, you can read more about it and how to configure it not to kill > important processes here: http://lwn.net/Articles/317814/ > > On 7.5.2012 02:22, Steven Jones wrote: > >> Interesting memory message.....as attached.... >> >> >> I take it it isnt good? cant login that is for sure so whatever is behind the web gui is dead >> if nothing else... >> >> >> regards >> >> Steven Jones >> >> >> Technical Specialist - Linux RHCE >> >> >> Victoria University, Wellington, NZ >> >> >> 0064 4 463 6272 >> >> > > -- > Jan Cholasta > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > From Steven.Jones at vuw.ac.nz Mon May 7 20:55:13 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 7 May 2012 20:55:13 +0000 Subject: [Freeipa-users] dead in the water IPA server In-Reply-To: <21054.213.225.75.97.1336383945.squirrel@www.nixtra.com> References: <833D8E48405E064EBC54C84EC6B36E404CC8F561@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA796C4.2060202@redhat.com>, <21054.213.225.75.97.1336383945.squirrel@www.nixtra.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8FA64@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Yes I have a memory leak see attached graphs.... Yes looks like the killer killed slapd.......dont know what caused this yet........if its the "killer" looks like its decided to kill slapd or slapd was going to kill the system anyway so it may have done the right thing. 
Looks like I have 3 days between reboots if i dont IPA losses the plot big time....very bad news..........I will I think slow IPA deployment here at this time........this cant be deployed for us as it is, I cant even test as if something doesn't work I don't know if its my configuring error or an inconsistent IPA. :/ Thanks for this info I will pursue this through RH support for a perm fix, adding more memory doesn't strike me as the solution, 4gb of ram for 3~4 users and about 6 client machines seems a lot..... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Sigbjorn Lie [sigbjorn at nixtra.com] Sent: Monday, 7 May 2012 9:45 p.m. To: Steven Jones Cc: Jan Cholasta; freeipa-users at redhat.com Subject: Re: [Freeipa-users] dead in the water IPA server This sound very much the same as the issue I've been having. Did you check to see if it was the directory server that consumed all of your memory too? https://www.redhat.com/archives/freeipa-users/2012-April/msg00139.html Regards, Siggi On Mon, May 7, 2012 11:32, Jan Cholasta wrote: > Hi, > > > It seems that your system ate all the available memory and the kernel > decided to kill a directory server instance to free some. The kernel agent responsible for this is > called the out-of-memory killer, you can read more about it and how to configure it not to kill > important processes here: http://lwn.net/Articles/317814/ > > On 7.5.2012 02:22, Steven Jones wrote: > >> Interesting memory message.....as attached.... >> >> >> I take it it isnt good? cant login that is for sure so whatever is behind the web gui is dead >> if nothing else... 
>> >> >> regards >> >> Steven Jones >> >> >> Technical Specialist - Linux RHCE >> >> >> Victoria University, Wellington, NZ >> >> >> 0064 4 463 6272 >> >> > > -- > Jan Cholasta > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: ipa1-memory-error-02.jpeg Type: image/jpeg Size: 63255 bytes Desc: ipa1-memory-error-02.jpeg URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ipa2-memory-error-02.jpeg Type: image/jpeg Size: 49850 bytes Desc: ipa2-memory-error-02.jpeg URL: From rmeggins at redhat.com Mon May 7 21:05:35 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 07 May 2012 15:05:35 -0600 Subject: [Freeipa-users] dead in the water IPA server In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC8FA64@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC8F561@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA796C4.2060202@redhat.com>, <21054.213.225.75.97.1336383945.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CC8FA64@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4FA8391F.1080706@redhat.com> On 05/07/2012 02:55 PM, Steven Jones wrote: > Hi, > > Yes I have a memory leak see attached graphs.... > > Yes looks like the killer killed slapd.......dont know what caused this yet........if its the "killer" looks like its decided to kill slapd or slapd was going to kill the system anyway so it may have done the right thing. > > Looks like I have 3 days between reboots if i dont IPA losses the plot big time....very bad news..........I will I think slow IPA deployment here at this time........this cant be deployed for us as it is, I cant even test as if something doesn't work I don't know if its my configuring error or an inconsistent IPA. 
> > :/ > > Thanks for this info I will pursue this through RH support for a perm fix, adding more memory doesn't strike me as the solution, 4gb of ram for 3~4 users and about 6 client machines seems a lot..... Right. See https://fedorahosted.org/389/ticket/51 and especially all of the comments to https://bugzilla.redhat.com/show_bug.cgi?id=697701 You will need to closely monitor your entry cache usage. > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: Sigbjorn Lie [sigbjorn at nixtra.com] > Sent: Monday, 7 May 2012 9:45 p.m. > To: Steven Jones > Cc: Jan Cholasta; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] dead in the water IPA server > > This sound very much the same as the issue I've been having. Did you check to see if it was the > directory server that consumed all of your memory too? > > https://www.redhat.com/archives/freeipa-users/2012-April/msg00139.html > > > Regards, > Siggi > > > > > On Mon, May 7, 2012 11:32, Jan Cholasta wrote: >> Hi, >> >> >> It seems that your system ate all the available memory and the kernel >> decided to kill a directory server instance to free some. The kernel agent responsible for this is >> called the out-of-memory killer, you can read more about it and how to configure it not to kill >> important processes here: http://lwn.net/Articles/317814/ >> >> On 7.5.2012 02:22, Steven Jones wrote: >> >>> Interesting memory message.....as attached.... >>> >>> >>> I take it it isnt good? cant login that is for sure so whatever is behind the web gui is dead >>> if nothing else... 
>>> >>> >>> regards >>> >>> Steven Jones >>> >>> >>> Technical Specialist - Linux RHCE >>> >>> >>> Victoria University, Wellington, NZ >>> >>> >>> 0064 4 463 6272 >>> >>> >> -- >> Jan Cholasta >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users

From cao2dan at yahoo.com Mon May 7 22:26:28 2012 From: cao2dan at yahoo.com (David Copperfield) Date: Mon, 7 May 2012 15:26:28 -0700 (PDT) Subject: [Freeipa-users] No Dogtag certificate system installed on slave IPA servers installed Message-ID: <1336429588.52755.YahooMailNeo@web125705.mail.ne1.yahoo.com>

Hi,

I installed a master IPA server with the dogtag certificate system installed, then used ipa-replica-prepare and ipa-replica-install to install two IPA replica servers. The two replicas are installed and the 'ipa-replica-manage' command shows that a user/group data replication link is established between the master and the replicas. But the problem is, although the dogtag certificate system was installed on the master, it (the dogtag) is not installed onto the replicas by default by the ipa-replica commands, let alone the certificate replication.

Another finding is that none of the master and replica servers have host certificates created automatically. Is this normal and intended, or is there something wrong? I'm running ipa-server-2.1.3-9 on Red Hat 6.2.

Thanks.

--David
From cao2dan at yahoo.com Tue May 8 01:01:39 2012 From: cao2dan at yahoo.com (David Copperfield) Date: Mon, 7 May 2012 18:01:39 -0700 (PDT) Subject: [Freeipa-users] Can I change new users' default group from 'ipausers' to some thing else? Message-ID: <1336438899.98101.YahooMailNeo@web125703.mail.ne1.yahoo.com>

Hi,

Can I change the default user group for new users to something else, and disable the automatic creation of private groups?

Basically I migrated hundreds of Linux accounts from openldap to IPA, and those users have a default group 'exampleGroup' with GID <500. And it is company policy to have all users use the same container user group, and to disable private groups.

So can I change the IPA policy to change the default user group from 'ipausers' to something else, namely 'exampleGroup'? What are the immediate and potential effects of the adjustment? Thanks.

--David

From cao2dan at yahoo.com Tue May 8 01:55:18 2012 From: cao2dan at yahoo.com (David Copperfield) Date: Mon, 7 May 2012 18:55:18 -0700 (PDT) Subject: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group? Message-ID: <1336442118.93506.YahooMailNeo@web125701.mail.ne1.yahoo.com>

Hi folks,

Is there any way to turn off IPA's automatic creation of private user groups? We use a common user group like "nis-wheel", and completely disabled private groups in openldap before the migration. Thanks.

--David

From cao2dan at yahoo.com Tue May 8 03:38:57 2012 From: cao2dan at yahoo.com (David Copperfield) Date: Mon, 7 May 2012 20:38:57 -0700 (PDT) Subject: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error. Message-ID: <1336448337.94227.YahooMailNeo@web125705.mail.ne1.yahoo.com>

I have an IPA replica server with disk problems, and it has been reimaged and rebuilt.
But when the IPA replica function is rebuilt, it reports the following problem:

[root at ipareplica02 ipa]# ipa-replica-install --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
...
  [21/29]: setting up initial replication
Starting replication, please wait until this has completed.
[ipamaster.example.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
...

Before I ran the replica rebuilding step on the IPA replica, I had already run 'ipa-replica-manage disconn ipareplica01.example.com' on the IPA master, and deleted the host entry for ipareplica02 as well.

Did I miss any steps above? Please help. Thanks.

--David

From cao2dan at yahoo.com Tue May 8 03:41:54 2012 From: cao2dan at yahoo.com (David Copperfield) Date: Mon, 7 May 2012 20:41:54 -0700 (PDT) Subject: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error. In-Reply-To: <1336448337.94227.YahooMailNeo@web125705.mail.ne1.yahoo.com> References: <1336448337.94227.YahooMailNeo@web125705.mail.ne1.yahoo.com> Message-ID: <1336448514.80434.YahooMailNeo@web125701.mail.ne1.yahoo.com>

Debug output is attached as well.

....
root        : DEBUG      [21/29]: setting up initial replication
  [21/29]: setting up initial replication
root        : DEBUG    args=/sbin/service dirsrv restart JIGSAW-COM
root        : DEBUG    stdout=Shutting down dirsrv:       JIGSAW-COM...                                        [  OK  ]
Starting dirsrv:       JIGSAW-COM...                                        [  OK  ]

root        : DEBUG    stderr=
Starting replication, please wait until this has completed.
[ipamaster.qe9.jigsaw.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
creation of replica failed: Failed to start replication
root        : DEBUG    Failed to start replication
  File "/usr/sbin/ipa-replica-install", line 482, in
    main()
  File "/usr/sbin/ipa-replica-install", line 433, in main
    ds = install_replica_ds(config)
  File "/usr/sbin/ipa-replica-install", line 135, in install_replica_ds
    pkcs12_info)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 284, in create_replica
    self.start_creation("Configuring directory server", 60)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 248, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 297, in __setup_replica
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 694, in setup_replication
    raise RuntimeError("Failed to start replication")

Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.

--Guolin

________________________________ From: David Copperfield To: "freeipa-users at redhat.com" Sent: Monday, May 7, 2012 8:38 PM Subject: IPA replica server rebuilding failed with 'Invalid credentials' error.

I have an IPA replica server with disk problems, and it has been reimaged and rebuilt. But when the IPA replica function is rebuilt, it reports the following problem:

[root at ipareplica02 ipa]# ipa-replica-install --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
...
  [21/29]: setting up initial replication
Starting replication, please wait until this has completed.
[ipamaster.example.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
...

Before I ran the replica rebuilding step on the IPA replica, I had already run 'ipa-replica-manage disconn ipareplica01.example.com' on the IPA master, and deleted the host entry for ipareplica02 as well.

Did I miss any steps above? Please help. Thanks.

--David
From cao2dan at yahoo.com Tue May 8 04:01:18 2012 From: cao2dan at yahoo.com (David Copperfield) Date: Mon, 7 May 2012 21:01:18 -0700 (PDT) Subject: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error. In-Reply-To: <1336448514.80434.YahooMailNeo@web125701.mail.ne1.yahoo.com> References: <1336448337.94227.YahooMailNeo@web125705.mail.ne1.yahoo.com> <1336448514.80434.YahooMailNeo@web125701.mail.ne1.yahoo.com> Message-ID: <1336449678.53241.YahooMailNeo@web125704.mail.ne1.yahoo.com>

Temporarily fixed by myself: remove replica ipareplica02 by FORCE again and again on the IPA master, until the replica doesn't show up when running 'ipa-replica-manage list'.

Could someone at the Redhat IPA project please give a step-by-step how-to on removing an IPA replica, and adding it back (reimage and rebuild)? Thanks.

[root at ipamaster .ssh]# ipa-replica-manage list
ipareplica01.example.com: master
ipareplica02.example.com: master
ipamaster.example.com: master
[root at ipamaster .ssh]#
[root at ipamaster .ssh]# ipa-replica-manage del ipareplica02.example.com --force
Unable to connect to replica ipareplica02.example.com, forcing removal
'ipamaster.example.com' has no replication agreement for 'ipareplica02.example.com'
'ipareplica01.example.com' has no replication agreement for 'ipareplica02.example.com'
[root at ipamaster .ssh]# ipa-replica-manage list
ipareplica01.example.com: master
ipamaster.example.com: master
[root at ipamaster .ssh]#

--David

________________________________ From: David Copperfield To: "freeipa-users at redhat.com" ; "dpal at redhat.com" ; E Deon Lackey Sent: Monday, May 7, 2012 8:41 PM Subject: Re: IPA replica server rebuilding failed with 'Invalid credentials' error.

Debug output is attached as well.

....
root        : DEBUG      [21/29]: setting up initial replication
  [21/29]: setting up initial replication
root        : DEBUG    args=/sbin/service dirsrv restart JIGSAW-COM
root        : DEBUG   
stdout=Shutting down dirsrv:       JIGSAW-COM...                                        [  OK  ]
Starting dirsrv:       JIGSAW-COM...                                        [  OK  ]

root        : DEBUG    stderr=
Starting replication, please wait until this has completed.
[ipamaster.qe9.jigsaw.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
creation of replica failed: Failed to start replication
root        : DEBUG    Failed to start replication
  File "/usr/sbin/ipa-replica-install", line 482, in
    main()
  File "/usr/sbin/ipa-replica-install", line 433, in main
    ds = install_replica_ds(config)
  File "/usr/sbin/ipa-replica-install", line 135, in install_replica_ds
    pkcs12_info)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 284, in create_replica
    self.start_creation("Configuring directory server", 60)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 248, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 297, in __setup_replica
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 694, in setup_replication
    raise RuntimeError("Failed to start replication")

Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.

--Guolin

________________________________ From: David Copperfield To: "freeipa-users at redhat.com" Sent: Monday, May 7, 2012 8:38 PM Subject: IPA replica server rebuilding failed with 'Invalid credentials' error.

I have an IPA replica server with disk problems, and it has been reimaged and rebuilt. But when the IPA replica function is rebuilt, it reports the following problem:

[root at ipareplica02 ipa]# ipa-replica-install --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
...
  [21/29]: setting up initial replication
Starting replication, please wait until this has completed.
[ipamaster.example.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
...

Before I ran the replica rebuilding step on the IPA replica, I had already run 'ipa-replica-manage disconn ipareplica01.example.com' on the IPA master, and deleted the host entry for ipareplica02 as well.

Did I miss any steps above? Please help. Thanks.

--David

From freeipa at noboost.org Tue May 8 05:55:45 2012 From: freeipa at noboost.org (freeipa at noboost.org) Date: Tue, 8 May 2012 09:55:45 +0400 Subject: [Freeipa-users] krbPasswordExpiration field not updating? Message-ID: <20120508055545.GA8139@noboost.org>

Hi,

Spec:
Red Hat Enterprise Linux Server release 6.2 (Santiago)
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64

Issue:
Firstly I'll declare someone must have seen this by now?

I've set the password policy to 99999;
[root at sysvm-ipa ~]# ipa pwpolicy-show
Group: global_policy
Max lifetime (days): 99999
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 6
Max failures: 6
Failure reset interval: 60
Lockout duration: 600

But old accounts are not getting the change at the ldap level, even though IPA claims the expiry date has updated.
e.g.
[root at sysvm-ipa ~]# ipa pwpolicy-show --user=john
Group: global_policy
Max lifetime (days): 99999
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 6
Max failures: 6
Failure reset interval: 60
Lockout duration: 600

ldapsearch (command chopped)
# john, users, accounts, teratext.saic.com.au
dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120506011529Z

So now when the user(s) logs in, I'm getting "password will expire in XX days" messages.

Any ideas?
Can I globally update this somehow? Otherwise I'll be re-typing passwords for a while.

cya

Craig

From simo at redhat.com Tue May 8 12:55:55 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 08 May 2012 08:55:55 -0400 Subject: [Freeipa-users] No Dogtag certificate system installed on slave IPA servers installed In-Reply-To: <1336429588.52755.YahooMailNeo@web125705.mail.ne1.yahoo.com> References: <1336429588.52755.YahooMailNeo@web125705.mail.ne1.yahoo.com> Message-ID: <1336481755.5722.194.camel@willson.li.ssimo.org>

On Mon, 2012-05-07 at 15:26 -0700, David Copperfield wrote: > Hi, > > > I installed a master IPA server with dogtag certificate system > installed; then use ipa-replica-prepare and ipa-replica-install to > install two IPA replica servers. The two replicas are installed and > 'ipa-replica-manage' commands shows that user/group data replication > link is established between master and replicas. But the problem is, > although dogtag certificate system was installed on Master, it (the > dogtag) is not installed onto replicas by default with ipa-replica > commands, let alone the certificate replication.

In 2.2 we do not replicate the CA by default, just like we do not install the DNS server by default. Use ipa-ca-install and ipa-csreplica-manage to manage the CA and its replication topology.

> > Another finding is that, all the masters and replicas servers doesn't > have host certificates created automatically. Is this normal and > intended, or there is something wrong? I'am running ipa-server-2.1.3-9 > on red hat 6.2.

All replicas have certificates, but they may not be associated with the host object; that may be considered a bug, but it is that way for historical reasons I think.

Simo.
-- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Tue May 8 13:03:42 2012 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 8 May 2012 15:03:42 +0200 Subject: [Freeipa-users] Trying to trace why a user cannot login to a client In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC89A87@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC8809C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC880FE@STAWINCOX10MBX1.staff.vuw.ac.nz> <201205010843.49685.jzeleny@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC896A4@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC896D5@STAWINCOX10MBX1.staff.vuw.ac.nz> <20120501210412.GF19576@hendrix.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A87@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <20120508130342.GA11109@hendrix.redhat.com> On Tue, May 01, 2012 at 10:12:48PM +0000, Steven Jones wrote: > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 The logs only say "[ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [desktop-admins-test]". The error must be elsewhere, can you also attach or paste what does the /var/log/secure and /var/log/sssd/sssd_pam.log files have to say when the System Error occurs? Does the System Error occur with both 6.2 and 6.3 packages? > Does by any chance your sssd.conf include a debug_level directive in the > [sssd] section and not in the others? > > I think that was a case that only worked by accident and we removed it > in 1.7 > > The "fix" is to specify debug_level in all the sections you'd like to > print debug information from. In your case, that would be the [domain/*] > section and perhaps the [pam] section. > Did you have a chance to take a look at the debug logging? 
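One way to catch the misconfiguration Jakub describes (a debug_level line present only in the [sssd] section, which after sssd 1.7 leaves the domain and pam logs silent) is to parse sssd.conf, list the sections that have no debug_level of their own, and add one. The following is an added example for this thread, not code from the sssd or FreeIPA projects; the sssd.conf it works on is constructed for the example, and the domain name and server hostname in it are placeholders.

```python
"""Check an sssd.conf for sections that lack their own debug_level line.

Added example for this thread, not code from the sssd or FreeIPA projects.
Since sssd 1.7 a debug_level set only in the [sssd] section no longer
applies to the other sections, so [domain/...] and [pam] need their own
line before their logs say anything useful.  The sample configuration
below is constructed; the domain and hostnames in it are placeholders.
"""
import configparser

# Constructed sample: debug_level is set only in [sssd], the case that
# silently leaves sssd_pam.log and the domain log empty after sssd 1.7.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com
debug_level = 6

[nss]

[pam]

[domain/example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = ipa1.example.com
ipa_domain = example.com
cache_credentials = True
"""


def _parse(conf_text):
    # RawConfigParser: no '%' interpolation, and it accepts the empty
    # [nss] / [pam] sections an sssd.conf commonly has.
    parser = configparser.RawConfigParser()
    parser.read_string(conf_text)
    return parser


def sections_missing_debug_level(conf_text):
    """Names of the sections that have no debug_level line of their own."""
    parser = _parse(conf_text)
    return [name for name in parser.sections()
            if not parser.has_option(name, "debug_level")]


def add_debug_level(conf_text, level=6):
    """Return conf_text with 'debug_level = <level>' inserted directly under
    the header of every section that lacks one.  Sections that already set
    a level keep their own value; comments and ordering are preserved."""
    missing = set(sections_missing_debug_level(conf_text))
    out = []
    for line in conf_text.splitlines():
        out.append(line)
        stripped = line.strip()
        if (stripped.startswith("[") and stripped.endswith("]")
                and stripped[1:-1] in missing):
            out.append("debug_level = %d" % level)
    return "\n".join(out) + "\n"


def debug_level_by_section(conf_text):
    """Map each section name to its own debug_level string, or None."""
    parser = _parse(conf_text)
    return {name: parser.get(name, "debug_level", fallback=None)
            for name in parser.sections()}


if __name__ == "__main__":
    print("sections without debug_level:",
          sections_missing_debug_level(SAMPLE_SSSD_CONF))
    print(add_debug_level(SAMPLE_SSSD_CONF))
```

Run it against the real file with the text of /etc/sssd/sssd.conf instead of the sample; if the [domain/...] or [pam] section shows up in the list, that is why the corresponding log is empty. The function only inserts a line, so anything already set in a section is left alone.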
From simo at redhat.com Tue May 8 13:05:50 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 08 May 2012 09:05:50 -0400 Subject: [Freeipa-users] Can I change new users' default group from 'ipausers' to some thing else? In-Reply-To: <1336438899.98101.YahooMailNeo@web125703.mail.ne1.yahoo.com> References: <1336438899.98101.YahooMailNeo@web125703.mail.ne1.yahoo.com> Message-ID: <1336482350.5722.201.camel@willson.li.ssimo.org>

On Mon, 2012-05-07 at 18:01 -0700, David Copperfield wrote: > Hi, > > > Can I change the default user group for new users to something else? > and disable automatically creation of private groups?

Yes, and yes, although I wouldn't recommend it if you have more than a couple hundred users, as that group will become enormous and will slow down clients trying to fetch and cache all the memberships. Having a common primary group is also often a security problem because the default netmask on Linux machines is 220, meaning that all users can read/write each other's files by default if they all share the same group.

> > Basically I migrates hundreds of Linux accounts from openldap to IPA, > and those users have a default group 'exampleGroup' with GID <500. And > it is company policy to have all users to use the same container user > group, and disable private groups.

To change the default primary group you can simply locate the ipaDefaultPrimaryGroup attribute and change it from ipausers to whatever you want to use.

> So can I change the IPA policy to change the default user group from > 'ipausers' to some thing else to 'exampleGroup'? what's the > immediately and potential effect on adjustment? Thanks. >

See above.

Simo.

-- Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Tue May 8 13:08:05 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 08 May 2012 09:08:05 -0400 Subject: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.
In-Reply-To: <1336448337.94227.YahooMailNeo@web125705.mail.ne1.yahoo.com> References: <1336448337.94227.YahooMailNeo@web125705.mail.ne1.yahoo.com> Message-ID: <1336482485.5722.203.camel@willson.li.ssimo.org> On Mon, 2012-05-07 at 20:38 -0700, David Copperfield wrote: > I have an IPA replica server with disk problems, and then it is > reimaged and rebuilt. But when the IPA replica function is rebuilt, it > reports the following problem: > > > [root at ipareplica02 ipa]# ipa-replica-install > --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg > > ... > [21/29]: setting up initial replication > Starting replication, please wait until this has completed. > [ipamaster.example.com] reports: Update failed! Status: [49 - LDAP > error: Invalid credentials] > ... > > > Before I run the replica rebuilding step on IPA replica, I already ran > 'ipa-replica-manage disconn ipareplica01.example.com' on IPA master, > and deleted the host entry for ipareplica02 as well. > > > Did I miss any steps above? Please help. Thanks. Due to the way Kerberos tickets are built you need to restart the master this replica was replicating to before you rebuild a replica with the exact same name. This is because krb tickets are cached but you will change the long-term key with a full reinstall, so the current master will have a ticket the replica cannot decrypt. Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Tue May 8 13:10:07 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 08 May 2012 09:10:07 -0400 Subject: [Freeipa-users] krbPasswordExpiration field not updating?
In-Reply-To: <20120508055545.GA8139@noboost.org> References: <20120508055545.GA8139@noboost.org> Message-ID: <1336482607.5722.205.camel@willson.li.ssimo.org> On Tue, 2012-05-08 at 09:55 +0400, freeipa at noboost.org wrote: > Hi, > > Spec: > Red Hat Enterprise Linux Server release 6.2 (Santiago) > ipa-admintools-2.1.3-9.el6.x86_64 > ipa-client-2.1.3-9.el6.x86_64 > ipa-pki-ca-theme-9.0.3-7.el6.noarch > ipa-pki-common-theme-9.0.3-7.el6.noarch > ipa-python-2.1.3-9.el6.x86_64 > ipa-server-2.1.3-9.el6.x86_64 > ipa-server-selinux-2.1.3-9.el6.x86_64 > > Issue: > Firstly I'll declare someone must have seen this by now? > > I've set the password policy to 99999; > [root at sysvm-ipa ~]# ipa pwpolicy-show > Group: global_policy > Max lifetime (days): 99999 > Min lifetime (hours): 1 > History size: 0 > Character classes: 0 > Min length: 6 > Max failures: 6 > Failure reset interval: 60 > Lockout duration: 600 > > But old accounts are not getting the change at the ldap level, even > though IPA claims the expiry date has updated. > e.g. > [root at sysvm-ipa ~]# ipa pwpolicy-show --user=john > Group: global_policy > Max lifetime (days): 99999 > Min lifetime (hours): 1 > History size: 0 > Character classes: 0 > Min length: 6 > Max failures: 6 > Failure reset interval: 60 > Lockout duration: 600 > > > ldapsearch (command chopped) > # john, users, accounts, teratext.saic.com.au > dn: uid=john,cn=users,cn=accounts,dc=example,dc=com > krbPasswordExpiration: 20120506011529Z > > > So now when the user(s) logs in, I'm getting "password will expire in XX > days" messages. > > Any ideas? > Can I globally update this somehow, otherwise I'll be re-typing > passwords for a while. Password policies are applied at password change time, if you want to change the password expiration time of a specific user w/o forcing a password change then you need to change the krbPasswordExpiration attribute on the user. Simo. 
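Simo's point is that the policy's maximum lifetime is only applied when a password is changed, so accounts migrated with an old expiry keep it until then; the fix for those accounts is a direct write to krbPasswordExpiration, which the thread later does with a hand-written LDIF. The following is an added example, not code from the thread or from FreeIPA, that produces that LDIF for one or many users and handles the attribute's value format, LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ, the digits Craig asks about further down). The base DN, the user names and the "last change" timestamps used below are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Attribute as stored by IPA; LDAP attribute names are case-insensitive, so the
# lower-case spelling used later in the thread addresses the same attribute.
ATTR = "krbPasswordExpiration"
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"  # assumed base DN


def to_generalized_time(dt):
    """Format an aware datetime as LDAP GeneralizedTime, always normalised to UTC
    so the trailing 'Z' is truthful (IPA writes exactly this 15-character form)."""
    if dt.tzinfo is None:
        raise ValueError("need a timezone-aware datetime")
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def from_generalized_time(value):
    """Parse the form IPA writes, e.g. 20120506011529Z -> 2012-05-06 01:15:29 UTC.
    Fractional seconds and numeric offsets are legal GeneralizedTime but IPA does
    not emit them, so they are rejected rather than silently misread."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime form: %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiry_from_policy(last_change, max_life_days):
    """What the policy would have set at the user's last password change:
    that time plus the policy's maximum lifetime (e.g. 99999 days)."""
    return last_change + timedelta(days=max_life_days)


def expiration_ldif(uid, expires_at, base=USERS_BASE):
    """One LDIF 'modify' record replacing krbPasswordExpiration for a user.
    The trailing blank line separates records when several are concatenated."""
    return (
        "dn: uid=%s,%s\n"
        "changetype: modify\n"
        "replace: %s\n"
        "%s: %s\n"
        "\n" % (uid, base, ATTR, ATTR, to_generalized_time(expires_at))
    )


def bulk_expiration_ldif(entries, base=USERS_BASE):
    """entries: iterable of (uid, aware datetime). Returns one LDIF for ldapmodify."""
    return "".join(expiration_ldif(uid, when, base) for uid, when in entries)


if __name__ == "__main__":
    # Constructed sample: the stale value from the thread and a 99999-day policy.
    old = from_generalized_time("20120506011529Z")
    print(bulk_expiration_ldif([
        ("john", expiry_from_policy(old, 99999)),
        ("jane", expiry_from_policy(old, 99999)),
    ]))
```

Pipe the output into ldapmodify. Use a Kerberos bind as an administrator (kinit admin, then ldapmodify -Y GSSAPI -h ipa.example.com) or at least STARTTLS (-ZZ); a simple Directory Manager bind on port 389 without TLS sends that password in cleartext. Writing the attribute this way changes only the expiry: the password itself and krbLastPwdChange are untouched, and the policy applies normally at the user's next change.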
-- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Tue May 8 13:10:51 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 08 May 2012 09:10:51 -0400 Subject: [Freeipa-users] *SOLVED* Re: ipa-replica-prepare Certificate issuance failed In-Reply-To: <4FA5D82D.6080800@redhat.com> References: <4FA42A18.7090707@redhat.com> <4FA42B9A.5050106@redhat.com> <4FA4396D.9010109@redhat.com> <4FA5BF4A.6010604@redhat.com> <4FA5CF20.8080201@redhat.com> <4FA5D82D.6080800@redhat.com> Message-ID: <1336482651.5722.206.camel@willson.li.ssimo.org> On Sat, 2012-05-05 at 21:47 -0400, Chris Evich wrote: > On 05/05/2012 09:08 PM, Chris Evich wrote: > > On 05/05/2012 08:01 PM, Chris Evich wrote: > >> On 05/04/2012 04:17 PM, Chris Evich wrote: > >> That makes me think maybe there's just a missing service principal or > >> something I can add? I'll see if I can remove that request and try > >> running ipa-replica-prepare again to see if it still gives that error > >> (systems have been restarted since then). Though any other > >> suggestions/ideas of what I can try or look at are much appreciated. > >> Thanks. > >> > > > > Replying to myself again, bad-form, but maybe it'll help someone else if > > they have a similar problem.... > > ...cut... > > I'm guessing there's something going on with this 'caIPAserviceCert' > > thing. Granted I didn't try requesting any certs prior to the update, > > however I can click the 'view' button in the web UI on some service > > certs from the install, so it was generating them at some point. > > Google was kind to me and I found > https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly > confirmed was a problem: > > [root@ ~]# find /var/lib -name caIPAserviceCert.cfg > /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg > [root@ ~]# cd /var/lib/pki-ca/profiles/ca/ > [root@ ca]# ll > total 424 > -rw-rw----. 1 pkiuser pkiuser 5571 Apr 22 16:42 caAdminCert.cfg > -rw-rw----. 
1 pkiuser pkiuser 5485 Apr 22 16:42 caAgentFileSigning.cfg > -rw-rw----. 1 pkiuser pkiuser 5279 Apr 22 16:42 caAgentServerCert.cfg > ...cut... > -rw-rw----. 1 pkiuser pkiuser 5548 Apr 22 16:42 > caInternalAuthServerCert.cfg > -rw-rw----. 1 pkiuser pkiuser 5580 Apr 22 16:42 > caInternalAuthSubsystemCert.cfg > -rw-rw----. 1 pkiuser pkiuser 5784 Apr 22 16:42 > caInternalAuthTransportCert.cfg > -rw-rw----. 1 root root 6220 May 4 10:18 caIPAserviceCert.cfg > ...cut... > [root@ ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg > [root@ ca]# fixfiles restore * > [root@ ~]# systemctl restart pki-cad at pki-ca.service > certmonger.service ipa.service > > (Probably only needed to restart ipa.service) Now generating the cert > works like a champ! with a whole boat-load more stuff showing up in the > debug log: > > [root@ ~]# ipa cert-request --principal=imap/ fqdn>@ dovecot.pem.csr > Certificate: MIIC6zCCAdOgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKE > ...blahblahblah... > fXlqt7LmHUSbfg== > Subject: CN=,O= > Issuer: CN=Certificate Authority,O= > Not Before: Sun May 06 01:20:26 2012 UTC > Not After: Wed May 07 01:20:26 2014 UTC > Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82 > Fingerprint (SHA1): > e2:13:c5:69:43:f3:5e:44:23:d0:9a:fd:0f:e5:79:c3:2f:66:27:7b > > Feeling confident, I tried ipa-replica-prepare and it worked! > [root@ ca]# ipa-replica-prepare king.yewess.us > Directory Manager (existing master) password: > > Preparing replica for from > Creating SSL certificate for the Directory Server > Creating SSL certificate for the dogtag Directory Server > Creating SSL certificate for the Web Server > Exporting RA certificate > Copying additional files > Finalizing configuration > Packaging replica information into /var/lib/ipa/replica-info- fqdn>.gpg > > I'm guessing what happened was I got bit by BZ 675742 or similar before > or after the upgrade but never noticed b/c I haven't used the cert > system until now. 
Maybe whatever the fix for this bug was should be > revisited, or the upgrade process should make sure this file gets reset > with the correct ownership. Otherwise, hopefully this exercise will be > helpful to someone else, and thanks Rob for responding so quickly the > other day. Chris, thanks a lot for getting back with your solution, it is very valuable for all users that may end up in the same weird situation. Simo. -- Simo Sorce * Red Hat, Inc * New York From danieljamesscott at gmail.com Tue May 8 13:28:17 2012 From: danieljamesscott at gmail.com (Dan Scott) Date: Tue, 8 May 2012 09:28:17 -0400 Subject: [Freeipa-users] krbPasswordExpiration field not updating? In-Reply-To: <20120508055545.GA8139@noboost.org> References: <20120508055545.GA8139@noboost.org> Message-ID: On Tue, May 8, 2012 at 1:55 AM, wrote: > Hi, > > Spec: > Red Hat Enterprise Linux Server release 6.2 (Santiago) > ?ipa-admintools-2.1.3-9.el6.x86_64 > ?ipa-client-2.1.3-9.el6.x86_64 > ?ipa-pki-ca-theme-9.0.3-7.el6.noarch > ?ipa-pki-common-theme-9.0.3-7.el6.noarch > ?ipa-python-2.1.3-9.el6.x86_64 > ?ipa-server-2.1.3-9.el6.x86_64 > ?ipa-server-selinux-2.1.3-9.el6.x86_64 > > Issue: > Firstly I'll declare someone must have seen this by now? > > I've set the password policy to 99999; > [root at sysvm-ipa ~]# ipa pwpolicy-show > ?Group: global_policy > ?Max lifetime (days): 99999 > ?Min lifetime (hours): 1 > ?History size: 0 > ?Character classes: 0 > ?Min length: 6 > ?Max failures: 6 > ?Failure reset interval: 60 > ?Lockout duration: 600 > > But old accounts are not getting the change at the ldap level, even > though IPA claims the expiry date has updated. > e.g. 
> [root at sysvm-ipa ~]# ipa pwpolicy-show --user=john > ?Group: global_policy > ?Max lifetime (days): 99999 > ?Min lifetime (hours): 1 > ?History size: 0 > ?Character classes: 0 > ?Min length: 6 > ?Max failures: 6 > ?Failure reset interval: 60 > ?Lockout duration: 600 > > > ldapsearch (command chopped) > # john, users, accounts, teratext.saic.com.au > dn: uid=john,cn=users,cn=accounts,dc=example,dc=com > krbPasswordExpiration: 20120506011529Z > > > So now when the user(s) logs in, I'm getting "password will expire in XX > days" messages. > > Any ideas? > Can I globally update this somehow, otherwise I'll be re-typing > passwords for a while. A password reset by admin always expires the password. I think once the user first changes their password it will have the lifetime that you specified. You can force the expiration date using an ldapmodify command: ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv -f update_krbpasswordexpiration.ldif Where the update_krbpasswordexpiration.ldif file contains: dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com changetype: modify replace: krbpasswordexpiration krbpasswordexpiration: 20140202203734Z You could do this as admin if you have a ticket so that you don't have to enter the directory manager password. Hope this helps, Dan From rcritten at redhat.com Tue May 8 13:29:07 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 08 May 2012 09:29:07 -0400 Subject: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group? In-Reply-To: <1336442118.93506.YahooMailNeo@web125701.mail.ne1.yahoo.com> References: <1336442118.93506.YahooMailNeo@web125701.mail.ne1.yahoo.com> Message-ID: <4FA91FA3.1070106@redhat.com> David Copperfield wrote: > Hi folks, > > Are there any way to turn off IPA automatic creation of private user > group? We use a common user group like ?nis-wheel?, and completely > disabled private groups in openldap before migration. 
If you disable private groups then the primary group of users is going to be the default IPA users group. This group will need to be POSIX. If it isn't you can promote it with: $ ipa group-mod --posix ipausers To disable private groups run: $ ipa-managed-entries disable -e 'UPG Definition' rob From rcritten at redhat.com Tue May 8 13:36:51 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 08 May 2012 09:36:51 -0400 Subject: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error. In-Reply-To: <1336482485.5722.203.camel@willson.li.ssimo.org> References: <1336448337.94227.YahooMailNeo@web125705.mail.ne1.yahoo.com> <1336482485.5722.203.camel@willson.li.ssimo.org> Message-ID: <4FA92173.4010906@redhat.com> Simo Sorce wrote: > On Mon, 2012-05-07 at 20:38 -0700, David Copperfield wrote: >> I have a IPA replica server with disk problems, and then it is >> reimaged and rebuild. But when the IPA replica function is rebuilt, it >> reports the following problem: >> >> >> [root at ipareplica02 ipa]# ipa-replica-install >> --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg >> >> ... >> [21/29]: setting up initial replication >> Starting replication, please wait until this has completed. >> [ipamaster.example.com] reports: Update failed! Status: [49 - LDAP >> error: Invalid credentials] >> ... >> >> >> Before I run the replica rebuilding step on IPA replica, I already run >> 'ipa-replica-manage disconn ipareplica01.example.com' on IPA master, >> and delete the host entry for ipareplica02 as well. >> >> >> Did I missed any steps above? Please help. Thanks. > > Due to the way kerberos ticket are built you need to restart the master > this replica was replicating to before you rebuild a replica with the > exact same name. > This is because krb tickets are cached but you will change the long term > key with a full reinstall, so the current master will have a ticket the > replica cannot decrypt. > > Simo. 
> The connect/disconnect commands for ipa-replica-manage are used to manage the replication agreements between masters. To completely remove a master you want the delete command. We improved the man page documentation of this a bit in the 2.2. release. rob From rcritten at redhat.com Tue May 8 13:43:13 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 08 May 2012 09:43:13 -0400 Subject: [Freeipa-users] krbPasswordExpiration field not updating? In-Reply-To: References: <20120508055545.GA8139@noboost.org> Message-ID: <4FA922F1.3040502@redhat.com> Dan Scott wrote: > On Tue, May 8, 2012 at 1:55 AM, wrote: >> Hi, >> >> Spec: >> Red Hat Enterprise Linux Server release 6.2 (Santiago) >> ipa-admintools-2.1.3-9.el6.x86_64 >> ipa-client-2.1.3-9.el6.x86_64 >> ipa-pki-ca-theme-9.0.3-7.el6.noarch >> ipa-pki-common-theme-9.0.3-7.el6.noarch >> ipa-python-2.1.3-9.el6.x86_64 >> ipa-server-2.1.3-9.el6.x86_64 >> ipa-server-selinux-2.1.3-9.el6.x86_64 >> >> Issue: >> Firstly I'll declare someone must have seen this by now? >> >> I've set the password policy to 99999; >> [root at sysvm-ipa ~]# ipa pwpolicy-show >> Group: global_policy >> Max lifetime (days): 99999 >> Min lifetime (hours): 1 >> History size: 0 >> Character classes: 0 >> Min length: 6 >> Max failures: 6 >> Failure reset interval: 60 >> Lockout duration: 600 >> >> But old accounts are not getting the change at the ldap level, even >> though IPA claims the expiry date has updated. >> e.g. 
>> [root at sysvm-ipa ~]# ipa pwpolicy-show --user=john >> Group: global_policy >> Max lifetime (days): 99999 >> Min lifetime (hours): 1 >> History size: 0 >> Character classes: 0 >> Min length: 6 >> Max failures: 6 >> Failure reset interval: 60 >> Lockout duration: 600 >> >> >> ldapsearch (command chopped) >> # john, users, accounts, teratext.saic.com.au >> dn: uid=john,cn=users,cn=accounts,dc=example,dc=com >> krbPasswordExpiration: 20120506011529Z >> >> >> So now when the user(s) logs in, I'm getting "password will expire in XX >> days" messages. >> >> Any ideas? >> Can I globally update this somehow, otherwise I'll be re-typing >> passwords for a while. > > A password reset by admin always expires the password. I think once > the user first changes their password it will have the lifetime that > you specified. > > You can force the expiration date using an ldapmodify command: > > ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv > -f update_krbpasswordexpiration.ldif > > Where the update_krbpasswordexpiration.ldif file contains: > > dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com > changetype: modify > replace: krbpasswordexpiration > krbpasswordexpiration: 20140202203734Z > > You could do this as admin if you have a ticket so that you don't have > to enter the directory manager password. This is great, thanks Dan. 
BTW the equivalent command using a Kerberos ticket is: $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f update_krbpasswordexpiration.ldif rob From cevich at redhat.com Tue May 8 14:32:30 2012 From: cevich at redhat.com (Chris Evich) Date: Tue, 08 May 2012 10:32:30 -0400 Subject: [Freeipa-users] *SOLVED* Re: ipa-replica-prepare Certificate issuance failed In-Reply-To: <1336482651.5722.206.camel@willson.li.ssimo.org> References: <4FA42A18.7090707@redhat.com> <4FA42B9A.5050106@redhat.com> <4FA4396D.9010109@redhat.com> <4FA5BF4A.6010604@redhat.com> <4FA5CF20.8080201@redhat.com> <4FA5D82D.6080800@redhat.com> <1336482651.5722.206.camel@willson.li.ssimo.org> Message-ID: <4FA92E7E.50004@redhat.com> On 05/08/2012 09:10 AM, Simo Sorce wrote: > On Sat, 2012-05-05 at 21:47 -0400, Chris Evich wrote: >> On 05/05/2012 09:08 PM, Chris Evich wrote: >>> On 05/05/2012 08:01 PM, Chris Evich wrote: >>>> On 05/04/2012 04:17 PM, Chris Evich wrote: >>>> That makes me think maybe there's just a missing service principal or >>>> something I can add? I'll see if I can remove that request and try >>>> running ipa-replica-prepare again to see if it still gives that error >>>> (systems have been restarted since then). Though any other >>>> suggestions/ideas of what I can try or look at are much appreciated. >>>> Thanks. >>>> >>> >>> Replying to myself again, bad-form, but maybe it'll help someone else if >>> they have a similar problem.... >>> ...cut... >>> I'm guessing there's something going on with this 'caIPAserviceCert' >>> thing. Granted I didn't try requesting any certs prior to the update, >>> however I can click the 'view' button in the web UI on some service >>> certs from the install, so it was generating them at some point. 
>> >> Google was kind to me and I found >> https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly >> confirmed was a problem: >> >> [root@ ~]# find /var/lib -name caIPAserviceCert.cfg >> /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg >> [root@ ~]# cd /var/lib/pki-ca/profiles/ca/ >> [root@ ca]# ll >> total 424 >> -rw-rw----. 1 pkiuser pkiuser 5571 Apr 22 16:42 caAdminCert.cfg >> -rw-rw----. 1 pkiuser pkiuser 5485 Apr 22 16:42 caAgentFileSigning.cfg >> -rw-rw----. 1 pkiuser pkiuser 5279 Apr 22 16:42 caAgentServerCert.cfg >> ...cut... >> -rw-rw----. 1 pkiuser pkiuser 5548 Apr 22 16:42 >> caInternalAuthServerCert.cfg >> -rw-rw----. 1 pkiuser pkiuser 5580 Apr 22 16:42 >> caInternalAuthSubsystemCert.cfg >> -rw-rw----. 1 pkiuser pkiuser 5784 Apr 22 16:42 >> caInternalAuthTransportCert.cfg >> -rw-rw----. 1 root root 6220 May 4 10:18 caIPAserviceCert.cfg >> ...cut... >> [root@ ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg >> [root@ ca]# fixfiles restore * >> [root@ ~]# systemctl restart pki-cad at pki-ca.service >> certmonger.service ipa.service >> >> (Probably only needed to restart ipa.service) Now generating the cert >> works like a champ! with a whole boat-load more stuff showing up in the >> debug log: >> >> [root@ ~]# ipa cert-request --principal=imap/> fqdn>@ dovecot.pem.csr >> Certificate: MIIC6zCCAdOgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKE >> ...blahblahblah... >> fXlqt7LmHUSbfg== >> Subject: CN=,O= >> Issuer: CN=Certificate Authority,O= >> Not Before: Sun May 06 01:20:26 2012 UTC >> Not After: Wed May 07 01:20:26 2014 UTC >> Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82 >> Fingerprint (SHA1): >> e2:13:c5:69:43:f3:5e:44:23:d0:9a:fd:0f:e5:79:c3:2f:66:27:7b >> >> Feeling confident, I tried ipa-replica-prepare and it worked! 
>> [root@ ca]# ipa-replica-prepare >> Directory Manager (existing master) password: >> >> Preparing replica for from >> Creating SSL certificate for the Directory Server >> Creating SSL certificate for the dogtag Directory Server >> Creating SSL certificate for the Web Server >> Exporting RA certificate >> Copying additional files >> Finalizing configuration >> Packaging replica information into /var/lib/ipa/replica-info-> fqdn>.gpg >> >> I'm guessing what happened was I got bit by BZ 675742 or similar before >> or after the upgrade but never noticed b/c I haven't used the cert >> system until now. Maybe whatever the fix for this bug was should be >> revisited, or the upgrade process should make sure this file gets reset >> with the correct ownership. Otherwise, hopefully this exercise will be >> helpful to someone else, and thanks Rob for responding so quickly the >> other day. > > Chris, > thanks a lot for getting back with your solution, it is very valuable > for all users that may end up in the same weird situation. > > Simo. > Sure thing. If y'all think of it, it might be good to put some more error reporting into the ipa-replica-prepare tool. The debug log didn't seem to be much help (to my n00b eyes). Ultimately it was the error message from "ipa cert-request", "Profile caIPAserviceCert Not Found" which lead me to the solution. If it's hard to add it to the tool, then tossing stuff like that into the logs would help too. Just a suggestion, since with such awesome tooling (graphical and CLI) on a project like this, it's bound to attract more n00bs like me. The DNS/Kerberos stuff is straight forward because there's lots of deployments and a long history of mailing list posts to find answers on. The cert. 
system seems to be a different story entirely, it's (arguably) as powerful as kerberos but doesn't get nearly as much "press" coverage :D From cao2dan at yahoo.com Tue May 8 19:20:21 2012 From: cao2dan at yahoo.com (David Copperfield) Date: Tue, 8 May 2012 12:20:21 -0700 (PDT) Subject: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error. In-Reply-To: <1336482485.5722.203.camel@willson.li.ssimo.org> References: <1336448337.94227.YahooMailNeo@web125705.mail.ne1.yahoo.com> <1336482485.5722.203.camel@willson.li.ssimo.org> Message-ID: <1336504821.29571.YahooMailNeo@web125706.mail.ne1.yahoo.com> Hi Simo and all, Thanks for your reply. Do you mean restarting the ipa service on the IPA master, like 'service ipa restart'? Or running 'kdestroy' on ipamaster to remove Kerberos tickets? It will be great if you could elaborate on this: like which IPA replica Kerberos principal and replica Kerberos tickets are involved, and where they are stored. Thanks. --David - ________________________________ From: Simo Sorce To: David Copperfield Cc: "freeipa-users at redhat.com" Sent: Tuesday, May 8, 2012 6:08 AM Subject: Re: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error. On Mon, 2012-05-07 at 20:38 -0700, David Copperfield wrote: > I have an IPA replica server with disk problems, and then it is > reimaged and rebuilt. But when the IPA replica function is rebuilt, it > reports the following problem: > > > [root at ipareplica02 ipa]# ipa-replica-install > --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg > > ... > [21/29]: setting up initial replication > Starting replication, please wait until this has completed. > [ipamaster.example.com] reports: Update failed! Status: [49 - LDAP > error: Invalid credentials] > ... > > > Before I run the replica rebuilding step on IPA replica, I already ran > 'ipa-replica-manage disconn ipareplica01.example.com' on IPA master, > and deleted the host entry for ipareplica02 as well.
> > > Did I missed any steps above? Please help. Thanks. Due to the way kerberos ticket are built you need to restart the master this replica was replicating to before you rebuild a replica with the exact same name. This is because krb tickets are cached but you will change the long term key with a full reinstall, so the current master will have a ticket the replica cannot decrypt. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Tue May 8 19:42:51 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 08 May 2012 15:42:51 -0400 Subject: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error. In-Reply-To: <1336504821.29571.YahooMailNeo@web125706.mail.ne1.yahoo.com> References: <1336448337.94227.YahooMailNeo@web125705.mail.ne1.yahoo.com> <1336482485.5722.203.camel@willson.li.ssimo.org> <1336504821.29571.YahooMailNeo@web125706.mail.ne1.yahoo.com> Message-ID: <1336506171.5722.210.camel@willson.li.ssimo.org> On Tue, 2012-05-08 at 12:20 -0700, David Copperfield wrote: > HI Simo and all, > > > Thanks for your reply. > > > do you mean restarting ipa service on ipa master like 'service ipa > restart'? or run 'kdestroy' on ipamaster to remove kerberos tickets? > It will be great if you could elaborate on this: like which IPA > replica Kerberos principal, replica Kerberos tickets are involved, and > where they are stored. I meant service ipa restart The ccache involved is a memory ccache that lives in the ns-slapd process, so it can only be cleared with a restart for now. I am opening a ticket to try to handle that automatically in 389ds, but for now you have to go that route. Simo. 
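To make Simo's explanation concrete, here is an added toy model in Python (not FreeIPA or MIT Kerberos code) of the three states the thread describes: the master's directory server holds a cached service ticket for the replica; the replica is reinstalled under the same name and therefore gets a new long-term key, so the cached ticket no longer verifies; the master is restarted, its memory ccache is emptied, and it obtains a fresh ticket under the new key. The "cipher" is a SHA-256 keystream with an HMAC tag standing in for the real Kerberos encryption types, and the principal names are illustrative.

```python
import hashlib
import hmac
import os

# Toy encrypt-then-MAC that stands in for a Kerberos enctype: a wrong key
# fails the tag check, which is what "ticket the replica cannot decrypt" means.


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Return nonce || ciphertext || HMAC-SHA256 tag under `key`."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Return the plaintext, or None when the tag does not verify (wrong key)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Holds each service principal's current long-term key; enrolling a
    principal again (a reinstall with the same name) replaces the key."""

    def __init__(self):
        self.keys = {}

    def enroll(self, principal):
        self.keys[principal] = os.urandom(32)

    def issue_ticket(self, client, service):
        # A service ticket is sealed under the service's key as of *now*.
        return seal(self.keys[service], client.encode())


class Master:
    """The master's ns-slapd keeps service tickets in an in-memory ccache and
    reuses them for the replication agreement until the process restarts."""

    def __init__(self, kdc, name):
        self.kdc, self.name, self.ccache = kdc, name, {}

    def ticket_for(self, service):
        if service not in self.ccache:
            self.ccache[service] = self.kdc.issue_ticket(self.name, service)
        return self.ccache[service]

    def restart(self):
        self.ccache.clear()  # 'service ipa restart' throws the memory ccache away


def replica_accepts(kdc, replica, ticket):
    """The replica decrypts with the key it holds now; failure is what the
    master reports as 'Update failed! Status: [49 - Invalid credentials]'."""
    return unseal(kdc.keys[replica], ticket) is not None


def scenario():
    kdc = KDC()
    master = Master(kdc, "ldap/ipamaster.example.com")  # illustrative names
    replica = "ldap/ipareplica02.example.com"
    kdc.enroll(replica)
    before = replica_accepts(kdc, replica, master.ticket_for(replica))
    kdc.enroll(replica)  # replica reinstalled with the same name: new long-term key
    stale = replica_accepts(kdc, replica, master.ticket_for(replica))  # cached ticket
    master.restart()
    fresh = replica_accepts(kdc, replica, master.ticket_for(replica))
    return before, stale, fresh


if __name__ == "__main__":
    print("accepted before reinstall, with stale ticket, after restart:", scenario())
```

scenario() returns (True, False, True). In a real deployment the cached ticket lives inside ns-slapd on the master and the replica's key in its keytab, so the order that avoids the failure is: remove the dead replica with ipa-replica-manage del on a surviving master, restart ipa on the master the new replica will pull from, then run ipa-replica-prepare and ipa-replica-install.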
-- Simo Sorce * Red Hat, Inc * New York From Steven.Jones at vuw.ac.nz Tue May 8 21:47:41 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 8 May 2012 21:47:41 +0000 Subject: [Freeipa-users] Trying to trace why a user cannot login to a client In-Reply-To: <20120508130342.GA11109@hendrix.redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CC8809C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC880FE@STAWINCOX10MBX1.staff.vuw.ac.nz> <201205010843.49685.jzeleny@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC896A4@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC896D5@STAWINCOX10MBX1.staff.vuw.ac.nz> <20120501210412.GF19576@hendrix.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A87@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20120508130342.GA11109@hendrix.redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC903C0@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Attached is a munin graph of what looks like a memory leak.....I suspect (if you look at the munin monthly graph) we had no issue until I think we patched......I need to ask my admins if they did patch .......(they are not in yet)..... Looking at the CPU and memory graphs in VMware the change in stability and leak is also most noticeable, yet apart from upping the nsslapd-cachememsize: 10485760 to 18900000 I know of no changes to the system......attached is a vmware graph..... It now looks like I have to set a cronjob to reboot the IPA servers nightly........ So since ipa2 crashed (or rather the memory-killer killed slapd), this isn't why 1/2 the users could login....that workstation points at ipa2 while others point at ipa1....is my best guess. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Jakub Hrozek [jhrozek at redhat.com] Sent: Wednesday, 9 May 2012 1:03 a.m.
To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Trying to trace why a user cannot login to a client On Tue, May 01, 2012 at 10:12:48PM +0000, Steven Jones wrote: > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 The logs only say "[ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [desktop-admins-test]". The error must be elsewhere, can you also attach or paste what does the /var/log/secure and /var/log/sssd/sssd_pam.log files have to say when the System Error occurs? Does the System Error occur with both 6.2 and 6.3 packages? > Does by any chance your sssd.conf include a debug_level directive in the > [sssd] section and not in the others? > > I think that was a case that only worked by accident and we removed it > in 1.7 > > The "fix" is to specify debug_level in all the sections you'd like to > print debug information from. In your case, that would be the [domain/*] > section and perhaps the [pam] section. > Did you have a chance to take a look at the debug logging? -------------- next part -------------- A non-text attachment was scrubbed... Name: ipa2-memory-error-month07.jpeg Type: image/jpeg Size: 170067 bytes Desc: ipa2-memory-error-month07.jpeg URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ipa2-memory-error-06.jpeg Type: image/jpeg Size: 40506 bytes Desc: ipa2-memory-error-06.jpeg URL: From freeipa at noboost.org Wed May 9 00:45:20 2012 From: freeipa at noboost.org (freeipa at noboost.org) Date: Wed, 9 May 2012 04:45:20 +0400 Subject: [Freeipa-users] krbPasswordExpiration field not updating? 
In-Reply-To: <4FA922F1.3040502@redhat.com> References: <20120508055545.GA8139@noboost.org> <4FA922F1.3040502@redhat.com> Message-ID: <20120509004520.GA8180@noboost.org> On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote: > Dan Scott wrote: > >On Tue, May 8, 2012 at 1:55 AM, wrote: > >>Hi, > >> > >>Spec: > >>Red Hat Enterprise Linux Server release 6.2 (Santiago) > >> ipa-admintools-2.1.3-9.el6.x86_64 > >> ipa-client-2.1.3-9.el6.x86_64 > >> ipa-pki-ca-theme-9.0.3-7.el6.noarch > >> ipa-pki-common-theme-9.0.3-7.el6.noarch > >> ipa-python-2.1.3-9.el6.x86_64 > >> ipa-server-2.1.3-9.el6.x86_64 > >> ipa-server-selinux-2.1.3-9.el6.x86_64 > >> > >>Issue: > >>Firstly I'll declare someone must have seen this by now? > >> > >>I've set the password policy to 99999; > >>[root at sysvm-ipa ~]# ipa pwpolicy-show > >> Group: global_policy > >> Max lifetime (days): 99999 > >> Min lifetime (hours): 1 > >> History size: 0 > >> Character classes: 0 > >> Min length: 6 > >> Max failures: 6 > >> Failure reset interval: 60 > >> Lockout duration: 600 > >> > >>But old accounts are not getting the change at the ldap level, even > >>though IPA claims the expiry date has updated. > >>e.g. > >>[root at sysvm-ipa ~]# ipa pwpolicy-show --user=john > >> Group: global_policy > >> Max lifetime (days): 99999 > >> Min lifetime (hours): 1 > >> History size: 0 > >> Character classes: 0 > >> Min length: 6 > >> Max failures: 6 > >> Failure reset interval: 60 > >> Lockout duration: 600 > >> > >> > >>ldapsearch (command chopped) > >># john, users, accounts, teratext.saic.com.au > >>dn: uid=john,cn=users,cn=accounts,dc=example,dc=com > >>krbPasswordExpiration: 20120506011529Z > >> > >> > >>So now when the user(s) logs in, I'm getting "password will expire in XX > >>days" messages. > >> > >>Any ideas? > >>Can I globally update this somehow, otherwise I'll be re-typing > >>passwords for a while. > > > >A password reset by admin always expires the password. 
I think once > >the user first changes their password it will have the lifetime that > >you specified. > > > >You can force the expiration date using an ldapmodify command: > > > >ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv > >-f update_krbpasswordexpiration.ldif > > > >Where the update_krbpasswordexpiration.ldif file contains: > > > >dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com > >changetype: modify > >replace: krbpasswordexpiration > >krbpasswordexpiration: 20140202203734Z > > > >You could do this as admin if you have a ticket so that you don't have > >to enter the directory manager password. > > This is great, thanks Dan. > > BTW the equivalent command using a Kerberos ticket is: > > $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f > update_krbpasswordexpiration.ldif > > rob > Thanks great advice, so just to clarify, do the rear numbers just represent hours, seconds etc? e.g. krbpasswordexpiration: 20150101203734Z krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour,37=min,34=sec]? cya Craig From danieljamesscott at gmail.com Wed May 9 01:31:29 2012 From: danieljamesscott at gmail.com (Dan Scott) Date: Tue, 8 May 2012 21:31:29 -0400 Subject: [Freeipa-users] krbPasswordExpiration field not updating? 
In-Reply-To: <20120509004520.GA8180@noboost.org> References: <20120508055545.GA8139@noboost.org> <4FA922F1.3040502@redhat.com> <20120509004520.GA8180@noboost.org> Message-ID: On Tue, May 8, 2012 at 8:45 PM, wrote: > On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote: >> Dan Scott wrote: >> >On Tue, May 8, 2012 at 1:55 AM, ?wrote: >> >>Hi, >> >> >> >>Spec: >> >>Red Hat Enterprise Linux Server release 6.2 (Santiago) >> >> ?ipa-admintools-2.1.3-9.el6.x86_64 >> >> ?ipa-client-2.1.3-9.el6.x86_64 >> >> ?ipa-pki-ca-theme-9.0.3-7.el6.noarch >> >> ?ipa-pki-common-theme-9.0.3-7.el6.noarch >> >> ?ipa-python-2.1.3-9.el6.x86_64 >> >> ?ipa-server-2.1.3-9.el6.x86_64 >> >> ?ipa-server-selinux-2.1.3-9.el6.x86_64 >> >> >> >>Issue: >> >>Firstly I'll declare someone must have seen this by now? >> >> >> >>I've set the password policy to 99999; >> >>[root at sysvm-ipa ~]# ipa pwpolicy-show >> >> ?Group: global_policy >> >> ?Max lifetime (days): 99999 >> >> ?Min lifetime (hours): 1 >> >> ?History size: 0 >> >> ?Character classes: 0 >> >> ?Min length: 6 >> >> ?Max failures: 6 >> >> ?Failure reset interval: 60 >> >> ?Lockout duration: 600 >> >> >> >>But old accounts are not getting the change at the ldap level, even >> >>though IPA claims the expiry date has updated. >> >>e.g. >> >>[root at sysvm-ipa ~]# ipa pwpolicy-show --user=john >> >> ?Group: global_policy >> >> ?Max lifetime (days): 99999 >> >> ?Min lifetime (hours): 1 >> >> ?History size: 0 >> >> ?Character classes: 0 >> >> ?Min length: 6 >> >> ?Max failures: 6 >> >> ?Failure reset interval: 60 >> >> ?Lockout duration: 600 >> >> >> >> >> >>ldapsearch (command chopped) >> >># john, users, accounts, teratext.saic.com.au >> >>dn: uid=john,cn=users,cn=accounts,dc=example,dc=com >> >>krbPasswordExpiration: 20120506011529Z >> >> >> >> >> >>So now when the user(s) logs in, I'm getting "password will expire in XX >> >>days" messages. >> >> >> >>Any ideas? 
>> >>Can I globally update this somehow, otherwise I'll be re-typing
>> >>passwords for a while.
>> >
>> >A password reset by admin always expires the password. I think once
>> >the user first changes their password it will have the lifetime that
>> >you specified.
>> >
>> >You can force the expiration date using an ldapmodify command:
>> >
>> >ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
>> >-f update_krbpasswordexpiration.ldif
>> >
>> >Where the update_krbpasswordexpiration.ldif file contains:
>> >
>> >dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
>> >changetype: modify
>> >replace: krbpasswordexpiration
>> >krbpasswordexpiration: 20140202203734Z
>> >
>> >You could do this as admin if you have a ticket so that you don't have
>> >to enter the directory manager password.
>>
>> This is great, thanks Dan.
>>
>> BTW the equivalent command using a Kerberos ticket is:
>>
>> $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
>> update_krbpasswordexpiration.ldif
>>
>> rob
>>
> Thanks, great advice. So just to clarify, do the rear numbers just
> represent hours, seconds etc?
> e.g. krbpasswordexpiration: 20150101203734Z
>      krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour,37=min,34=sec]?

Yep, and Z indicates GMT.

From sbingram at gmail.com Wed May 9 01:52:30 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Tue, 8 May 2012 18:52:30 -0700
Subject: [Freeipa-users] host name too long for Web interface
Message-ID:

Perhaps this is already corrected in 2.2.0, but I'm currently using 2.1.3 and when using a long hostname (like amazon ec2 names ec2-50-xx-xxx-xxx.us-1-east.compute.amazonaws.com), once you click on the hostname in the Identity/Hosts tab, you can no longer return to the hosts listing because the hostname is so long that it somehow overwrites the "hosts" breadcrumb link. Is there a way around this without just removing some of the URL in the location bar and hitting return?
Steve

From pvoborni at redhat.com Wed May 9 07:43:07 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 09 May 2012 09:43:07 +0200
Subject: [Freeipa-users] host name too long for Web interface
In-Reply-To:
References:
Message-ID: <4FAA200B.40004@redhat.com>

On 05/09/2012 03:52 AM, Stephen Ingram wrote:
> Perhaps this is already corrected in 2.2.0, but I'm currently using
> 2.1.3 and when using a long hostname (like amazon ec2 names
> ec2-50-xx-xxx-xxx.us-1-east.compute.amazonaws.com), once you click on
> the hostname in the Identity/Hosts tab, you can no longer return to
> the hosts listing because the hostname is so long that it somehow
> overwrites the "hosts" breadcrumb link. Is there a way around this
> without just removing some of the URL in the location bar and hitting
> return?
>
> Steve
>

Yes, it's corrected in 2.2.

To work around the problem in older versions I would suggest one of the following methods:

1) create a bookmark to the search page - probably good only if you hit the problem in one page. The url for hosts is:
   https://test.example.com/ipa/ui/#identity=host&navigation=identity&host-facet=search

2) personally I would edit the URL - it's fast if you know how it should look.

3) in the browser JavaScript console execute:
   IPA.nav.show_page('host', 'search')
   Note: the params are: entity name, page name, primary key.

--
Petr Vobornik

From pspacek at redhat.com Wed May 9 11:02:35 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 09 May 2012 13:02:35 +0200
Subject: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?
In-Reply-To: <4FA91FA3.1070106@redhat.com>
References: <1336442118.93506.YahooMailNeo@web125701.mail.ne1.yahoo.com> <4FA91FA3.1070106@redhat.com>
Message-ID: <4FAA4ECB.8070701@redhat.com>

On 05/08/2012 03:29 PM, Rob Crittenden wrote:
> David Copperfield wrote:
>> Hi folks,
>>
>> Is there any way to turn off IPA automatic creation of private user
>> group?
>> We use a common user group like 'nis-wheel', and completely
>> disabled private groups in openldap before migration.
>
> If you disable private groups then the primary group of users is going to be
> the default IPA users group. This group will need to be POSIX. If it isn't you
> can promote it with:
>
> $ ipa group-mod --posix ipausers
>
> To disable private groups run:
>
> $ ipa-managed-entries disable -e 'UPG Definition'
>
> rob

For the record && Google:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#user-private-groups

Petr^2 Spacek

From pspacek at redhat.com Wed May 9 11:21:39 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 09 May 2012 13:21:39 +0200
Subject: [Freeipa-users] krbPasswordExpiration field not updating?
In-Reply-To:
References: <20120508055545.GA8139@noboost.org> <4FA922F1.3040502@redhat.com> <20120509004520.GA8180@noboost.org>
Message-ID: <4FAA5343.6030208@redhat.com>

On 05/09/2012 03:31 AM, Dan Scott wrote:
> On Tue, May 8, 2012 at 8:45 PM, wrote:
>> On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
>>> Dan Scott wrote:
>>>> On Tue, May 8, 2012 at 1:55 AM, wrote:
>>>>> Hi,
>>>>>
>>>>> Spec:
>>>>> Red Hat Enterprise Linux Server release 6.2 (Santiago)
>>>>> ipa-admintools-2.1.3-9.el6.x86_64
>>>>> ipa-client-2.1.3-9.el6.x86_64
>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>> ipa-python-2.1.3-9.el6.x86_64
>>>>> ipa-server-2.1.3-9.el6.x86_64
>>>>> ipa-server-selinux-2.1.3-9.el6.x86_64
>>>>>
>>>>> Issue:
>>>>> Firstly I'll declare someone must have seen this by now?
>>>>>
>>>>> I've set the password policy to 99999;
>>>>> [root at sysvm-ipa ~]# ipa pwpolicy-show
>>>>> Group: global_policy
>>>>> Max lifetime (days): 99999
>>>>> Min lifetime (hours): 1
>>>>> History size: 0
>>>>> Character classes: 0
>>>>> Min length: 6
>>>>> Max failures: 6
>>>>> Failure reset interval: 60
>>>>> Lockout duration: 600
>>>>>
>>>>> But old accounts are not getting the change at the ldap level, even
>>>>> though IPA claims the expiry date has updated.
>>>>> e.g.
>>>>> [root at sysvm-ipa ~]# ipa pwpolicy-show --user=john
>>>>> Group: global_policy
>>>>> Max lifetime (days): 99999
>>>>> Min lifetime (hours): 1
>>>>> History size: 0
>>>>> Character classes: 0
>>>>> Min length: 6
>>>>> Max failures: 6
>>>>> Failure reset interval: 60
>>>>> Lockout duration: 600
>>>>>
>>>>>
>>>>> ldapsearch (command chopped)
>>>>> # john, users, accounts, teratext.saic.com.au
>>>>> dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
>>>>> krbPasswordExpiration: 20120506011529Z
>>>>>
>>>>>
>>>>> So now when the user(s) logs in, I'm getting "password will expire in XX
>>>>> days" messages.
>>>>>
>>>>> Any ideas?
>>>>> Can I globally update this somehow, otherwise I'll be re-typing
>>>>> passwords for a while.
>>>>
>>>> A password reset by admin always expires the password. I think once
>>>> the user first changes their password it will have the lifetime that
>>>> you specified.
>>>>
>>>> You can force the expiration date using an ldapmodify command:
>>>>
>>>> ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
>>>> -f update_krbpasswordexpiration.ldif
>>>>
>>>> Where the update_krbpasswordexpiration.ldif file contains:
>>>>
>>>> dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
>>>> changetype: modify
>>>> replace: krbpasswordexpiration
>>>> krbpasswordexpiration: 20140202203734Z
>>>>
>>>> You could do this as admin if you have a ticket so that you don't have
>>>> to enter the directory manager password.
>>>
>>> This is great, thanks Dan.
>>>
>>> BTW the equivalent command using a Kerberos ticket is:
>>>
>>> $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
>>> update_krbpasswordexpiration.ldif
>>>
>>> rob
>>>
>> Thanks, great advice. So just to clarify, do the rear numbers just
>> represent hours, seconds etc?
>> e.g. krbpasswordexpiration: 20150101203734Z
>>      krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour,37=min,34=sec]?
>
> Yep, and Z indicates GMT.

Question is:
1) Should we document that (and provide a hint in `ipa pwpolicy` output)?
OR
2) Should ipa pwpolicy do the update for all affected principals in LDAP? Just to prevent confusion?

I like variant 2, because variant 1 seems to be confusing to me.

Craig, what is the user opinion?

Petr^2 Spacek

From pspacek at redhat.com Wed May 9 11:26:14 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 09 May 2012 13:26:14 +0200
Subject: [Freeipa-users] Can I change new users' default group from 'ipausers' to some thing else?
In-Reply-To: <1336482350.5722.201.camel@willson.li.ssimo.org>
References: <1336438899.98101.YahooMailNeo@web125703.mail.ne1.yahoo.com> <1336482350.5722.201.camel@willson.li.ssimo.org>
Message-ID: <4FAA5456.9010601@redhat.com>

On 05/08/2012 03:05 PM, Simo Sorce wrote:
> On Mon, 2012-05-07 at 18:01 -0700, David Copperfield wrote:
>> Hi,
>>
>>
>> Can I change the default user group for new users to something else?
>> and disable automatic creation of private groups?
>
> Yes, and yes, although I wouldn't recommend so if you have more than a
> couple hundred users as that group will become enormous and will slow
> down clients trying to fetch and cache all the memberships.
>
> Having a common primary group is also often a security problem because
> the default netmask on Linux machines is 220 meaning that all users can
> read/write each other user' files by default if they all share the same
> group.
>>
>> Basically I migrated hundreds of Linux accounts from openldap to IPA,
>> and those users have a default group 'exampleGroup' with GID<500. And
>> it is company policy to have all users use the same container user
>> group, and disable private groups.
>
> To change the default primary group you can simply locate the
> ipaDefaultPrimaryGroup attribute and change it from ipausers to whatever
> you want to use.
>
>> So can I change the IPA policy to change the default user group from
>> 'ipausers' to some thing else like 'exampleGroup'? what's the
>> immediate and potential effect of the adjustment? Thanks.
>>
> See above.
>
> Simo.
>

Just for completeness:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#Configuring_IPA_Users-Specifying_Default_User_Settings

Petr^2 Spacek

From simo at redhat.com Wed May 9 12:19:59 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 09 May 2012 08:19:59 -0400
Subject: [Freeipa-users] krbPasswordExpiration field not updating?
In-Reply-To: <4FAA5343.6030208@redhat.com>
References: <20120508055545.GA8139@noboost.org> <4FA922F1.3040502@redhat.com> <20120509004520.GA8180@noboost.org> <4FAA5343.6030208@redhat.com>
Message-ID: <1336565999.5722.214.camel@willson.li.ssimo.org>

On Wed, 2012-05-09 at 13:21 +0200, Petr Spacek wrote:
> On 05/09/2012 03:31 AM, Dan Scott wrote:
> > On Tue, May 8, 2012 at 8:45 PM, wrote:
> >> On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
> >>> Dan Scott wrote:
> >>>> On Tue, May 8, 2012 at 1:55 AM, wrote:
> >>>>> Hi,
> >>>>>
> >>>>> Spec:
> >>>>> Red Hat Enterprise Linux Server release 6.2 (Santiago)
> >>>>> ipa-admintools-2.1.3-9.el6.x86_64
> >>>>> ipa-client-2.1.3-9.el6.x86_64
> >>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>>>> ipa-python-2.1.3-9.el6.x86_64
> >>>>> ipa-server-2.1.3-9.el6.x86_64
> >>>>> ipa-server-selinux-2.1.3-9.el6.x86_64
> >>>>>
> >>>>> Issue:
> >>>>> Firstly I'll declare someone must have seen this by now?
> >>>>>
> >>>>> I've set the password policy to 99999;
> >>>>> [root at sysvm-ipa ~]# ipa pwpolicy-show
> >>>>> Group: global_policy
> >>>>> Max lifetime (days): 99999
> >>>>> Min lifetime (hours): 1
> >>>>> History size: 0
> >>>>> Character classes: 0
> >>>>> Min length: 6
> >>>>> Max failures: 6
> >>>>> Failure reset interval: 60
> >>>>> Lockout duration: 600
> >>>>>
> >>>>> But old accounts are not getting the change at the ldap level, even
> >>>>> though IPA claims the expiry date has updated.
> >>>>> e.g.
> >>>>> [root at sysvm-ipa ~]# ipa pwpolicy-show --user=john
> >>>>> Group: global_policy
> >>>>> Max lifetime (days): 99999
> >>>>> Min lifetime (hours): 1
> >>>>> History size: 0
> >>>>> Character classes: 0
> >>>>> Min length: 6
> >>>>> Max failures: 6
> >>>>> Failure reset interval: 60
> >>>>> Lockout duration: 600
> >>>>>
> >>>>>
> >>>>> ldapsearch (command chopped)
> >>>>> # john, users, accounts, teratext.saic.com.au
> >>>>> dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
> >>>>> krbPasswordExpiration: 20120506011529Z
> >>>>>
> >>>>>
> >>>>> So now when the user(s) logs in, I'm getting "password will expire in XX
> >>>>> days" messages.
> >>>>>
> >>>>> Any ideas?
> >>>>> Can I globally update this somehow, otherwise I'll be re-typing
> >>>>> passwords for a while.
> >>>>
> >>>> A password reset by admin always expires the password. I think once
> >>>> the user first changes their password it will have the lifetime that
> >>>> you specified.
> >>>>
> >>>> You can force the expiration date using an ldapmodify command:
> >>>>
> >>>> ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
> >>>> -f update_krbpasswordexpiration.ldif
> >>>>
> >>>> Where the update_krbpasswordexpiration.ldif file contains:
> >>>>
> >>>> dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
> >>>> changetype: modify
> >>>> replace: krbpasswordexpiration
> >>>> krbpasswordexpiration: 20140202203734Z
> >>>>
> >>>> You could do this as admin if you have a ticket so that you don't have
> >>>> to enter the directory manager password.
> >>>
> >>> This is great, thanks Dan.
> >>>
> >>> BTW the equivalent command using a Kerberos ticket is:
> >>>
> >>> $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
> >>> update_krbpasswordexpiration.ldif
> >>>
> >>> rob
> >>>
> >> Thanks, great advice. So just to clarify, do the rear numbers just
> >> represent hours, seconds etc?
> >> e.g. krbpasswordexpiration: 20150101203734Z
> >>      krbpasswordexpiration: 20150101 [20 37 34 ?]
> >> Z (20=hour,37=min,34=sec]?
> >
> > Yep, and Z indicates GMT.
>
> Question is:
> 1) Should we document that (and provide a hint in `ipa pwpolicy` output)?

Yes.

> 2) Should ipa pwpolicy do the update for all affected principals in LDAP? Just to
> prevent confusion?

No.

> I like variant 2, because variant 1 seems to be confusing to me.

May not be what the user wants to do, and would cause a lot of changes all over the directory and a lot of replication.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From cao2dan at yahoo.com Wed May 9 16:31:48 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Wed, 9 May 2012 09:31:48 -0700 (PDT)
Subject: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?
In-Reply-To: <4FAA4ECB.8070701@redhat.com>
References: <1336442118.93506.YahooMailNeo@web125701.mail.ne1.yahoo.com> <4FA91FA3.1070106@redhat.com> <4FAA4ECB.8070701@redhat.com>
Message-ID: <1336581108.51312.YahooMailNeo@web125703.mail.ne1.yahoo.com>

Hi Petr and all,

Thanks for your reply.

After the automatic creation of the private user group is turned off, does the user creation Web page still show the GID field? and pre-filled with the same number (or the next available GID) as the UID number? or has the field disappeared completely? Thanks.

--David

________________________________
From: Petr Spacek
To: freeipa-users at redhat.com
Sent: Wednesday, May 9, 2012 4:02 AM
Subject: Re: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?

On 05/08/2012 03:29 PM, Rob Crittenden wrote:
> David Copperfield wrote:
>> Hi folks,
>>
>> Is there any way to turn off IPA automatic creation of private user
>> group? We use a common user group like 'nis-wheel', and completely
>> disabled private groups in openldap before migration.
>
> If you disable private groups then the primary group of users is going to be
> the default IPA users group. This group will need to be POSIX.
> If it isn't you
> can promote it with:
>
> $ ipa group-mod --posix ipausers
>
> To disable private groups run:
>
> $ ipa-managed-entries disable -e 'UPG Definition'
>
> rob

For the record && Google:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#user-private-groups

Petr^2 Spacek

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From rcritten at redhat.com Wed May 9 17:08:32 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 09 May 2012 13:08:32 -0400
Subject: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?
In-Reply-To: <1336581108.51312.YahooMailNeo@web125703.mail.ne1.yahoo.com>
References: <1336442118.93506.YahooMailNeo@web125701.mail.ne1.yahoo.com> <4FA91FA3.1070106@redhat.com> <4FAA4ECB.8070701@redhat.com> <1336581108.51312.YahooMailNeo@web125703.mail.ne1.yahoo.com>
Message-ID: <4FAAA490.9050408@redhat.com>

David Copperfield wrote:
> Hi Petr and all,
>
> Thanks for your reply.
>
> After the automatic creation of the private user group is turned off,
> does the user creation Web page still show the GID field? and pre-filled
> with the same number (or the next available GID) as the UID number? or
> has the field disappeared completely? Thanks.

Disabling UPG has no effect on what appears in the UI or CLI. The assignment is done on the server.

If either of the UID or GID number is not provided one is assigned. In the case of GID if one is not provided and UPG is enabled then it gets assigned the same value as the UID, otherwise it gets the GID of the default users group if it is POSIX. If it is not POSIX the creation request is denied.

In 2.2 anyway. In 2.1.3 it may well allow it and try to create a user with no GID (which should fail).
rob

>
> --David
>
> ------------------------------------------------------------------------
> *From:* Petr Spacek
> *To:* freeipa-users at redhat.com
> *Sent:* Wednesday, May 9, 2012 4:02 AM
> *Subject:* Re: [Freeipa-users] Please help: Any way to turn off IPA
> creation of private user group?
>
> On 05/08/2012 03:29 PM, Rob Crittenden wrote:
> > David Copperfield wrote:
> >> Hi folks,
> >>
> >> Is there any way to turn off IPA automatic creation of private user
> >> group? We use a common user group like 'nis-wheel', and completely
> >> disabled private groups in openldap before migration.
> >
> > If you disable private groups then the primary group of users is
> going to be
> > the default IPA users group. This group will need to be POSIX. If it
> isn't you
> > can promote it with:
> >
> > $ ipa group-mod --posix ipausers
> >
> > To disable private groups run:
> >
> > $ ipa-managed-entries disable -e 'UPG Definition'
> >
> > rob
>
> For the record && Google:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#user-private-groups
>
> Petr^2 Spacek
>

From cao2dan at yahoo.com Wed May 9 17:21:39 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Wed, 9 May 2012 10:21:39 -0700 (PDT)
Subject: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?
In-Reply-To: <4FAAA490.9050408@redhat.com>
References: <1336442118.93506.YahooMailNeo@web125701.mail.ne1.yahoo.com> <4FA91FA3.1070106@redhat.com> <4FAA4ECB.8070701@redhat.com> <1336581108.51312.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4FAAA490.9050408@redhat.com>
Message-ID: <1336584099.47729.YahooMailNeo@web125702.mail.ne1.yahoo.com>

Hi Rob and all,

The ipa-managed-entries command is not available on the freeIPA 2.1.3 version that comes with Redhat 6.2. Is there any other comparable way to disable private user group generation globally/system wide, instead of the '--noprivate' option to 'ipa user-add' which is user by user? Thanks a lot.

--David

________________________________
From: Rob Crittenden
To: David Copperfield
Cc: Petr Spacek ; "freeipa-users at redhat.com"
Sent: Wednesday, May 9, 2012 10:08 AM
Subject: Re: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?

David Copperfield wrote:
> Hi Petr and all,
>
> Thanks for your reply.
>
> After the automatic creation of the private user group is turned off,
> does the user creation Web page still show the GID field? and pre-filled
> with the same number (or the next available GID) as the UID number? or
> has the field disappeared completely? Thanks.

Disabling UPG has no effect on what appears in the UI or CLI. The assignment is done on the server.

If either of the UID or GID number is not provided one is assigned. In the case of GID if one is not provided and UPG is enabled then it gets assigned the same value as the UID, otherwise it gets the GID of the default users group if it is POSIX. If it is not POSIX the creation request is denied.

In 2.2 anyway. In 2.1.3 it may well allow it and try to create a user with no GID (which should fail).
rob

>
> --David
>
> ------------------------------------------------------------------------
> *From:* Petr Spacek
> *To:* freeipa-users at redhat.com
> *Sent:* Wednesday, May 9, 2012 4:02 AM
> *Subject:* Re: [Freeipa-users] Please help: Any way to turn off IPA
> creation of private user group?
>
> On 05/08/2012 03:29 PM, Rob Crittenden wrote:
> > David Copperfield wrote:
> >> Hi folks,
> >>
> >> Is there any way to turn off IPA automatic creation of private user
> >> group? We use a common user group like 'nis-wheel', and completely
> >> disabled private groups in openldap before migration.
> >
> > If you disable private groups then the primary group of users is
> going to be
> > the default IPA users group. This group will need to be POSIX. If it
> isn't you
> > can promote it with:
> >
> > $ ipa group-mod --posix ipausers
> >
> > To disable private groups run:
> >
> > $ ipa-managed-entries disable -e 'UPG Definition'
> >
> > rob
>
> For the record && Google:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#user-private-groups
>
> Petr^2 Spacek
>

From rcritten at redhat.com Wed May 9 17:45:03 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 09 May 2012 13:45:03 -0400
Subject: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?
In-Reply-To: <1336584099.47729.YahooMailNeo@web125702.mail.ne1.yahoo.com>
References: <1336442118.93506.YahooMailNeo@web125701.mail.ne1.yahoo.com> <4FA91FA3.1070106@redhat.com> <4FAA4ECB.8070701@redhat.com> <1336581108.51312.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4FAAA490.9050408@redhat.com> <1336584099.47729.YahooMailNeo@web125702.mail.ne1.yahoo.com>
Message-ID: <4FAAAD1F.1010809@redhat.com>

David Copperfield wrote:
> Hi Rob and all,
>
> The ipa-managed-entries command is not available on the freeIPA 2.1.3
> version that comes with Redhat 6.2. Is there any other comparable way to
> disable private user group generation globally/system wide, instead of
> the '--noprivate' option to 'ipa user-add' which is user by user? Thanks a lot.
>

Yes, I sent you this yesterday privately:

Ah, right, the 2.1.3 in RHEL 6.2 didn't ship this tool. You'll need to use ldapmodify to disable the plugin, something like:

$ kinit admin
$ ldapmodify -Y GSSAPI
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
changetype: modify
replace: originfilter
originfilter: (objectclass=disabled)

Or you can delete the entry cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX where $SUFFIX is your basedn.

rob

From sylvainangers at gmail.com Wed May 9 18:19:14 2012
From: sylvainangers at gmail.com (Sylvain Angers)
Date: Wed, 9 May 2012 14:19:14 -0400
Subject: [Freeipa-users] proxy with Active Directory
Message-ID:

Hello
Our security group has concerns with copying username/password from AD and might not allow this synchronisation to even happen.
Is there a way to configure ipa to go get username/password via some kind of proxy?
Thank you!

--
Sylvain Angers
From sylvainangers at gmail.com Wed May 9 19:58:37 2012
From: sylvainangers at gmail.com (Sylvain Angers)
Date: Wed, 9 May 2012 15:58:37 -0400
Subject: [Freeipa-users] admin account deleted from webui
Message-ID:

Hello
Someone did delete the admin account by mistake, how can we recover from this?
Thank you!

--
Sylvain Angers

From rcritten at redhat.com Wed May 9 20:24:17 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 09 May 2012 16:24:17 -0400
Subject: [Freeipa-users] admin account deleted from webui
In-Reply-To:
References:
Message-ID: <4FAAD271.7010405@redhat.com>

Sylvain Angers wrote:
> Hello
> Someone did delete the admin account by mistake, how can we recover from
> this?

Fortunately there is nothing really special about the admin account except that they are a member of the admins group, that is the important bit.

You can use ldapmodify to add another user into the admins group:

$ ldapmodify -x -D 'cn=directory manager' -W
dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
add: member
member: uid=youruser,cn=users,cn=accounts,dc=example,dc=com
^D

You can decide to re-create the admin user if you'd like.

We have a bug open to prevent the last member of the admins group from being removed.

rob

From Steven.Jones at vuw.ac.nz Wed May 9 21:11:19 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 May 2012 21:11:19 +0000
Subject: [Freeipa-users] proxy with Active Directory
In-Reply-To:
References:
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC90AF4@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

My understanding is passync intercepts the password before its encrypted in AD and written to the AD's ldap db/disk it cant be decrypted thereafter. It then sends the plain text password via an encrypted link to IPA, so its pretty safe.
No there is no easy way I know of, though its possible to use AD for Kerberos ie password and an LDAP for control, dont think that is practical in IPA.....but AD and say Openldap, yes. We have a setup here, but ordinary bods like me couldnt maintain / modify / patch it.

The other possibility is Oracle's OVD which is an open virtual directory that sits in front of (multiple if necessary) LDAPs and gives a LDAPv3 output but that is expensive...ie when oracle say "open" they mean open your wallet and we'll take all we want...its also awful....2 of us tried for 3 weeks to make it work and gave up, too unstable.

The last way I know of, which we have is a web based application called Psync which allows users to reset their own password via a https web page that then injects into AD, it can do LDAPs as well in parallel...but thats really the same thing as passync....

Or just use AD, then you use something like Centrify or Likewise and that cost hurts as well. So depends who is paying....get them to "chat" to your security group. Ours are A OK with Passync as the gains of IPA and centralised control far outstrip the Passsync minor concern. Besides which a decently sized and complex AD is a swiss cheese for security anyway. Ask your security how the last external pen test on AD went..if they have never done one.....its a bit rich for them to comment on Passync.....

;]

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sylvain Angers [sylvainangers at gmail.com]
Sent: Thursday, 10 May 2012 6:19 a.m.
To: Freeipa-users at redhat.com
Subject: [Freeipa-users] proxy with Active Directory

Hello
Our security group has concerns with copying username/password from AD and might not allow this synchronisation to even happen.
Is there a way to configure ipa to go get username/password via some kind of proxy?
Thank you!

--
Sylvain Angers

From Steven.Jones at vuw.ac.nz Wed May 9 21:16:45 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 May 2012 21:16:45 +0000
Subject: [Freeipa-users] insecure IPA'd NFS
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC90B19@STAWINCOX10MBX1.staff.vuw.ac.nz>

I just setup a RHEL6 server as a NFS server and I have 2 x RHEL6 workstation clients doing NFS via automount as per section 10.3 admin guide 6.3beta....all good until I use a Ubuntu client to 'attack it". I find the non-IPA'd ubuntu client can delete, alter and edit files......kind of Oops....I think there is a stage missing in the doc or a bug.......can someone have a look at that doc and tell me if a step is missing please?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From rcritten at redhat.com Wed May 9 21:38:17 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 09 May 2012 17:38:17 -0400
Subject: [Freeipa-users] insecure IPA'd NFS
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC90B19@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC90B19@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FAAE3C9.6050909@redhat.com>

Steven Jones wrote:
> I just setup a RHEL6 server as a NFS server and I have 2 x RHEL6 workstation clients doing NFS via automount as per section 10.3 admin guide 6.3beta....all good until I use a Ubuntu client to 'attack it". I find the non-IPA'd ubuntu client can delete, alter and edit files......kind of Oops....I think there is a stage missing in the doc or a bug.......can someone have a look at that doc and tell me if a step is missing please?

I think more details are needed on what you set up. How is the Ubuntu client mounting the NFS mount? As what user are you changing files?
rob

From rcritten at redhat.com Wed May 9 21:40:33 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 09 May 2012 17:40:33 -0400
Subject: [Freeipa-users] proxy with Active Directory
In-Reply-To:
References:
Message-ID: <4FAAE451.9000400@redhat.com>

Sylvain Angers wrote:
> Hello
> Our security group has concerns with copying username/password from
> AD and might not allow this synchronisation to even happen.
> Is there a way to configure ipa to go get username/password via some kind of
> proxy?

No, the Kerberos credentials don't use the password attribute, it is effectively its own password altogether. The password synchronization occurs over SSL/TLS.

rob

From nalin at redhat.com Wed May 9 21:43:17 2012
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 9 May 2012 17:43:17 -0400
Subject: [Freeipa-users] insecure IPA'd NFS
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC90B19@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC90B19@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20120509214317.GA19647@redhat.com>

On Wed, May 09, 2012 at 09:16:45PM +0000, Steven Jones wrote:
> I just setup a RHEL6 server as a NFS server and I have 2 x RHEL6
> workstation clients doing NFS via automount as per section 10.3 admin
> guide 6.3beta....all good until I use a Ubuntu client to 'attack it".
> I find the non-IPA'd ubuntu client can delete, alter and edit
> files......kind of Oops....I think there is a stage missing in the doc
> or a bug.......can someone have a look at that doc and tell me if a
> step is missing please?

What was the exact command used to mount the filesystem at the client, and what are the contents of the mountpoint's entry in /proc/mounts on the client after it's been mounted?

The guide lists "sys" as one of the security flavors when it shows an example entry in /etc/exports (I guess, because it's demonstrating adding Kerberos settings to a previously-configured export), which I suspect is at least part of it.
HTH,

Nalin

From rmeggins at redhat.com Wed May 9 21:45:30 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 May 2012 15:45:30 -0600
Subject: [Freeipa-users] proxy with Active Directory
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC90AF4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC90AF4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FAAE57A.4000704@redhat.com>

On 05/09/2012 03:11 PM, Steven Jones wrote:
> Hi,
>
> My understanding is passync intercepts the password before it's
> encrypted in AD

Yes.

> and written to the AD's ldap db/disk

PassSync writes it to a log file on the windows machine, not to the ldap db.

> it can't be decrypted thereafter.

PassSync stores the password reversibly encrypted on the disk, so it is safely stored, and can be converted back to cleartext to send to IPA.

> It then sends the plain text password via an encrypted link to IPA, so
> it's pretty safe. No there is no easy way I know of, though it's
> possible to use AD for Kerberos ie password and an LDAP for control,
> don't think that is practical in IPA.....but AD and say Openldap, yes.
> We have a setup here, but ordinary bods like me couldn't maintain /
> modify / patch it.
>
> The other possibility is Oracle's OVD which is an open virtual
> directory that sits in front of (multiple if necessary) LDAPs and
> gives a LDAPv3 output but that is expensive...ie when oracle say
> "open" they mean open your wallet and we'll take all we want...it's
> also awful....2 of us tried for 3 weeks to make it work and gave up,
> too unstable.
>
> The last way I know of, which we have is a web based application
> called Psync which allows users to reset their own password via a
> https web page that then injects into AD, it can do LDAPs as well in
> parallel...but that's really the same thing as passync....
>
> Or just use AD, then you use something like Centrify or Likewise and
> that cost hurts as well.
> So depends who is paying....get them to
> "chat" to your security group. Ours are A OK with Passync as the gains
> of IPA and centralised control far outstrip the Passsync minor
> concern. Besides which a decently sized and complex AD is a swiss
> cheese for security anyway. Ask your security how the last external
> pen test on AD went..if they have never done one.....it's a bit rich
> for them to comment on Passync.....
>
> ;]
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ------------------------------------------------------------------------
> *From:* freeipa-users-bounces at redhat.com
> [freeipa-users-bounces at redhat.com] on behalf of Sylvain Angers
> [sylvainangers at gmail.com]
> *Sent:* Thursday, 10 May 2012 6:19 a.m.
> *To:* Freeipa-users at redhat.com
> *Subject:* [Freeipa-users] proxy with Active Directory
>
> Hello
> Our security group has concerns with copying username/password from
> AD and might not allow this synchronisation to even happen.
> Is there a way to configure ipa to go get username/password via kind
> of proxy?
> Thank you!
>
> --
> Sylvain Angers
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
From Steven.Jones at vuw.ac.nz Wed May 9 22:07:59 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 May 2012 22:07:59 +0000
Subject: [Freeipa-users] insecure IPA'd NFS
In-Reply-To: <4FAAE3C9.6050909@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC90B19@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FAAE3C9.6050909@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC90FE2@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi

I'm mounting the mount point via an xterm su -'d to root in the user's gui......I then open a new xterm and cd to the mount point /nfs1 and then cd into the "user" and edit files as I want... I am editing files as a forged user that is in IPA with its forged UID....

So on the RHEL NFS server looking at the mount point /home which is exported as /nfs1 and user home dir "thing2" I have file2....chmod'd to 0600 even....

=========
[root at vuwuniconfsipa1 thing2]# ls -aln
total 12
drwx------. 2 125800040 125800040 4096 May 9 17:13 .
drwxr-xr-x. 23 0 0 4096 May 9 14:40 ..
-rw-rw-r--. 1 125800040 125800040 0 May 9 14:45 file
-rw-------. 1 125800040 125800040 108 May 9 17:13 file2
-rw-rw-r--. 1 125800040 125800040 0 May 9 15:34 file3
[root at vuwuniconfsipa1 thing2]# ls -al
total 12
drwx------. 2 thing2 thing2 4096 May 9 17:13 .
drwxr-xr-x. 23 root root 4096 May 9 14:40 ..
-rw-rw-r--. 1 thing2 thing2 0 May 9 14:45 file
-rw-------. 1 thing2 thing2 108 May 9 17:13 file2
-rw-rw-r--. 1 thing2 thing2 0 May 9 15:34 file3
[root at vuwuniconfsipa1 thing2]#
=========

On ubuntu,

=========
thing2 at thing-KVM:~$ cd /nfs1/
thing2 at thing-KVM:/nfs1$ ls -l
total 0
thing2 at thing-KVM:/nfs1$ cd ..
thing2 at thing-KVM:/$ su -
Password:
root at thing-KVM:~# mount -t nfs 130.195.53.203:/home/ /nfs1
root at thing-KVM:~# logout
thing2 at thing-KVM:/$ cd /nfs1/
thing2 at thing-KVM:/nfs1$ ls -l
total 96
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 buchanj1
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 irwinph
drwxr-xr-x 4 4294967294 4294967294 4096 2012-05-10 09:27 jonesst1
drwx------ 2 4294967294 4294967294 16384 2012-02-08 03:10 lost+found
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 nelsonde
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 nfsnobody
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 sabitoan
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 share
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 smithsi
drwx------ 8 4294967294 4294967294 4096 2012-02-13 15:18 ssj10
drwx------ 8 4294967294 4294967294 4096 2012-02-13 14:46 ssj11
drwx------ 7 4294967294 4294967294 4096 2012-02-14 10:12 ssj12
drwx------ 2 4294967294 4294967294 4096 2012-02-13 14:23 ssj3
drwx------ 8 4294967294 4294967294 4096 2012-02-13 14:27 ssj4
drwx------ 8 4294967294 4294967294 4096 2012-02-13 14:39 ssj5
drwx------ 8 4294967294 4294967294 4096 2012-02-13 14:46 ssj6
drwx------ 8 4294967294 4294967294 4096 2012-02-13 14:46 ssj7
drwx------ 8 4294967294 4294967294 4096 2012-02-13 14:46 ssj8
drwx------ 2 4294967294 4294967294 4096 2012-05-09 17:13 thing2
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 tranwa
drwx------ 23 4294967294 4294967294 4096 2012-02-13 10:10 tthing
thing2 at thing-KVM:/nfs1$ cd thign2
-bash: cd: thign2: No such file or directory
thing2 at thing-KVM:/nfs1$ cd thing2
thing2 at thing-KVM:/nfs1/thing2$ ls -l
total 4
-rw-rw-r-- 1 4294967294 4294967294 0 2012-05-09 14:45 file
-rw------- 1 4294967294 4294967294 108 2012-05-09 17:13 file2
-rw-rw-r-- 1 4294967294 4294967294 0 2012-05-09 15:34 file3
thing2 at thing-KVM:/nfs1/thing2$ vi file2
thing2 at thing-KVM:/nfs1/thing2$
===========

and I can
edit and save the file using vi.....kind of hard to show but the size changes,

===========
thing2 at thing-KVM:/nfs1/thing2$ ls -l
total 4
-rw-rw-r-- 1 4294967294 4294967294 0 2012-05-09 14:45 file
-rw------- 1 4294967294 4294967294 112 2012-05-10 09:54 file2
-rw-rw-r-- 1 4294967294 4294967294 0 2012-05-09 15:34 file3
thing2 at thing-KVM:/nfs1/thing2$
==========

[jonesst1 at vuwunicorh6ws05 ~]$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroupboot-LogVolroot 4.8G 755M 3.9G 17% /
tmpfs 1004M 272K 1004M 1% /dev/shm
/dev/sda1 194M 71M 114M 39% /boot
/dev/mapper/VolGroupboot-LogVolhome 48G 184M 46G 1% /home
/dev/mapper/VolGroupboot-LogVolopt 2.0G 35M 1.9G 2% /opt
/dev/mapper/VolGroupboot-LogVoltmp 4.9G 140M 4.5G 3% /tmp
/dev/mapper/VolGroupboot-LogVolusr 9.7G 2.3G 7.0G 25% /usr
/dev/mapper/VolGroupboot-LogVolvar 3.9G 953M 2.8G 26% /var
/dev/mapper/VolGroupboot-LogVolaudit 3.9G 91M 3.6G 3% /var/log/audit
130.195.53.203:/home/thing2 58G 182M 55G 1% /nfs1/thing2
[jonesst1 at vuwunicorh6ws05 ~]$ cd /nfs1/
[jonesst1 at vuwunicorh6ws05 nfs1]$ ls -al
total 12
drwxr-xr-x. 3 root root 0 May 9 16:19 .
dr-xr-xr-x. 36 root root 4096 May 9 16:17 ..
drwx------. 2 thing2 thing2 4096 May 10 09:54 thing2
[jonesst1 at vuwunicorh6ws05 nfs1]$ ls -aln
total 12
drwxr-xr-x. 3 0 0 0 May 9 16:19 .
dr-xr-xr-x. 36 0 0 4096 May 9 16:17 ..
drwx------. 2 125800040 125800040 4096 May 10 09:54 thing2
[jonesst1 at vuwunicorh6ws05 nfs1]$ cd thing2
-bash: cd: thing2: Permission denied
[jonesst1 at vuwunicorh6ws05 nfs1]$
===========

So an IPA user jonesst1 getting into IPA user thing2 is denied.......so login as thing2,

===========
[jonesst1 at 8kxl72s ~]$ ssh vuwunicorh6ws05.ods.vuw.ac.nz -l thing2
thing2 at vuwunicorh6ws05.ods.vuw.ac.nz's password:
Last login: Thu May 10 10:05:46 2012 from 130.195.245.249
Kickstarted on 2012-02-08
[thing2 at vuwunicorh6ws05 ~]$ cd nfs1
[thing2 at vuwunicorh6ws05 nfs1]$ ls -l
total 0
lrwxrwxrwx. 1 thing2 thing2 12 May 9 15:34 thing2 -> /nfs1/thing2
[thing2 at vuwunicorh6ws05 nfs1]$ cd thing2
[thing2 at vuwunicorh6ws05 thing2]$ ls -aln
total 8
drwx------. 2 125800040 125800040 4096 May 10 09:54 .
drwxr-xr-x. 3 0 0 0 May 9 16:19 ..
-rw-rw-r--. 1 125800040 125800040 0 May 9 14:45 file
-rw-------. 1 125800040 125800040 112 May 10 09:54 file2
-rw-rw-r--. 1 125800040 125800040 0 May 9 15:34 file3
[thing2 at vuwunicorh6ws05 thing2]$ tail file2
blah blah blah4 blah5 dddddubuntu ubuntu2 blah5 no2 ubuntu2 chmod is 0600 ubuntu via ssh add
[thing2 at vuwunicorh6ws05 thing2]$
===========

so...I'm confused....

===========
[root at vuwuniconfsipa1 thing2]# more /etc/exports
#/home *(rw,sync,all_squash,insecure)
/home *(rw,sec=sys:krb5:krb5i:krb5p)
[root at vuwuniconfsipa1 thing2]#
==========

Should sec=sys be there? No idea what I'm doing wrong....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 10 May 2012 9:38 a.m.
To: Steven Jones
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] insecure IPA'd NFS

Steven Jones wrote:
> I just set up a RHEL6 server as an NFS server and I have 2 x RHEL6 workstation clients doing NFS via automount as per section 10.3 admin guide 6.3beta....all good until I use a Ubuntu client to 'attack it'. I find the non-IPA'd ubuntu client can delete, alter and edit files......kind of Oops....I think there is a stage missing in the doc or a bug.......can someone have a look at that doc and tell me if a step is missing please?

I think more details are needed on what you set up. How is the Ubuntu client mounting the NFS mount? As what user are you changing files?
rob

From Steven.Jones at vuw.ac.nz Wed May 9 22:10:52 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 May 2012 22:10:52 +0000
Subject: [Freeipa-users] proxy with Active Directory
In-Reply-To: <4FAAE57A.4000704@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC90AF4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FAAE57A.4000704@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC90FFD@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

What I meant was the AD ui / system is going to write the user's AD password into AD's db on the ad server's disk....not that passync does it.....sort of man in the middle attack....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Thursday, 10 May 2012 9:45 a.m.
To: Steven Jones
Cc: Sylvain Angers; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] proxy with Active Directory

On 05/09/2012 03:11 PM, Steven Jones wrote:
> Hi,
>
> My understanding is passync intercepts the password before it's encrypted in AD

Yes.

> and written to the AD's ldap db/disk

PassSync writes it to a log file on the windows machine, not to the ldap db.

> it can't be decrypted thereafter.

PassSync stores the password reversibly encrypted on the disk, so it is safely stored, and can be converted back to cleartext to send to IPA.

> It then sends the plain text password via an encrypted link to IPA, so it's pretty safe. No there is no easy way I know of, though it's possible to use AD for Kerberos ie password and an LDAP for control, don't think that is practical in IPA.....but AD and say Openldap, yes. We have a setup here, but ordinary bods like me couldn't maintain / modify / patch it.
> The other possibility is Oracle's OVD which is an open virtual directory that sits in front of (multiple if necessary) LDAPs and gives a LDAPv3 output but that is expensive...ie when oracle say "open" they mean open your wallet and we'll take all we want...it's also awful....2 of us tried for 3 weeks to make it work and gave up, too unstable.
>
> The last way I know of, which we have is a web based application called Psync which allows users to reset their own password via a https web page that then injects into AD, it can do LDAPs as well in parallel...but that's really the same thing as passync....
>
> Or just use AD, then you use something like Centrify or Likewise and that cost hurts as well. So depends who is paying....get them to "chat" to your security group. Ours are A OK with Passync as the gains of IPA and centralised control far outstrip the Passsync minor concern. Besides which a decently sized and complex AD is a swiss cheese for security anyway. Ask your security how the last external pen test on AD went..if they have never done one.....it's a bit rich for them to comment on Passync.....
>
> ;]
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sylvain Angers [sylvainangers at gmail.com]
> Sent: Thursday, 10 May 2012 6:19 a.m.
> To: Freeipa-users at redhat.com
> Subject: [Freeipa-users] proxy with Active Directory
>
> Hello
> Our security group has concerns with copying username/password from AD and might not allow this synchronisation to even happen.
> Is there a way to configure ipa to go get username/password via kind of proxy?
> Thank you!
>
> --
> Sylvain Angers
From simo at redhat.com Wed May 9 22:15:01 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 09 May 2012 18:15:01 -0400
Subject: [Freeipa-users] proxy with Active Directory
Message-ID: <1336601701.5722.215.camel@willson.li.ssimo.org>

On Wed, 2012-05-09 at 14:19 -0400, Sylvain Angers wrote:
> Hello
>
> Our security group has concerns with copying username/password from
> AD and might not allow this synchronisation to even happen.
> Is there a way to configure ipa to go get username/password via kind
> of proxy?

Not really, your best bet in that situation is cross realm trust support scheduled for the next FreeIPA version.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Wed May 9 22:18:25 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 May 2012 22:18:25 +0000
Subject: [Freeipa-users] insecure IPA'd NFS
In-Reply-To: <20120509214317.GA19647@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC90B19@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20120509214317.GA19647@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC9100C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Thanks so I will remove the sec=sys bit and re-test..and then I assume it will be kerberos only.....

However in effect what we are saying is we can't protect an IPA user's files if we have to allow a non-IPA user to connect? It's ALL kerberos or nothing? kind of makes sense.....

Also then the 6.3admin beta manual is wrong then IMHO, all that work to do kerberos and adding sec=sys negates it all, so it's pointless...don't think that should be there myself in that case.

The next phase is for me to connect to a BLUEARC NAS, in which case it's suggesting I can't secure NFS ie users data at all....
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Nalin Dahyabhai [nalin at redhat.com]
Sent: Thursday, 10 May 2012 9:43 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] insecure IPA'd NFS

On Wed, May 09, 2012 at 09:16:45PM +0000, Steven Jones wrote:
> I just set up a RHEL6 server as an NFS server and I have 2 x RHEL6
> workstation clients doing NFS via automount as per section 10.3 admin
> guide 6.3beta....all good until I use a Ubuntu client to 'attack it'.
> I find the non-IPA'd ubuntu client can delete, alter and edit
> files......kind of Oops....I think there is a stage missing in the doc
> or a bug.......can someone have a look at that doc and tell me if a
> step is missing please?

What was the exact command used to mount the filesystem at the client, and what are the contents of the mountpoint's entry in /proc/mounts on the client after it's been mounted?

The guide lists "sys" as one of the security flavors when it shows an example entry in /etc/exports (I guess, because it's demonstrating adding Kerberos settings to a previously-configured export), which I suspect is at least part of it.

HTH,

Nalin

From Steven.Jones at vuw.ac.nz Wed May 9 22:19:18 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 May 2012 22:19:18 +0000
Subject: [Freeipa-users] proxy with Active Directory
In-Reply-To: <1336601701.5722.215.camel@willson.li.ssimo.org>
References: <1336601701.5722.215.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC91027@STAWINCOX10MBX1.staff.vuw.ac.nz>

That is possibly RHEL6.4? so year end?
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Simo Sorce [simo at redhat.com]
Sent: Thursday, 10 May 2012 10:15 a.m.
To: Sylvain Angers
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] proxy with Active Directory

On Wed, 2012-05-09 at 14:19 -0400, Sylvain Angers wrote:
> Hello
>
> Our security group has concerns with copying username/password from
> AD and might not allow this synchronisation to even happen.
> Is there a way to configure ipa to go get username/password via kind
> of proxy?

Not really, your best bet in that situation is cross realm trust support scheduled for the next FreeIPA version.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From cao2dan at yahoo.com Wed May 9 23:04:54 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Wed, 9 May 2012 16:04:54 -0700 (PDT)
Subject: [Freeipa-users] How to rebuild IPA master?
In-Reply-To: <4FAAE451.9000400@redhat.com>
References: <4FAAE451.9000400@redhat.com>
Message-ID: <1336604694.44854.YahooMailNeo@web125703.mail.ne1.yahoo.com>

Hi all,

I've an IPA master/replica setup in our development environment. Unfortunately our IPA master crashed, the replica is working fine. Now I have the IPA master re-imaged.

What are the steps I have to follow to re-create the IPA master from the running IPA replica? Before the crash the IPA master ran the dogtag certificate system, while the IPA replica didn't -- created normally without the --setup-ca option.

Thanks.

--David
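Stepping back to the insecure IPA'd NFS thread above (the /home *(rw,sec=sys:krb5:krb5i:krb5p) export and the question whether sec=sys should be there): an added audit script, not from the thread, FreeIPA or nfs-utils, that parses /etc/exports and flags client entries that still accept AUTH_SYS. The sample exports text is constructed; the /srv/data export and the build.example.test host are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Security flavors from exports(5). "sys" is AUTH_SYS: the server accepts the
# UID/GID the client puts on the wire, so any host that can reach the export
# can present any UID, which is what the Ubuntu test in the thread showed.
KRB5_FLAVORS = ("krb5", "krb5i", "krb5p")


@dataclass
class ExportClient:
    spec: str       # "*", a hostname, a netgroup or a CIDR range
    options: list   # raw option list, e.g. ["rw", "sec=sys:krb5"]

    @property
    def flavors(self):
        """Effective sec= flavors; exports(5) defaults to sys when absent."""
        for opt in self.options:
            if opt.startswith("sec="):
                return opt[4:].split(":")
        return ["sys"]


@dataclass
class Export:
    path: str
    clients: list = field(default_factory=list)


_CLIENT_RE = re.compile(r"^([^(]+)(?:\((.*)\))?$")


def parse_exports(text):
    """Parse /etc/exports text into Export records; comment lines are skipped."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        export = Export(path)
        for tok in tokens:
            m = _CLIENT_RE.match(tok)
            if not m:
                raise ValueError(f"malformed client entry {tok!r} for {path}")
            opts = m.group(2)
            options = [o for o in opts.split(",") if o] if opts else []
            export.clients.append(ExportClient(m.group(1), options))
        exports.append(export)
    return exports


def audit(exports):
    """(path, client spec, message) for every client entry that still accepts
    AUTH_SYS. Listing krb5 flavors next to sys restricts nothing: a client
    simply mounts with sec=sys and never touches Kerberos."""
    findings = []
    for ex in exports:
        for cl in ex.clients:
            if "sys" not in cl.flavors:
                continue
            if any(f in KRB5_FLAVORS for f in cl.flavors):
                msg = ("sec= lists Kerberos flavors but also sys, so a client "
                       "may mount with sec=sys and assert any UID")
            else:
                msg = "export relies on AUTH_SYS only (client-asserted UIDs)"
            findings.append((ex.path, cl.spec, msg))
    return findings


def harden(export):
    """Rewrite one export line with sys dropped from every client's sec= list.
    A client left with no flavor gets krb5p (a default chosen here, not one
    the thread prescribes). Clients must then request a Kerberos flavor
    (sec=krb5* mount option) because sys is no longer offered."""
    parts = [export.path]
    for cl in export.clients:
        keep = [f for f in cl.flavors if f != "sys"] or ["krb5p"]
        opts = [o for o in cl.options if not o.startswith("sec=")]
        opts.append("sec=" + ":".join(keep))
        parts.append(f"{cl.spec}({','.join(opts)})")
    return " ".join(parts)


# Constructed sample: the two lines from the thread's /etc/exports plus a
# hypothetical /srv/data export with two client entries.
SAMPLE_EXPORTS = """\
#/home *(rw,sync,all_squash,insecure)
/home *(rw,sec=sys:krb5:krb5i:krb5p)
/srv/data 10.0.0.0/8(ro,sec=krb5i:krb5p) build.example.test(rw)
"""

if __name__ == "__main__":
    parsed = parse_exports(SAMPLE_EXPORTS)
    for path, spec, msg in audit(parsed):
        print(f"{path} {spec}: {msg}")
    for ex in parsed:
        print("hardened:", harden(ex))
```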
From freeipa at noboost.org Wed May 9 23:58:58 2012
From: freeipa at noboost.org (freeipa at noboost.org)
Date: Thu, 10 May 2012 03:58:58 +0400
Subject: [Freeipa-users] krbPasswordExpiration field not updating?
In-Reply-To: <4FAA5343.6030208@redhat.com>
References: <20120508055545.GA8139@noboost.org> <4FA922F1.3040502@redhat.com> <20120509004520.GA8180@noboost.org> <4FAA5343.6030208@redhat.com>
Message-ID: <20120509235858.GB8180@noboost.org>

On Wed, May 09, 2012 at 01:21:39PM +0200, Petr Spacek wrote:
> On 05/09/2012 03:31 AM, Dan Scott wrote:
> >On Tue, May 8, 2012 at 8:45 PM, wrote:
> >>On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
> >>>Dan Scott wrote:
> >>>>On Tue, May 8, 2012 at 1:55 AM, wrote:
> >>>>>Hi,
> >>>>>
> >>>>>Spec:
> >>>>>Red Hat Enterprise Linux Server release 6.2 (Santiago)
> >>>>> ipa-admintools-2.1.3-9.el6.x86_64
> >>>>> ipa-client-2.1.3-9.el6.x86_64
> >>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>>>> ipa-python-2.1.3-9.el6.x86_64
> >>>>> ipa-server-2.1.3-9.el6.x86_64
> >>>>> ipa-server-selinux-2.1.3-9.el6.x86_64
> >>>>>
> >>>>>Issue:
> >>>>>Firstly I'll declare someone must have seen this by now?
> >>>>>
> >>>>>I've set the password policy to 99999;
> >>>>>[root at sysvm-ipa ~]# ipa pwpolicy-show
> >>>>> Group: global_policy
> >>>>> Max lifetime (days): 99999
> >>>>> Min lifetime (hours): 1
> >>>>> History size: 0
> >>>>> Character classes: 0
> >>>>> Min length: 6
> >>>>> Max failures: 6
> >>>>> Failure reset interval: 60
> >>>>> Lockout duration: 600
> >>>>>
> >>>>>But old accounts are not getting the change at the ldap level, even
> >>>>>though IPA claims the expiry date has updated.
> >>>>>e.g.
> >>>>>[root at sysvm-ipa ~]# ipa pwpolicy-show --user=john
> >>>>> Group: global_policy
> >>>>> Max lifetime (days): 99999
> >>>>> Min lifetime (hours): 1
> >>>>> History size: 0
> >>>>> Character classes: 0
> >>>>> Min length: 6
> >>>>> Max failures: 6
> >>>>> Failure reset interval: 60
> >>>>> Lockout duration: 600
> >>>>>
> >>>>>
> >>>>>ldapsearch (command chopped)
> >>>>># john, users, accounts, teratext.saic.com.au
> >>>>>dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
> >>>>>krbPasswordExpiration: 20120506011529Z
> >>>>>
> >>>>>
> >>>>>So now when the user(s) logs in, I'm getting "password will expire in XX
> >>>>>days" messages.
> >>>>>
> >>>>>Any ideas?
> >>>>>Can I globally update this somehow, otherwise I'll be re-typing
> >>>>>passwords for a while.
> >>>>
> >>>>A password reset by admin always expires the password. I think once
> >>>>the user first changes their password it will have the lifetime that
> >>>>you specified.
> >>>>
> >>>>You can force the expiration date using an ldapmodify command:
> >>>>
> >>>>ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
> >>>>-f update_krbpasswordexpiration.ldif
> >>>>
> >>>>Where the update_krbpasswordexpiration.ldif file contains:
> >>>>
> >>>>dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
> >>>>changetype: modify
> >>>>replace: krbpasswordexpiration
> >>>>krbpasswordexpiration: 20140202203734Z
> >>>>
> >>>>You could do this as admin if you have a ticket so that you don't have
> >>>>to enter the directory manager password.
> >>>
> >>>This is great, thanks Dan.
> >>>
> >>>BTW the equivalent command using a Kerberos ticket is:
> >>>
> >>>$ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
> >>>update_krbpasswordexpiration.ldif
> >>>
> >>>rob
> >>>
> >>Thanks great advice, so just to clarify, do the rear numbers just
> >>represent hours, seconds etc?
> >>e.g. krbpasswordexpiration: 20150101203734Z
> >> krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour,37=min,34=sec]?
> >
> >Yep, and Z indicates GMT.
>
> Question is:
> 1) Should we document that (and provide a hint in `ipa pwpolicy` output)?
> OR
> 2) Should ipa pwpolicy do update for all affected principals in
> LDAP? Just to prevent confusion?
>
> I like variant 2, because variant 1 seems to be confusing to me.
>
> Craig, what is user opinion?
>
> Petr^2 Spacek
>

The thing that threw me was that "Max lifetime (days)" is not the actual expiry date. Once I realised that there was an ldap "krbPasswordExpiration" attribute which I can modify directly, then I fixed the issue for the whole company in about 10min :)

Documentation (my opinion):
* Full meaning for this attribute krbPasswordExpiration
* The difference between Max lifetime (days) & krbPasswordExpiration
* How to change ldap expiration entries.

cya

Craig

From Steven.Jones at vuw.ac.nz Thu May 10 00:24:50 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 10 May 2012 00:24:50 +0000
Subject: [Freeipa-users] How to rebuild IPA master?
In-Reply-To: <1336604694.44854.YahooMailNeo@web125703.mail.ne1.yahoo.com>
References: <4FAAE451.9000400@redhat.com>, <1336604694.44854.YahooMailNeo@web125703.mail.ne1.yahoo.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC910E4@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

In case everyone else is asleep now......

Do you have access to RH documentation? The 6.3beta admin guide section 18.8 talks about why and how to make a replica a master.

eg.,

"NOTE
All servers and replicas which host a CA are peers in the topology. They can all issue certificates and keys to IPA clients, and they all replicate information amongst themselves. The only reason to promote a replica or server to be a master server is if the master server is being taken offline. There has to be a root CA which can issue CRLs and ultimately validate certificate checks.
Aside from that, replicas, servers, and the master server are all equal peers."

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of David Copperfield [cao2dan at yahoo.com]
Sent: Thursday, 10 May 2012 11:04 a.m.
To: Rob Crittenden; Freeipa-users at redhat.com
Subject: [Freeipa-users] How to rebuild IPA master?

Hi all,

I've an IPA master/replica setup in our development environment. Unfortunately our IPA master crashed, the replica is working fine. Now I have the IPA master re-imaged.

What are the steps I have to follow to re-create the IPA master from the running IPA replica? Before the crash the IPA master ran the dogtag certificate system, while the IPA replica didn't -- created normally without the --setup-ca option.

Thanks.

--David

From sgallagh at redhat.com Thu May 10 00:31:23 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 09 May 2012 20:31:23 -0400
Subject: [Freeipa-users] How to rebuild IPA master?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC910E4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4FAAE451.9000400@redhat.com>, <1336604694.44854.YahooMailNeo@web125703.mail.ne1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E404CC910E4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1336609883.2323.88.camel@sgallagh520.sgallagh.bos.redhat.com>

On Thu, 2012-05-10 at 00:24 +0000, Steven Jones wrote:
> Hi,
>
> In case everyone else is asleep now......
>
> Do you have access to RH documentation? The 6.3beta admin guide
> section 18.8 talks about why and how to make a replica a master.

The problem seems to be that David had only a single server providing the dogtag CA, and that was the machine that died.

> > I've an IPA master/replica setup in our development environment.
> > Unfortunately our IPA master crashed, the replica is working fine. Now
> > I have the IPA master re-imaged.
> >
> > What are the steps I have to follow to re-create the IPA master from
> > the running IPA replica? Before the crash the IPA master ran the dogtag
> > certificate system, while the IPA replica didn't -- created normally
> > without the --setup-ca option.

You'll have to check with the FreeIPA/Dogtag dev team (I'm a client-side guy, so I don't have all the data here), but you're probably not going to be in good shape. If you kept a separate backup of the private root certificate for the CA, you may be able to stand up a new CA instance and then issue new signed certs from the restored private root cert. Otherwise, you're probably in trouble.

From Steven.Jones at vuw.ac.nz Thu May 10 00:47:45 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 10 May 2012 00:47:45 +0000
Subject: [Freeipa-users] insecure IPA'd NFS
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC9100C@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC90B19@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20120509214317.GA19647@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CC9100C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC91115@STAWINCOX10MBX1.staff.vuw.ac.nz>

Removed the sys: and now no IPA'd client can mount.....oh joy....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 10 May 2012 10:18 a.m.
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] insecure IPA'd NFS

Hi,

Thanks so I will remove the sec=sys bit and re-test..and then I assume it will be kerberos only.....

However in effect what we are saying is we can't protect an IPA user's files if we have to allow a non-IPA user to connect? It's ALL kerberos or nothing? kind of makes sense.....

Also then the 6.3admin beta manual is wrong then IMHO, all that work to do kerberos and adding sec=sys negates it all, so it's pointless...don't think that should be there myself in that case.

The next phase is for me to connect to a BLUEARC NAS, in which case it's suggesting I can't secure NFS ie users data at all....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Nalin Dahyabhai [nalin at redhat.com]
Sent: Thursday, 10 May 2012 9:43 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] insecure IPA'd NFS

On Wed, May 09, 2012 at 09:16:45PM +0000, Steven Jones wrote:
> I just set up a RHEL6 server as an NFS server and I have 2 x RHEL6
> workstation clients doing NFS via automount as per section 10.3 admin
> guide 6.3beta....all good until I use a Ubuntu client to 'attack it'.
> I find the non-IPA'd ubuntu client can delete, alter and edit
> files......kind of Oops....I think there is a stage missing in the doc
> or a bug.......can someone have a look at that doc and tell me if a
> step is missing please?

What was the exact command used to mount the filesystem at the client, and what are the contents of the mountpoint's entry in /proc/mounts on the client after it's been mounted?
The guide lists "sys" as one of the security flavors when it shows an example entry in /etc/exports (I guess, because it's demonstrating adding Kerberos settings to a previously-configured export), which I suspect is at least part of it.

HTH,

Nalin

From arpittolani at gmail.com Thu May 10 09:45:22 2012
From: arpittolani at gmail.com (Arpit Tolani)
Date: Thu, 10 May 2012 15:15:22 +0530
Subject: [Freeipa-users] admin account deleted from webui
In-Reply-To: <4FAAD271.7010405@redhat.com>
References: <4FAAD271.7010405@redhat.com>

Sylvain Angers wrote:
>> Hello
>> Someone did delete the admin account by mistake, how can we recover from
>> this?

You might want to have a look at this. There is an RFE which will prompt you before you delete some important things.

https://fedorahosted.org/freeipa/ticket/2560
https://fedorahosted.org/freeipa/ticket/2564

Regards
Arpit Tolani

From pspacek at redhat.com Thu May 10 09:45:28 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 10 May 2012 11:45:28 +0200
Subject: [Freeipa-users] How to rebuild IPA master?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC910E4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4FAAE451.9000400@redhat.com>, <1336604694.44854.YahooMailNeo@web125703.mail.ne1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E404CC910E4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FAB8E38.9020608@redhat.com>

On 05/10/2012 02:24 AM, Steven Jones wrote:
> Hi,
>
> In case everyone else is asleep now......
>
> Do you have access to RH documentation?
the 6.3beta admin guide section 18.8 > talks about why and how to make a replica a master. Just for completeness: Documentation is publicly available: http://docs.redhat.com/ Documentation for IPA beta: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/index.html Documentation for latest stable IPA: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html > > e.g., > > "NOTE > All servers and replicas which host a CA are peers in the topology. They can > all issue certificates > and keys to IPA clients, and they all replicate information amongst themselves. > The only reason to promote a replica or server to be a master server is if the > master server is > being taken offline. There has to be a root CA which can issue CRLs and > ultimately validate > certificate checks. > Aside from that, replicas, servers, and the master server are all equal peers." > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ------------------------------------------------------------------------------ > *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on > behalf of David Copperfield [cao2dan at yahoo.com] > *Sent:* Thursday, 10 May 2012 11:04 a.m. > *To:* Rob Crittenden; Freeipa-users at redhat.com > *Subject:* [Freeipa-users] How to rebuild IPA master? > > Hi all, > > I've an IPA master/replica setup in our development environment. Unfortunately > our IPA master crashed; the replica is working fine. Now I have the IPA master > re-imaged. > > What are the steps I have to follow to re-create the IPA master from the running > IPA replica? Before the crash the IPA master ran the Dogtag certificate system, while > the IPA replica didn't -- it was created normally without the --setup-ca option. > > Thanks.
> > --David From jhrozek at redhat.com Thu May 10 10:58:31 2012 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 10 May 2012 12:58:31 +0200 Subject: [Freeipa-users] Trying to trace why a user cannot login to a client In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC903C0@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC8809C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC880FE@STAWINCOX10MBX1.staff.vuw.ac.nz> <201205010843.49685.jzeleny@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC896A4@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC896D5@STAWINCOX10MBX1.staff.vuw.ac.nz> <20120501210412.GF19576@hendrix.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC89A87@STAWINCOX10MBX1.staff.vuw.ac.nz> <20120508130342.GA11109@hendrix.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC903C0@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <20120510105831.GE3370@zeppelin.brq.redhat.com> On Tue, May 08, 2012 at 09:47:41PM +0000, Steven Jones wrote: > Hi, > > Attached is a munin graph of what looks like a memory leak. I suspect (if you look at the munin monthly graph) we had no issue until I think we patched. I need to ask my admins if they did patch (they are not in yet). > > Looking at the CPU and memory graphs in VMware the change in stability and the leak is also most noticeable, yet apart from upping the nsslapd-cachememsize: 10485760 to 18900000 I know of no changes to the system. Attached is a VMware graph. > > It now looks like I have to set a cronjob to reboot the IPA servers nightly. > > So since ipa2 crashed (or rather the memory-killer killed slapd), this isn't why 1/2 the users could login: that workstation points at ipa2 while others point at ipa1, is my best guess.
> These are all real issues, but server side issues, which is outside my domain of expertise, sorry. I also believe they are being discussed in a separate thread? If you happen to reproduce the System Error again, please attach sssd_pam.log and sssd_domain.log. Thank you! From simo at redhat.com Thu May 10 13:11:17 2012 From: simo at redhat.com (Simo Sorce) Date: Thu, 10 May 2012 09:11:17 -0400 Subject: [Freeipa-users] krbPasswordExpiration field not updating? In-Reply-To: <20120509235858.GB8180@noboost.org> References: <20120508055545.GA8139@noboost.org> <4FA922F1.3040502@redhat.com> <20120509004520.GA8180@noboost.org> <4FAA5343.6030208@redhat.com> <20120509235858.GB8180@noboost.org> Message-ID: <1336655477.5722.221.camel@willson.li.ssimo.org> On Thu, 2012-05-10 at 03:58 +0400, freeipa at noboost.org wrote: > On Wed, May 09, 2012 at 01:21:39PM +0200, Petr Spacek wrote: > > On 05/09/2012 03:31 AM, Dan Scott wrote: > > >On Tue, May 8, 2012 at 8:45 PM, wrote: > > >>On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote: > > >>>Dan Scott wrote: > > >>>>On Tue, May 8, 2012 at 1:55 AM, wrote: > > >>>>>Hi, > > >>>>> > > >>>>>Spec: > > >>>>>Red Hat Enterprise Linux Server release 6.2 (Santiago) > > >>>>> ipa-admintools-2.1.3-9.el6.x86_64 > > >>>>> ipa-client-2.1.3-9.el6.x86_64 > > >>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch > > >>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch > > >>>>> ipa-python-2.1.3-9.el6.x86_64 > > >>>>> ipa-server-2.1.3-9.el6.x86_64 > > >>>>> ipa-server-selinux-2.1.3-9.el6.x86_64 > > >>>>> > > >>>>>Issue: > > >>>>>Firstly I'll declare someone must have seen this by now? 
> > >>>>> > > >>>>>I've set the password policy to 99999; > > >>>>>[root at sysvm-ipa ~]# ipa pwpolicy-show > > >>>>> Group: global_policy > > >>>>> Max lifetime (days): 99999 > > >>>>> Min lifetime (hours): 1 > > >>>>> History size: 0 > > >>>>> Character classes: 0 > > >>>>> Min length: 6 > > >>>>> Max failures: 6 > > >>>>> Failure reset interval: 60 > > >>>>> Lockout duration: 600 > > >>>>> > > >>>>>But old accounts are not getting the change at the ldap level, even > > >>>>>though IPA claims the expiry date has updated. > > >>>>>e.g. > > >>>>>[root at sysvm-ipa ~]# ipa pwpolicy-show --user=john > > >>>>> Group: global_policy > > >>>>> Max lifetime (days): 99999 > > >>>>> Min lifetime (hours): 1 > > >>>>> History size: 0 > > >>>>> Character classes: 0 > > >>>>> Min length: 6 > > >>>>> Max failures: 6 > > >>>>> Failure reset interval: 60 > > >>>>> Lockout duration: 600 > > >>>>> > > >>>>> > > >>>>>ldapsearch (command chopped) > > >>>>># john, users, accounts, teratext.saic.com.au > > >>>>>dn: uid=john,cn=users,cn=accounts,dc=example,dc=com > > >>>>>krbPasswordExpiration: 20120506011529Z > > >>>>> > > >>>>> > > >>>>>So now when the user(s) logs in, I'm getting "password will expire in XX > > >>>>>days" messages. > > >>>>> > > >>>>>Any ideas? > > >>>>>Can I globally update this somehow, otherwise I'll be re-typing > > >>>>>passwords for a while. > > >>>> > > >>>>A password reset by admin always expires the password. I think once > > >>>>the user first changes their password it will have the lifetime that > > >>>>you specified. 
> > >>>> > > >>>>You can force the expiration date using an ldapmodify command: > > >>>> > > >>>>ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv > > >>>>-f update_krbpasswordexpiration.ldif > > >>>> > > >>>>Where the update_krbpasswordexpiration.ldif file contains: > > >>>> > > >>>>dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com > > >>>>changetype: modify > > >>>>replace: krbpasswordexpiration > > >>>>krbpasswordexpiration: 20140202203734Z > > >>>> > > >>>>You could do this as admin if you have a ticket so that you don't have > > >>>>to enter the directory manager password. > > >>> > > >>>This is great, thanks Dan. > > >>> > > >>>BTW the equivalent command using a Kerberos ticket is: > > >>> > > >>>$ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f > > >>>update_krbpasswordexpiration.ldif > > >>> > > >>>rob > > >>> > > >>Thanks great advice, so just to clarify, do the rear numbers just > > >>represent hours, seconds etc? > > >>e.g. krbpasswordexpiration: 20150101203734Z > > >> krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour,37=min,34=sec]? > > > > > >Yep, and Z indicates GMT. > > > > Question is: > > 1) Should we document that (and provide a hint in `ipa pwpolicy` output)? > > OR > > 2) Should ipa pwpolicy do update for all affected principals in > > LDAP? Just to prevent confusion? > > > > I like variant 2, because variant 1 seems to be confusing to me. > > > > Craig, what is user opinion? > > > > Petr^2 Spacek > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > The thing that threw me was that "Max lifetime (days)" is not the actual expiry date. 
> Once I realised that there was an ldap "krbPasswordExpiration" attribute which I can > modify directly, then I fixed the issue for the whole company in about 10min :) > > Documentation (my opinion): > * Full meaning for this attribute krbPasswordExpiration > * The difference between Max lifetime (days) & krbPasswordExpiration > * How to change ldap expiration entries. It would be nice if you could open a ticket so we can track this RFE and not forget about it. Thanks. Simo. -- Simo Sorce * Red Hat, Inc * New York From cevich at redhat.com Thu May 10 13:37:02 2012 From: cevich at redhat.com (Chris Evich) Date: Thu, 10 May 2012 09:37:02 -0400 Subject: [Freeipa-users] insecure IPA'd NFS In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC91115@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC90B19@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20120509214317.GA19647@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CC9100C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC91115@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4FABC47E.1030003@redhat.com> On 05/09/2012 08:47 PM, Steven Jones wrote: > Removed the sys: and now no IPA'd client can mount.....oh joy.... Hehe, this is typical (and frustrating) for fresh NFS+Kerberos setups. It's very easy to miss a little detail and not get much back as to why it's not working. I'd suggest going through the setup step-by-step again to see what's missing. Do both client and server have valid nfs/@DOMAIN keys in /etc/krb5.keytab? Is /etc/krb5.keytab accessible (i.e. no SELinux problems)? Is port 2049 open on the firewall? What's the state of the rpc.svcgssd process on the server and the rpc.gssd process on the client? Can you manually mount the export on the server? What shows in krb5kdc.log when trying to manually mount on the client? If none of those localize the problem area further, you can go down the road of bumping the rpc debug levels on both sides to see where the issue is. Hope that helps.
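The exports-file behaviour this NFS thread turns on (a `sec=` list that still contains `sys` admits any client that merely asserts a UID over AUTH_SYS, and exports(5) scopes options such as `rw` or `all_squash` to whichever flavours the preceding `sec=` named) can be audited mechanically instead of by eye. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from nfs-utils. It parses an exports file with exports(5) option scoping and reports every export that a sec=sys client can reach, rating a writable sys export above a read-only, all_squash one. The exports text embedded in it is constructed sample data; the `-opts` default handling and the `host (opts)` world-export pitfall follow the man page's description of those forms.

```python
"""Audit an exports(5) file for NFS exports reachable with sec=sys.

Added example for this page, not code from the thread or from nfs-utils.
With sec=sys (AUTH_SYS) the server trusts whatever UID the client sends,
so an export that still lists sys next to krb5* is open to any host that
can reach port 2049, Kerberos or not.
"""
import re
import sys
from typing import Dict, List

DEFAULT_FLAVOR = "sys"   # exports(5): sys is the flavor used when no sec= is given
SPEC = re.compile(r"^(?P<client>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")


def _apply(flags: dict, opt: str) -> None:
    """Fold one non-sec option into a per-flavor flag set."""
    if opt in ("rw", "ro"):
        flags["access"] = opt
    elif opt in ("root_squash", "no_root_squash"):
        flags["root"] = opt
    elif opt in ("all_squash", "no_all_squash"):
        flags["all"] = opt
    else:
        flags["other"] = flags["other"] + (opt,)   # tuple, so a shallow copy is safe


def parse_options(optstr: str) -> Dict[str, dict]:
    """Expand an option list into {flavor: flags} using exports(5) scoping:
    options before the first sec= apply to every flavor, options after a
    sec=a:b list apply only to those flavors, until the next sec=."""
    # NFS defaults: read-only, root squashed, other UIDs passed through.
    common = {"access": "ro", "root": "root_squash", "all": "no_all_squash", "other": ()}
    per_flavor: Dict[str, dict] = {}
    active: List[str] = []           # empty until the first sec= is seen
    for opt in filter(None, optstr.split(",")):
        if opt.startswith("sec="):
            active = opt[4:].split(":")
            for flavor in active:
                per_flavor.setdefault(flavor, dict(common))
        elif active:
            for flavor in active:
                _apply(per_flavor[flavor], opt)
        else:
            _apply(common, opt)
    if not per_flavor:               # no sec= at all: only AUTH_SYS is offered
        per_flavor[DEFAULT_FLAVOR] = dict(common)
    return per_flavor


def parse_exports(text: str) -> List[dict]:
    """Return [{path, client, flavors}] for every client spec in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        defaults = ""
        for spec in specs:
            if spec.startswith("-"):         # "-opts" sets defaults for later hosts
                defaults = spec[1:] + ","
                continue
            m = SPEC.match(spec)
            if not m:
                raise ValueError(f"cannot parse {spec!r} in line: {raw}")
            # "host (rw)" with a space is two specs: host with defaults, and
            # "(rw)" with an empty client, which exports(5) treats as the world.
            client = m.group("client") or "*"
            opts = defaults + (m.group("opts") or "")
            entries.append({"path": path, "client": client, "flavors": parse_options(opts)})
    return entries


def find_unauthenticated_access(text: str) -> List[dict]:
    """Findings for every export a sec=sys client can reach, worst first."""
    findings = []
    for e in parse_exports(text):
        f = e["flavors"].get(DEFAULT_FLAVOR)
        if f is None:
            continue                         # Kerberos-only: nothing to report
        if f["access"] == "rw":
            severity = "critical" if f["root"] == "no_root_squash" else "high"
        else:
            severity = "medium"              # readable without authentication
        findings.append({"path": e["path"], "client": e["client"], "severity": severity,
                         "access": f["access"], "root": f["root"], "all": f["all"]})
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


SAMPLE_EXPORTS = """\
# constructed sample for the demo, not a real server's /etc/exports
/export/home    *(rw,sec=krb5:krb5i:krb5p:sys,no_subtree_check)
/export/pub     *(sec=krb5p,rw,root_squash,sec=sys,ro,all_squash,no_subtree_check)
/export/scratch 192.168.1.0/24(rw,sync,no_root_squash)
/export/tools   buildhost (rw)
/export/krbonly *(sec=krb5p,rw,no_subtree_check)
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for f in find_unauthenticated_access(text):
        print(f"{f['severity']:8} {f['path']} {f['client']}: sec=sys {f['access']} {f['root']} {f['all']}")
```

Run it as `python3 audit_exports.py /etc/exports` on the NFS server and compare the report with `exportfs -v`, which prints the options the kernel actually applied per export. In the sample, `/export/home` is the shape the thread complains about: `rw` precedes the `sec=` list, so it applies to `sys` too, and the Kerberos flavours add nothing for a client that simply asks for AUTH_SYS. The `/export/pub` line is the layered form exports(5) allows, where the unauthenticated path is read-only and all_squash'd, and `/export/krbonly` produces no finding at all.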
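The bulk fix worked out in the krbPasswordExpiration thread above (write the attribute directly with a GeneralizedTime value of the form YYYYMMDDHHMMSSZ, Z meaning UTC, and feed the LDIF to `ldapmodify -Y GSSAPI -f`) can be scripted so that the value is computed from the policy's max lifetime rather than typed by hand for each user. The Python below is an added example written for this page, not code from the thread or from FreeIPA: it parses the output of an `ldapsearch` for `krbPasswordExpiration`, selects the users whose passwords expire within a grace window, and emits the LDIF. The ldapsearch output embedded in it is a constructed sample, and the 30-day window and the `uid=...,cn=users,cn=accounts` DNs are assumptions made for the demo.

```python
"""Bulk-extend krbPasswordExpiration for IPA users by generating LDIF.

Added example for this page, not code from the thread or from FreeIPA.
It only produces the LDIF; apply it with `ldapmodify -Y GSSAPI -f out.ldif`
(or -x -D 'cn=directory manager' -W) as the thread describes.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# LDAP GeneralizedTime as IPA stores it: YYYYMMDDHHMMSS followed by Z (= UTC).
GT_FORMAT = "%Y%m%d%H%M%SZ"


def to_generalized_time(when: datetime) -> str:
    """Render an aware datetime as YYYYMMDDHHMMSSZ, converting to UTC first."""
    if when.tzinfo is None:
        raise ValueError("need an aware datetime; a naive local time is ambiguous")
    return when.astimezone(timezone.utc).strftime(GT_FORMAT)


def parse_generalized_time(value: str) -> datetime:
    """Parse the 15-character form IPA writes; anything else is rejected."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime {value!r}")
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def unfold_ldif(text: str) -> List[str]:
    """Join the continuation lines (leading space) ldapsearch uses for long values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def read_expirations(ldapsearch_output: str) -> Dict[str, str]:
    """Map user DN -> krbPasswordExpiration value from ldapsearch output."""
    found: Dict[str, str] = {}
    dn = None
    for line in unfold_ldif(ldapsearch_output):
        if line.lower().startswith("dn: "):
            dn = line[4:].strip()
        elif dn and line.lower().startswith("krbpasswordexpiration: "):
            found[dn] = line.split(": ", 1)[1].strip()
    return found


def plan_updates(current: Dict[str, str], max_lifetime_days: int, now: datetime,
                 grace_days: int = 30) -> List[Tuple[str, str]]:
    """(dn, new value) for every user whose password expires within grace_days.

    The new expiry is now + the pwpolicy max lifetime; users already beyond
    the window are left alone, so the script is safe to re-run."""
    horizon = now + timedelta(days=grace_days)
    new_value = to_generalized_time(now + timedelta(days=max_lifetime_days))
    return [(dn, new_value) for dn, value in sorted(current.items())
            if parse_generalized_time(value) <= horizon]


def expiration_ldif(updates: Iterable[Tuple[str, str]]) -> str:
    """One `changetype: modify` record per user, blank-line separated.
    DNs are assumed to be plain ASCII (base64 `dn::` encoding is not handled)."""
    records = [f"dn: {dn}\nchangetype: modify\n"
               f"replace: krbPasswordExpiration\nkrbPasswordExpiration: {value}\n"
               for dn, value in updates]
    return "\n".join(records)


# Constructed sample of `ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com
# '(objectclass=krbprincipalaux)' krbPasswordExpiration`; not real directory data.
SAMPLE_LDAPSEARCH = """\
# search result, constructed for the demo
dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120506011529Z

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20140202203734Z

dn: uid=averyveryverylongusernamewhichldapsearchfolds,cn=users,cn=accounts,dc=exa
 mple,dc=com
krbPasswordExpiration: 20120520000000Z
"""

if __name__ == "__main__":
    # The pwpolicy from the thread: Max lifetime (days) = 99999; "now" is pinned
    # to the date of the thread so the sample output is reproducible.
    now = parse_generalized_time("20120510000000Z")
    updates = plan_updates(read_expirations(SAMPLE_LDAPSEARCH), 99999, now)
    print(expiration_ldif(updates), end="")
```

Two cautions that follow from the thread itself: writing the attribute directly sidesteps the policy's intent, so keep the generated LDIF as a record of what was changed and for whom; and, as Dan notes above, the attribute is recomputed from the policy on the next password change, so this is a one-off repair for accounts whose expiry predates the policy change, not a substitute for the policy.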
From cevich at redhat.com Thu May 10 13:37:28 2012 From: cevich at redhat.com (Chris Evich) Date: Thu, 10 May 2012 09:37:28 -0400 Subject: [Freeipa-users] insecure IPA'd NFS In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC9100C@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC90B19@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20120509214317.GA19647@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC9100C@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4FABC498.60901@redhat.com> On 05/09/2012 06:18 PM, Steven Jones wrote: > Hi, > > Thanks so I will remove the sec=sys bit and re-test..and then I > assume it will be kerberos only..... This is not true, it's documented in the exports man page how you can assign different permissions depending on the security type. For example: /nfsroot/stuff *(crossmnt,no_subtree_check,async,sec=krb5p,rw,root_squash,sec=sys,ro,all_squash) This makes it so users with valid kerberos creds have rw access (though root is squashed). W/o a kerberos ticket, a user can still read stuff, but all ownership information is squashed. From pspacek at redhat.com Thu May 10 13:50:20 2012 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 10 May 2012 15:50:20 +0200 Subject: [Freeipa-users] krbPasswordExpiration field not updating? 
In-Reply-To: <1336655477.5722.221.camel@willson.li.ssimo.org> References: <20120508055545.GA8139@noboost.org> <4FA922F1.3040502@redhat.com> <20120509004520.GA8180@noboost.org> <4FAA5343.6030208@redhat.com> <20120509235858.GB8180@noboost.org> <1336655477.5722.221.camel@willson.li.ssimo.org> Message-ID: <4FABC79C.1010505@redhat.com> On 05/10/2012 03:11 PM, Simo Sorce wrote: > On Thu, 2012-05-10 at 03:58 +0400, freeipa at noboost.org wrote: >> On Wed, May 09, 2012 at 01:21:39PM +0200, Petr Spacek wrote: >>> [...] >>> Question is: >>> 1) Should we document that (and provide a hint in `ipa pwpolicy` output)? >>> OR >>> 2) Should ipa pwpolicy do update for all affected principals in >>> LDAP? Just to prevent confusion? >>> >>> I like variant 2, because variant 1 seems to be confusing to me. >>> >>> Craig, what is user opinion? >>> >>> Petr^2 Spacek >> The thing that threw me was that "Max lifetime (days)" is not the actual expiry date. >> Once I realised that there was an ldap "krbPasswordExpiration" attribute which I can >> modify directly, then I fixed the issue for the whole company in about 10min :) >> >> Documentation (my opinion): >> * Full meaning for this attribute krbPasswordExpiration >> * The difference between Max lifetime (days) & krbPasswordExpiration >> * How to change ldap expiration entries. > > It would be nice if you could open a ticket so we can track this RFE and > not forget about it. Done 2 hours ago, I forgot to report it :-) https://fedorahosted.org/freeipa/ticket/2745 > > Thanks. > Simo. > From pspacek at redhat.com Thu May 10 13:52:13 2012 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 10 May 2012 15:52:13 +0200 Subject: [Freeipa-users] admin account deleted from webui In-Reply-To: <4FAAD271.7010405@redhat.com> References: <4FAAD271.7010405@redhat.com> Message-ID: <4FABC80D.2050705@redhat.com> On 05/09/2012 10:24 PM, Rob Crittenden wrote: > Sylvain Angers wrote: >> Hello >> Someone did delete the admin account by mistake, how can we recover from >> this? > > Fortunately there is nothing really special about the admin account except > that they are a member of the admins group, that is the important bit.
> > You can use ldapmodify to add another user into the admins group: > > $ ldapmodify -x -D 'cn=directory manager' -W > dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com > changetype: modify > add: member > member: uid=youruser,cn=users,cn=accounts,dc=example,dc=com > > ^D > > You can decide to re-create the admin user if you'd like. > > We have a bug open to prevent the last member of the admins group from being removed. I think we should document the recovery procedure also: https://fedorahosted.org/freeipa/ticket/2746 Petr^2 Spacek > > rob From bcook at redhat.com Thu May 10 16:27:23 2012 From: bcook at redhat.com (Brian Cook) Date: Thu, 10 May 2012 09:27:23 -0700 Subject: [Freeipa-users] proxy with Active Directory In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC91027@STAWINCOX10MBX1.staff.vuw.ac.nz> References: , <1336601701.5722.215.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CC91027@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: The problem with the cross realm trust support as I understand it is that it requires you to populate posix attributes in AD, which many AD admins are hesitant to do. You have to install the AD services for unix pack and create a metadata object in the directory for tracking UID and GID and then manage users via the ADSFU snap-in. I have run into significant resistance to this and the Linux guys usually do not have access. Brian On May 9, 2012, at 3:19 PM, Steven Jones wrote: > That is possibly RHEL6.4? So year end? > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Simo Sorce [simo at redhat.com] > Sent: Thursday, 10 May 2012 10:15 a.m.
> To: Sylvain Angers > Cc: Freeipa-users at redhat.com > Subject: Re: [Freeipa-users] proxy with Active Directory > > On Wed, 2012-05-09 at 14:19 -0400, Sylvain Angers wrote: >> Hello >> >> Our security group have concerns with copying username/password from >> AD and might not allow this synchronisation to even happen. >> Is there a way to configure ipa to go get username/password via some kind >> of proxy? > > Not really, your best bet in that situation is cross realm trust support, > scheduled for the next FreeIPA version. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Thu May 10 16:33:33 2012 From: simo at redhat.com (Simo Sorce) Date: Thu, 10 May 2012 12:33:33 -0400 Subject: [Freeipa-users] proxy with Active Directory In-Reply-To: References: , <1336601701.5722.215.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CC91027@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <1336667613.5722.225.camel@willson.li.ssimo.org> On Thu, 2012-05-10 at 09:27 -0700, Brian Cook wrote: > The problem with the cross realm trust support as I understand it is > that it requires you to populate posix attributes in AD, which many AD > admins are hesitant to do. You have to install the AD services for > unix pack and create a metadata object in the directory for tracking UID > and GID and then manage users via the ADSFU snap-in. I have run into > significant resistance to this and the Linux guys usually do not have > access. Sorry Brian, but this is not true at all. We perform SID mapping in case of Forest Trusts with AD. Simo.
-- Simo Sorce * Red Hat, Inc * New York From cao2dan at yahoo.com Thu May 10 20:31:07 2012 From: cao2dan at yahoo.com (David Copperfield) Date: Thu, 10 May 2012 13:31:07 -0700 (PDT) Subject: [Freeipa-users] Please help: Re: How to rebuild IPA master? In-Reply-To: <4FAB8E38.9020608@redhat.com> References: <4FAAE451.9000400@redhat.com>, <1336604694.44854.YahooMailNeo@web125703.mail.ne1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E404CC910E4@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FAB8E38.9020608@redhat.com> Message-ID: <1336681867.14016.YahooMailNeo@web125702.mail.ne1.yahoo.com> Hi Petr and all, All the chapters you have pointed out have been read many times, but that doesn't help at all. My problem is: the Dogtag system ran on the IPA master ONLY before the IPA master crashed. Now I have to do the following: 1, install and run the Dogtag system on the IPA replica -- the document mentioned it -- 'ipa-ca-install' etc. 2, promote the IPA replica into the new IPA master -- the document mentioned it but not clearly -- regarding the /root/cacert.p12 key file and the replica file under /var/lib/ipa. 3, how to recover the Dogtag system's data (different LDAP backend) that existed on the IPA master before it crashed? Other closely related questions include: what is included in the replica definition file /var/lib/ipa/replica-info-ipareplica01.example.com.gpg? Where is the signing key and how do I open the .gpg file? Thanks. --David ________________________________ From: Petr Spacek To: freeipa-users at redhat.com Sent: Thursday, May 10, 2012 2:45 AM Subject: Re: [Freeipa-users] How to rebuild IPA master? [...] From janfrode at tanso.net Thu May 10 20:36:01 2012 From: janfrode at tanso.net (Jan-Frode Myklebust) Date: Thu, 10 May 2012 22:36:01 +0200 Subject: [Freeipa-users] DogTag PKI uses ? Message-ID: <20120510203601.GA12024@dibs.tanso.net> We're finally implementing IPA in our company (migrating from Sun Identity Manager populated LDAP + manually maintained netgroups and sudoers also in LDAP). I think I understand how to migrate these parts to IPA, but the dogtag part is quite foreign currently. We already have two private PKI infrastructures implemented. One for managing user certificates for about 250 openvpn users, and another for managing certificates for a few internal web services. Should we look into re-using one of these CAs in IPA? I think it would be marvelous if IPA/dogtag could create certs/keys for the users, and keep a copy of the users' CSRs so that it could automatically send the user an updated certificate with an expiry matching the password lifetime. Is this something that's possible currently, or on the roadmap maybe? -jf From rcritten at redhat.com Thu May 10 20:50:42 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 10 May 2012 16:50:42 -0400 Subject: [Freeipa-users] Please help: Re: How to rebuild IPA master?
In-Reply-To: <1336681867.14016.YahooMailNeo@web125702.mail.ne1.yahoo.com> References: <4FAAE451.9000400@redhat.com>, <1336604694.44854.YahooMailNeo@web125703.mail.ne1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E404CC910E4@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FAB8E38.9020608@redhat.com> <1336681867.14016.YahooMailNeo@web125702.mail.ne1.yahoo.com> Message-ID: <4FAC2A22.5030307@redhat.com> David Copperfield wrote: > Hi Petr and all, > > All the chapters you have pointed out have been read many times, but that > doesn't help at all. > > My problem is: the Dogtag system ran on the IPA master ONLY before the > IPA master crashed. Now I have to do the following: > > 1, install and run the Dogtag system on the IPA replica -- the document > mentioned it -- 'ipa-ca-install' etc. > > 2, promote the IPA replica into the new IPA master -- the document mentioned it > but not clearly -- regarding the /root/cacert.p12 key file and the replica > file under /var/lib/ipa. > > 3, how to recover the Dogtag system's data (different LDAP backend) that > existed on the IPA master before it crashed? > > Other closely related questions include: > > what is included in the replica definition file > /var/lib/ipa/replica-info-ipareplica01.example.com.gpg? Where is the > signing key and how do I open the .gpg file? # gpg -d /path/to/replica.gpg | tar xf - The password is the Directory Manager password. You have limited options since your CA was a single point of failure and it failed. The root CA private keys should be in the replica file, so there may be ways to recover; all of them will require significant manual effort. We have no way to add a new CA to an existing IPA installation outside of ipa-ca-install, so we'll need to give that some thought. I think the simplest way to fix this is to create a new CA as a subordinate of the original one. The existing certs should still be trusted (except for the agent cert), so mass rekeying won't be necessary. Another option is to install a new CA and try to replace its key with the original. We'd need to think long-term about this effort and you'd want to renew all issued certificates so they will be revokable. rob > > Thanks. > > --David > > [...] From rcritten at redhat.com Thu May 10 20:52:54 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 10 May 2012 16:52:54 -0400 Subject: [Freeipa-users] DogTag PKI uses ? In-Reply-To: <20120510203601.GA12024@dibs.tanso.net> References: <20120510203601.GA12024@dibs.tanso.net> Message-ID: <4FAC2AA6.8080004@redhat.com> Jan-Frode Myklebust wrote: > We're finally implementing IPA in our company (migrating from Sun > Identity Manager populated LDAP + manually maintained netgroups and > sudoers also in LDAP). I think I understand how to migrate these parts > to IPA, but the dogtag part is quite foreign currently. > > We already have two private PKI infrastructures implemented. One for > managing user certificates for about 250 openvpn users, and another for > managing certificates for a few internal web services.
Should we look > into re-using one of these CA's in IPA? You could install IPA as a subordinate CA of one of them. IPA requires its own CA. > I think it would be marvelous if IPA/dogtag could create certs/keys for > the users, and keep a copy of the users csr's so that it could automatically > send the user an updated certificate with an expiry matching the password > lifetime. Is this something that's possible currently, or on the roadmap maybe? Right now the CA is used only to issue server certificates. We have user certs on the roadmap but that won't be ready for quite some time (year or more, realistically). rob From Steven.Jones at vuw.ac.nz Thu May 10 21:40:33 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 10 May 2012 21:40:33 +0000 Subject: [Freeipa-users] insecure IPA'd NFS In-Reply-To: <4FABC47E.1030003@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CC90B19@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20120509214317.GA19647@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CC9100C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC91115@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4FABC47E.1030003@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC9164F@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Pretty sure I followed the RH 6.3beta doc exactly...it all worked until I found that non-IPA'd clients could also connect....so if I put sys: back it should be fine....so its the kerberos bit or export options. I have raised a case with RH support for help and also the IPA NFS will need updating if something is missing....thanks. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Chris Evich [cevich at redhat.com] Sent: Friday, 11 May 2012 1:37 a.m. 
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] insecure IPA'd NFS

On 05/09/2012 08:47 PM, Steven Jones wrote:
> Removed the sys: and now no IPA'd client can mount.....oh joy....

Hehe, this is typical (and frustrating) for fresh NFS+Kerberos setups. It's very easy to miss a little detail and not get much back as to why it's not working. I'd suggest going through the setup step-by-step again to see what's missing.

Do both client and server have valid nfs/@DOMAIN keys in /etc/krb5.keytab?
Is /etc/krb5.keytab accessible (i.e. no SELinux problems)?
Is port 2049 open on the firewall?
What's the state of the rpc.svcgssd process on the server and the rpc.gssd process on the client?
Can you manually mount the export on the server?
What shows in krb5kdc.log when trying to manually mount on the client?

If none of those localize the problem area further, you can go down the road of bumping the rpc debug levels on both sides to see where the issue is.

Hope that helps.

_______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

From alee at redhat.com Thu May 10 21:42:32 2012
From: alee at redhat.com (Ade Lee)
Date: Thu, 10 May 2012 17:42:32 -0400
Subject: [Freeipa-users] Please help: Re: How to rebuild IPA master?
In-Reply-To: <4FAC2A22.5030307@redhat.com>
References: <4FAAE451.9000400@redhat.com> , <1336604694.44854.YahooMailNeo@web125703.mail.ne1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E404CC910E4@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FAB8E38.9020608@redhat.com> <1336681867.14016.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC2A22.5030307@redhat.com>
Message-ID: <1336686153.2247.110.camel@aleeredhat.laptop>

David,

The simplest solution may be as Rob suggests - which is to create a new CA as a subordinate of the old.

The other solution would be doable but would require a few more manual steps. That is, you could:

1. install a new ca
2. switch out the certs in that ca with the ones in your gpg file. The certificate database is in /var/lib/pki-ca/alias
3. There may be some manual changes required in /etc/pki-ca/CS.cfg, but as the nicknames should be the same, you might be ok.
4. If you go this route, you probably want to change the lower point of the serial number ranges used for certs/requests in CS.cfg to not reuse serial numbers for certs you have already issued.
5. Switch out the ipa agent cert/keys in the IPA cert database.

You will run into problems later though because you have lost the data in the dogtag database. In particular, because the renewal process uses the original requests (which are stored in the dogtag database), you will likely be unable to renew the certs you have already issued unless you rekey those certs. That may be OK for most certs, but you may not want to do that for the CA signing cert. In that case, you will likely need to instrument something to reconstruct the original request.

Ade

On Thu, 2012-05-10 at 16:50 -0400, Rob Crittenden wrote:
> David Copperfield wrote:
> > Hi Petr and all,
> >
> > All the chapters you have pointed out have been read many times, but that
> > doesn't help at all.
> >
> > My problem is: the Dogtag system ran on the IPA master ONLY before the
> > IPA Master crashed. Now I have to do the following:
> >
> > 1, install and run the Dogtag system on the IPA replica -- the document
> > mentioned it -- 'ipa-ca-install' etc.
> >
> > 2, promote the IPA replica into the new IPA Master -- the document mentioned it
> > but not clearly -- regarding the /root/cacert.p12 key file and the replica
> > file under /var/lib/ipa.
> >
> > 3, how to recover the Dogtag system's data (a different LDAP backend) that
> > existed on the IPA master before it crashed?
> >
> > Other related questions include:
> >
> > what is included in the replica definition file
> > /var/lib/ipa/replica-info-ipareplica01.example.com.gpg? Where is the
> > signing key and how to open the .gpg file?
> > # gpg -d /path/to/replica.gpg | tar xf - > > The password is the Directory Manager password. > > You have limited options since your CA was a single point of failure and > it failed. The root CA private keys should be in the replica file so > there may be ways to recover, all of them will require significant > manual effort. > > We have no way to add a new CA to an existing IPA installation outside > of ipa-ca-install so we'll need to give that some thought. I think the > simplest way to fix this is to create a new CA as a subordinate of the > original one. The existing certs should still be trusted (except for the > agent cert) so mass rekeying won't be necessary. > > Another option is to install a new CA and try to replace key with the > original. We'd need to think long-term about this effort and you'd want > to renew all issued certificates so they will be revokable. > > rob > > > > > > Thanks. > > > > --David > > > > ------------------------------------------------------------------------ > > *From:* Petr Spacek > > *To:* freeipa-users at redhat.com > > *Sent:* Thursday, May 10, 2012 2:45 AM > > *Subject:* Re: [Freeipa-users] How to rebuild IPA master? > > > > On 05/10/2012 02:24 AM, Steven Jones wrote: > > > Hi, > > > > > > In case everyone else is asleep now...... > > > > > > Do you have access to RH documentation? the 6.3beta admin guide > > section 18.8 > > > talks about why and how to make a replicate a master. > > > > Just for completeness: > > Documentation is publicly available: http://docs.redhat.com/ > > > > Documentation for IPA beta: > > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/index.html > > > > Documentation for latest stable IPA: > > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html > > > > > > > > eg., > > > > > > "NOTE > > > All servers and replicas which host a CA are peers in the topology. 
> > They can > > > all issue certificates > > > and keys to IPA clients, and they all replicate information amongst > > themselves. > > > The only reason to promote a replica or server to be a master server > > is if the > > > master server is > > > being taken offline. There has to be a root CA which can issue CRLs and > > > ultimately validate > > > certificate checks. > > > Aside from that, replicas, servers, and the master server are all > > equal peers." > > > > > > regards > > > > > > Steven Jones > > > > > > Technical Specialist - Linux RHCE > > > > > > Victoria University, Wellington, NZ > > > > > > 0064 4 463 6272 > > > > > > > > ------------------------------------------------------------------------------ > > > *From:* freeipa-users-bounces at redhat.com > > > > [freeipa-users-bounces at redhat.com > > ] on > > > behalf of David Copperfield [cao2dan at yahoo.com > > ] > > > *Sent:* Thursday, 10 May 2012 11:04 a.m. > > > *To:* Rob Crittenden; Freeipa-users at redhat.com > > > > > *Subject:* [Freeipa-users] How to rebuild IPA master? > > > > > > Hi all, > > > > > > I've a IPA master/replica setup in our development environment. > > Unfortunately > > > our IPA master crashed, the replica is working fine. Now I have the > > IPA master > > > re-imaged. > > > > > > What are the steps I have to follow to re-create the IPA master from > > running > > > IPA replica? Before crash the IPA master ran dogtag certificate > > system, while > > > the IPA replica didn't -- created normally without the --setup-ca option. > > > > > > Thanks. 
> > > > > > --David > > > > > > _______________________________________________ > > > Freeipa-users mailing list > > > Freeipa-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users

From cao2dan at yahoo.com Thu May 10 21:57:01 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Thu, 10 May 2012 14:57:01 -0700 (PDT)
Subject: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
Message-ID: <1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com>

Hi Rob, Petr and all,

Because of recent crashes of my IPA master and IPA replica servers, I'm thinking of methods to back up/restore IPA user data: users, groups, host and server certificates etc.

It's said that the only official way is to create an extra IPA replica and back up/snapshot that replica all the way. But there is still a big chance that some mistake propagates to the whole IPA domain/realm before the IPA administrator finds it, and data gets lost forever and some may not even be recoverable.

What I think is: because both Dogtag and IPA store data in backend 389 directory servers separately, I could freeze changes on one IPA replica for a few minutes first, then run db2ldap.pl for both 389 LDAP backends, then un-freeze the IPA replica to get it synced from the master.

When data needs to be restored because of disasters, the backup files (in LDIF format -- easy to read) can be restored to the two 389 LDAP backends on the IPA replica with the command ldap2db.pl during the freezing period.

Has anyone tried this solution yet? Are there any limitations?

My experience showed that the IPA replica did get data restored successfully (no Dogtag is involved, so only one LDAP backend is saved/restored). But the IPA master sometimes didn't get the data synced from the IPA replica (1/3 of the time it is synced, 2/3 of the time it needs the manual command 'ipa-replica-manage force-sync --from ').

Please shed some light in this area, as backup/restore of IPA master/replica is not even mentioned in the IPA documentation at all.

Thanks a lot.

--David
-------------- next part -------------- An HTML attachment was scrubbed... URL:

From rmeggins at redhat.com Thu May 10 22:19:34 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 May 2012 16:19:34 -0600
Subject: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
In-Reply-To: <1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com>
References: <1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com>
Message-ID: <4FAC3EF6.1040904@redhat.com>

On 05/10/2012 03:57 PM, David Copperfield wrote:
> Hi Rob, Petr and all,
>
> Because of recent crashes of my IPA master and IPA replica servers,
> I'm thinking of methods to back up/restore IPA user data: users,
> groups, host and server certificates etc.
>
> It's said that the only official way is to create an extra IPA replica
> and back up/snapshot that replica all the way. But there is still a
> big chance that some mistake propagates to the whole IPA
> domain/realm before the IPA administrator finds it, and data gets lost
> forever and some may not even be recoverable.
>
> What I think is: because both Dogtag and IPA store data in backend 389
> directory servers separately, I could freeze changes on one IPA
> replica for a few minutes first, then run db2ldap.pl for both 389 LDAP
> backends, then un-freeze the IPA replica to get it synced from the master.
>
> When data needs to be restored because of disasters, the backup
> files (in LDIF format -- easy to read) can be restored to the two
> 389 LDAP backends on the IPA replica with the command ldap2db.pl during the
> freezing period.

It's ldif2db.pl db2ldif.pl not ldap

> Has anyone tried this solution yet? Are there any limitations?
>
> My experience showed that the IPA replica did get data restored
> successfully (no Dogtag is involved, so only one LDAP backend is
> saved/restored). But the IPA master sometimes didn't get the data
> synced from the IPA replica (1/3 of the time it is synced, 2/3 of the time it needs the
> manual command 'ipa-replica-manage force-sync --from ').

How did you verify that the data was synced? Note that if a server has been down for a while, it will take the supplier up to 5 minutes to recognize that the consumer is up again, without force sync.

> Please shed some light in this area, as backup/restore of IPA
> master/replica is not even mentioned in the IPA documentation at all.
>
> Thanks a lot.
>
> --David
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part -------------- An HTML attachment was scrubbed... URL:

From cao2dan at yahoo.com Thu May 10 22:37:51 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Thu, 10 May 2012 15:37:51 -0700 (PDT)
Subject: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
In-Reply-To: <4FAC3EF6.1040904@redhat.com>
References: <1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC3EF6.1040904@redhat.com>
Message-ID: <1336689471.66003.YahooMailNeo@web125701.mail.ne1.yahoo.com>

Hi Rich and all,

Thanks for the correction. They are the db2ldif.pl and ldif2db.pl scripts, which are originally for 389 Directory Server's backup and restore purposes.

There are no IPA tools for IPA system backup and restore. Is there a plan to develop tools like ipa2ldif.pl and ldif2ipa.pl soon? Or, at least, is it on the IPA roadmap?

For the second question: I use the simple way, ipa user-add/user-delete/user-find, to see whether data is propagated. My testing steps are like this:

1, run 'ipa user-add testuser' on the IPA replica, check it on the IPA master with 'ipa user-find testuser' and it is found in a few seconds -- not 5 minutes.
2, run 'db2ldif.pl' on the IPA replica to save a backup.
3, run 'ipa user-del testuser' on the IPA replica, then 'ipa user-find' on the IPA replica, and it shows that the user is deleted.
4, double check 'ipa user-find testuser' on the IPA master, and it is found deleted, which is as expected, and it is propagated in just a few seconds.
5, run 'ldif2db.pl' on the same IPA replica where the backup was created.
6, run 'ipa user-find testuser' on the IPA replica and it is found that the user testuser is alive again.
7, run 'ipa user-find testuser' on the IPA master. 1/3 of the time we can find it -- and in just a few seconds. The other 2/3 of the time it could not be found even after HALF AN HOUR.

Please do a quick duplicate test at your side and advise what normal users should do, because a reliable backup/restore solution is definitely one of the key criteria. Thanks a lot.

--David

________________________________
From: Rich Megginson
To: David Copperfield
Cc: "freeipa-users at redhat.com" ; Rob Crittenden ; Petr Spacek
Sent: Thursday, May 10, 2012 3:19 PM
Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
> On 05/10/2012 03:57 PM, David Copperfield wrote:
>> Hi Rob, Petr and all,
>>
>> Because of recent crashes of my IPA master and IPA replica servers, I'm thinking of methods to back up/restore IPA user data: users, groups, host and server certificates etc.
>>
>> It's said that the only official way is to create an extra IPA replica and back up/snapshot that replica all the way. But there is still a big chance that some mistake propagates to the whole IPA domain/realm before the IPA administrator finds it, and data gets lost forever and some may not even be recoverable.
>>
>> What I think is: because both Dogtag and IPA store data in backend 389 directory servers separately, I could freeze changes on one IPA replica for a few minutes first, then run db2ldap.pl for both 389 LDAP backends, then un-freeze the IPA replica to get it synced from the master.
>>
>> When data needs to be restored because of disasters, the backup files (in LDIF format -- easy to read) can be restored to the two 389 LDAP backends on the IPA replica with the command ldap2db.pl during the freezing period.
>
> It's ldif2db.pl db2ldif.pl not ldap
>
>> Has anyone tried this solution yet? Are there any limitations?
>>
>> My experience showed that the IPA replica did get data restored successfully (no Dogtag is involved, so only one LDAP backend is saved/restored). But the IPA master sometimes didn't get the data synced from the IPA replica (1/3 of the time it is synced, 2/3 of the time it needs the manual command 'ipa-replica-manage force-sync --from ').
>
> How did you verify that the data was synced? Note that if a server has been down for a while, it will take the supplier up to 5 minutes to recognize that the consumer is up again, without force sync.
>
>> Please shed some light in this area, as backup/restore of IPA master/replica is not even mentioned in the IPA documentation at all.
>>
>> Thanks a lot.
> > >--David > > > > > > > > > > > > > > > > >_______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Fri May 11 00:28:59 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 10 May 2012 18:28:59 -0600 Subject: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ??? In-Reply-To: <1336689471.66003.YahooMailNeo@web125701.mail.ne1.yahoo.com> References: <1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC3EF6.1040904@redhat.com> <1336689471.66003.YahooMailNeo@web125701.mail.ne1.yahoo.com> Message-ID: <4FAC5D4B.50907@redhat.com> On 05/10/2012 04:37 PM, David Copperfield wrote: > Hi Rich and all, > > Thanks for correction. They are db2ldif.pl and ldif2db.pl scripts, > which are originally for 389 Directory Servers' backup and restore > purposes. > > There are no IPA tools for IPA system backup and restore. Is there a > plan to develop tools like ipa2ldif.pl and ldif2ipa.pl soon? or, at > least, whether it is in IPA roadmap? > > For the second question: I use the simple way: ipa > user-add/user-delete/user-find to see whether data is propagated. My > testing steps are like this: > > 1, run 'ipa user-add testuser' on IPA replica, check it on IPA master > with 'ipa user-find testuser' and it is found in a few seconds -- not > 5 minutes. > > 2, run 'db2ldif.pl on IPA replica to save a backup. > > 3, run 'ipa user-del testuser' on IPA replica, then 'ipa user-find' > on IPA replica, and it shows that the user is deleted. > > 4, double check 'ipa user-find test user' on IPA master, and it is > found deleted, which is as expected and it is propagated in just a few > seconds. > > 5, run 'ldif2db.pl' on the same IPA replica where the backup was created. 
> > 6, run 'ipa user-find testuser' on IPA replica and it is found that
> > the user testuser is alive again.
> >
> > 7, run 'ipa user-find testuser' on IPA master. 1/3 times we can find
> > it -- and in just a few seconds. other 2/3 times it could not be found
> > even after HALF HOUR.
> >
> > Please have a quick duplicate tests at your side and advice what
> > normal users should do, because a reliable backup/restore solution is
> > definitely one of the key criteria. Thanks a lot.
>

Ok, I see. The problem is that a regular db2ldif[.pl] does not save the replication meta-data. You must use the -r option to generate an ldif file with the replication meta-data. ldif2db[.pl] is destructive - it wipes out your database completely and replaces it, wiping out any replication meta-data in the process. If you ldif2db[.pl] a file exported with db2ldif[.pl] -r, it will replace the replication meta-data too.

See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line

> --David
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson
> *To:* David Copperfield
> *Cc:* "freeipa-users at redhat.com" ; Rob Crittenden ; Petr Spacek
> *Sent:* Thursday, May 10, 2012 3:19 PM
> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>
> On 05/10/2012 03:57 PM, David Copperfield wrote:
>> Hi Rob, Petr and all,
>>
>> Because recently crashes of my IPA master and IPA replicas servers,
>> I'm thinking of methods of backup/restore IPA user data: users,
>> groups, host and server certificates etc.
>>
>> It's said that the only official way is to create an extra IPA
>> replica and backup/snapshot that replica all the way.
But there still >> has a big chance that some mistakes propagate for a to whole IPA >> domain/realm before the IAP administrator find it and data got lost >> forever and some may not even be recovered. >> >> What I think is because both Dogtag and IPA store data in backend 389 >> directory servers separately, then if I freeze the change on one IPA >> replica for a few minutes first, then run db2ldap.pl >> for both 389 ldap backends, then un-freeze the >> IPA replica to get sync from master. >> >> When data needs to be restored because of disasters, the backup >> files(in LDIF format -- for easy to read) can be restored to the two >> 389 LDAP backends on IPA replica with command ldap2db.pl >> during the freezing period. > > It's ldif2db.pl db2ldif.pl not > ldap > >> >> Have anyone tried this solution yet? Is there any limitations? >> >> My experiences showed that the IPA replica did get data restored >> successfully (no dogtag is involved so only one LDAP backend is >> saved/restored). But the IPA master some times didn't get the data >> synced from IPA replica ( 1/3 times it is synced, 2/3 times needs >> manual command 'ipa-replica-manage force-sync --from >> ' ). > > How did you verify that the data was synced? Note that if a server > has been down for a while, it will take the supplier up to 5 minutes > to recognize that the consumer is up again, without force sync. > >> >> Please shed a light in this area, as backup/restore of IPA >> master/replica is even not mentioned on the IPA document at all. >> >> Thanks a lot. >> >> --David >> >> >> >> >> >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > -------------- next part -------------- An HTML attachment was scrubbed... 
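The advice in Rich's reply above (an export made without -r carries no replication metadata, and ldif2db[.pl] replaces whatever replication state the replica had) can be checked before a restore is attempted. What follows is an added example, not code from this thread, from 389 Directory Server or from FreeIPA: a Python script that parses an LDIF export, looks for the RUV tombstone entry that db2ldif[.pl] -r writes (the nsds50ruv values under nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,<suffix>), sanity-checks the CSNs, and compares the backup's RUV with the supplier's current RUV to show which replica's changes the supplier will replay once the file is restored, or that it will refuse to replicate at all because the replica generation differs. The hostnames, replica ids and CSN values in the samples are constructed for the example; the script reads only LDIF text, so it can be pointed at a file under /var/lib/dirsrv/slapd-*/ldif/ offline.

```python
"""Added example: check that a 389 DS LDIF export carries the replication
metadata that `db2ldif(.pl) -r` writes, and compare two RUVs to see what a
supplier replays after the file is restored with `ldif2db(.pl)`.  An RUV is
a tombstone entry with nsds50ruv values "{replicageneration} <csn>" and
"{replica <id> ldap://host:port} <min-csn> <max-csn>"; a CSN is 20 hex digits
(8 timestamp, 4 sequence, 4 replica id, 4 subsequence).  All sample data
below is constructed, not taken from a real deployment."""
import re

RUV_ATTR = "nsds50ruv"
CSN_RE = re.compile(r"^[0-9a-f]{20}$")
GENERATION_RE = re.compile(r"^\{replicageneration\} ([0-9a-f]{20})$")
REPLICA_RE = re.compile(r"^\{replica (\d+) (ldap://\S+)\} ([0-9a-f]{20}) ([0-9a-f]{20})$")

def parse_ldif(text):
    """One {attr: [values]} dict per entry, attrs lowercased, folded lines joined."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line[0] == "#" or line.startswith("version:"):
                continue
            attr, sep, value = line.partition(":")  # '::' base64 values stay encoded
            if sep:
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def parse_csn(csn):
    """Split a CSN into (timestamp, sequence, replica id, subsequence) ints."""
    if not CSN_RE.match(csn):
        raise ValueError("malformed CSN: %r" % csn)
    return tuple(int(csn[i:j], 16) for i, j in ((0, 8), (8, 12), (12, 16), (16, 20)))

def find_ruv(entries):
    """Decode the RUV tombstone, or return None when the export has none."""
    for entry in entries:
        if RUV_ATTR in entry:
            ruv = {"generation": None, "replicas": {}}
            for value in entry[RUV_ATTR]:
                gen, rep = GENERATION_RE.match(value), REPLICA_RE.match(value)
                if gen:
                    ruv["generation"] = gen.group(1)
                elif rep:
                    ruv["replicas"][int(rep.group(1))] = {
                        "url": rep.group(2), "min_csn": rep.group(3), "max_csn": rep.group(4)}
            return ruv
    return None

def check_export(text):
    """(ok, reason): ok only if restoring this file keeps the replica's replication state."""
    ruv = find_ruv(parse_ldif(text))
    if ruv is None:
        return False, "no %s values: export was made without -r" % RUV_ATTR
    if ruv["generation"] is None or not ruv["replicas"]:
        return False, "RUV lacks {replicageneration} or replica elements"
    for rid, info in ruv["replicas"].items():
        if parse_csn(info["max_csn"])[2] != rid:  # a replica's max CSN must be its own
            return False, "max CSN of replica %d was not issued by replica %d" % (rid, rid)
    newest = max(i["max_csn"] for i in ruv["replicas"].values())
    return True, "generation %s, %d replicas, newest CSN %s" % (
        ruv["generation"], len(ruv["replicas"]), newest)

def pending_updates(supplier_ruv, consumer_ruv):
    """{replica id: (consumer max CSN, supplier max CSN)} where the supplier is
    ahead, i.e. what it replays to a consumer restored from the export; None when
    the generations differ, in which case the consumer must be re-initialized."""
    if supplier_ruv["generation"] != consumer_ruv["generation"]:
        return None
    behind = {}
    for rid, sup in supplier_ruv["replicas"].items():
        con = consumer_ruv["replicas"].get(rid)
        con_max = con["max_csn"] if con else "0" * 20
        if con_max < sup["max_csn"]:  # equal-length lowercase hex sorts numerically
            behind[rid] = (con_max, sup["max_csn"])
    return behind

# Constructed sample: tail of a `db2ldif.pl -r` export taken on the replica (id 3); the master is id 4.
SAMPLE_WITH_RUV = """\
dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetOrgPerson
uid: testuser

dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4fac3ef6000000040000
nsds50ruv: {replica 4 ldap://ipamaster.example.com:389} 4fac3ef6000100040000 4f
 ac41cd000000040000
nsds50ruv: {replica 3 ldap://ipareplica01.example.com:389} 4fac40ab000000030000 4fac41cd000000030000
"""
# The same export without the RUV tombstone: what db2ldif.pl writes without -r.
SAMPLE_WITHOUT_RUV = SAMPLE_WITH_RUV.split("\ndn: nsuniqueid=ffffffff")[0] + "\n"
# Constructed current RUV of the master: replica 4 has changed since the backup was taken.
MASTER_RUV_NOW = {"generation": "4fac3ef6000000040000", "replicas": {
    4: {"url": "ldap://ipamaster.example.com:389", "max_csn": "4fac5d4b000000040000"},
    3: {"url": "ldap://ipareplica01.example.com:389", "max_csn": "4fac41cd000000030000"}}}
```

On a real system, read the LDIF file and pass its contents to check_export before running ldif2db.pl; the supplier's current RUV is not fetched by the script and has to be read separately (an ldapsearch for nsds50ruv under the suffix) and passed to pending_updates together with the RUV decoded from the backup. A non-empty result is the normal case David describes, where the master replays what changed after the backup; a None result means the restored replica will not replicate until it is re-initialized from the master.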
URL:

From cao2dan at yahoo.com Fri May 11 01:32:25 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Thu, 10 May 2012 18:32:25 -0700 (PDT)
Subject: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
In-Reply-To: <4FAC5D4B.50907@redhat.com>
References: <1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC3EF6.1040904@redhat.com> <1336689471.66003.YahooMailNeo@web125701.mail.ne1.yahoo.com> <4FAC5D4B.50907@redhat.com>
Message-ID: <1336699945.99548.YahooMailNeo@web125706.mail.ne1.yahoo.com>

Hi Rich and all,

The '-r' option to db2ldif.pl doesn't work either; it makes little difference.

My backup and restore commands on the IPA replica are:

db2ldif.pl -D 'cn=Directory Manager' -w - -r -s 'dc=example,dc=com'

ldif2db.pl -D 'cn=Directory Manager' -w - -i 

The only difference is: after the IPA master restarts (the restart happens after the IPA replica's restore operation), the changes -- which were applied on the IPA master before the backup -- are propagated to the IPA replica. Which, in fact, makes the restoration test end up with a result completely unusable on the IPA replica: a result that is different from the backup, and different from the IPA master.

Please let me know if there are any other options/steps to follow. Thanks.

--David

________________________________
From: Rich Megginson
To: David Copperfield
Cc: "freeipa-users at redhat.com" ; Rob Crittenden ; Petr Spacek
Sent: Thursday, May 10, 2012 5:28 PM
Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???

> On 05/10/2012 04:37 PM, David Copperfield wrote:
>> Hi Rich and all,
>>
>> Thanks for the correction. They are the db2ldif.pl and ldif2db.pl scripts, which are originally for 389 Directory Server's backup and restore purposes.
>>
>> There are no IPA tools for IPA system backup and restore. Is there a plan to develop tools like ipa2ldif.pl and ldif2ipa.pl soon? Or, at least, is it on the IPA roadmap?
>> For the second question: I use the simple way: ipa user-add/user-delete/user-find to see whether data is propagated. My testing steps are like this:
>>
>> 1, run 'ipa user-add testuser' on IPA replica, check it on IPA master with 'ipa user-find testuser' and it is found in a few seconds -- not 5 minutes.
>> 2, run 'db2ldif.pl' on IPA replica to save a backup.
>> 3, run 'ipa user-del testuser' on IPA replica, then 'ipa user-find' on IPA replica, and it shows that the user is deleted.
>> 4, double check 'ipa user-find testuser' on IPA master, and it is found deleted, which is as expected and it is propagated in just a few seconds.
>> 5, run 'ldif2db.pl' on the same IPA replica where the backup was created.
>> 6, run 'ipa user-find testuser' on IPA replica and it is found that the user testuser is alive again.
>> 7, run 'ipa user-find testuser' on IPA master. 1/3 times we can find it -- and in just a few seconds. other 2/3 times it could not be found even after HALF HOUR.
>>
>> Please have a quick duplicate tests at your side and advice what normal users should do, because a reliable backup/restore solution is definitely one of the key criteria. Thanks a lot.
>
> Ok, I see. The problem is that a regular db2ldif[.pl] does not save the replication meta-data. You must use the -r option to generate an ldif file with the replication meta-data. ldif2db[.pl] is destructive - it wipes out your database completely and replaces it, wiping out any replication meta-data in the process. If you ldif2db[.pl] a file exported with db2ldif[.pl] -r, it will replace the replication meta-data too.
>
> See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line
>
>> --David
>>
>> ________________________________
>> From: Rich Megginson
>> To: David Copperfield
>> Cc: "freeipa-users at redhat.com" ; Rob Crittenden ; Petr Spacek
>> Sent: Thursday, May 10, 2012 3:19 PM
>> Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>>
>> On 05/10/2012 03:57 PM, David Copperfield wrote:
>>> Hi Rob, Petr and all,
>>>
>>> Because recently crashes of my IPA master and IPA replicas servers, I'm thinking of methods of backup/restore IPA user data: users, groups, host and server certificates etc.
>>>
>>> It's said that the only official way is to create an extra IPA replica and backup/snapshot that replica all the way. But there still has a big chance that some mistakes propagate for a to whole IPA domain/realm before the IAP administrator find it and data got lost forever and some may not even be recovered.
>>>
>>> What I think is because both Dogtag and IPA store data in backend 389 directory servers separately, then if I freeze the change on one IPA replica for a few minutes first, then run db2ldap.pl for both 389 ldap backends, then un-freeze the IPA replica to get sync from master.
>>>
>>> When data needs to be restored because of disasters, the backup files(in LDIF format -- for easy to read) can be restored to the two 389 LDAP backends on IPA replica with command ldap2db.pl during the freezing period.
>>
>> It's ldif2db.pl db2ldif.pl not ldap
>>
>>> Have anyone tried this solution yet? Is there any limitations?
>>>
>>> My experiences showed that the IPA replica did get data restored successfully (no dogtag is involved so only one LDAP backend is saved/restored). But the IPA master some times didn't get the data synced from IPA replica ( 1/3 times it is synced, 2/3 times needs manual command 'ipa-replica-manage force-sync --from ' ).
>>
>> How did you verify that the data was synced?
Note that if a server has been down for a while, it will take the supplier up to 5 minutes to recognize that the consumer is up again, without force sync. > > > >> >>Please shed a light in this area, as backup/restore of IPA master/replica is even not mentioned on the IPA document at all.? >> >> >>Thanks a lot. >> >> >>--David >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >>_______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Fri May 11 01:37:07 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 10 May 2012 19:37:07 -0600 Subject: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ??? In-Reply-To: <1336699945.99548.YahooMailNeo@web125706.mail.ne1.yahoo.com> References: <1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC3EF6.1040904@redhat.com> <1336689471.66003.YahooMailNeo@web125701.mail.ne1.yahoo.com> <4FAC5D4B.50907@redhat.com> <1336699945.99548.YahooMailNeo@web125706.mail.ne1.yahoo.com> Message-ID: <4FAC6D43.9000105@redhat.com> On 05/10/2012 07:32 PM, David Copperfield wrote: > Hi Rich and all, > > the '-r' option to db2ldif.pl doesn't work neither, it make few > difference. > > My command, backup and restore commands on the IPA replica are: > > db2ldif.pl -D 'cn=Directory Manager' -w - -r -s 'dc=example,dc=com' > > ldif2db.pl -D 'cn=Directory Manager' -w - -i > > > The only difference is: after IPA master restart (restart happens > after IPA replica's restore operation), the changes -- which applied > on IPA master before backup -- are propagated to IPA replica. Which is > in fact, make the restoration test end up with a result completely > unusable on IPA replica, an result that is different from backup, and > different from IPA master. I don't quite understand what you mean. 
> > Please let me know if there are any other options/steps to follow. Thanks. Not sure what else to try. > > --David > > > > > ------------------------------------------------------------------------ > *From:* Rich Megginson > *To:* David Copperfield > *Cc:* "freeipa-users at redhat.com" ; Rob > Crittenden ; Petr Spacek > *Sent:* Thursday, May 10, 2012 5:28 PM > *Subject:* Re: [Freeipa-users] backup/restore IPA servers with > db2ldap.pl, ldap2db.pl ??? > > On 05/10/2012 04:37 PM, David Copperfield wrote: >> Hi Rich and all, >> >> Thanks for correction. They are db2ldif.pl and >> ldif2db.pl scripts, which are originally for 389 >> Directory Servers' backup and restore purposes. >> >> There are no IPA tools for IPA system backup and restore. Is there a >> plan to develop tools like ipa2ldif.pl and >> ldif2ipa.pl soon? or, at least, whether it is in >> IPA roadmap? >> >> For the second question: I use the simple way: ipa >> user-add/user-delete/user-find to see whether data is propagated. My >> testing steps are like this: >> >> 1, run 'ipa user-add testuser' on IPA replica, check it on IPA >> master with 'ipa user-find testuser' and it is found in a few seconds >> -- not 5 minutes. >> >> 2, run 'db2ldif.pl on IPA replica to save a backup. >> >> 3, run 'ipa user-del testuser' on IPA replica, then 'ipa user-find' >> on IPA replica, and it shows that the user is deleted. >> >> 4, double check 'ipa user-find test user' on IPA master, and it is >> found deleted, which is as expected and it is propagated in just a >> few seconds. >> >> 5, run 'ldif2db.pl' on the same IPA replica where the backup was >> created. >> >> 6, run 'ipa user-find testuser' on IPA replica and it is found that >> the user testuser is alive again. >> >> 7, run 'ipa user-find testuser' on IPA master. 1/3 times we can find >> it -- and in just a few seconds. other 2/3 times it could not be >> found even after HALF HOUR. 
>>
>> Please run a quick duplicate test at your side and advise what normal users should do, because a reliable backup/restore solution is definitely one of the key criteria. Thanks a lot.
>>
>
> Ok, I see. The problem is that a regular db2ldif[.pl] does not save the replication meta-data. You must use the -r option to generate an ldif file with the replication meta-data. ldif2db[.pl] is destructive - it wipes out your database completely and replaces it, wiping out any replication meta-data in the process. If you ldif2db[.pl] a file exported with db2ldif[.pl] -r, it will replace the replication meta-data too.
>
> See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line
>
>> --David
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson
>> *To:* David Copperfield
>> *Cc:* "freeipa-users at redhat.com"; Rob Crittenden; Petr Spacek
>> *Sent:* Thursday, May 10, 2012 3:19 PM
>> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>>
>> On 05/10/2012 03:57 PM, David Copperfield wrote:
>>> Hi Rob, Petr and all,
>>>
>>> Because of recent crashes of my IPA master and IPA replica servers, I'm thinking of methods to backup/restore IPA user data: users, groups, host and server certificates etc.
>>>
>>> It's said that the only official way is to create an extra IPA replica and backup/snapshot that replica all the way. But there is still a big chance that some mistakes propagate to the whole IPA domain/realm before the IPA administrator finds it and data gets lost forever, and some may not even be recoverable.
>>>
>>> What I think is: because both Dogtag and IPA store data in backend 389 directory servers separately, I could freeze the changes on one IPA replica for a few minutes first, then run db2ldap.pl for both 389 LDAP backends, then un-freeze the IPA replica to get synced from the master.
>>>
>>> When data needs to be restored because of disasters, the backup files (in LDIF format -- for easy reading) can be restored to the two 389 LDAP backends on the IPA replica with the command ldap2db.pl during the freezing period.
>>
>> It's ldif2db.pl db2ldif.pl, not ldap
>>
>>> Has anyone tried this solution yet? Are there any limitations?
>>>
>>> My experience showed that the IPA replica did get data restored successfully (no dogtag is involved so only one LDAP backend is saved/restored). But the IPA master sometimes didn't get the data synced from the IPA replica (1/3 of the time it is synced, 2/3 of the time it needs the manual command 'ipa-replica-manage force-sync --from ').
>>
>> How did you verify that the data was synced? Note that if a server has been down for a while, it will take the supplier up to 5 minutes to recognize that the consumer is up again, without force sync.
>>
>>> Please shed some light on this area, as backup/restore of IPA master/replica is not even mentioned in the IPA documentation at all.
>>>
>>> Thanks a lot.
>>>
>>> --David
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>

From cao2dan at yahoo.com Fri May 11 01:54:34 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Thu, 10 May 2012 18:54:34 -0700 (PDT)
Subject: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
In-Reply-To: <4FAC6D43.9000105@redhat.com>
References: <1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC3EF6.1040904@redhat.com> <1336689471.66003.YahooMailNeo@web125701.mail.ne1.yahoo.com> <4FAC5D4B.50907@redhat.com> <1336699945.99548.YahooMailNeo@web125706.mail.ne1.yahoo.com> <4FAC6D43.9000105@redhat.com>
Message-ID: <1336701274.12311.YahooMailNeo@web125702.mail.ne1.yahoo.com>

OK, that means the steps below:

1) on the IPA replica, let's create 4 IPA users: A, B, C and D. Now make a backup with 'db2ldif.pl -r ...'

2) on the IPA replica, delete the user D: 'ipa user-del D'.

3) on the IPA master, delete the user C: 'ipa user-del C'.

4) now check on the IPA master and the IPA replica; both show only two users, 'A' and 'B'. This is expected.

5) now on the IPA replica, restore the backup with 'ldif2db.pl'

6) check on the IPA replica immediately; 'ipa user-find' shows 4 users 'A, B, C, D' at the beginning.

7) check the IPA master; 'ipa user-find' still shows only two users 'A, B'.

8) wait 3 minutes or so, check on the IPA replica, and find that there are only THREE users 'A, B, D'. The user 'C' is deleted now -- the change propagated from the IPA master.

9) check on the IPA master again and again; there are still only two users 'A, B'.

10) check on the IPA replica again and again; there are still three users 'A, B, D'. --- This status is different from the IPA master's 'A, B', or the backup's 'A, B, C, D'.

If the backup was created without the '-r' option, then step 8 above will always show 'A, B, C, D', the same as the backup. With the '-r' option the final result ends up in between.

Hope I have explained it clearly. Please advise on something like ipa2ldif.pl and ldif2ipa.pl tools. They are really the key useful feature for serious production IPA deployment, which is definitely of much higher priority than dogtag.

Thanks a lot.
--David

________________________________
From: Rich Megginson
To: David Copperfield
Cc: E Deon Lackey; Petr Spacek; Rob Crittenden; "freeipa-users at redhat.com"
Sent: Thursday, May 10, 2012 6:37 PM
Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???

On 05/10/2012 07:32 PM, David Copperfield wrote:
> Hi Rich and all,
>
> The '-r' option to db2ldif.pl doesn't work either; it makes little difference.
>
> My backup and restore commands on the IPA replica are:
>
> db2ldif.pl -D 'cn=Directory Manager' -w - -r -s 'dc=example,dc=com'
>
> ldif2db.pl -D 'cn=Directory Manager' -w - -i
>
> The only difference is: after the IPA master restart (the restart happens after the IPA replica's restore operation), the changes -- which were applied on the IPA master before the backup -- are propagated to the IPA replica. This in fact makes the restoration test end up with a result that is completely unusable on the IPA replica, a result that is different from the backup and different from the IPA master.

I don't quite understand what you mean.

> Please let me know if there are any other options/steps to follow. Thanks.

Not sure what else to try.

> --David
>
> ________________________________
> From: Rich Megginson
> To: David Copperfield
> Cc: "freeipa-users at redhat.com"; Rob Crittenden; Petr Spacek
> Sent: Thursday, May 10, 2012 5:28 PM
> Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>
> On 05/10/2012 04:37 PM, David Copperfield wrote:
>> Hi Rich and all,
>>
>> Thanks for the correction. They are the db2ldif.pl and ldif2db.pl scripts, which are originally for 389 Directory Server's backup and restore purposes.
>>
>> There are no IPA tools for IPA system backup and restore. Is there a plan to develop tools like ipa2ldif.pl and ldif2ipa.pl soon? Or, at least, is it in the IPA roadmap?
>>
>> For the second question: I use the simple way: ipa user-add/user-delete/user-find to see whether data is propagated.
>> My testing steps are like this:
>>
>> 1, run 'ipa user-add testuser' on the IPA replica, check it on the IPA master with 'ipa user-find testuser' and it is found in a few seconds -- not 5 minutes.
>>
>> 2, run 'db2ldif.pl' on the IPA replica to save a backup.
>>
>> 3, run 'ipa user-del testuser' on the IPA replica, then 'ipa user-find' on the IPA replica, and it shows that the user is deleted.
>>
>> 4, double check 'ipa user-find testuser' on the IPA master, and it is found deleted, which is as expected and it is propagated in just a few seconds.
>>
>> 5, run 'ldif2db.pl' on the same IPA replica where the backup was created.
>>
>> 6, run 'ipa user-find testuser' on the IPA replica and it is found that the user testuser is alive again.
>>
>> 7, run 'ipa user-find testuser' on the IPA master. 1/3 of the time we can find it -- and in just a few seconds. The other 2/3 of the time it could not be found even after HALF AN HOUR.
>>
>> Please run a quick duplicate test at your side and advise what normal users should do, because a reliable backup/restore solution is definitely one of the key criteria. Thanks a lot.
>>
> Ok, I see. The problem is that a regular db2ldif[.pl] does not save the replication meta-data. You must use the -r option to generate an ldif file with the replication meta-data. ldif2db[.pl] is destructive - it wipes out your database completely and replaces it, wiping out any replication meta-data in the process. If you ldif2db[.pl] a file exported with db2ldif[.pl] -r, it will replace the replication meta-data too.
>
> See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line
>
>> --David
>>
>>
>> ________________________________
>> From: Rich Megginson
>> To: David Copperfield
>> Cc: "freeipa-users at redhat.com"; Rob Crittenden; Petr Spacek
>> Sent: Thursday, May 10, 2012 3:19 PM
>> Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>>
>> On 05/10/2012 03:57 PM, David Copperfield wrote:
>>> Hi Rob, Petr and all,
>>>
>>> Because of recent crashes of my IPA master and IPA replica servers, I'm thinking of methods to backup/restore IPA user data: users, groups, host and server certificates etc.
>>>
>>> It's said that the only official way is to create an extra IPA replica and backup/snapshot that replica all the way. But there is still a big chance that some mistakes propagate to the whole IPA domain/realm before the IPA administrator finds it and data gets lost forever, and some may not even be recoverable.
>>>
>>> What I think is: because both Dogtag and IPA store data in backend 389 directory servers separately, I could freeze the changes on one IPA replica for a few minutes first, then run db2ldap.pl for both 389 LDAP backends, then un-freeze the IPA replica to get synced from the master.
>>>
>>> When data needs to be restored because of disasters, the backup files (in LDIF format -- for easy reading) can be restored to the two 389 LDAP backends on the IPA replica with the command ldap2db.pl during the freezing period.
>>
>> It's ldif2db.pl db2ldif.pl, not ldap
>>
>>> Has anyone tried this solution yet? Are there any limitations?
>>>
>>> My experience showed that the IPA replica did get data restored successfully (no dogtag is involved so only one LDAP backend is saved/restored). But the IPA master sometimes didn't get the data synced from the IPA replica (1/3 of the time it is synced, 2/3 of the time it needs the manual command 'ipa-replica-manage force-sync --from ').
>>
>> How did you verify that the data was synced?
>> Note that if a server has been down for a while, it will take the supplier up to 5 minutes to recognize that the consumer is up again, without force sync.
>>
>>> Please shed some light on this area, as backup/restore of IPA master/replica is not even mentioned in the IPA documentation at all.
>>>
>>> Thanks a lot.
>>>
>>> --David
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>

From freeipa at noboost.org Fri May 11 02:49:22 2012
From: freeipa at noboost.org (freeipa at noboost.org)
Date: Fri, 11 May 2012 06:49:22 +0400
Subject: [Freeipa-users] Acrobat Reader errors on Centos 5.8 (getpwuid_r(): failed due to unknown user id)
Message-ID: <20120511024922.GE8180@noboost.org>

Hi,

Acrobat reader & Firefox won't load on Centos 5.8 (odd)

Server:
Red Hat Enterprise Linux Server release 6.2 (Santiago)
- ipa-admintools-2.1.3-9.el6.x86_64
- ipa-client-2.1.3-9.el6.x86_64
- ipa-pki-ca-theme-9.0.3-7.el6.noarch
- ipa-pki-common-theme-9.0.3-7.el6.noarch
- ipa-python-2.1.3-9.el6.x86_64
- ipa-server-2.1.3-9.el6.x86_64
- ipa-server-selinux-2.1.3-9.el6.x86_64

Client:
- ipa-client-2.1.3-1.el5

Since installing the ipa-client and configuring with central auth, one of our Centos 5.8 clients won't start up firefox or acrobat reader.

Acrobat Error:
* With IPA configured
[craig at mypc ~]$ id
uid=366(craig) gid=132(corp) groups=132(corp),721000000(admins),721000001(ipausers)

[craig at mypc ~]$ acroread
(acroread:12739): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (366)

Firefox Error:
Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash.
See http://www.gnome.org/projects/gconf/ for information. (Details - 1: IOR file '/tmp/gconfd-somebody/lock/ior' not opened successfully, no gconfd located: Permission denied 2: IOR file '/tmp/gconfd-somebody/lock/ior' not opened successfully, no gconfd located: Permission denied)

Troubleshooting:
1) If I then simply add my user into the /etc/passwd file the program works perfectly.

2) firefox
I managed to whip up a workaround for this one by creating a symlink:
$ mkdir /tmp/gconfd-somebody/lock
$ cd /tmp/gconfd-somebody
$ ln -s /tmp/gconfd-craig/lock/ior

cya
Craig

From rmeggins at redhat.com Fri May 11 02:54:57 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 May 2012 20:54:57 -0600
Subject: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
In-Reply-To: <1336701274.12311.YahooMailNeo@web125702.mail.ne1.yahoo.com>
References: <1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC3EF6.1040904@redhat.com> <1336689471.66003.YahooMailNeo@web125701.mail.ne1.yahoo.com> <4FAC5D4B.50907@redhat.com> <1336699945.99548.YahooMailNeo@web125706.mail.ne1.yahoo.com> <4FAC6D43.9000105@redhat.com> <1336701274.12311.YahooMailNeo@web125702.mail.ne1.yahoo.com>
Message-ID: <4FAC7F81.709@redhat.com>

On 05/10/2012 07:54 PM, David Copperfield wrote:
> OK,
>
> that means the steps below:
>
> 1) on the IPA replica, let's create 4 IPA users: A, B, C and D. Now make a backup with 'db2ldif.pl -r ...'
>
> 2) on the IPA replica, delete the user D: 'ipa user-del D'.
>
> 3) on the IPA master, delete the user C: 'ipa user-del C'.
>
> 4) now check on the IPA master and the IPA replica; both show only two users, 'A' and 'B'. This is expected.
>
> 5) now on the IPA replica, restore the backup with 'ldif2db.pl'
>
> 6) check on the IPA replica immediately; 'ipa user-find' shows 4 users 'A, B, C, D' at the beginning.
>
> 7) check the IPA master; 'ipa user-find' still shows only two users 'A, B'.
>
> 8) wait 3 minutes or so, check on the IPA replica, and find that there are only THREE users 'A, B, D'. The user 'C' is deleted now -- the change propagated from the IPA master.
>
> 9) check on the IPA master again and again; there are still only two users 'A, B'.
>
> 10) check on the IPA replica again and again; there are still three users 'A, B, D'. --- This status is different from the IPA master's 'A, B', or the backup's 'A, B, C, D'.
>
> If the backup was created without the '-r' option, then step 8 above will always show 'A, B, C, D', the same as the backup. With the '-r' option the final result ends up in between.
>
> Hope I have explained it clearly. Please advise on something like ipa2ldif.pl and ldif2ipa.pl tools. They are really the key useful feature for serious production IPA deployment, which is definitely of much higher priority than dogtag.

Sounds like a bug. What should happen is that the deletion of C and D should be propagated to the replica.

> Thanks a lot.
>
> --David
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson
> *To:* David Copperfield
> *Cc:* E Deon Lackey; Petr Spacek; Rob Crittenden; "freeipa-users at redhat.com"
> *Sent:* Thursday, May 10, 2012 6:37 PM
> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>
> On 05/10/2012 07:32 PM, David Copperfield wrote:
>> Hi Rich and all,
>>
>> The '-r' option to db2ldif.pl doesn't work either; it makes little difference.
>>
>> My backup and restore commands on the IPA replica are:
>>
>> db2ldif.pl -D 'cn=Directory Manager' -w - -r -s 'dc=example,dc=com'
>>
>> ldif2db.pl -D 'cn=Directory Manager' -w - -i
>>
>> The only difference is: after the IPA master restart (the restart happens after the IPA replica's restore operation), the changes -- which were applied on the IPA master before the backup -- are propagated to the IPA replica.
>> This in fact makes the restoration test end up with a result that is completely unusable on the IPA replica, a result that is different from the backup and different from the IPA master.
>
> I don't quite understand what you mean.
>
>> Please let me know if there are any other options/steps to follow. Thanks.
>
> Not sure what else to try.
>
>> --David
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson
>> *To:* David Copperfield
>> *Cc:* "freeipa-users at redhat.com"; Rob Crittenden; Petr Spacek
>> *Sent:* Thursday, May 10, 2012 5:28 PM
>> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>>
>> On 05/10/2012 04:37 PM, David Copperfield wrote:
>>> Hi Rich and all,
>>>
>>> Thanks for the correction. They are the db2ldif.pl and ldif2db.pl scripts, which are originally for 389 Directory Server's backup and restore purposes.
>>>
>>> There are no IPA tools for IPA system backup and restore. Is there a plan to develop tools like ipa2ldif.pl and ldif2ipa.pl soon? Or, at least, is it in the IPA roadmap?
>>>
>>> For the second question: I use the simple way: ipa user-add/user-delete/user-find to see whether data is propagated. My testing steps are like this:
>>>
>>> 1, run 'ipa user-add testuser' on the IPA replica, check it on the IPA master with 'ipa user-find testuser' and it is found in a few seconds -- not 5 minutes.
>>>
>>> 2, run 'db2ldif.pl' on the IPA replica to save a backup.
>>>
>>> 3, run 'ipa user-del testuser' on the IPA replica, then 'ipa user-find' on the IPA replica, and it shows that the user is deleted.
>>>
>>> 4, double check 'ipa user-find testuser' on the IPA master, and it is found deleted, which is as expected and it is propagated in just a few seconds.
>>>
>>> 5, run 'ldif2db.pl' on the same IPA replica where the backup was created.
>>>
>>> 6, run 'ipa user-find testuser' on the IPA replica and it is found that the user testuser is alive again.
>>>
>>> 7, run 'ipa user-find testuser' on the IPA master. 1/3 of the time we can find it -- and in just a few seconds. The other 2/3 of the time it could not be found even after HALF AN HOUR.
>>>
>>> Please run a quick duplicate test at your side and advise what normal users should do, because a reliable backup/restore solution is definitely one of the key criteria. Thanks a lot.
>>>
>>
>> Ok, I see. The problem is that a regular db2ldif[.pl] does not save the replication meta-data. You must use the -r option to generate an ldif file with the replication meta-data. ldif2db[.pl] is destructive - it wipes out your database completely and replaces it, wiping out any replication meta-data in the process. If you ldif2db[.pl] a file exported with db2ldif[.pl] -r, it will replace the replication meta-data too.
>>
>> See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line
>>
>>> --David
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rich Megginson
>>> *To:* David Copperfield
>>> *Cc:* "freeipa-users at redhat.com"; Rob Crittenden; Petr Spacek
>>> *Sent:* Thursday, May 10, 2012 3:19 PM
>>> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>>>
>>> On 05/10/2012 03:57 PM, David Copperfield wrote:
>>>> Hi Rob, Petr and all,
>>>>
>>>> Because of recent crashes of my IPA master and IPA replica servers, I'm thinking of methods to backup/restore IPA user data: users, groups, host and server certificates etc.
>>>>
>>>> It's said that the only official way is to create an extra IPA replica and backup/snapshot that replica all the way.
>>>> But there is still a big chance that some mistakes propagate to the whole IPA domain/realm before the IPA administrator finds it and data gets lost forever, and some may not even be recoverable.
>>>>
>>>> What I think is: because both Dogtag and IPA store data in backend 389 directory servers separately, I could freeze the changes on one IPA replica for a few minutes first, then run db2ldap.pl for both 389 LDAP backends, then un-freeze the IPA replica to get synced from the master.
>>>>
>>>> When data needs to be restored because of disasters, the backup files (in LDIF format -- for easy reading) can be restored to the two 389 LDAP backends on the IPA replica with the command ldap2db.pl during the freezing period.
>>>
>>> It's ldif2db.pl db2ldif.pl, not ldap
>>>
>>>> Has anyone tried this solution yet? Are there any limitations?
>>>>
>>>> My experience showed that the IPA replica did get data restored successfully (no dogtag is involved so only one LDAP backend is saved/restored). But the IPA master sometimes didn't get the data synced from the IPA replica (1/3 of the time it is synced, 2/3 of the time it needs the manual command 'ipa-replica-manage force-sync --from ').
>>>
>>> How did you verify that the data was synced? Note that if a server has been down for a while, it will take the supplier up to 5 minutes to recognize that the consumer is up again, without force sync.
>>>
>>>> Please shed some light on this area, as backup/restore of IPA master/replica is not even mentioned in the IPA documentation at all.
>>>>
>>>> Thanks a lot.
>>>>
>>>> --David
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>
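Added example, not code from the thread and not part of 389 Directory Server or IPA: a pre-restore check that parses an LDIF export and reports whether it carries the replication meta-data that, as Rich's reply explains, a plain db2ldif[.pl] run leaves out. Since ldif2db[.pl] replaces the whole backend, the time to notice a backup without that me
ta-data is before the restore, not after. The sample LDIF text is constructed; the layout it assumes for a `db2ldif -r` export (a tombstone entry `nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,<suffix>` carrying one `nsds50ruv` value per replica id, plus `;vucsn-`-style CSN options on attribute values) is stated here as an assumption rather than taken from the page, and the function names are mine.

```python
import base64
from typing import Dict, List

# RDN of the RUV (replica update vector) tombstone that db2ldif -r writes under
# the suffix, and the attribute options that carry per-value CSNs. Both are
# assumptions about the -r export layout, not taken from the thread.
RUV_RDN = "nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff"
CSN_TAGS = ("vucsn-", "vdcsn-", "adcsn-", "mdcsn-")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into {attr: [values]} dicts (attribute names lower-cased):
    unfolds continuation lines, decodes '::' base64, skips comments, and keeps
    attribute options such as objectClass;vucsn-... under the key "_options"."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = {}
    for line in unfolded + [""]:                  # sentinel flushes the last entry
        if not line.strip():
            if "dn" in entry:
                entries.append(entry)
            entry = {}
            continue
        if line.startswith(("#", "version:")):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue                              # not an attribute line
        if rest.startswith(":"):                  # attr:: <base64 value>
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        base, *options = name.strip().lower().split(";")
        entry.setdefault(base, []).append(value)
        if options:
            entry.setdefault("_options", []).extend(options)
    return entries


def check_replication_metadata(text: str, suffix: str) -> Dict[str, object]:
    """Report whether an LDIF export carries the meta-data a replica init needs."""
    ruv_dn = f"{RUV_RDN},{suffix}".lower()
    entries = parse_ldif(text)
    ruv_present, replica_ids = False, []
    csn_tagged = without_uniqueid = 0
    for entry in entries:
        if entry["dn"][0].lower() == ruv_dn:
            ruv_present = True
            # nsds50ruv: {replica <id> ldap://host:port} <min csn> <max csn>
            for value in entry.get("nsds50ruv", []):
                if value.startswith("{replica "):
                    replica_ids.append(value.split()[1])
            continue
        if any(o.startswith(CSN_TAGS) for o in entry.get("_options", [])):
            csn_tagged += 1
        if "nsuniqueid" not in entry:
            without_uniqueid += 1
    return {
        "entries": len(entries),
        "ruv_present": ruv_present,
        "replica_ids": replica_ids,
        "csn_tagged_entries": csn_tagged,
        "entries_without_nsuniqueid": without_uniqueid,
        "ok_for_replica_init": ruv_present,       # the RUV is the decisive part
    }


# Constructed sample shaped like a `db2ldif.pl -r` export (not a real capture).
SAMPLE_WITH_RUV = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4fac6d43000000040000
nsds50ruv: {replica 4 ldap://ipamaster.example.com:389} 4fac6d4300000004000
 0 4fac7f81000000040000
nsds50ruv: {replica 5 ldap://ipareplica.example.com:389} 4fac6d5a000000050000 4fac7f9a000000050000
nsUniqueId: ffffffff-ffffffff-ffffffff-ffffffff

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass;vucsn-4fac6d43000000040000: top
objectClass: person
uid: alice
cn:: QWxpY2UgRXhhbXBsZQ==
sn;vucsn-4fac6d43000100040000: Example
nsUniqueId: 7c5fb902-1dd211b2-8064b8a1-c0a84a01
"""

# Constructed sample of a plain export: no RUV entry, no CSN options.
SAMPLE_WITHOUT_RUV = "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com\nobjectClass: top\nuid: bob\n"
```

To use it on a real export, read the file and call check_replication_metadata(text, "dc=example,dc=com") with your own suffix; ruv_present False means the file has no RUV entry, so a replica initialised from it would lack the update vector the supplier compares against to decide what to send, and it should be re-exported with -r before any ldif2db[.pl] run. The other counters are sanity signals only: CSN-tagged values appear with -r, and entries without nsUniqueId are assigned fresh ids on import.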
From simo at redhat.com Fri May 11 03:12:58 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 10 May 2012 23:12:58 -0400
Subject: [Freeipa-users] Acrobat Reader errors on Centos 5.8 (getpwuid_r(): failed due to unknown user id)
In-Reply-To: <20120511024922.GE8180@noboost.org>
References: <20120511024922.GE8180@noboost.org>
Message-ID: <1336705978.5722.295.camel@willson.li.ssimo.org>

On Fri, 2012-05-11 at 06:49 +0400, freeipa at noboost.org wrote:
> Hi,
>
> Acrobat reader & Firefox won't load on Centos 5.8 (odd)
>
> Server:
> Red Hat Enterprise Linux Server release 6.2 (Santiago)
> - ipa-admintools-2.1.3-9.el6.x86_64
> - ipa-client-2.1.3-9.el6.x86_64
> - ipa-pki-ca-theme-9.0.3-7.el6.noarch
> - ipa-pki-common-theme-9.0.3-7.el6.noarch
> - ipa-python-2.1.3-9.el6.x86_64
> - ipa-server-2.1.3-9.el6.x86_64
> - ipa-server-selinux-2.1.3-9.el6.x86_64
>
> Client:
> - ipa-client-2.1.3-1.el5
>
> Since installing the ipa-client and configuring with central auth, one of our Centos 5.8 clients won't start up firefox or acrobat reader.
>
> Acrobat Error:
> * With IPA configured
> [craig at mypc ~]$ id
> uid=366(craig) gid=132(corp) groups=132(corp),721000000(admins),721000001(ipausers)
>
> [craig at mypc ~]$ acroread
> (acroread:12739): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (366)
>
> Firefox Error:
> Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://www.gnome.org/projects/gconf/ for information. (Details - 1: IOR file '/tmp/gconfd-somebody/lock/ior' not opened successfully, no gconfd located: Permission denied 2: IOR file '/tmp/gconfd-somebody/lock/ior' not opened successfully, no gconfd located: Permission denied)
>
> Troubleshooting:
> 1) If I then simply add my user into the /etc/passwd file the program works perfectly.
>
> 2) firefox
> I managed to whip up a workaround for this one by creating a symlink:
> $ mkdir /tmp/gconfd-somebody/lock
> $ cd /tmp/gconfd-somebody
> $ ln -s /tmp/gconfd-craig/lock/ior

I am going to assume you are using 32-bit versions of Adobe Acrobat and Firefox. In this case you need to also install the 32-bit version of the sssd-client package.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From freeipa at noboost.org Fri May 11 03:45:40 2012
From: freeipa at noboost.org (freeipa at noboost.org)
Date: Fri, 11 May 2012 07:45:40 +0400
Subject: [Freeipa-users] Acrobat Reader errors on Centos 5.8 (getpwuid_r(): failed due to unknown user id)
In-Reply-To: <1336705978.5722.295.camel@willson.li.ssimo.org>
References: <20120511024922.GE8180@noboost.org> <1336705978.5722.295.camel@willson.li.ssimo.org>
Message-ID: <20120511034540.GF8180@noboost.org>

On Thu, May 10, 2012 at 11:12:58PM -0400, Simo Sorce wrote:
> On Fri, 2012-05-11 at 06:49 +0400, freeipa at noboost.org wrote:
> > Hi,
> >
> > Acrobat reader & Firefox won't load on Centos 5.8 (odd)
> >
> > Server:
> > Red Hat Enterprise Linux Server release 6.2 (Santiago)
> > - ipa-admintools-2.1.3-9.el6.x86_64
> > - ipa-client-2.1.3-9.el6.x86_64
> > - ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > - ipa-pki-common-theme-9.0.3-7.el6.noarch
> > - ipa-python-2.1.3-9.el6.x86_64
> > - ipa-server-2.1.3-9.el6.x86_64
> > - ipa-server-selinux-2.1.3-9.el6.x86_64
> >
> > Client:
> > - ipa-client-2.1.3-1.el5
> >
> > Since installing the ipa-client and configuring with central auth, one of our Centos 5.8 clients won't start up firefox or acrobat reader.
> >
> > Acrobat Error:
> > * With IPA configured
> > [craig at mypc ~]$ id
> > uid=366(craig) gid=132(corp) groups=132(corp),721000000(admins),721000001(ipausers)
> >
> > [craig at mypc ~]$ acroread
> > (acroread:12739): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (366)
> >
> > Firefox Error:
> > Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://www.gnome.org/projects/gconf/ for information. (Details - 1: IOR file '/tmp/gconfd-somebody/lock/ior' not opened successfully, no gconfd located: Permission denied 2: IOR file '/tmp/gconfd-somebody/lock/ior' not opened successfully, no gconfd located: Permission denied)
> >
> > Troubleshooting:
> > 1) If I then simply add my user into the /etc/passwd file the program works perfectly.
> >
> > 2) firefox
> > I managed to whip up a workaround for this one by creating a symlink:
> > $ mkdir /tmp/gconfd-somebody/lock
> > $ cd /tmp/gconfd-somebody
> > $ ln -s /tmp/gconfd-craig/lock/ior
>
> I am going to assume you are using 32-bit versions of Adobe Acrobat and Firefox. In this case you need to also install the 32-bit version of the sssd-client package.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

Brilliant! Fixed the issue instantly.

cya
Craig

From milvaques_pas at gva.es Fri May 11 11:16:53 2012
From: milvaques_pas at gva.es (pasqual milvaques)
Date: Fri, 11 May 2012 13:16:53 +0200
Subject: [Freeipa-users] fail joining an ubuntu 12.04 to a freeipa server with ipa-client-install
Message-ID: <4FACF525.4070303@gva.es>

I'm trying to join an ubuntu 12.04 machine to a freeipa domain installed in a centos 6.2 machine and it seems there is some problem with the tls negotiation. ubuntu 12.04 uses gnutls instead of openssl so the problem could be there but I don't know how to solve it.
With the ldapsearch command I can also reproduce the failure.

I have opened this ubuntu bug as freeipa now has a native client package: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990

Any idea?

This is the log of the operation:

pasqual at ubuntuprovesfreeipa:~$ sudo ipa-client-install -d --enable-dns-updates
[sudo] password for pasqual:
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
root : DEBUG missing options might be asked for interactively later
root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG [ipadnssearchldap(linux.gva.es)]
root : DEBUG [ipadnssearchldap(gva.es)]
root : DEBUG [ipadnssearchldap(es)]
root : DEBUG [ipadnssearchldap(linux.gva.es)]
root : DEBUG [ipadnssearchldap(gva.es)]
root : DEBUG [ipadnssearchldap(es)]
root : DEBUG Domain not found
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): linux.gva.es
root : DEBUG will use domain: linux.gva.es
root : DEBUG [ipadnssearchldap]
root : DEBUG IPA Server not found
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex: ipa.example.com): freeipaserver.linux.gva.es
root : DEBUG will use server: freeipaserver.linux.gva.es
root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]
root : DEBUG args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2 http://freeipaserver.linux.gva.es/ipa/config/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=--2012-05-11 12:06:09--
http://freeipaserver.linux.gva.es/ipa/config/ca.crt
Resolent freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)... 192.168.222.99
S'està connectant a freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)|192.168.222.99|:80... conectat.
HTTP: Petició enviada, esperant resposta... 200 OK
Longitud: 1325 (1.3K) [application/x-x509-ca-cert]
S'està desant a: «/tmp/tmpWptXwb/ca.crt»

0K . 100% 38.4M=0s

2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat «/tmp/tmpWptXwb/ca.crt» [1325/1325]

root : DEBUG Init ldap with: ldap://freeipaserver.linux.gva.es:389
root : ERROR LDAP Error: Connect error: A TLS packet with unexpected length was received.
Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
pasqual at ubuntuprovesfreeipa:~$

From sgallagh at redhat.com Fri May 11 14:31:40 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 11 May 2012 10:31:40 -0400
Subject: [Freeipa-users] fail joining an ubuntu 12.04 to a freeipa server with ipa-client-install
In-Reply-To: <4FACF525.4070303@gva.es>
References: <4FACF525.4070303@gva.es>
Message-ID: <1336746700.3038.12.camel@sgallagh520.sgallagh.bos.redhat.com>

On Fri, 2012-05-11 at 13:16 +0200, pasqual milvaques wrote:
> root : DEBUG Init ldap with: ldap://freeipaserver.linux.gva.es:389
> root : ERROR LDAP Error: Connect error: A TLS packet with unexpected length was received.
> Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to network or firewall settings.

This error about the unexpected length can occur if your /etc/hosts file lists the short version of the hostname before the long version, e.g.

192.168.0.1 freeipaserver freeipaserver.linux.gva.es

You want it to be:

192.168.0.1 freeipaserver.linux.gva.es freeipaserver

From milvaques_pas at gva.es Fri May 11 14:40:44 2012
From: milvaques_pas at gva.es (pasqual milvaques)
Date: Fri, 11 May 2012 16:40:44 +0200
Subject: [Freeipa-users] fail joining an ubuntu 12.04 to a freeipa server with ipa-client-install
In-Reply-To: <4FACF525.4070303@gva.es>
References: <4FACF525.4070303@gva.es>
Message-ID: <4FAD24EC.6090501@gva.es>

I have downloaded and compiled some versions of gnutls and this is the result:

gnutls-2.8.5: works
gnutls-2.12.19: fail
gnutls-3.0.19: fail

this must affect distributions in which ldaps connections are based on gnutls (I only know debian and ubuntu). the problem can be tested with this command:

gnutls-cli -d 4 -p 636 freeipaserver.linux.gva.es

if you have a problematic gnutls version the command would end with these lines:

...
|<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes]
|<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151
|<4>| REC[0x9bb40d0]: Sent Packet[1] Handshake(22) with length: 156
|<2>| ASSERT: gnutls_buffers.c:640
|<2>| ASSERT: gnutls_record.c:969
|<2>| ASSERT: gnutls_handshake.c:2762
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
|<4>| REC[0x9bb40d0]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0x9bb40d0]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.
|<4>| REC[0x9bb40d0]: Epoch #0 freed
|<4>| REC[0x9bb40d0]: Epoch #1 freed
pasqual at ubuntuprovesfreeipa:~/gnutls-2.12.19$

any idea on how to make this work?

On 11/05/12 13:16, pasqual milvaques wrote:
> I'm trying to join an ubuntu 12.04 machine to a freeipa domain installed on a centos 6.2 machine and it seems there is some problem with the tls negotiation. ubuntu 12.04 uses gnutls instead of openssl so the problem could be there but I don't know how to solve it. with the ldapsearch command I can also reproduce the fail
>
> I have opened this ubuntu bug as freeipa now has a native client package: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990
>
> any idea?
>
> this is the log of the operation:
>
> pasqual at ubuntuprovesfreeipa:~$ sudo ipa-client-install -d --enable-dns-updates
> [sudo] password for pasqual:
> root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
> root : DEBUG missing options might be asked for interactively later
>
> root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root : DEBUG [ipadnssearchldap(linux.gva.es)]
> root : DEBUG [ipadnssearchldap(gva.es)]
> root : DEBUG [ipadnssearchldap(es)]
> root : DEBUG [ipadnssearchldap(linux.gva.es)]
> root : DEBUG [ipadnssearchldap(gva.es)]
> root : DEBUG [ipadnssearchldap(es)]
> root : DEBUG Domain not found
> DNS discovery failed to determine your DNS domain
> Provide the domain name of your IPA server (ex: example.com): linux.gva.es
> root : DEBUG will use domain: linux.gva.es
>
> root : DEBUG [ipadnssearchldap]
> root : DEBUG IPA Server not found
> DNS discovery failed to find the IPA Server
> Provide your IPA server name (ex: ipa.example.com): freeipaserver.linux.gva.es
> root : DEBUG will use server: freeipaserver.linux.gva.es
>
> root : DEBUG [ipadnssearchkrb]
> root : DEBUG [ipacheckldap]
> root : DEBUG args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2 http://freeipaserver.linux.gva.es/ipa/config/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=--2012-05-11 12:06:09--  http://freeipaserver.linux.gva.es/ipa/config/ca.crt
> Resolent freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)... 192.168.222.99
> S'està connectant a freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)|192.168.222.99|:80... conectat.
> HTTP: Petició enviada, esperant resposta... 200 OK
> Longitud: 1325 (1.3K) [application/x-x509-ca-cert]
> S'està desant a: «/tmp/tmpWptXwb/ca.crt»
>
> 0K . 100% 38.4M=0s
>
> 2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat «/tmp/tmpWptXwb/ca.crt» [1325/1325]
>
> root : DEBUG Init ldap with: ldap://freeipaserver.linux.gva.es:389
> root : ERROR LDAP Error: Connect error: A TLS packet with unexpected length was received.
> Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> pasqual at ubuntuprovesfreeipa:~$
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
From milvaques_pas at gva.es Fri May 11 14:42:45 2012
From: milvaques_pas at gva.es (pasqual milvaques)
Date: Fri, 11 May 2012 16:42:45 +0200
Subject: [Freeipa-users] fail joining an ubuntu 12.04 to a freeipa server with ipa-client-install
In-Reply-To: <1336746700.3038.12.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <4FACF525.4070303@gva.es> <1336746700.3038.12.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <4FAD2565.9010205@gva.es>

it's in the second form, I think the issue is a bug of gnutls

thanks

On Fri 11 May 2012 16:31:40 CEST, Stephen Gallagher wrote:
> On Fri, 2012-05-11 at 13:16 +0200, pasqual milvaques wrote:
>
>> root : DEBUG Init ldap with: ldap://freeipaserver.linux.gva.es:389
>> root : ERROR LDAP Error: Connect error: A TLS packet with unexpected length was received.
>> Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
>> This may mean that the remote server is not up or is not reachable due to network or firewall settings.
>
> This error about the unexpected length can occur if your /etc/hosts file lists the short version of the hostname before the long version, e.g.
>
> 192.168.0.1 freeipaserver freeipaserver.linux.gva.es
>
> You want it to be:
>
> 192.168.0.1 freeipaserver.linux.gva.es freeipaserver
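Stephen's /etc/hosts check above (the canonical name after the address must be the FQDN, with the short name as an alias) as a small script added to this archive; it is not from the thread and not part of FreeIPA. The hosts file content is constructed for the example, and the script reports each misordered entry together with the corrected line.

```python
"""Flag /etc/hosts entries where a short hostname precedes the FQDN.

Added example, not part of the FreeIPA project or of the mailing-list
thread. The first name after an address is the canonical hostname the
resolver returns for that address; when it is a short name while an
FQDN follows, the client sees the server under a name without its
domain, which is the ordering Stephen Gallagher warns about.
"""

import ipaddress

# Constructed sample hosts file: the IPA server line has the short
# name first (wrong order), the client line is in the recommended order.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# IPA server, wrong order: canonical name must be the FQDN
192.168.0.1 freeipaserver freeipaserver.linux.gva.es
192.168.0.2 client01.linux.gva.es client01
::1         ip6-localhost ip6-loopback
"""


def parse_hosts(text):
    """Yield (ip, [names]) for every entry; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])  # accepts IPv4 and IPv6
        except ValueError:
            continue  # not an address we understand; ignore the line
        yield fields[0], fields[1:]


def find_misordered(text):
    """Return [(ip, names, fixed_line)] for entries whose canonical name is
    a short name while an FQDN is listed among the aliases.

    The fixed line moves the FQDN(s) to the front and keeps the remaining
    names, in their original order, as aliases.
    """
    findings = []
    for ip, names in parse_hosts(text):
        if len(names) < 2:
            continue  # a single name cannot be misordered
        canonical = names[0]
        fqdns = [n for n in names[1:] if "." in n]
        if "." not in canonical and fqdns:
            aliases = [n for n in names if n not in fqdns]
            fixed = " ".join([ip] + fqdns + aliases)
            findings.append((ip, names, fixed))
    return findings


if __name__ == "__main__":
    for ip, names, fixed in find_misordered(SAMPLE_HOSTS):
        print(f"{ip}: canonical name {names[0]!r} is not an FQDN; suggested line:")
        print(f"  {fixed}")
```

To check a real client, pass the file content instead of the sample: find_misordered(open("/etc/hosts").read()).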
From chandank.kumar at gmail.com Fri May 11 18:18:28 2012
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Fri, 11 May 2012 11:18:28 -0700
Subject: [Freeipa-users] FreeIPA and others

Hi All,

I was considering different centralized authentication/authorization services such as FreeIPA, 389 and OpenLDAP to deploy into our network in order to have a good centralized user authentication/authorization mechanism. I was wondering what are the key things that FreeIPA provides as compared to other directory services in terms of extra features, ease of deployment and use etc.

Thanks
Chandan

From jdennis at redhat.com Fri May 11 19:23:01 2012
From: jdennis at redhat.com (John Dennis)
Date: Fri, 11 May 2012 15:23:01 -0400
Subject: [Freeipa-users] FreeIPA and others
Message-ID: <4FAD6715.4000509@redhat.com>

On 05/11/2012 02:18 PM, Chandan Kumar wrote:
> Hi All,
>
> I was considering different centralized authentication/authorization services such as FreeIPA, 389 and OpenLDAP to deploy into our network in order to have a good centralized user authentication/authorization mechanism. I was wondering what are the key things that FreeIPA provides as compared to other directory services in terms of extra features, ease of deployment and use etc.

FreeIPA is an integrated solution that includes DNS, kerberos SSO, host management, HBAC, role based authorization, integration with SSSD, sophisticated group management, sudo support, certificate management, can replace NIS and netgroups, supports replication for redundant servers, etc. It supports both a scriptable command line utility set as well as a web based GUI. The next version will include support for cross realm trusts allowing for powerful integration with Active Directory.
FreeIPA is built on top of 389 DS, MIT Kerberos KDC and the Dogtag certificate management system. OpenLDAP is, well, just an LDAP server (some assembly required).

The whole idea of FreeIPA is to take the basic primitive services supplied by an LDAP server but make it vastly more powerful by layering a lot of sophisticated functionality on top of it which is fully integrated and easy to use.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayik at freebsd.or.id Fri May 11 19:35:11 2012
From: ayik at freebsd.or.id (Sayid Munawar)
Date: Sat, 12 May 2012 02:35:11 +0700
Subject: [Freeipa-users] freeipa 2.2.0 on Fedora 17 install failure

Hi,

I've set up a VM which is Fedora 17 BETA, then installed freeipa 2.2.0 by enabling the fedora-update-testing repo first.

but "ipa-server-install --no-ntp --setup-dns" failed with last progress line: "Applying LDAP updates"

last debug lines:

ipa : DEBUG cn: Write IPA Configuration
ipa : DEBUG description: Write IPA Configuration

<<---- it hangs here, no more response whatsoever

Any clue what is causing this? Has anyone successfully installed freeipa 2.2.0 on F17 BETA?

Thank you
Sayid Munawar

From rcritten at redhat.com Fri May 11 19:39:29 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 May 2012 15:39:29 -0400
Subject: [Freeipa-users] freeipa 2.2.0 on Fedora 17 install failure
Message-ID: <4FAD6AF1.2010303@redhat.com>

Sayid Munawar wrote:
> Hi,
>
> I've set up a VM which is Fedora 17 BETA, then installed freeipa 2.2.0 by enabling the fedora-update-testing repo first.
>
> but "ipa-server-install --no-ntp --setup-dns" failed with last progress line: "Applying LDAP updates"
>
> last debug lines:
>
> ipa : DEBUG cn: Write IPA Configuration
> ipa : DEBUG description: Write IPA Configuration
>
> <<---- it hangs here, no more response whatsoever
>
> Any clue what is causing this? Has anyone successfully installed freeipa 2.2.0 on F17 BETA?
>
> Thank you
>
> Sayid Munawar

There is a problem with the current build of 389-ds-base in F-17. Try doing a yum downgrade 389-ds-base until you get 1.2.10.4.

rob

From chandank.kumar at gmail.com Fri May 11 19:51:03 2012
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Fri, 11 May 2012 12:51:03 -0700
Subject: [Freeipa-users] FreeIPA and others
In-Reply-To: <4FAD6715.4000509@redhat.com>
References: <4FAD6715.4000509@redhat.com>

Thanks John for the reply.

Ok. So basically it integrates various subsystems required to have a full fledged AAA system and gives the end user a single controlling interface to control various components. So will its webgui enable control of 389, Krb and Radius configurations too? Because if I see each of these components individually, each needs to be set up separately with a lot of pain.

Thanks
Chandan

On Fri, May 11, 2012 at 12:23 PM, John Dennis wrote:
> On 05/11/2012 02:18 PM, Chandan Kumar wrote:
>
>> Hi All,
>>
>> I was considering different centralized authentication/authorization services such as FreeIPA, 389 and OpenLDAP to deploy into our network in order to have a good centralized user authentication/authorization mechanism. I was wondering what are the key things that FreeIPA provides as compared to other directory services in terms of extra features, ease of deployment and use etc.
>
> FreeIPA is an integrated solution that includes DNS, kerberos SSO, host management, HBAC, role based authorization, integration with SSSD, sophisticated group management, sudo support, certificate management, can replace NIS and netgroups, supports replication for redundant servers, etc. It supports both a scriptable command line utility set as well as a web based GUI. The next version will include support for cross realm trusts allowing for powerful integration with Active Directory.
>
> FreeIPA is built on top of 389 DS, MIT Kerberos KDC and the Dogtag certificate management system. OpenLDAP is, well, just an LDAP server (some assembly required).
>
> The whole idea of FreeIPA is to take the basic primitive services supplied by an LDAP server but make it vastly more powerful by layering a lot of sophisticated functionality on top of it which is fully integrated and easy to use.
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

From jdennis at redhat.com Fri May 11 20:16:01 2012
From: jdennis at redhat.com (John Dennis)
Date: Fri, 11 May 2012 16:16:01 -0400
Subject: [Freeipa-users] FreeIPA and others
References: <4FAD6715.4000509@redhat.com>
Message-ID: <4FAD7381.7080508@redhat.com>

On 05/11/2012 03:51 PM, Chandan Kumar wrote:
> Thanks John for the reply.
>
> Ok. So basically it integrates various subsystems required to have a full fledged AAA system and gives the end user a single controlling interface to control various components.

Excellent summary.

> So will its webgui enable control of 389, Krb and Radius configurations too?

The web gui controls 389 and KRB configuration and the data those services operate on.

We currently do not support radius, however it's on the roadmap. A fundamental problem with radius is many of the authentication protocols used in radius require access to a cleartext password or hash. So far we've been assiduous in not storing and exposing this material for security reasons. There are possible solutions but we've decided there are more important features to address first.

> Because if I see each of these components individually, each needs to be set up separately with a lot of pain.

Absolutely, the pain threshold of setting those components up and getting them to play together is high.
One of the primary design goals of FreeIPA is to eliminate those pain points so you can focus on administrating your user base.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From chandank.kumar at gmail.com Fri May 11 20:20:57 2012
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Fri, 11 May 2012 13:20:57 -0700
Subject: [Freeipa-users] FreeIPA and others
In-Reply-To: <4FAD7381.7080508@redhat.com>
References: <4FAD6715.4000509@redhat.com> <4FAD7381.7080508@redhat.com>

Thanks for the info. Now I will start working on setting up FreeIPA, hopefully it heals rather than aggravating the pains :-)

Thanks
Chandan

On Fri, May 11, 2012 at 1:16 PM, John Dennis wrote:
> On 05/11/2012 03:51 PM, Chandan Kumar wrote:
>
>> Thanks John for the reply.
>>
>> Ok. So basically it integrates various subsystems required to have a full fledged AAA system and gives the end user a single controlling interface to control various components.
>
> Excellent summary.
>
>> So will its webgui enable control of 389, Krb and Radius configurations too?
>
> The web gui controls 389 and KRB configuration and the data those services operate on.
>
> We currently do not support radius, however it's on the roadmap. A fundamental problem with radius is many of the authentication protocols used in radius require access to a cleartext password or hash. So far we've been assiduous in not storing and exposing this material for security reasons. There are possible solutions but we've decided there are more important features to address first.
>
>> Because if I see each of these components individually, each needs to be set up separately with a lot of pain.
>
> Absolutely, the pain threshold of setting those components up and getting them to play together is high. One of the primary design goals of FreeIPA is to eliminate those pain points so you can focus on administrating your user base.
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri May 11 21:29:53 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 11 May 2012 17:29:53 -0400
Subject: [Freeipa-users] dead in the water IPA server
In-Reply-To: <4FA8391F.1080706@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC8F561@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA796C4.2060202@redhat.com>, <21054.213.225.75.97.1336383945.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CC8FA64@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA8391F.1080706@redhat.com>
Message-ID: <4FAD84D1.6060103@redhat.com>

On 05/07/2012 05:05 PM, Rich Megginson wrote:
> On 05/07/2012 02:55 PM, Steven Jones wrote:
>> Hi,
>>
>> Yes I have a memory leak see attached graphs....
>>
>> Yes looks like the killer killed slapd.......don't know what caused this yet........if it's the "killer" looks like it's decided to kill slapd or slapd was going to kill the system anyway so it may have done the right thing.
>>
>> Looks like I have 3 days between reboots if I don't IPA loses the plot big time....very bad news..........I will I think slow IPA deployment here at this time........this can't be deployed for us as it is, I can't even test as if something doesn't work I don't know if it's my configuring error or an inconsistent IPA.
>>
>> :/
>>
>> Thanks for this info I will pursue this through RH support for a perm fix, adding more memory doesn't strike me as the solution, 4gb of ram for 3~4 users and about 6 client machines seems a lot.....
>
> Right. See https://fedorahosted.org/389/ticket/51 and especially all of the comments to https://bugzilla.redhat.com/show_bug.cgi?id=697701
>
> You will need to closely monitor your entry cache usage.
>

As far as I see the ticket is fixed upstream and is in testing for 6.3. Is this the correct understanding?
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Sigbjorn Lie [sigbjorn at nixtra.com]
>> Sent: Monday, 7 May 2012 9:45 p.m.
>> To: Steven Jones
>> Cc: Jan Cholasta; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] dead in the water IPA server
>>
>> This sounds very much the same as the issue I've been having. Did you check to see if it was the directory server that consumed all of your memory too?
>>
>> https://www.redhat.com/archives/freeipa-users/2012-April/msg00139.html
>>
>> Regards,
>> Siggi
>>
>> On Mon, May 7, 2012 11:32, Jan Cholasta wrote:
>>> Hi,
>>>
>>> It seems that your system ate all the available memory and the kernel decided to kill a directory server instance to free some. The kernel agent responsible for this is called the out-of-memory killer, you can read more about it and how to configure it not to kill important processes here: http://lwn.net/Articles/317814/
>>>
>>> On 7.5.2012 02:22, Steven Jones wrote:
>>>
>>>> Interesting memory message.....as attached....
>>>>
>>>> I take it it isn't good? can't login that is for sure so whatever is behind the web gui is dead if nothing else...
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>> --
>>> Jan Cholasta
>>>
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri May 11 21:53:35 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 11 May 2012 17:53:35 -0400
Subject: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
In-Reply-To: <4FAC7F81.709@redhat.com>
References: <1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC3EF6.1040904@redhat.com> <1336689471.66003.YahooMailNeo@web125701.mail.ne1.yahoo.com> <4FAC5D4B.50907@redhat.com> <1336699945.99548.YahooMailNeo@web125706.mail.ne1.yahoo.com> <4FAC6D43.9000105@redhat.com> <1336701274.12311.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC7F81.709@redhat.com>
Message-ID: <4FAD8A5F.7050406@redhat.com>

On 05/10/2012 10:54 PM, Rich Megginson wrote:
> On 05/10/2012 07:54 PM, David Copperfield wrote:
>> OK,
>>
>> that means the steps below:
>>
>> 1) on IPA replica, let's create 4 IPA users: A, B, C and D. Now make a backup with 'db2ldif.pl -r ...'
>>
>> 2) on IPA replica, delete the user D. 'ipa user-del D'.
>>
>> 3, on IPA master, delete the user C. 'ipa user-del C'.
>>
>> 4, now check on the other IPA master and IPA replica, both show only two users 'A' and 'B'. this is expected.
>>
>> 5, now on IPA replica, restore the backup with 'ldif2db.pl'
>>
>> 6, check on IPA replica immediately, 'ipa user-find' shows 4 users 'A, B, C, D' at the beginning.
>>
>> 7, check IPA Master, 'ipa user-find' still shows only two users 'A, B'.
>>
>> 8, wait 3 minutes or so, check on IPA replica, and find that there are only THREE users 'A, B, D'. The user 'C' is deleted now -- change propagated from IPA Master.
>>
>> 9, check on IPA Master again and again, there are still only two users 'A, B'.
>>
>> 10, check on IPA Replica again and again, there are still three users 'A, B, D'. --- this status is different from IPA Master's 'A, B', or the backup's 'A, B, C, D'.
>>
>> If the backup was created without the '-r' option, then step 8 above will always show 'A, B, C, D', the same as the backup. With the '-r' option the final result ends up in between.
>>
>> Hope I have explained it clearly. Please advise something like ipa2ldif.pl and ldif2ipa.pl tools. These are really the key useful features for serious production IPA deployment, which is definitely of much higher priority than dogtag.
>
> Sounds like a bug. What should happen is that the deletion of C and D should be propagated to replica.

Was a bug or a ticket filed?

>
>> Thanks a lot.
>>
>> --David
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson
>> *To:* David Copperfield
>> *Cc:* E Deon Lackey ; Petr Spacek ; Rob Crittenden ; "freeipa-users at redhat.com"
>> *Sent:* Thursday, May 10, 2012 6:37 PM
>> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>>
>> On 05/10/2012 07:32 PM, David Copperfield wrote:
>>> Hi Rich and all,
>>>
>>> the '-r' option to db2ldif.pl doesn't work either, it makes little difference.
>>>
>>> My command, backup and restore commands on the IPA replica are:
>>>
>>> db2ldif.pl -D 'cn=Directory Manager' -w - -r -s 'dc=example,dc=com'
>>>
>>> ldif2db.pl -D 'cn=Directory Manager' -w - -i
>>>
>>> The only difference is: after IPA master restart (restart happens after IPA replica's restore operation), the changes -- which were applied on IPA master before backup -- are propagated to IPA replica. Which in fact makes the restoration test end up with a result completely unusable on IPA replica, a result that is different from the backup, and different from IPA master.
>>
>> I don't quite understand what you mean.
>>
>>> Please let me know if there are any other options/steps to follow. Thanks.
>>
>> Not sure what else to try.
>>
>>> --David
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rich Megginson
>>> *To:* David Copperfield
>>> *Cc:* "freeipa-users at redhat.com" ; Rob Crittenden ; Petr Spacek
>>> *Sent:* Thursday, May 10, 2012 5:28 PM
>>> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>>>
>>> On 05/10/2012 04:37 PM, David Copperfield wrote:
>>>> Hi Rich and all,
>>>>
>>>> Thanks for the correction. They are the db2ldif.pl and ldif2db.pl scripts, which are originally for 389 Directory Server's backup and restore purposes.
>>>>
>>>> There are no IPA tools for IPA system backup and restore. Is there a plan to develop tools like ipa2ldif.pl and ldif2ipa.pl soon? or, at least, is it in the IPA roadmap?
>>>>
>>>> For the second question: I use the simple way: ipa user-add/user-delete/user-find to see whether data is propagated.
>>>> My testing steps are like this:
>>>>
>>>> 1, run 'ipa user-add testuser' on IPA replica, check it on IPA master with 'ipa user-find testuser' and it is found in a few seconds -- not 5 minutes.
>>>>
>>>> 2, run 'db2ldif.pl' on IPA replica to save a backup.
>>>>
>>>> 3, run 'ipa user-del testuser' on IPA replica, then 'ipa user-find' on IPA replica, and it shows that the user is deleted.
>>>>
>>>> 4, double check 'ipa user-find testuser' on IPA master, and it is found deleted, which is as expected and it is propagated in just a few seconds.
>>>>
>>>> 5, run 'ldif2db.pl' on the same IPA replica where the backup was created.
>>>>
>>>> 6, run 'ipa user-find testuser' on IPA replica and it is found that the user testuser is alive again.
>>>>
>>>> 7, run 'ipa user-find testuser' on IPA master. 1/3 of the time we can find it -- and in just a few seconds. The other 2/3 of the time it could not be found even after HALF AN HOUR.
>>>>
>>>> Please have a quick duplicate test at your side and advise what normal users should do, because a reliable backup/restore solution is definitely one of the key criteria. Thanks a lot.
>>>
>>> Ok, I see. The problem is that a regular db2ldif[.pl] does not save the replication meta-data. You must use the -r option to generate an ldif file with the replication meta-data. ldif2db[.pl] is destructive - it wipes out your database completely and replaces it, wiping out any replication meta-data in the process. If you ldif2db[.pl] a file exported with db2ldif[.pl] -r, it will replace the replication meta-data too.
>>>
>>> See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line
>>>
>>>> --David
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Rich Megginson
>>>> *To:* David Copperfield
>>>> *Cc:* "freeipa-users at redhat.com" ; Rob Crittenden ; Petr Spacek
>>>> *Sent:* Thursday, May 10, 2012 3:19 PM
>>>> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>>>>
>>>> On 05/10/2012 03:57 PM, David Copperfield wrote:
>>>>> Hi Rob, Petr and all,
>>>>>
>>>>> Because of recent crashes of my IPA master and IPA replica servers, I'm thinking of methods to backup/restore IPA user data: users, groups, host and server certificates etc.
>>>>>
>>>>> It's said that the only official way is to create an extra IPA replica and backup/snapshot that replica all the way. But there is still a big chance that some mistakes propagate to the whole IPA domain/realm before the IPA administrator finds them, and data gets lost forever and some may not even be recoverable.
>>>>>
>>>>> What I think is because both Dogtag and IPA store data in backend 389 directory servers separately, then if I freeze the changes on one IPA replica for a few minutes first, then run db2ldap.pl for both 389 ldap backends, then un-freeze the IPA replica to get sync from master.
>>>>>
>>>>> When data needs to be restored because of disasters, the backup files (in LDIF format -- easy to read) can be restored to the two 389 LDAP backends on IPA replica with the command ldap2db.pl during the freezing period.
>>>>
>>>> It's ldif2db.pl db2ldif.pl not ldap
>>>>
>>>>> Has anyone tried this solution yet? Are there any limitations?
>>>>>
>>>>> My experiences showed that the IPA replica did get data restored successfully (no dogtag is involved so only one LDAP backend is saved/restored). But the IPA master sometimes didn't get the data synced from IPA replica (1/3 of the time it is synced, 2/3 of the time it needs the manual command 'ipa-replica-manage force-sync --from ').
>>>>
>>>> How did you verify that the data was synced? Note that if a server has been down for a while, it will take the supplier up to 5 minutes to recognize that the consumer is up again, without force sync.
>>>>
>>>>> Please shed a light in this area, as backup/restore of IPA master/replica is not even mentioned in the IPA documentation at all.
>>>>>
>>>>> Thanks a lot.
>>>>>
>>>>> --David
>>>>>
>>>>
>>>
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From cao2dan at yahoo.com Fri May 11 21:55:48 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Fri, 11 May 2012 14:55:48 -0700 (PDT)
Subject: [Freeipa-users] the RUV problem is fixed for freeIPA 2.1.3?
Message-ID: <1336773348.12003.YahooMailNeo@web125704.mail.ne1.yahoo.com>

Hi all,

There is a 389 Directory Server wiki page about cleaning RUV records, http://directory.fedoraproject.org/wiki/Howto:CLEANRUV. The wiki says that it needs manual effort to clean the RUV records when decommissioning an IPA master.

I run the ldap check
# ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com \
    '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'

And it does show the old/decommissioned IPA Masters. But there are no error or warning messages inside /var/log/dirsvr/slapd-example.com or under /var/log/sursvr/slapd-PKI-ISA/.

Does this mean that FreeIPA 2.1.3 has already fixed the problem, and there is no need to clean the RUVs?

Thanks.

--David

From cao2dan at yahoo.com Fri May 11 22:05:59 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Fri, 11 May 2012 15:05:59 -0700 (PDT)
Subject: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
In-Reply-To: <4FAD8A5F.7050406@redhat.com>
References: <1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC3EF6.1040904@redhat.com> <1336689471.66003.YahooMailNeo@web125701.mail.ne1.yahoo.com> <4FAC5D4B.50907@redhat.com> <1336699945.99548.YahooMailNeo@web125706.mail.ne1.yahoo.com> <4FAC6D43.9000105@redhat.com> <1336701274.12311.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC7F81.709@redhat.com> <4FAD8A5F.7050406@redhat.com>
Message-ID: <1336773959.17164.YahooMailNeo@web125704.mail.ne1.yahoo.com>

Please feel free to do it. Thanks.

--David

________________________________
From: Dmitri Pal
To: Rich Megginson
Cc: David Copperfield ; Rob Crittenden ; E Deon Lackey ; "freeipa-users at redhat.com"
Sent: Friday, May 11, 2012 2:53 PM
Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???

> On 05/10/2012 10:54 PM, Rich Megginson wrote:
>> On 05/10/2012 07:54 PM, David Copperfield wrote:
>>> OK,
>>>
>>> that means the steps below:
>>>
>>> 1) on IPA replica, let's create 4 IPA users: A, B, C and D. Now make a backup with 'db2ldif.pl -r ...'
>>>
>>> 2) on IPA replica, delete the user D. 'ipa user-del D'.
>>>
>>> 3, on IPA master, delete the user C. 'ipa user-del C'.
>>
>> 4, now check on other IPA master and IPA replica, both show only two users 'A' and 'B'. This is expected.
>>
>> 5, now on IPA replica, restore the backup with 'ldif2db.pl'
>>
>> 6, check on IPA replica immediately, 'ipa user-find' shows 4 users 'A, B, C, D' at the beginning.
>>
>> 7, check IPA Master, 'ipa user-find' still shows only two users 'A, B'.
>>
>> 8, wait 3 minutes or so, check on IPA replica, and find that there are only THREE users 'A, B, D'. The user 'C' is deleted now -- change propagated from IPA Master.
>>
>> 9, check on IPA Master again and again, there are still only two users 'A, B'.
>>
>> 10, check on IPA Replica again and again, there are still three users 'A, B, D'. --- this status is different from IPA Master's 'A, B', or backup's 'A, B, C, D'.
>>
>> If backup was created without '-r' option, then the step 8 above will always show 'A, B, C, D', the same as backup. With '-r' option the final result ends up in between.
>>
>> Hope I have explained it clearly. Please advise something like ipa2ldif.pl and ldif2ipa.pl tools. They are really the key useful feature for serious production IPA deployment, which is definitely of much higher priority than dogtag.
>
> Sounds like a bug. What should happen is that the deletion of C and D should be propagated to replica.

Was a bug or a ticket filed?

>>
>> Thanks a lot.
>>
>> --David
>>
>> ________________________________
>> From: Rich Megginson
>> To: David Copperfield
>> Cc: E Deon Lackey ; Petr Spacek ; Rob Crittenden ; "freeipa-users at redhat.com"
>> Sent: Thursday, May 10, 2012 6:37 PM
>> Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>>
>> On 05/10/2012 07:32 PM, David Copperfield wrote:
>>> Hi Rich and all,
>>>
>>> the '-r' option to db2ldif.pl doesn't work either, it makes little difference.
>>>
>>> My backup and restore commands on the IPA replica are:
>>>
>>> db2ldif.pl -D 'cn=Directory Manager' -w - -r -s 'dc=example,dc=com'
>>>
>>> ldif2db.pl -D 'cn=Directory Manager' -w - -i
>>>
>>> The only difference is: after IPA master restart (restart happens after IPA replica's restore operation), the changes -- which were applied on IPA master before backup -- are propagated to IPA replica. Which in fact makes the restoration test end up with a result completely unusable on IPA replica, a result that is different from backup, and different from IPA master.
>>
>> I don't quite understand what you mean.
>>
>>> Please let me know if there are any other options/steps to follow. Thanks.
>>
>> Not sure what else to try.
>>
>>> --David
>>>
>>> ________________________________
>>> From: Rich Megginson
>>> To: David Copperfield
>>> Cc: "freeipa-users at redhat.com" ; Rob Crittenden ; Petr Spacek
>>> Sent: Thursday, May 10, 2012 5:28 PM
>>> Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>>>
>>> On 05/10/2012 04:37 PM, David Copperfield wrote:
>>>> Hi Rich and all,
>>>>
>>>> Thanks for the correction. They are db2ldif.pl and ldif2db.pl scripts, which are originally for 389 Directory Servers' backup and restore purposes.
>>>>
>>>> There are no IPA tools for IPA system backup and restore. Is there a plan to develop tools like ipa2ldif.pl and ldif2ipa.pl soon? or, at least, is it in the IPA roadmap?
>>>>
>>>> For the second question: I use the simple way: ipa user-add/user-delete/user-find to see whether data is propagated. My testing steps are like this:
>>>>
>>>> 1, run 'ipa user-add testuser' on IPA replica, check it on IPA master with 'ipa user-find testuser' and it is found in a few seconds -- not 5 minutes.
>>>>
>>>> 2, run 'db2ldif.pl' on IPA replica to save a backup.
>>>>
>>>> 3, run 'ipa user-del testuser' on IPA replica, then 'ipa user-find' on IPA replica, and it shows that the user is deleted.
>>>>
>>>> 4, double check 'ipa user-find testuser' on IPA master, and it is found deleted, which is as expected and it is propagated in just a few seconds.
>>>>
>>>> 5, run 'ldif2db.pl' on the same IPA replica where the backup was created.
>>>>
>>>> 6, run 'ipa user-find testuser' on IPA replica and it is found that the user testuser is alive again.
>>>>
>>>> 7, run 'ipa user-find testuser' on IPA master. 1/3 times we can find it -- and in just a few seconds. The other 2/3 times it could not be found even after HALF AN HOUR.
>>>>
>>>> Please have a quick duplicate test at your side and advise what normal users should do, because a reliable backup/restore solution is definitely one of the key criteria. Thanks a lot.
>>>
>>> Ok, I see. The problem is that a regular db2ldif[.pl] does not save the replication meta-data. You must use the -r option to generate an ldif file with the replication meta-data. ldif2db[.pl] is destructive - it wipes out your database completely and replaces it, wiping out any replication meta-data in the process. If you ldif2db[.pl] a file exported with db2ldif[.pl] -r, it will replace the replication meta-data too.
>>>
>>> See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line
>>>
>>> --David
>>>>
>>>> ________________________________
>>>> From: Rich Megginson
>>>> To: David Copperfield
>>>> Cc: "freeipa-users at redhat.com" ; Rob Crittenden ; Petr Spacek
>>>> Sent: Thursday, May 10, 2012 3:19 PM
>>>> Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>>>>
>>>> On 05/10/2012 03:57 PM, David Copperfield wrote:
>>>>> Hi Rob, Petr and all,
>>>>>
>>>>> Because of recent crashes of my IPA master and IPA replica servers, I'm thinking of methods of backup/restore IPA user data: users, groups, host and server certificates etc.
>>>>>
>>>>> It's said that the only official way is to create an extra IPA replica and backup/snapshot that replica all the way. But there is still a big chance that some mistakes propagate to the whole IPA domain/realm before the IPA administrator finds it, and data gets lost forever and some may not even be recovered.
>>>>>
>>>>> What I think is: because both Dogtag and IPA store data in backend 389 directory servers separately, then if I freeze the changes on one IPA replica for a few minutes first, then run db2ldap.pl for both 389 ldap backends, then un-freeze the IPA replica to get sync from master.
>>>>>
>>>>> When data needs to be restored because of disasters, the backup files (in LDIF format -- easy to read) can be restored to the two 389 LDAP backends on IPA replica with command ldap2db.pl during the freezing period.
>>>>
>>>> It's ldif2db.pl db2ldif.pl not ldap
>>>>
>>>>> Has anyone tried this solution yet? Are there any limitations?
>>>>>
>>>>> My experiences showed that the IPA replica did get data restored successfully (no dogtag is involved so only one LDAP backend is saved/restored). But the IPA master sometimes didn't get the data synced from IPA replica ( 1/3 times it is synced, 2/3 times needs manual command 'ipa-replica-manage force-sync --from ' ).
>>>>
>>>> How did you verify that the data was synced? Note that if a server has been down for a while, it will take the supplier up to 5 minutes to recognize that the consumer is up again, without force sync.
>>>>
>>>>> Please shed a light in this area, as backup/restore of IPA master/replica is even not mentioned on the IPA document at all.
>>>>>
>>>>> Thanks a lot.
>>>>>
>>>>> --David

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


From dpal at redhat.com Sun May 13 17:46:56 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 13 May 2012 13:46:56 -0400
Subject: [Freeipa-users] DogTag PKI uses ?
In-Reply-To: <4FAC2AA6.8080004@redhat.com>
References: <20120510203601.GA12024@dibs.tanso.net> <4FAC2AA6.8080004@redhat.com>
Message-ID: <4FAFF390.7060705@redhat.com>

On 05/10/2012 04:52 PM, Rob Crittenden wrote:
> Jan-Frode Myklebust wrote:
>> We're finally implementing IPA in our company (migrating from Sun
>> Identity Manager populated LDAP + manually maintained netgroups and
>> sudoers also in LDAP). I think I understand how to migrate these parts
>> to IPA, but the dogtag part is quite foreign currently..
>>
>> We already have two private PKI infrastructures implemented. One for
>> managing user certificates for about 250 openvpn users, and another for
>> managing certificates for a few internal web services. Should we look
>> into re-using one of these CAs in IPA?

How are the openVPN user certificates used? Do you create a PKI pair and put it on user laptops? If this is the case the PKI pair can very well be related to the machine (laptop) identity rather than user identity. Then IPA can manage such certs and certmonger can track and renew them. This assumes that laptops run Fedora, RHEL or a version of Ubuntu or CentOS that supports certmonger, sssd and ipa client.

> You could install IPA as a subordinate CA of one of them.
> IPA requires its own CA.
>
>> I think it would be marvelous if IPA/dogtag could create certs/keys for
>> the users, and keep a copy of the users' csr's so that it could
>> automatically send the user an updated certificate with an expiry
>> matching the password lifetime. Is this something that's possible
>> currently, or on the roadmap maybe?
>
> Right now the CA is used only to issue server certificates. We have
> user certs on the roadmap but that won't be ready for quite some time
> (year or more, realistically).
>
> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


From dpal at redhat.com Sun May 13 18:21:25 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 13 May 2012 14:21:25 -0400
Subject: [Freeipa-users] Please help: Re: How to rebuild IPA master?
In-Reply-To: <1336686153.2247.110.camel@aleeredhat.laptop>
References: <4FAAE451.9000400@redhat.com> , <1336604694.44854.YahooMailNeo@web125703.mail.ne1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E404CC910E4@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FAB8E38.9020608@redhat.com> <1336681867.14016.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC2A22.5030307@redhat.com> <1336686153.2247.110.camel@aleeredhat.laptop>
Message-ID: <4FAFFBA5.1050608@redhat.com>

On 05/10/2012 05:42 PM, Ade Lee wrote:
> David,
>
> The simplest solution may be as Rob suggests - which is to create a new
> CA as a subordinate of the old.
>
> The other solution would be doable but would require a few more manual
> steps. That is, you could:
> 1. install a new ca
> 2. switch out the certs in that ca with the ones in your gpg file. The
> certificate database is in /var/lib/pki-ca/alias
> 3.
> There may be some manual changes required in /etc/pki-ca/CS.cfg, but
> as the nicknames should be the same, you might be ok.
> 4. If you go this route, you probably want to change the lower point of
> the serial number ranges used for certs/requests in CS.cfg to not reuse
> serial numbers for certs you have already issued.
> 4. Switch out the ipa agent cert/keys in the IPA cert database.
>
> You will run into problems later though because you have lost the data
> in the dogtag database.
>
> In particular, because the renewal process uses the original requests
> (which are stored in the dogtag database), you will likely be unable to
> renew the certs you have already issued unless you rekey those certs.
>
> That may be OK for most certs, but you may not want to do that for the
> CA signing cert. In that case, you will likely need to instrument
> something to reconstruct the original request.
> https://fedorahosted.org/freeipa/ticket/2749
> Ade
>
> On Thu, 2012-05-10 at 16:50 -0400, Rob Crittenden wrote:
>> David Copperfield wrote:
>>> Hi Petr and all,
>>>
>>> All the chapters you have pointed out have been read many times, but that
>>> doesn't help at all.
>>>
>>> My problem is: the Dogtag system ran on the IPA master ONLY before the
>>> IPA Master crashed. Now I have to do the following:
>>>
>>> 1, install and run Dogtag system on IPA replica -- the document
>>> mentioned it -- 'ipa-ca-install' and etc.
>>>
>>> 2, promote the IPA replica into new IPA Master -- document mentioned it
>>> but not clearly -- regarding the /root/cacert.p12 key file and the replica
>>> file under /var/lib/ipa.
>>>
>>> 3, how to recover the dogtag system's data (different LDAP backend) that
>>> existed on the IPA master before it crashed?
>>>
>>> Other close questions include:
>>>
>>> what is included in the replica definition file
>>> /var/lib/ipa/replica-info-ipareplica01.example.com.gpg? where is the
>>> signing key and how to open the .gpg file?
>>
>> # gpg -d /path/to/replica.gpg | tar xf -
>>
>> The password is the Directory Manager password.
>>
>> You have limited options since your CA was a single point of failure and
>> it failed. The root CA private keys should be in the replica file so
>> there may be ways to recover, all of them will require significant
>> manual effort.
>>
>> We have no way to add a new CA to an existing IPA installation outside
>> of ipa-ca-install so we'll need to give that some thought. I think the
>> simplest way to fix this is to create a new CA as a subordinate of the
>> original one. The existing certs should still be trusted (except for the
>> agent cert) so mass rekeying won't be necessary.
>>
>> Another option is to install a new CA and try to replace the key with the
>> original. We'd need to think long-term about this effort and you'd want
>> to renew all issued certificates so they will be revokable.
>>
>> rob
>>
>>> Thanks.
>>>
>>> --David
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Petr Spacek
>>> *To:* freeipa-users at redhat.com
>>> *Sent:* Thursday, May 10, 2012 2:45 AM
>>> *Subject:* Re: [Freeipa-users] How to rebuild IPA master?
>>>
>>> On 05/10/2012 02:24 AM, Steven Jones wrote:
>>> > Hi,
>>> >
>>> > In case everyone else is asleep now......
>>> >
>>> > Do you have access to RH documentation? the 6.3beta admin guide
>>> > section 18.8 talks about why and how to make a replica a master.
>>>
>>> Just for completeness:
>>> Documentation is publicly available: http://docs.redhat.com/
>>>
>>> Documentation for IPA beta:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/index.html
>>>
>>> Documentation for latest stable IPA:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>>>
>>> > eg.,
>>> >
>>> > "NOTE
>>> > All servers and replicas which host a CA are peers in the topology.
>>> > They can all issue certificates and keys to IPA clients, and they all
>>> > replicate information amongst themselves.
>>> > The only reason to promote a replica or server to be a master server
>>> > is if the master server is being taken offline. There has to be a root
>>> > CA which can issue CRLs and ultimately validate certificate checks.
>>> > Aside from that, replicas, servers, and the master server are all
>>> > equal peers."
>>> >
>>> > regards
>>> >
>>> > Steven Jones
>>> >
>>> > Technical Specialist - Linux RHCE
>>> >
>>> > Victoria University, Wellington, NZ
>>> >
>>> > 0064 4 463 6272
>>> >
>>> > ------------------------------------------------------------------------------
>>> > *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on
>>> > behalf of David Copperfield [cao2dan at yahoo.com]
>>> > *Sent:* Thursday, 10 May 2012 11:04 a.m.
>>> > *To:* Rob Crittenden; Freeipa-users at redhat.com
>>> > *Subject:* [Freeipa-users] How to rebuild IPA master?
>>> >
>>> > Hi all,
>>> >
>>> > I've an IPA master/replica setup in our development environment.
>>> > Unfortunately our IPA master crashed, the replica is working fine. Now
>>> > I have the IPA master re-imaged.
>>> >
>>> > What are the steps I have to follow to re-create the IPA master from
>>> > the running IPA replica? Before the crash the IPA master ran dogtag
>>> > certificate system, while the IPA replica didn't -- created normally
>>> > without the --setup-ca option.
>>> >
>>> > Thanks.
>>> >
>>> > --David

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


From dpal at redhat.com Sun May 13 18:24:01 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 13 May 2012 14:24:01 -0400
Subject: [Freeipa-users] proxy with Active Directory
References: <1336601701.5722.215.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CC91027@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FAFFC41.8030109@redhat.com>

On 05/10/2012 12:27 PM, Brian Cook wrote:
> The problem with the cross realm trust support as I understand it is that it requires you to populate posix attributes in AD, which many AD admins are hesitant to do. You have to install the AD services for unix pack and create a metadata object in the directory for tracking UID and GID and then manage users via the ADSFU snap-in. I have run into significant resistance to this and the Linux guys usually do not have access.

You are referring to the current support of AD in SSSD.
The UID and GID in AD are required for SSSD to work but in 6.4 this will change too as SSSD would be able to deal with AD SIDs too and do the id mapping in the same way as samba does (and better).

> Brian
>
> On May 9, 2012, at 3:19 PM, Steven Jones wrote:
>
>> That is possibly RHEL6.4? so year end?
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Simo Sorce [simo at redhat.com]
>> Sent: Thursday, 10 May 2012 10:15 a.m.
>> To: Sylvain Angers
>> Cc: Freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] proxy with Active Directory
>>
>> On Wed, 2012-05-09 at 14:19 -0400, Sylvain Angers wrote:
>>> Hello
>>>
>>> Our security group has concerns with copying username/password from
>>> AD and might not allow this synchronisation to even happen.
>>> Is there a way to configure ipa to go get username/password via a kind
>>> of proxy?
>>
>> Not really, your best bet in that situation is cross realm trust support
>> scheduled for the next FreeIPA version.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From Steven.Jones at vuw.ac.nz Sun May 13 21:20:24 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 13 May 2012 21:20:24 +0000
Subject: [Freeipa-users] FreeIPA and others
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC92981@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

From a user perspective such as myself,

If it's mission critical and a complex need today then you need to also look at more mature solutions. These however will cost you a lot of time and money to deploy. We have been there and the costs are obscene and the support worryingly poor in AP. Since you have only mentioned 389 and Openldap as options I suspect IPA will suit you, it's the best of the three, so take a look.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Chandan Kumar [chandank.kumar at gmail.com]
Sent: Saturday, 12 May 2012 6:18 a.m.
To: Freeipa-users at redhat.com
Subject: [Freeipa-users] FreeIPA and others

Hi All,

I was considering different centralized authentication/authorization services such as FreeIPA, 389 and Open ldap to deploy into our network in order to have a good centralized user authentication/authorization mechanism. I was wondering what are the key things that FreeIPA provides as compared to other directory services in terms of extra features, ease of deployment and use etc.

Thanks
Chandan
From Steven.Jones at vuw.ac.nz Sun May 13 21:36:36 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 13 May 2012 21:36:36 +0000
Subject: [Freeipa-users] dead in the water IPA server
In-Reply-To: <4FAD84D1.6060103@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC8F561@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA796C4.2060202@redhat.com>, <21054.213.225.75.97.1336383945.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CC8FA64@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA8391F.1080706@redhat.com>,<4FAD84D1.6060103@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC92998@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have what I'm told are 6.3 rpms on ipa2 and no it's not fixed, the memory leak kills a server in 48 hours. I also find I have a problem with rebooting, IPA doesn't survive a reboot, so I can't even cron a reboot nightly. Right now both are in a bad way and I need to reboot them...... :(

The interesting thing is I have a test setup that is stable, yet has the same rpms....so I'm flummoxed, maybe it's something I've done, but I can't think what....it's bog standard as far as I know....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Saturday, 12 May 2012 9:29 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] dead in the water IPA server

On 05/07/2012 05:05 PM, Rich Megginson wrote:
> On 05/07/2012 02:55 PM, Steven Jones wrote:
>> Hi,
>>
>> Yes I have a memory leak see attached graphs....
>>
>> Yes looks like the killer killed slapd.......don't know what caused this yet........if it's the "killer" looks like it's decided to kill slapd or slapd was going to kill the system anyway so it may have done the right thing.
>>
>> Looks like I have 3 days between reboots, if I don't IPA loses the plot big time....very bad news..........I will I think slow IPA deployment here at this time........this can't be deployed for us as it is, I can't even test as if something doesn't work I don't know if it's my configuring error or an inconsistent IPA. :/
>>
>> Thanks for this info I will pursue this through RH support for a perm fix, adding more memory doesn't strike me as the solution, 4gb of ram for 3~4 users and about 6 client machines seems a lot.....
>
> Right. See https://fedorahosted.org/389/ticket/51 and especially all of the comments to https://bugzilla.redhat.com/show_bug.cgi?id=697701
>
> You will need to closely monitor your entry cache usage.

As far as I see the ticket is fixed upstream and is in testing for 6.3. Is this the correct understanding?

>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Sigbjorn Lie [sigbjorn at nixtra.com]
>> Sent: Monday, 7 May 2012 9:45 p.m.
>> To: Steven Jones
>> Cc: Jan Cholasta; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] dead in the water IPA server
>>
>> This sounds very much the same as the issue I've been having. Did you check to see if it was the directory server that consumed all of your memory too?
>>
>> https://www.redhat.com/archives/freeipa-users/2012-April/msg00139.html
>>
>> Regards,
>> Siggi
>>
>> On Mon, May 7, 2012 11:32, Jan Cholasta wrote:
>>> Hi,
>>>
>>> It seems that your system ate all the available memory and the kernel decided to kill a directory server instance to free some. The kernel agent responsible for this is called the out-of-memory killer, you can read more about it and how to configure it not to kill important processes here: http://lwn.net/Articles/317814/
>>>
>>> On 7.5.2012 02:22, Steven Jones wrote:
>>>> Interesting memory message.....as attached.... I take it it isn't good? can't login that is for sure so whatever is behind the web gui is dead if nothing else...
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>
>>> --
>>> Jan Cholasta

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa2-memory-error-12.jpeg
Type: image/jpeg
Size: 163892 bytes
Desc: ipa2-memory-error-12.jpeg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa1-memory-error-14.jpeg
Type: image/jpeg
Size: 154503 bytes
Desc: ipa1-memory-error-14.jpeg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa2-cpu-error-11.jpeg
Type: image/jpeg
Size: 118878 bytes
Desc: ipa2-cpu-error-11.jpeg


From Steven.Jones at vuw.ac.nz Sun May 13 22:09:52 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 13 May 2012 22:09:52 +0000
Subject: [Freeipa-users] FreeIPA and others
In-Reply-To: <4FAD7381.7080508@redhat.com>
References: <4FAD6715.4000509@redhat.com> , <4FAD7381.7080508@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC929EE@STAWINCOX10MBX1.staff.vuw.ac.nz>

8><--------
Absolutely, the pain threshold of setting those components up and getting them to play together is high.
One of the primary design goals of FreeIPA is to eliminate those pain points so you can focus on administrating your user base.
8><--------

Does seem to be a great success, the big pain point I have now is external services connectivity however. Once vendors of hardware devices get onboard and make it as easy to join NAS's (say) to IPA it will be away....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From chandank.kumar at gmail.com Sun May 13 22:17:51 2012
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Sun, 13 May 2012 15:17:51 -0700
Subject: [Freeipa-users] FreeIPA and others

Yeah you are right. Basically now our network does not have an overall user authentication module such as OpenLDAP or 389. I was looking around for a better solution that could work in a Win + Linux environment. At the same time it should not be so painful to set up that I have to invest weeks of my full efforts to get it to run.

Thanks
Chandan

On Sun, May 13, 2012 at 2:20 PM, Steven Jones wrote:
> Hi,
>
> From a user perspective such as myself,
>
> If it's mission critical and a complex need today then you need to also look
> at more mature solutions. These however will cost you a lot of time and
> money to deploy. We have been there and the costs are obscene and the
> support worryingly poor in AP. Since you have only mentioned 389 and
> Openldap as options I suspect IPA will suit you, it's the best of the three,
> so take a look.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
> ------------------------------
> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com]
> on behalf of Chandan Kumar [chandank.kumar at gmail.com]
> *Sent:* Saturday, 12 May 2012 6:18 a.m.
> *To:* Freeipa-users at redhat.com
> *Subject:* [Freeipa-users] FreeIPA and others
>
> Hi All,
>
> I was considering different centralized authentication/authorization
> services such as FreeIPA, 389 and Open ldap to deploy into our network in
> order to have a good centralized user authentication/authorization
> mechanism. I was wondering what are the key things that FreeIPA provides as
> compared to other directory services in terms of extra features, ease of
> deployment and use etc.
>
> Thanks
> Chandan


From JR.Aquino at citrix.com Mon May 14 03:53:34 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 14 May 2012 03:53:34 +0000
Subject: [Freeipa-users] FreeIPA and others
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC92981@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC92981@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <47F80C39-F4C8-4DB3-88A3-F5791D532A8D@citrixonline.com>

On May 13, 2012, at 2:23 PM, "Steven Jones" wrote:

> Hi,
>
> From a user perspective such as myself,
>
> If it's mission critical and a complex need today then you need to also look at more mature solutions.

Mileage may vary. I for one have found no suitable scalable substitute for FreeIPA.

I currently run over 21 (soon to be 42) Production FreeIPA servers. These are globally dispersed in every major continent.
They support over 5,000 servers (Mostly RHEL with some Fedora, and Ubuntu mixed in), 1,000 Networking devices (Cisco and Juniper) and around 2,000 users.

I heavily utilize centralized authentication, SSO, hbac, sudo, and automember (with sometimes as many as 100 new hosts a week being built and automatically assigned to their respective hostgroups).
My use case tends to be the most complex that I've heard of. The important bugs that I find and report have patches sometimes within a few days. My advice is to stage thoroughly so you know what you need to have in order to run effectively in production. There is no real end-all be-all for all things relating to authentication. I suggest that if you find an important delta, don't give up; experiment with integrating whatever protocol you need. Document the success or the challenges for others to benefit or contribute.

-JR

> These however will cost you a lot of time and money to deploy. We have been there and the costs are obscene and the support worryingly poor in AP. Since you have only mentioned 389 and Openldap as options I suspect IPA will suit you; it's the best of the three, so take a look.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Chandan Kumar [chandank.kumar at gmail.com]
> Sent: Saturday, 12 May 2012 6:18 a.m.
> To: Freeipa-users at redhat.com
> Subject: [Freeipa-users] FreeIPA and others
>
> Hi All,
>
> I was considering different centralized authentication/authorization services such as FreeIPA, 389 and Open ldap to deploy into our network in order to have a good centralized user authentication/authorization mechanism. I was wondering what the key features are that FreeIPA provides as compared to other directory services in terms of extra features, ease of deployment and use etc.
> Thanks
> Chandan

From janfrode at tanso.net Mon May 14 06:13:46 2012
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Mon, 14 May 2012 08:13:46 +0200
Subject: [Freeipa-users] FreeIPA and others
In-Reply-To: <47F80C39-F4C8-4DB3-88A3-F5791D532A8D@citrixonline.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC92981@STAWINCOX10MBX1.staff.vuw.ac.nz> <47F80C39-F4C8-4DB3-88A3-F5791D532A8D@citrixonline.com>
Message-ID: <20120514061346.GA2154@dibs.tanso.net>

On Mon, May 14, 2012 at 03:53:34AM +0000, JR Aquino wrote:
>
> I currently run over 21 (soon to be 42) Production FreeIPA servers. These are globally dispersed in every major continent.
> They support over 5,000 servers (Mostly RHEL with some Fedora, and Ubuntu mixed in), 1,000 Networking devices (Cisco and Juniper) and around 2,000 users.

Could you please say something about how you're connecting the Ciscos and Junipers to IPA? LDAP backend for radius/ACS, or something else?

-jf

From janfrode at tanso.net Mon May 14 07:01:34 2012
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Mon, 14 May 2012 09:01:34 +0200
Subject: [Freeipa-users] Different automount for different locations
Message-ID: <20120514070134.GA4152@dibs.tanso.net>

We have two datacenters, site-A and site-B, and would like to serve the users' home directories from a local NFS server at each location to avoid cross-site mounts. Is this something the automount maps in IPA can help us with?

Or do we need to do tricks like having the users' home directory under /Home/$username and symlink /Home -> /srv/site-A/ on site-A and vice versa?
-jf

From jhrozek at redhat.com Mon May 14 08:10:47 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 14 May 2012 10:10:47 +0200
Subject: [Freeipa-users] Different automount for different locations
In-Reply-To: <20120514070134.GA4152@dibs.tanso.net>
References: <20120514070134.GA4152@dibs.tanso.net>
Message-ID: <20120514081047.GA8073@hendrix.redhat.com>

On Mon, May 14, 2012 at 09:01:34AM +0200, Jan-Frode Myklebust wrote:
> We have two datacenters, site-A and site-B, and would like to serve the users' home directories from a local NFS server at each location to avoid cross-site mounts. Is this something the automount maps in IPA can help us with?
>
> Or do we need to do tricks like having the users' home directory under /Home/$username and symlink /Home -> /srv/site-A/ on site-A and vice versa?

IPA has a concept of automount locations. See "ipa help automount" for more info. Here is a basic example, cut-n-pasted from a test setup of mine, except for obfuscated host names. This setup creates two locations exporting the same tree /share/mirror from different servers:

    ipa automountlocation-add Brno
    ipa automountmap-add Brno auto.share
    ipa automountkey-add Brno auto.master --key=/share --info=auto.share
    ipa automountkey-add Brno auto.share --key=mirror --info="filer.in.brno:/mirror/"

    ipa automountlocation-add Boston
    ipa automountmap-add Boston auto.share
    ipa automountkey-add Boston auto.master --key=/share --info=auto.share
    ipa automountkey-add Boston auto.share --key=mirror --info="filer.in.boston:/mirror"

That should also work with the username wildcard; if not, it's a bug.
On the client, set the search base to the respective location:

    SEARCH_BASE="cn=brno,cn=automount,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

...or, for clients in Boston:

    SEARCH_BASE="cn=boston,cn=automount,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

If you're using the SSSD to fetch autofs maps, all you need to set on the client is ipa_automount_location = Brno (or Boston) and set "sss" as the autofs map source in nsswitch.

From milvaques_pas at gva.es Mon May 14 08:20:57 2012
From: milvaques_pas at gva.es (pasqual milvaques)
Date: Mon, 14 May 2012 10:20:57 +0200
Subject: [Freeipa-users] fail joining an ubuntu 12.04 to a freeipa server with ipa-client-install
In-Reply-To: <4FAD24EC.6090501@gva.es>
References: <4FACF525.4070303@gva.es> <4FAD24EC.6090501@gva.es>
Message-ID: <4FB0C069.9080403@gva.es>

The people from Ubuntu pointed me to this bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663127

Enabling SSL3 in the server with these orders served as a workaround:

    ldapmodify -D "cn=directory manager" -W -p 389 -h localhost -x
    dn: cn=encryption,cn=config
    changetype: modify
    replace: nsSSL3
    nsSSL3: on

    exit

But the client doesn't join the domain completely because in the system there is no system-wide NSS database:

    New SSSD config will be created.
    root : INFO New SSSD config will be created
    Configured /etc/sssd/sssd.conf
    root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
    root : DEBUG stdout=
    root : DEBUG stderr=certutil: function failed: security library: bad database.
    Traceback (most recent call last):
      File "/usr/sbin/ipa-client-install", line 1292, in
        sys.exit(main())
      File "/usr/sbin/ipa-client-install", line 1279, in main
        rval = install(options, env, fstore, statestore)
      File "/usr/sbin/ipa-client-install", line 1124, in install
        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
      File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273, in run
        raise CalledProcessError(p.returncode, args)
    subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero exit status 255
    pasqual at ubuntuprovesfreeipa:~$

I can create it with these commands:

    mkdir -p /etc/pki/nssdb
    certutil -N -d /etc/pki/nssdb

but it asks for a password. There are some obscure references about using a password file called pwdfile.txt that resides in the server, but I'm not sure what to do now. Perhaps the password must be blank. Any idea?

Thanks

On 11/05/12 16:40, pasqual milvaques wrote:
> I have downloaded and compiled some versions of gnutls and this is the result:
> gnutls-2.8.5: works
> gnutls-2.12.19: fail
> gnutls-3.0.19: fail
>
> This must affect distributions in which ldaps connections are based on gnutls (I only know Debian and Ubuntu).
>
> The problem can be tested with this command:
> gnutls-cli -d 4 -p 636 freeipaserver.linux.gva.es
>
> If you have a problematic gnutls version the command would end with these lines:
> ...
> |<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes]
> |<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151
> |<4>| REC[0x9bb40d0]: Sent Packet[1] Handshake(22) with length: 156
> |<2>| ASSERT: gnutls_buffers.c:640
> |<2>| ASSERT: gnutls_record.c:969
> |<2>| ASSERT: gnutls_handshake.c:2762
> *** Fatal error: A TLS packet with unexpected length was received.
> |<4>| REC: Sending Alert[2|22] - Record overflow
> |<4>| REC[0x9bb40d0]: Sending Packet[1] Alert(21) with length: 2
> |<4>| REC[0x9bb40d0]: Sent Packet[2] Alert(21) with length: 7
> *** Handshake has failed
> GnuTLS error: A TLS packet with unexpected length was received.
> |<4>| REC[0x9bb40d0]: Epoch #0 freed
> |<4>| REC[0x9bb40d0]: Epoch #1 freed
> pasqual at ubuntuprovesfreeipa:~/gnutls-2.12.19$
>
> Any idea on how to make this work?
>
> On 11/05/12 13:16, pasqual milvaques wrote:
>> I'm trying to join an Ubuntu 12.04 machine to a FreeIPA domain installed on a CentOS 6.2 machine and it seems there is some problem with the TLS negotiation. Ubuntu 12.04 uses gnutls instead of openssl so the problem could be there, but I don't know how to solve it. With the ldapsearch command I can also reproduce the failure.
>>
>> I have opened this Ubuntu bug as FreeIPA now has a native client package: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990
>>
>> Any idea?
>>
>> This is the log of the operation:
>>
>> pasqual at ubuntuprovesfreeipa:~$ sudo ipa-client-install -d --enable-dns-updates
>> [sudo] password for pasqual:
>> root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
>> root : DEBUG missing options might be asked for interactively later
>>
>> root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> root : DEBUG [ipadnssearchldap(linux.gva.es)]
>> root : DEBUG [ipadnssearchldap(gva.es)]
>> root : DEBUG
>> [ipadnssearchldap(es)]
>> root : DEBUG [ipadnssearchldap(linux.gva.es)]
>> root : DEBUG [ipadnssearchldap(gva.es)]
>> root : DEBUG [ipadnssearchldap(es)]
>> root : DEBUG Domain not found
>> DNS discovery failed to determine your DNS domain
>> Provide the domain name of your IPA server (ex: example.com): linux.gva.es
>> root : DEBUG will use domain: linux.gva.es
>>
>> root : DEBUG [ipadnssearchldap]
>> root : DEBUG IPA Server not found
>> DNS discovery failed to find the IPA Server
>> Provide your IPA server name (ex: ipa.example.com): freeipaserver.linux.gva.es
>> root : DEBUG will use server: freeipaserver.linux.gva.es
>>
>> root : DEBUG [ipadnssearchkrb]
>> root : DEBUG [ipacheckldap]
>> root : DEBUG args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2 http://freeipaserver.linux.gva.es/ipa/config/ca.crt
>> root : DEBUG stdout=
>> root : DEBUG stderr=--2012-05-11 12:06:09-- http://freeipaserver.linux.gva.es/ipa/config/ca.crt
>> Resolent freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)... 192.168.222.99
>> S'està connectant a freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)|192.168.222.99|:80... conectat.
>> HTTP: Petició enviada, esperant resposta... 200 OK
>> Longitud: 1325 (1.3K) [application/x-x509-ca-cert]
>> S'està desant a: «/tmp/tmpWptXwb/ca.crt»
>>
>> 0K . 100% 38.4M=0s
>>
>> 2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat «/tmp/tmpWptXwb/ca.crt» [1325/1325]
>>
>> root : DEBUG Init ldap with: ldap://freeipaserver.linux.gva.es:389
>> root : ERROR LDAP Error: Connect error: A TLS packet with unexpected length was received.
>> Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
>> This may mean that the remote server is not up or is not reachable due to network or firewall settings.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>> pasqual at ubuntuprovesfreeipa:~$

From janfrode at tanso.net Mon May 14 09:06:34 2012
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Mon, 14 May 2012 11:06:34 +0200
Subject: [Freeipa-users] Different automount for different locations
In-Reply-To: <20120514081047.GA8073@hendrix.redhat.com>
References: <20120514070134.GA4152@dibs.tanso.net> <20120514081047.GA8073@hendrix.redhat.com>
Message-ID: <20120514090634.GA6169@dibs.tanso.net>

On Mon, May 14, 2012 at 10:10:47AM +0200, Jakub Hrozek wrote:
>
> IPA has a concept of automount locations. See ipa help automount for more info..here is a basic example, cut-n-pasted from a test setup of mine, except for obfuscated host names. This setup creates two locations exporting the same tree /share/mirror from different servers:

Perfect, thanks for the location explanation!
-jf

From janfrode at tanso.net Mon May 14 12:09:25 2012
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Mon, 14 May 2012 14:09:25 +0200
Subject: [Freeipa-users] Different automount for different locations
In-Reply-To: <20120514081047.GA8073@hendrix.redhat.com>
References: <20120514070134.GA4152@dibs.tanso.net> <20120514081047.GA8073@hendrix.redhat.com>
Message-ID: <20120514120925.GA9502@dibs.tanso.net>

On Mon, May 14, 2012 at 10:10:47AM +0200, Jakub Hrozek wrote:
>
> IPA has a concept of automount locations.

Do these locations have anything to do with the Locality/Location strings in the HOST SETTINGS, so that we don't have to modify each client's sssd.conf for setting the ipa_automount_location?

-jf

From jhrozek at redhat.com Mon May 14 12:14:41 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 14 May 2012 14:14:41 +0200
Subject: [Freeipa-users] Different automount for different locations
In-Reply-To: <20120514120925.GA9502@dibs.tanso.net>
References: <20120514070134.GA4152@dibs.tanso.net> <20120514081047.GA8073@hendrix.redhat.com> <20120514120925.GA9502@dibs.tanso.net>
Message-ID: <20120514121441.GC27728@unused-4-110.brq.redhat.com>

On Mon, May 14, 2012 at 02:09:25PM +0200, Jan-Frode Myklebust wrote:
> On Mon, May 14, 2012 at 10:10:47AM +0200, Jakub Hrozek wrote:
> >
> > IPA has a concept of automount locations.
>
> Do these locations have anything to do with the Locality/Location strings in the HOST SETTINGS, so that we don't have to modify each client's sssd.conf for setting the ipa_automount_location?

No, AFAIK there's no relation between the two.

Please note that the sssd/autofs integration is a tech preview in RHEL 6.3 and only present in SSSD 1.8 and later. You'd also want to add "autofs" to the list of active services and create a [autofs] section in sssd.conf.
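Jakub's two replies in this thread (the location and map definitions on the server, and the client-side ipa_automount_location, "autofs" service, [autofs] section and "sss" nsswitch source) describe a per-client change that, since the location is not derived from the host's Locality field, has to be repeated on every client. The script below is an added example, not part of the original thread and not code from SSSD or FreeIPA: it applies those client-side settings idempotently to an sssd.conf and an nsswitch.conf and summarises the result so the change can be checked afterwards. The sample configuration, the domain name idm.lab.bos.redhat.com (made up to match the search base in Jakub's example) and all function names are constructed for illustration.

```python
"""Apply the client-side settings for IPA automount locations via SSSD.

Added example (not from the thread, SSSD or FreeIPA). It edits an
sssd.conf so that:
  * "autofs" is in the [sssd] services list,
  * an [autofs] section exists,
  * every domain using the ipa id_provider gets ipa_automount_location,
and rewrites the automount line of nsswitch.conf to use the "sss" source.
"""
import configparser
import io

# Constructed sample client configuration. The domain name is made up to
# match the search base used in the thread
# (dc=idm,dc=lab,dc=bos,dc=redhat,dc=com); it is not a real deployment.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = idm.lab.bos.redhat.com

[domain/idm.lab.bos.redhat.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = idm.lab.bos.redhat.com
ipa_server = _srv_
"""

SAMPLE_NSSWITCH = """\
passwd:     files sss
group:      files sss
automount:  files ldap
"""


def _parse(text):
    # sssd.conf keys are case-sensitive, so keep them exactly as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def enable_autofs(conf_text, location):
    """Return conf_text with autofs enabled for the given IPA location."""
    cp = _parse(conf_text)
    services = _csv(cp["sssd"].get("services", ""))
    if "autofs" not in services:
        services.append("autofs")
    cp["sssd"]["services"] = ", ".join(services)
    if not cp.has_section("autofs"):
        cp.add_section("autofs")
    # ipa_automount_location only has meaning for the ipa id_provider, so
    # leave any LDAP/AD domains in the same file untouched.
    for domain in _csv(cp["sssd"].get("domains", "")):
        section = "domain/" + domain
        if cp.has_section(section) and cp[section].get("id_provider") == "ipa":
            cp[section]["ipa_automount_location"] = location
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def autofs_settings(conf_text):
    """Summarise the autofs-relevant settings, as a post-change check."""
    cp = _parse(conf_text)
    locations = {}
    for section in cp.sections():
        if section.startswith("domain/") and "ipa_automount_location" in cp[section]:
            locations[section[len("domain/"):]] = cp[section]["ipa_automount_location"]
    return {
        "services": _csv(cp["sssd"].get("services", "")),
        "has_autofs_section": cp.has_section("autofs"),
        "locations": locations,
    }


def set_nsswitch_automount(text, source="sss"):
    """Point the automount database at SSSD; append the line if missing."""
    lines, seen = [], False
    for line in text.splitlines():
        if line.split(":", 1)[0].strip() == "automount":
            lines.append("automount:  %s" % source)
            seen = True
        else:
            lines.append(line)
    if not seen:
        lines.append("automount:  %s" % source)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    new_conf = enable_autofs(SAMPLE_SSSD_CONF, "Brno")
    print(new_conf)
    print(autofs_settings(new_conf))
    print(set_nsswitch_automount(SAMPLE_NSSWITCH))
```

Running it again on its own output changes nothing, which is what you want from a script pushed out by configuration management; the location string ("Brno" or "Boston" in Jakub's example) is the only per-site input.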
From JR.Aquino at citrix.com Mon May 14 13:58:03 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 14 May 2012 13:58:03 +0000
Subject: [Freeipa-users] FreeIPA and others
In-Reply-To: <20120514061346.GA2154@dibs.tanso.net>
References: <833D8E48405E064EBC54C84EC6B36E404CC92981@STAWINCOX10MBX1.staff.vuw.ac.nz> <47F80C39-F4C8-4DB3-88A3-F5791D532A8D@citrixonline.com> <20120514061346.GA2154@dibs.tanso.net>
Message-ID: <899ED55A-0EA6-437C-9378-E280E6923EFE@citrixonline.com>

On May 13, 2012, at 11:13 PM, Jan-Frode Myklebust wrote:
> On Mon, May 14, 2012 at 03:53:34AM +0000, JR Aquino wrote:
>>
>> I currently run over 21 (soon to be 42) Production FreeIPA servers. These are globally dispersed in every major continent.
>> They support over 5,000 servers (Mostly RHEL with some Fedora, and Ubuntu mixed in), 1,000 Networking devices (Cisco and Juniper) and around 2,000 users.
>
> Could you please say something about how you're connecting the Cisco's and Juniper's to IPA ? LDAP backend for radius/ACS, or something else ?

Yes, there is a Cisco ACS acting as a middle man, providing TACACS / RADIUS where appropriate.

From rcritten at redhat.com Mon May 14 17:04:03 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 May 2012 13:04:03 -0400
Subject: [Freeipa-users] fail joining an ubuntu 12.04 to a freeipa server with ipa-client-install
In-Reply-To: <4FB0C069.9080403@gva.es>
References: <4FACF525.4070303@gva.es> <4FAD24EC.6090501@gva.es> <4FB0C069.9080403@gva.es>
Message-ID: <4FB13B03.8090409@redhat.com>

pasqual milvaques wrote:
> The people from Ubuntu pointed me to this bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663127
>
> Enabling SSL3 in the server with these orders served as a workaround:
>
> ldapmodify -D "cn=directory manager" -W -p 389 -h localhost -x
>
> dn: cn=encryption,cn=config
> changetype: modify
> replace: nsSSL3
> nsSSL3: on
>
> exit
>
> But the client doesn't join the domain completely because in the system there is no system-wide NSS database:
>
> New SSSD config will be created.
> root : INFO New SSSD config will be created
> Configured /etc/sssd/sssd.conf
> root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=certutil: function failed: security library: bad database.
>
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1292, in
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1279, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1124, in install
>     run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273, in run
>     raise CalledProcessError(p.returncode, args)
> subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero exit status 255
> pasqual at ubuntuprovesfreeipa:~$
>
> I can create it with these commands:
> mkdir -p /etc/pki/nssdb
> certutil -N -d /etc/pki/nssdb
>
> but it asks for a password. There are some obscure references about using a password file called pwdfile.txt that resides in the server, but I'm not sure what to do now. Perhaps the password must be blank. Any idea?

It isn't mandatory to set a password; there isn't one by default in Fedora installations. If you do set a password and place it in a file you can pass the file location with -f.
Arguably a password in a file is about as secure as a password-less database: for both you are relying on FS permissions (and perhaps SELinux if configured).

rob

From rmeggins at redhat.com Mon May 14 18:36:51 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 14 May 2012 12:36:51 -0600
Subject: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
In-Reply-To: <1336773959.17164.YahooMailNeo@web125704.mail.ne1.yahoo.com>
References: <1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC3EF6.1040904@redhat.com> <1336689471.66003.YahooMailNeo@web125701.mail.ne1.yahoo.com> <4FAC5D4B.50907@redhat.com> <1336699945.99548.YahooMailNeo@web125706.mail.ne1.yahoo.com> <4FAC6D43.9000105@redhat.com> <1336701274.12311.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4FAC7F81.709@redhat.com> <4FAD8A5F.7050406@redhat.com> <1336773959.17164.YahooMailNeo@web125704.mail.ne1.yahoo.com>
Message-ID: <4FB150C3.5080103@redhat.com>

On 05/11/2012 04:05 PM, David Copperfield wrote:
> Please feel free to do it. Thanks.

Done. https://fedorahosted.org/389/ticket/369

Feel free to add yourself to the CC list, and supply any more details.

>
> --David
>
> ------------------------------------------------------------------------
> *From:* Dmitri Pal
> *To:* Rich Megginson
> *Cc:* David Copperfield ; Rob Crittenden ; E Deon Lackey ; "freeipa-users at redhat.com"
> *Sent:* Friday, May 11, 2012 2:53 PM
> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
>
> On 05/10/2012 10:54 PM, Rich Megginson wrote:
>> On 05/10/2012 07:54 PM, David Copperfield wrote:
>>> OK,
>>>
>>> that means the steps below:
>>>
>>> 1) on IPA replica, let's create 4 IPA users: A, B, C and D. Now make a backup with 'db2ldif.pl -r ...'
>>>
>>> 2) on IPA replica, delete the user D. 'ipa user-del D'.
>>>
>>> 3) on IPA master, delete the user C. 'ipa user-del C'.
>>>
>>> 4) now check on other IPA master and IPA replica, both show only two users 'A' and 'B'. This is expected.
>>>
>>> 5) now on IPA replica, restore the backup with 'ldif2db.pl '
>>>
>>> 6) check on IPA replica immediately, 'ipa user-find' shows 4 users 'A, B, C, D' at the beginning.
>>>
>>> 7) check IPA Master, 'ipa user-find' still shows only two users 'A, B'.
>>>
>>> 8) wait 3 minutes or so, check on IPA replica, and find that there are only THREE users 'A, B, D'. The user 'C' is deleted now -- change propagated from IPA Master.
>>>
>>> 9) check on IPA Master again and again, there are still only two users 'A, B'.
>>>
>>> 10) check on IPA Replica again and again, there are still three users 'A, B, D'. --- this status is different from IPA Master's 'A, B', or backup's 'A, B, C, D'.
>>>
>>> If the backup was created without the '-r' option, then step 8 above will always show 'A, B, C, D', the same as the backup. With the '-r' option the final result is in between.
>>>
>>> Hope I have explained it clearly. Please advise something like ipa2ldif.pl and ldif2ipa.pl tools. They are really the key useful feature for serious production IPA deployment, which is definitely of much higher priority than dogtag.
>>
>> Sounds like a bug. What should happen is that the deletion of C and D should be propagated to the replica.
>
> Was a bug or a ticket filed?
>
>>
>>> Thanks a lot.
>>>
>>> --David
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rich Megginson
>>> *To:* David Copperfield
>>> *Cc:* E Deon Lackey ; Petr Spacek ; Rob Crittenden ; "freeipa-users at redhat.com"
>>> *Sent:* Thursday, May 10, 2012 6:37 PM
>>> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl , ldap2db.pl ???
>>>
>>> On 05/10/2012 07:32 PM, David Copperfield wrote:
>>>> Hi Rich and all,
>>>>
>>>> the '-r' option to db2ldif.pl doesn't work either; it makes little difference.
>>>>
>>>> My backup and restore commands on the IPA replica are:
>>>>
>>>> db2ldif.pl -D 'cn=Directory Manager' -w - -r -s 'dc=example,dc=com'
>>>>
>>>> ldif2db.pl -D 'cn=Directory Manager' -w - -i
>>>>
>>>> The only difference is: after IPA master restart (restart happens after IPA replica's restore operation), the changes -- which were applied on IPA master before backup -- are propagated to IPA replica. Which in fact makes the restoration test end up with a result completely unusable on IPA replica, a result that is different from the backup, and different from IPA master.
>>>
>>> I don't quite understand what you mean.
>>>
>>>> Please let me know if there are any other options/steps to follow. Thanks.
>>>
>>> Not sure what else to try.
>>>
>>>> --David
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Rich Megginson
>>>> *To:* David Copperfield
>>>> *Cc:* "freeipa-users at redhat.com" ; Rob Crittenden ; Petr Spacek
>>>> *Sent:* Thursday, May 10, 2012 5:28 PM
>>>> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl , ldap2db.pl ???
>>>>
>>>> On 05/10/2012 04:37 PM, David Copperfield wrote:
>>>>> Hi Rich and all,
>>>>>
>>>>> Thanks for the correction. They are the db2ldif.pl and ldif2db.pl scripts, which are originally for 389 Directory Server's backup and restore purposes.
>>>>>
>>>>> There are no IPA tools for IPA system backup and restore. Is there a plan to develop tools like ipa2ldif.pl and ldif2ipa.pl soon? Or, at least, is it in the IPA roadmap?
>>>>>
>>>>> For the second question: I use the simple way: ipa user-add/user-delete/user-find to see whether data is propagated.
>>>>> My testing steps are like this:
>>>>>
>>>>> 1) run 'ipa user-add testuser' on IPA replica, check it on IPA master with 'ipa user-find testuser' and it is found in a few seconds -- not 5 minutes.
>>>>>
>>>>> 2) run 'db2ldif.pl' on IPA replica to save a backup.
>>>>>
>>>>> 3) run 'ipa user-del testuser' on IPA replica, then 'ipa user-find' on IPA replica, and it shows that the user is deleted.
>>>>>
>>>>> 4) double check 'ipa user-find testuser' on IPA master, and it is found deleted, which is as expected, and it is propagated in just a few seconds.
>>>>>
>>>>> 5) run 'ldif2db.pl' on the same IPA replica where the backup was created.
>>>>>
>>>>> 6) run 'ipa user-find testuser' on IPA replica and it is found that the user testuser is alive again.
>>>>>
>>>>> 7) run 'ipa user-find testuser' on IPA master. 1/3 of the time we can find it -- and in just a few seconds. The other 2/3 of the time it could not be found even after HALF AN HOUR.
>>>>>
>>>>> Please do a quick duplicate test at your side and advise what normal users should do, because a reliable backup/restore solution is definitely one of the key criteria. Thanks a lot.
>>>>
>>>> Ok, I see. The problem is that a regular db2ldif[.pl] does not save the replication meta-data. You must use the -r option to generate an ldif file with the replication meta-data. ldif2db[.pl] is destructive - it wipes out your database completely and replaces it, wiping out any replication meta-data in the process. If you ldif2db[.pl] a file exported with db2ldif[.pl] -r, it will replace the replication meta-data too.
>>>>
>>>> See
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line
>>>>
>>>>> --David
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* Rich Megginson
>>>>> *To:* David Copperfield
>>>>> *Cc:* "freeipa-users at redhat.com" ; Rob Crittenden ; Petr Spacek
>>>>> *Sent:* Thursday, May 10, 2012 3:19 PM
>>>>> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl , ldap2db.pl ???
>>>>>
>>>>> On 05/10/2012 03:57 PM, David Copperfield wrote:
>>>>>> Hi Rob, Petr and all,
>>>>>>
>>>>>> Because of recent crashes of my IPA master and IPA replica servers, I'm thinking of methods to backup/restore IPA user data: users, groups, host and server certificates etc.
>>>>>>
>>>>>> It's said that the only official way is to create an extra IPA replica and backup/snapshot that replica all the way. But there is still a big chance that some mistakes propagate to the whole IPA domain/realm before the IPA administrator finds it, and data gets lost forever and some may not even be recoverable.
>>>>>>
>>>>>> What I think is, because both Dogtag and IPA store data in backend 389 directory servers separately, then if I freeze the changes on one IPA replica for a few minutes first, then run db2ldap.pl for both 389 ldap backends, then un-freeze the IPA replica to get sync from master.
>>>>>>
>>>>>> When data needs to be restored because of disasters, the backup files (in LDIF format -- easy to read) can be restored to the two 389 LDAP backends on the IPA replica with command ldap2db.pl during the freezing period.
>>>>>
>>>>> It's ldif2db.pl and db2ldif.pl, not ldap.
>>>>>
>>>>>> Has anyone tried this solution yet?
>>>>>> Are there any limitations?
>>>>>>
>>>>>> My experiences showed that the IPA replica did get data restored successfully (no dogtag is involved so only one LDAP backend is saved/restored). But the IPA master sometimes didn't get the data synced from IPA replica (1/3 of the time it is synced, 2/3 of the time it needs the manual command 'ipa-replica-manage force-sync --from ').
>>>>>
>>>>> How did you verify that the data was synced? Note that if a server has been down for a while, it will take the supplier up to 5 minutes to recognize that the consumer is up again, without force sync.
>>>>>
>>>>>> Please shed a light in this area, as backup/restore of IPA master/replica is not even mentioned in the IPA documentation at all.
>>>>>>
>>>>>> Thanks a lot.
>>>>>>
>>>>>> --David
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

From hahaha_30k at yahoo.com Mon May 14 19:48:28 2012
From: hahaha_30k at yahoo.com (Robinson Tiemuqinke)
Date: Mon, 14 May 2012 12:48:28 -0700 (PDT)
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
Message-ID: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com>

Hi Dmitri, Rich and all,

I am a newbie to Redhat IPA. It looks pretty cool compared with other solutions I've tried before. Thanks a lot for this great product! :)

But there are still some things I need your help with.
My main question is: How to restore the IPA setup with a daily machine-level IPA Replica backup?

Please let me explain my IPA setup background and the backup/restore goals I'm trying to reach:

I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is set up with the Dogtag CA system. It is installed first. Then two IPA replicas are installed -- with the '--setup-ca' option -- for load balancing and failover purposes.

To describe my problems/objectives, I'll name the IPA Master as machine A, IPA replicas as B and C, and now I've one more extra IPA replica 'D' (virtual machine) set up ONLY for backup purposes.

The setup looks like the following; A is the configuration Hub. B, C, D are siblings.

        A
      / | \
     B  C  D

The following are the steps I use to back up IPA setups and LDAP backends daily -- it is a whole machine-level backup (through virtual machine D).

1, First, IPA replica D is backed up daily. The backup happens like this:

    1.1 on IPA replica D, run 'service IPA stop'. Then run 'shutdown -h '. On the Hypervisor which holds virtual machine D, do a daily backup of the whole virtual disk that D is on.
    1.2 turn on the IPA replica D again.
    1.3 after virtual machine D is up, on D optionally run 'ipa-replica-manage --force-sync --from ' to sync the IPA databases forcibly.

Now comes the restore part, which is pretty confusing to me. I've tried several times, and every time it comes to this or that kind of issue, and so I am wondering whether the correct steps/interaction of IPA Master/replicas are the king :(

2, case #1, A is broken, like disc failure, and then re-imaged after several days.

    2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the daily backup from IPA replica D?
    2.2 Do I have to check some files on A into subversion immediately after A was initially installed?
    2.3 Please describe the steps. I'll follow exactly and report the results.

3, case #2, A is working, but either B or C is broken.
3.1 It looks that I don't need the daily backup of D to kick in, is that right? ? 3.2 What are the correct steps on A; and B after it is re-imaged? ? 3.3 ?Please describe the steps. I'll follow exactly and report the results. 4, case #3, If ?some un-expected IPA changes happens on A -- like all users are deleted by human mistakes --, and even worse, all the changes are propagated to B and C in minutes. ? 4.1 How can I recover the IPA setup from daily backup from D? ? 4.2 which IPA master/replicas I should recover first? IPA master A, or IPA replicas B/C? and then how to recover others left one by one? ? 4.3 Do I have to disconnect replication agreement of B,C,D from A first? ? ? 4.4? Please describe the steps. I'll follow exactly and report the results. ?I've heard something about tombstone records too, Not sure whether the problem still exists in 2.1.3, or 2.2.0(on 6.3Beta)? If so, How can I avoid it with correct recovery steps/interactions. Thanks a lot.? --Gelen. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Mon May 14 20:20:07 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 14 May 2012 16:20:07 -0400 Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup??? In-Reply-To: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com> References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com> Message-ID: <4FB168F7.4010207@redhat.com> On 05/14/2012 03:48 PM, Robinson Tiemuqinke wrote: > Hi Dmitri, Rich and all, > > I am a newbie to Redhat IPA, It looks like pretty cool compared with > other solutions I've tried before. Thanks a lot for this great product! :) > > But there are still some things I needs your help. My main question > is: How to restore the IPA setup with a daily machine-level IPA > Replica backup? 
I can explain it conceptually. Rob is probably best to define the exact sequence and commands.

If your A is broken you reinstall it, make it connect to D and init (force sync) A from D. Now you have a new A.

If B or C dies you just re-install B or C and init from A.

If you lost a lot of data I suggest you start a saved D instance and force-sync A from it and then force sync B and C from A.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From chandank.kumar at gmail.com Mon May 14 21:09:44 2012
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Mon, 14 May 2012 14:09:44 -0700
Subject: [Freeipa-users] Help regarding Basic FreeIPA setup
Message-ID:

I am a newbie in IPA and was experimenting with it on a couple of my VMs before considering it for production level.
Installation went fine, however, I am getting the kerberos key expiration error in firefox. I am running firefox on the same machine where I have installed/configured ipa-server. On googling and with some help in IRC I checked the documentation to troubleshoot it as this appears to be a known problem.

Moreover, I did follow

http://freeipa.org/page/InstallAndDeploy
http://freeipa.org/page/TroubleshootingGuide

Firefox logs

1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
-1977841888[7fc789f5b040]: using REQ_DELEGATE
-1977841888[7fc789f5b040]: service = ipaserver.example.com
-1977841888[7fc789f5b040]: using negotiate-gss
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
-1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
-1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

[root at ds var]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at EXAMPLE.COM

Valid starting     Expires            Service principal
05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/EXAMPLE.COM at EXAMPLE.COM
05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example.com at EXAMPLE.COM
05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example.com at EXAMPLE.COM
[root at ds var]#

Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
at http://fpaste.org/9hXX/

I am not sure what I am missing though. Appreciate any help.

Thanks
Chandan
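Added example (not part of Chandan's post or of FreeIPA): a check over the klist output above that separates "ticket expired" from "tickets present and valid, yet the browser still fails", which is the distinction the rest of the thread turns on. It assumes the MIT klist timestamp layout shown in the post; the sample text is a constructed copy of that output.

```python
from datetime import datetime

# Constructed sample: a copy of the klist output quoted in the post (the
# list archive shows "@" as " at "; real klist prints "@").
KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example.com@EXAMPLE.COM
05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example.com@EXAMPLE.COM
"""

# Timestamp layout MIT klist uses on RHEL 6 (two-digit year, 24h clock).
TIME_FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return (default principal, list of ticket dicts) from klist output."""
    principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        parts = line.split()
        # A ticket line has exactly five fields: start date+time,
        # expiry date+time, service principal. Anything else is a header.
        if len(parts) != 5:
            continue
        try:
            start = datetime.strptime(parts[0] + " " + parts[1], TIME_FMT)
            expires = datetime.strptime(parts[2] + " " + parts[3], TIME_FMT)
        except ValueError:
            continue  # the column header line also has five words
        tickets.append({"start": start, "expires": expires, "service": parts[4]})
    return principal, tickets


def check_browser_tickets(text, server_fqdn, realm, now_str):
    """Classify the credential cache for Negotiate auth to https://server_fqdn/.

    now_str is the moment to evaluate, in klist's own timestamp format.
    Returns one of:
      'no-tgt'         no krbtgt/<realm> ticket: kinit has not been run
      'tgt-expired'    TGT present but past its expiry: kinit again
      'no-http-ticket' TGT valid but no HTTP/<server_fqdn> ticket yet
                       (normal before the first request; the browser
                       obtains it from the KDC using the TGT)
      'http-expired'   HTTP/<server_fqdn> ticket present but expired
      'ok'             TGT and HTTP service ticket both valid; a Negotiate
                       failure then is not ticket expiry but a problem on
                       the browser/GSSAPI side
    """
    now = datetime.strptime(now_str, TIME_FMT)
    _, tickets = parse_klist(text)
    by_service = {t["service"]: t for t in tickets}

    tgt = by_service.get("krbtgt/%s@%s" % (realm, realm))
    if tgt is None:
        return "no-tgt"
    if not tgt["start"] <= now < tgt["expires"]:
        return "tgt-expired"

    http = by_service.get("HTTP/%s@%s" % (server_fqdn, realm))
    if http is None:
        return "no-http-ticket"
    if not http["start"] <= now < http["expires"]:
        return "http-expired"
    return "ok"


if __name__ == "__main__":
    for when in ("05/14/12 14:00:00", "05/15/12 14:00:00"):
        print(when, check_browser_tickets(KLIST_SAMPLE, "ipaserver.example.com",
                                          "EXAMPLE.COM", when))
```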
From dpal at redhat.com Mon May 14 21:21:20 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 14 May 2012 17:21:20 -0400
Subject: [Freeipa-users] Help regarding Basic FreeIPA setup
In-Reply-To:
References:
Message-ID: <4FB17750.1010501@redhat.com>

On 05/14/2012 05:09 PM, Chandan Kumar wrote:
> I am not sure what I am missing though. Appreciate any help.

Are you running FF on windows?
Which version of IPA are you using?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From chandank.kumar at gmail.com Mon May 14 21:25:08 2012
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Mon, 14 May 2012 14:25:08 -0700
Subject: [Freeipa-users] Help regarding Basic FreeIPA setup
In-Reply-To: <4FB17750.1010501@redhat.com>
References: <4FB17750.1010501@redhat.com>
Message-ID:

System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64

Thanks
Chandan

On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal wrote:
From hahaha_30k at yahoo.com Mon May 14 22:28:05 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Mon, 14 May 2012 15:28:05 -0700 (PDT)
Subject: [Freeipa-users] Bug or feature regarding External Host in IPA net groups?
In-Reply-To: <4FB168F7.4010207@redhat.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com> <4FB168F7.4010207@redhat.com>
Message-ID: <1337034485.51643.YahooMailNeo@web160703.mail.bf1.yahoo.com>

Hi all,

Not sure whether it is a bug or a feature, but when I evaluate the IPA net groups, the 'external host' feature brings me some unexpected results. I'll list them below -- I am running IPA 2.1.3-9 on Redhat 6.2.

1, when I added a host into an IPA netgroup in command line mode, 'ipa netgroup-add-member --hosts='. When the host is not yet installed/configured as an IPA client, it shows in the 'external host' category in the output of the 'ipa netgroup-find ' command.

   The 'external host' doesn't show up in the Web interface for the IPA net group. But it does show up when running 'ipa netgroup-find', or even 'getent ' by sssd.

2, After the 'external host' is configured as an IPA client -- 'ipa user-find' proves it -- it is still reported as 'external host' by the command 'ipa netgroup-find', and still does not show up in the web interface either. Could this be a bug?
3, because of #2 above, when this machine is reconfigured, and removed with 'ipa user-del ', it still shows up in the containing netgroups and nested netgroups, and has to be removed manually. :(

4, This could be a real bug: You can add an 'external host' with either a host's bare name, or FQDN name. Then after the machine is installed, and you would like to remove it from the 'external host' category with the command 'ipa user-del ', it will remove the FQDN name entry only! and leave the bare name there forever, until you delete the whole containing netgroup!

[root at ipaclient02 ~]# ipa netgroup-find external-ng
-------------------
1 netgroups matched
-------------------
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02, ipaclient02.mac.example.com
----------------------------
Number of entries returned 1
----------------------------
[root at ipaclient02 ~]# getent netgroup external-ng
external-ng           (dnsmaster.example.com, -, example.com) (ipaclient02.mac.example.com, -, example.com)
[root at ipaclient02 ~]# ipa netgroup-remove-member external-ng --hosts=ipaclient02
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02
---------------------------
Number of members removed 1
---------------------------
[root at ipaclient02 ~]# ipa netgroup-remove-member external-ng --hosts=ipaclient02
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02
  Failed hosts/hostgroups:
    member host: ipaclient02.example.com: This entry is not a member
---------------------------
Number of members removed 0
---------------------------
[root at ipaclient02 ~]#

--Gelen

From dpal at redhat.com Mon May 14 23:11:06 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 14 May 2012 19:11:06 -0400
Subject: [Freeipa-users] Help regarding Basic FreeIPA setup
In-Reply-To:
References: <4FB17750.1010501@redhat.com>
Message-ID: <4FB1910A.2080108@redhat.com>

On 05/14/2012 05:25 PM, Chandan Kumar wrote:
>
> System: Centos 6.2
> IPA version : ipa-server-2.1.3-9.el6.x86_64
>
> Thanks
> Chandan

I am not sure but it seems like something is not properly configured with the browser. I do not remember seeing SPNEGO in the GSSAPI negotiation in this flow on a working configuration. But I will defer to experts.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From hahaha_30k at yahoo.com Mon May 14 23:19:39 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Mon, 14 May 2012 16:19:39 -0700 (PDT)
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
In-Reply-To: <4FB168F7.4010207@redhat.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com> <4FB168F7.4010207@redhat.com>
Message-ID: <1337037579.99164.YahooMailNeo@web160705.mail.bf1.yahoo.com>

Hi Dmitri,

Thanks a lot for your offer. It will be more than appreciated if Rob, or some other talented genius, could wiki the steps. The more details, the sooner, the better. It will help the IPA project and its users dramatically, especially newbies like me. :)

Thanks again to you, Rob and others for the coming documentation work.

--Gelen.

________________________________
From: Dmitri Pal
To: Robinson Tiemuqinke
Cc: "Freeipa-users at redhat.com" ; Rich Megginson
Sent: Monday, May 14, 2012 1:20 PM
Subject: Re: Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
From cao2dan at yahoo.com Tue May 15 02:57:06 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 14 May 2012 19:57:06 -0700 (PDT)
Subject: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?
Message-ID: <1337050626.69719.YahooMailNeo@web125704.mail.ne1.yahoo.com>

Hi all,

The online manual says that '--usercat' means 'User category the rule applies to'; '--hostcat' has a similar explanation. But I still don't understand how that could be used in real life and when/where to use the options.

Could anyone please shed a light on this? Thanks a lot.

--David

From Steven.Jones at vuw.ac.nz Tue May 15 04:49:21 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 15 May 2012 04:49:21 +0000
Subject: [Freeipa-users] FreeIPA and others
In-Reply-To: <47F80C39-F4C8-4DB3-88A3-F5791D532A8D@citrixonline.com>
References: , <833D8E48405E064EBC54C84EC6B36E404CC92981@STAWINCOX10MBX1.staff.vuw.ac.nz>, <47F80C39-F4C8-4DB3-88A3-F5791D532A8D@citrixonline.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC93381@STAWINCOX10MBX1.staff.vuw.ac.nz>

8><---------
Mileage may vary.

I for one have found no suitable scalable substitute for FreeIPA.
8><----------

Sure but depends on capability and experience, I for one am struggling.....while significantly easier than say 389 (which I gave up on), it's still a huge step up.......

regards

From Steven.Jones at vuw.ac.nz Tue May 15 04:59:04 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 15 May 2012 04:59:04 +0000
Subject: [Freeipa-users] Help regarding Basic FreeIPA setup
In-Reply-To:
References: <4FB17750.1010501@redhat.com>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC93398@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have run it on Macosx and RHEL6.2, firefox and chrome; safari won't connect but that's a safari issue I'm sure.

After running "kinit admin" I find the kerberos ticket expires about 24 hours later so you have to renew?

What you can do if it simply won't work is get IPA to fall back to asking for a password, which is what I have had to set for Windows 7 firefox users.
It might depend on which version of firefox; 3 and 10 do work......I think RH say firefox 10 is the long term supported version for them so I'd run that at least.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Chandan Kumar [chandank.kumar at gmail.com]
Sent: Tuesday, 15 May 2012 9:25 a.m.
To: dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Help regarding Basic FreeIPA setup

From JR.Aquino at citrix.com Tue May 15 05:25:37 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 15 May 2012 05:25:37 +0000
Subject: [Freeipa-users] FreeIPA and others
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC93381@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: , <833D8E48405E064EBC54C84EC6B36E404CC92981@STAWINCOX10MBX1.staff.vuw.ac.nz>, <47F80C39-F4C8-4DB3-88A3-F5791D532A8D@citrixonline.com>, <833D8E48405E064EBC54C84EC6B36E404CC93381@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <91C07EB2-2027-4934-BFB5-48DBF186F7FB@citrix.com>

On May 14, 2012, at 9:50 PM, "Steven Jones" wrote:
> > I for one have found no suitable scalable substitute for FreeIPA. > > 8><---------- > > Sure but depends on capability and experience, I for one am struggling.....while significantly easier than say 389 (which I gave up on), its still a huge step up....... > I agree that it doesn't solve /all/ problems (yet) ;) However, I have looked for a very very long time to find a scalable LDAP implementation with integrated Kerberos and RBAC/HBAC. I've had numerous personal discussions with the creators /maintainers of openldap, pam_ldap, sudo, and some of the MIT-Kerb folk along my way. Because no one else had solve those problems, I was actually in the middle of writing my own solution when I stumbled onto FeeIPA... For example, Pam_ldap expect(s/ed) that every user object contain an attribute entry for every single host they are allowed to log into.... Doesn't quite scale when you have to manage complex mixtures of thousands of users to thousands of hosts... What do you feel is the biggest struggle? Is it the base core features, or is it external integration pains for things feature that don't exist yet? "Keeping your head in the cloud" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Jr Aquino | Sr. 
Information Security Specialist GIAC Certified Incident Handler | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 jr.aquino at citrixonline.com http://www.citrixonline.com From JR.Aquino at citrix.com Tue May 15 05:36:01 2012 From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 15 May 2012 05:36:01 +0000 Subject: [Freeipa-users] dead in the water IPA server In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC92998@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC8F561@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA796C4.2060202@redhat.com>, <21054.213.225.75.97.1336383945.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E404CC8FA64@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FA8391F.1080706@redhat.com>, <4FAD84D1.6060103@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CC92998@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <630AEF60-1646-4B69-AFC6-28E25606B20D@citrix.com> On May 13, 2012, at 2:39 PM, "Steven Jones" > wrote: Hi, I have what I'm told are 6.3 rpms on ipa2 and no its not fixed, the memory leak kills a server in 48 hours. I also find I have a problem with rebooting, IPA doesnt survive a reboot, so I cant even cron a reboot nightly. Right now both are in a bad way and I need to reboot them...... :( The interesting thing is I have a test setup that is stable, yet has the same rpms....so Im flumixt'd, maybe its something Ive done, but I cant think what....its bod standard as far as I know.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 When I was having similar problems, it turned out to be due to a few different factors... * my cache was too low, was being exceeded and triggering a leak in 389 * I discovered a bug in managed entries that caused the plugin to fire if _any_ change occurred to a managed object. As opposed to firing only when relivent attributes changed. 
* I also had a great deal of churning happening from slapi-nis in competition with the MemberOf plugin...

Here is my bug, it was fixed in Fedora, but perhaps it is still a problem in RHEL:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=771493

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Saturday, 12 May 2012 9:29 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] dead in the water IPA server

On 05/07/2012 05:05 PM, Rich Megginson wrote:
> On 05/07/2012 02:55 PM, Steven Jones wrote:
>> Hi,
>>
>> Yes I have a memory leak see attached graphs....
>>
>> Yes looks like the killer killed slapd.......don't know what caused this yet........if it's the "killer" looks like it's decided to kill slapd or slapd was going to kill the system anyway so it may have done the right thing.
>>
>> Looks like I have 3 days between reboots, if I don't IPA loses the plot big time....very bad news..........I will I think slow IPA deployment here at this time........this can't be deployed for us as it is, I can't even test as if something doesn't work I don't know if it's my configuring error or an inconsistent IPA. :/
>>
>> Thanks for this info I will pursue this through RH support for a perm fix, adding more memory doesn't strike me as the solution, 4gb of ram for 3~4 users and about 6 client machines seems a lot.....
>
> Right. See https://fedorahosted.org/389/ticket/51 and especially all of the comments to https://bugzilla.redhat.com/show_bug.cgi?id=697701
>
> You will need to closely monitor your entry cache usage.

As far as I see the ticket is fixed upstream and is in testing for 6.3. Is this the correct understanding?

>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Sigbjorn Lie [sigbjorn at nixtra.com]
>> Sent: Monday, 7 May 2012 9:45 p.m.
>> To: Steven Jones
>> Cc: Jan Cholasta; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] dead in the water IPA server
>>
>> This sounds very much the same as the issue I've been having. Did you check to see if it was the directory server that consumed all of your memory too?
>>
>> https://www.redhat.com/archives/freeipa-users/2012-April/msg00139.html
>>
>> Regards,
>> Siggi
>>
>> On Mon, May 7, 2012 11:32, Jan Cholasta wrote:
>>> Hi,
>>>
>>> It seems that your system ate all the available memory and the kernel decided to kill a directory server instance to free some. The kernel agent responsible for this is called the out-of-memory killer, you can read more about it and how to configure it not to kill important processes here: http://lwn.net/Articles/317814/
>>>
>>> On 7.5.2012 02:22, Steven Jones wrote:
>>>> Interesting memory message.....as attached....
>>>>
>>>> I take it it isn't good? can't login that is for sure so whatever is behind the web gui is dead if nothing else...
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>> Technical Specialist - Linux RHCE
>>>> Victoria University, Wellington, NZ
>>>> 0064 4 463 6272
>>>
>>> --
>>> Jan Cholasta

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbose at redhat.com Tue May 15 08:48:50 2012
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 15 May 2012 10:48:50 +0200
Subject: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?
In-Reply-To: <1337050626.69719.YahooMailNeo@web125704.mail.ne1.yahoo.com>
References: <1337050626.69719.YahooMailNeo@web125704.mail.ne1.yahoo.com>
Message-ID: <20120515084850.GE2338@localhost.localdomain>

On Mon, May 14, 2012 at 07:57:06PM -0700, David Copperfield wrote:
> Hi all,
>
> The online manual says that the '--usercat' means 'User category the rule applies to'; '--hostcat' has the similar explanation. But I still don't understand how that could be used in real life and when/where to use the options.
>
> Could anyone please shed a light on this? Thanks a lot.

iirc these options were introduced with the host based access control (HBAC) and are used to identify categories/classes of users and hosts in a more general way than using groups or ip-address ranges. I think currently only the keyword 'all' can be used here, which e.g. means that an HBAC rule will match for all users or all hosts. In future it is planned to support other categories, e.g. something like 'local' and 'remote' which would catch all users/hosts of the local IPA domain or all users/groups which are coming from remote domains, respectively.

HTH

bye,
Sumit

>
> --David

From pspacek at redhat.com Tue May 15 09:13:37 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 15 May 2012 11:13:37 +0200
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
In-Reply-To: <1337037579.99164.YahooMailNeo@web160705.mail.bf1.yahoo.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com> <4FB168F7.4010207@redhat.com> <1337037579.99164.YahooMailNeo@web160705.mail.bf1.yahoo.com>
Message-ID: <4FB21E41.9060906@redhat.com>

Hello,

IMHO it *must* be documented very well. Thanks for the scenario proposal!

There is a new documentation ticket: https://fedorahosted.org/freeipa/ticket/2758

Another ticket exists for CA master recovery procedure: https://fedorahosted.org/freeipa/ticket/2749

Petr^2 Spacek

On 05/15/2012 01:19 AM, Gelen James wrote:
> Hi Dimitri,
>
> thanks a lot for your offer. It will be more than appreciated if Rob, or some other talented genius could wiki the steps. The more details, the sooner, and the better. It will help IPA projects and its users dramatically, especially for newbies like me. :)
>
> Thanks again for you, Rob and others for the coming documentation work.
>
> --Gelen.
>
> ------------------------------------------------------------------------------
> *From:* Dmitri Pal
> *To:* Robinson Tiemuqinke
> *Cc:* "Freeipa-users at redhat.com" ; Rich Megginson
> *Sent:* Monday, May 14, 2012 1:20 PM
> *Subject:* Re: Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
>
> On 05/14/2012 03:48 PM, Robinson Tiemuqinke wrote:
>> Hi Dmitri, Rich and all,
>>
>> I am a newbie to Redhat IPA. It looks pretty cool compared with other solutions I've tried before. Thanks a lot for this great product! :)
>>
>> But there are still some things I need your help with. My main question is: How to restore the IPA setup with a daily machine-level IPA Replica backup?
>>
>> Please let me explain my IPA setup background and the backup/restore goals I am trying to reach:
>>
>> I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is set up with the Dogtag CA system. It is installed first. Then two IPA replicas are installed -- with '--setup-ca' options -- for load balancing and failover purposes.
>>
>> To describe my problems/objectives, I'll name the IPA Master as machine A, IPA replicas as B and C, and now I've one more extra IPA replica 'D' (virtual machine) set up ONLY for backup purposes.
>> The setup looks like the following, A is the configuration Hub. B,C,D are siblings.
>>
>>        A
>>      / | \
>>     B  C  D
>>
>> The following are the steps I backup IPA setups and LDAP backends daily -- it is a whole machine-level backup (through virtual machine D).
>>
>> 1, First, IPA replica D is backed up daily. The backup happens like this:
>>
>> 1.1 on IPA replica D, run 'service IPA stop'. Then run 'shutdown -h '. On the Hypervisor which holds virtual machine D, do a daily backup of the whole virtual disk that D is on.
>> 1.2 turn on the IPA replica D again.
>> 1.3 after virtual machine D is up, on D optionally run a 'ipa-replica-manage --force-sync --from ' to sync the IPA databases forcibly.
>>
>> Now comes the restore part, which is pretty confusing to me. I've tried several times, and every time it comes to this or that kind of issue, and so I am wondering that correct steps/interaction of IPA Master/replicas are the king :(
>>
>> 2, case #1, A is broken, like disc failure, and then re-imaged after several days.
>>
>> 2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the daily backup from IPA replica D?
>> 2.2 do I have to check some files on A into subversion immediately after A was initially installed?
>> 2.3 Please describe the steps. I'll follow exactly and report the results.
>>
>> 3, case #2, A is working, but either B, or C is broken.
>>
>> 3.1 It looks that I don't need the daily backup of D to kick in, is that right?
>> 3.2 What are the correct steps on A; and B after it is re-imaged?
>> 3.3 Please describe the steps. I'll follow exactly and report the results.
>>
>> 4, case #3, If some un-expected IPA changes happen on A -- like all users are deleted by human mistake --, and even worse, all the changes are propagated to B and C in minutes.
>>
>> 4.1 How can I recover the IPA setup from the daily backup from D?
>> 4.2 which IPA master/replicas should I recover first? IPA master A, or IPA replicas B/C? and then how to recover the others left one by one?
>> 4.3 Do I have to disconnect replication agreement of B,C,D from A first?
>> 4.4 Please describe the steps. I'll follow exactly and report the results.
>>
>> I've heard something about tombstone records too. Not sure whether the problem still exists in 2.1.3, or 2.2.0 (on 6.3Beta)? If so, how can I avoid it with correct recovery steps/interactions.
>>
>> Thanks a lot.
>>
>> --Gelen.
>
> I can explain it conceptually. Rob is probably best to define the exact sequence and commands.
>
> If your A is broken you reinstall it, make it connect to D and init (force sync) A from D. Now you have a new A.
>
> If B or C dies you just re-install B or C and init from A.
>
> If you lost a lot of data I suggest you start a saved D instance and force-sync A from it and then force sync B and C from A.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

From simo at redhat.com Tue May 15 11:46:26 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 15 May 2012 07:46:26 -0400
Subject: [Freeipa-users] Help regarding Basic FreeIPA setup
In-Reply-To: <4FB1910A.2080108@redhat.com>
References: <4FB17750.1010501@redhat.com> <4FB1910A.2080108@redhat.com>
Message-ID: <1337082386.16840.10.camel@willson.li.ssimo.org>

On Mon, 2012-05-14 at 19:11 -0400, Dmitri Pal wrote:
> On 05/14/2012 05:25 PM, Chandan Kumar wrote:
>>
>> System: Centos 6.2
>> IPA version : ipa-server-2.1.3-9.el6.x86_64
>>
>> Thanks
>> Chandan
>
> I am not sure but seems like something is not properly configured with the browser.
> I do not remember seeing SPNEGO in the GSSAPI negotiation in this flow on a working configuration.
> But I will defer to experts.

Firefox always uses SPNEGO. Here what fails is the init_sec_context; I assume the user does not have a kerberos ticket, so spnego fails to find valid credentials for any of the supported mechs and punts.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From grimme at atix.de Tue May 15 11:58:36 2012
From: grimme at atix.de (Marc Grimme)
Date: Tue, 15 May 2012 13:58:36 +0200 (CEST)
Subject: [Freeipa-users] Replica failing to install with ipa and RHEL6.2
In-Reply-To: <61218459.362120.1337082769679.JavaMail.root@webmail2.atix.de>
Message-ID: <1561426802.362204.1337083116215.JavaMail.root@webmail2.atix.de>

Hello,

until today we had an ipa configuration with two directory servers (master/replica) up and running. But today unfortunately the replica could not synchronize and has since then been unable to resynchronize.
I removed the replica from the master:

  ipa-replica-manage --force del methusalix2.cl.atix

and then recreated the replica:

  ipa-replica-prepare methusalix2.cl.atix --ip-address=192.168.3.3
  Directory Manager (existing master) password:
  Preparing replica for methusalix2.cl.atix from axinfra01-1.cl.atix
  Creating SSL certificate for the Directory Server
  Creating SSL certificate for the dogtag Directory Server
  Creating SSL certificate for the Web Server
  Exporting RA certificate
  Copying additional files
  Finalizing configuration
  Packaging replica information into /var/lib/ipa/replica-info-methusalix2.cl.atix.gpg
  Adding DNS records for methusalix2.cl.atix
  Using reverse zone 3.168.192.in-addr.arpa.

On the replica I then issued the proposed commands:

  [root at methusalix2 ~]# scp 192.168.40.102:/var/lib/ipa/replica-info-methusalix2.cl.atix.gpg /var/lib/ipa/
  root at 192.168.40.102's password:
  Permission denied, please try again.
  root at 192.168.40.102's password:
  replica-info-methusalix2.cl.atix.gpg          100%   28KB  28.4KB/s   00:00
  [root at methusalix2 ~]# ipa-replica-install --debug --setup-dns --forwarder=.. --forwarder=.. /var/lib/ipa/replica-info-methusalix2.cl.atix.gpg
  root        : DEBUG    /usr/sbin/ipa-replica-install was invoked with argument "/var/lib/ipa/replica-info-methusalix2.cl.atix.gpg" and options: {'no_forwarders': False, 'ui_redirect': True, 'reverse_zone': None, 'unattended': False, 'no_host_dns': False, 'no_reverse': False, 'setup_dns': True, 'setup_ca': False, 'forwarders': [CheckedIPAddress('..'), CheckedIPAddress('..')], 'debug': True, 'conf_ntp': True, 'skip_conncheck': False}
  root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
  root        : DEBUG    Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
  Directory Manager (existing master) password:
  root        : DEBUG    args=/usr/bin/gpg --batch --homedir /tmp/tmpvVcfupipa/ipa-GEv1oL/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpvVcfupipa/files.tar -d /var/lib/ipa/replica-info-methusalix2.cl.atix.gpg
  root        : DEBUG    stdout=
  root        : DEBUG    stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpvVcfupipa/ipa-GEv1oL/.gnupg'
  gpg: keyring `/tmp/tmpvVcfupipa/ipa-GEv1oL/.gnupg/secring.gpg' created
  gpg: keyring `/tmp/tmpvVcfupipa/ipa-GEv1oL/.gnupg/pubring.gpg' created
  gpg: 3DES encrypted data
  gpg: encrypted with 1 passphrase
  gpg: WARNING: message was not integrity protected
  ..
  Connection from replica to master is OK.
  Start listening on required ports for remote master check
  Get credentials to log in to remote master
  admin at CL.ATIX password:
  Execute check on remote master
  Check connection from master to remote replica 'methusalix2.cl.atix':
     Directory Service: Unsecure port (389): OK
     Directory Service: Secure port (636): OK
     Kerberos KDC: TCP (88): OK
     Kerberos KDC: UDP (88): OK
     Kerberos Kpasswd: TCP (464): OK
     Kerberos Kpasswd: UDP (464): OK
     HTTP Server: port 80 (80): OK
     HTTP Server: port 443(https) (443): OK
  Connection from master to replica is OK.
  root        : DEBUG    args=/usr/sbin/ipa-replica-conncheck --master axinfra01-1.cl.atix --auto-master-check --realm CL.ATIX --principal admin --hostname methusalix2.cl.atix
  Connection check OK
  root        : DEBUG    importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
  root        : DEBUG    importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
  ..
    [21/29]: setting up initial replication
  root        : DEBUG    args=/sbin/service dirsrv restart CL-ATIX
  root        : DEBUG    stdout=Shutting down dirsrv:
      CL-ATIX...                                            [  OK  ]
  Starting dirsrv:
      CL-ATIX...                                            [  OK  ]
  root        : DEBUG    stderr=
  Starting replication, please wait until this has completed.
  Update in progress
  Update in progress
  Update in progress
  Update in progress
  Update in progress
  Update in progress
  Update in progress
  Update in progress
  Update in progress
  Update in progress
  [axinfra01-1.cl.atix] reports: Update failed! Status: [-2 Total update abortedSystem error]
  creation of replica failed: Failed to start replication
  root        : DEBUG    Failed to start replication
    File "/usr/sbin/ipa-replica-install", line 482, in
      main()
    File "/usr/sbin/ipa-replica-install", line 433, in main
      ds = install_replica_ds(config)
    File "/usr/sbin/ipa-replica-install", line 135, in install_replica_ds
      pkcs12_info)
    File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 284, in create_replica
      self.start_creation("Configuring directory server", 60)
    File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 248, in start_creation
      method()
    File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 297, in __setup_replica
      r_bindpw=self.dm_password)
    File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 694, in setup_replication
      raise RuntimeError("Failed to start replication")
  Your system may be partly configured.
  Run /usr/sbin/ipa-server-install --uninstall to clean up.

On the master I only see the following:

  [15/May/2012:13:56:55 +0200] NSMMReplicationPlugin - agmt="cn=meTomethusalix2.cl.atix" (methusalix2:389): Replica has a different generation ID than the local data.

I followed instructions from other posts with restarting the master and so on but without success.

Any ideas how I can proceed?

Thanks Marc.
______________________________________________________________________________
Marc Grimme
E-Mail: grimme at atix.de

From JR.Aquino at citrix.com Tue May 15 13:18:34 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 15 May 2012 13:18:34 +0000
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
In-Reply-To: <4FB21E41.9060906@redhat.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com> <4FB168F7.4010207@redhat.com> <1337037579.99164.YahooMailNeo@web160705.mail.bf1.yahoo.com>, <4FB21E41.9060906@redhat.com>
Message-ID:

I have successfully utilized a similar procedure. The restoration process is the same for both though.

I would be willing to accept the tickets and document the various backup and recovery methods. Though, I'd like Dmitri's feedback on whether or not the team approves of making the "official" method of recovery from catastrophic failure be the use of frozen vm images.

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aquino at citrix.com
http://www.citrixonline.com

On May 15, 2012, at 2:16 AM, "Petr Spacek" wrote:

> Hello,
>
> IMHO it *must* be documented very well. Thanks for the scenario proposal!
>
> There is a new documentation ticket: https://fedorahosted.org/freeipa/ticket/2758
>
> Another ticket exists for CA master recovery procedure: https://fedorahosted.org/freeipa/ticket/2749
>
> Petr^2 Spacek

From chandank.kumar at gmail.com Tue May 15 14:35:39 2012
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Tue, 15 May 2012 07:35:39 -0700
Subject: [Freeipa-users] Help regarding Basic FreeIPA setup
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC93398@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4FB17750.1010501@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC93398@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

Hi,

I am running the default Firefox that comes with centos 6.2.
I guess that Whatever time I do kinit it just does not working for me even for single time. Also it shows as that I am logged in as user at freeipa.org.... In the main back ground web page. Not sure whether it's relevant with this error. On Monday, 14 May 2012, Steven Jones wrote: > Hi, > > > > I have run it on Macosx and RHEL6.2, firefox and chrome, safari wont > connect but thats a safari issue Im sure. > > > > After running "kinit admin" I find the kerberos ticket expires about 24 > hours later so you have to renew? What you can do if it simply wont > work is get IPA to fall back to asking for a password, which is what I have > had to set for Windows 7 firefox users. > > > > It might depend on which version of firefox, 3 and 10 do work......I think > RH say firefox 10 is the long term supported version for them so I'd run > that at least. > > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > ------------------------------ > *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] > on behalf of Chandan Kumar [chandank.kumar at gmail.com] > *Sent:* Tuesday, 15 May 2012 9:25 a.m. > *To:* dpal at redhat.com > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] Help regarding Basic FreeIPA setup > > > System: Centos 6.2 > IPA version : ipa-server-2.1.3-9.el6.x86_64 > > > Thanks > Chandan > > > > > > On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal wrote: > >> ** >> On 05/14/2012 05:09 PM, Chandan Kumar wrote: >> >> I am a newbie in IPA and was experimenting it on my couple of VMs before >> considering it for production level. >> >> Installation went fine, however, I am getting the kerberos key expiration >> error at firefox. I am running firefox on the same machine where I have >> installed/configured ipa-server. On googling and some help in IRC I checked >> documentation to trouble shoot it as this appear to be a known problem. 
>> >> Moreover, I did follow >> >> http://freeipa.org/page/InstallAndDeploy >> http://freeipa.org/page/TroubleshootingGuide >> >> Fire fox logs >> >> 1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken >> [rv=80004005] >> -1977841888[7fc789f5b040]: using REQ_DELEGATE >> -1977841888[7fc789f5b040]: service = ipaserver.example.com >> -1977841888[7fc789f5b040]: using negotiate-gss >> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI() >> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init() >> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() >> [challenge=Negotiate] >> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken() >> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS >> failure. Minor code may provide more information >> SPNEGO cannot find mechanisms to negotiate >> -1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken >> [rv=80004005] >> >> [root at ds var]# klist >> Ticket cache: FILE:/tmp/krb5cc_0 >> Default principal: admin at EXAMPLE.COM >> >> Valid starting Expires Service principal >> 05/14/12 13:50:32 05/15/12 13:50:30 krbtgt/EXAMPLE.COM at EXAMPLE.COM >> 05/14/12 13:53:58 05/15/12 13:50:30 HTTP/ >> ipaserver.example.com at EXAMPLE.COM >> 05/14/12 13:54:13 05/15/12 13:50:30 ldap/ >> ipaserver.example.com at EXAMPLE.COM >> [root at ds var]# >> >> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin >> >> at http://fpaste.org/9hXX/ >> >> I am not sure what I am missing though. Appreciate any help. >> >> Thanks >> Chandan >> >> >> >> >> Are you running FF on windows? >> Which version of IPA are you using? >> >> >> >> _______________________________________________ >> Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IPA project, >> Red Hat Inc. 
>>
>> -------------------------------
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>

--
Sent from my iPad
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From adrien at uniwan.be Tue May 15 15:46:15 2012
From: adrien at uniwan.be (Adrien Rami)
Date: Tue, 15 May 2012 17:46:15 +0200
Subject: [Freeipa-users] Problem Active Directory Synchronisation: ipawinsyncuserflatten false
Message-ID:

Hi all,

I introduce myself. I am Adrien Rami and I am an Open Source developer.

I work on a project with FreeIPA and I try to sync an Active Directory with FreeIPA, with the special case that I want to sync the Organisation Unit.

I set the ipawinsyncuserflatten to false but unfortunately it didn't work.

Is there a way to do this? If yes, does someone do that and have some information for me?

Best regards

Adrien Rami
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From hahaha_30k at yahoo.com Tue May 15 16:05:43 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Tue, 15 May 2012 09:05:43 -0700 (PDT)
Subject: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?
In-Reply-To: <20120515084850.GE2338@localhost.localdomain>
References: <1337050626.69719.YahooMailNeo@web125704.mail.ne1.yahoo.com> <20120515084850.GE2338@localhost.localdomain>
Message-ID: <1337097943.10734.YahooMailNeo@web160704.mail.bf1.yahoo.com>

Hi Sumit,

Thanks for your quick reply.

In the chapter http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/migrating-from-nis.html#nis-import-netgroups, the Netgroup migration script sets the '--usercat' and '--hostcat' options on IPA netgroups through the 'ipa netgroup-mod' command.
More specifically, when IPA imports host based netgroups with triples like (hostA,-,-), (hostB,-,-), the new IPA netgroups are set up with the option '--usercat=all'. Does that mean that if this IPA netgroup is used in a HBAC rule, then the rule will apply to all users on hostA and hostB? Am I right? :)

BTW, do I have to turn on the '--usercat' option for NIS netgroup migration? The HBAC rules are defined inside hosts/hostgroups, and no NIS groups are involved, right? I may be completely wrong here.

Thanks.

--Gelen

________________________________
From: Sumit Bose
To: freeipa-users at redhat.com
Sent: Tuesday, May 15, 2012 1:48 AM
Subject: Re: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?

On Mon, May 14, 2012 at 07:57:06PM -0700, David Copperfield wrote:
> Hi all,
>
> The online manual says that the '--usercat' means 'User category the rule applies to'; '--hostcat' has a similar explanation. But I still don't understand how that could be used in real life and when/where to use the options.
>
> Could anyone please shed a light on this? Thanks a lot.

iirc these options were introduced with the host based access control (HBAC) and are used to identify categories/classes of users and hosts in a more general way than using groups or ip-address ranges. I think currently only the keyword 'all' can be used here, which e.g. means that an HBAC rule will match for all users or all hosts. In future it is planned to support other categories, e.g. something like 'local' and 'remote' which would catch all users/hosts of the local IPA domain or all users/groups which are coming from remote domains, respectively.
HTH

bye,
Sumit

>
> --David
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Tue May 15 16:09:25 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 May 2012 10:09:25 -0600
Subject: [Freeipa-users] Problem Active Directory Synchronisation: ipawinsyncuserflatten false
In-Reply-To:
References:
Message-ID: <4FB27FB5.5090400@redhat.com>

On 05/15/2012 09:46 AM, Adrien Rami wrote:
> Hi all,
>
> I introduce myself. I am Adrien Rami and I am an Open Source developer.
>
> I work on a project with FreeIPA and I try to sync an Active Directory
> with FreeIPA, with the special case that I want to sync the
> Organisation Unit.
>
> I set the ipawinsyncuserflatten to false but unfortunately it didn't work.
>
> Is there a way to do this? If yes, does someone do that and have some
> information for me?

What exactly did you try, and what was the result that you saw?

Note that if you create a new ou in AD, that will not sync to IPA. You must create your ou structure on both sides. And that won't work with IPA since IPA expects to have a flat DIT on the IPA side.

Perhaps if you could explain why you want to sync your AD structure to IPA, we could suggest some alternatives.

>
> Best regards
>
> Adrien Rami
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
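For the '--usercat'/'--hostcat' thread above (Gelen's NIS netgroup migration question and Sumit's answer), a small added model, not code from FreeIPA or from anyone on the list, of how host-only NIS triples become a netgroup with usercat=all and how an HBAC rule bound to it then matches any user on those hosts. The dataclasses, the host/user names and the 'sshd' service are constructed for illustration; the (hostA,-,-) to --usercat=all mapping follows the migration behaviour Gelen quotes, and only the keyword 'all' is modelled since Sumit says it is the only category currently supported.

```python
"""Toy model of IPA netgroup categories (--usercat/--hostcat) and HBAC matching.

Added example for the netgroup migration thread; it is not FreeIPA code and
does not talk to an IPA server. A NIS triple is (host, user, domain) with '-'
meaning "any". A host-only netgroup imported from NIS gets --usercat=all, so an
HBAC rule built on it matches every user on the listed hosts. All names
(hostA, alice, ...) are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class Netgroup:
    name: str
    hosts: Set[str] = field(default_factory=set)
    users: Set[str] = field(default_factory=set)
    usercat: Optional[str] = None   # 'all' models 'ipa netgroup-mod --usercat=all'
    hostcat: Optional[str] = None   # 'all' models 'ipa netgroup-mod --hostcat=all'


@dataclass
class HbacRule:
    """An allow rule: who (users/usercat), where (hosts/hostcat), what (services)."""
    name: str
    users: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    usercat: Optional[str] = None
    hostcat: Optional[str] = None
    servicecat: Optional[str] = None


def netgroup_from_nis(name: str, triples: Iterable[Tuple[str, str, str]]) -> Netgroup:
    """Import NIS triples into a netgroup the way the thread describes.

    Members are flattened into separate host and user sets (IPA netgroups hold
    member hosts and member users, not pairs). A side that is '-' in every
    triple is a wildcard, so it becomes the category 'all' rather than an empty
    member list.
    """
    ng = Netgroup(name)
    for host, user, _domain in triples:
        if host != '-':
            ng.hosts.add(host)
        if user != '-':
            ng.users.add(user)
    if ng.hosts and not ng.users:
        ng.usercat = 'all'      # (hostA,-,-), (hostB,-,-) -> any user on those hosts
    if ng.users and not ng.hosts:
        ng.hostcat = 'all'      # (-,alice,-) -> alice on any host
    return ng


def rule_from_netgroup(ng: Netgroup, services: Iterable[str] = ('sshd',)) -> HbacRule:
    """Bind an HBAC rule to the netgroup; its categories carry over unchanged."""
    return HbacRule(name='allow-' + ng.name, users=set(ng.users), hosts=set(ng.hosts),
                    services=set(services), usercat=ng.usercat, hostcat=ng.hostcat)


def _side_matches(cat: Optional[str], members: Set[str], value: str) -> bool:
    # The category wildcard short-circuits the membership check for that side.
    return cat == 'all' or value in members


def hbac_allows(rules: Iterable[HbacRule], user: str, host: str, service: str) -> bool:
    """Access is granted if any rule matches on all three sides."""
    return any(_side_matches(r.usercat, r.users, user)
               and _side_matches(r.hostcat, r.hosts, host)
               and _side_matches(r.servicecat, r.services, service)
               for r in rules)


def broad_rules(rules: Iterable[HbacRule]) -> List[str]:
    """Review helper: names of rules whose who or where side is the 'all' wildcard."""
    return [r.name for r in rules if r.usercat == 'all' or r.hostcat == 'all']


if __name__ == '__main__':
    # Constructed NIS input: a host-only netgroup, as in Gelen's question.
    nis_hosts = netgroup_from_nis('nis-hosts', [('hostA', '-', '-'), ('hostB', '-', '-')])
    rule = rule_from_netgroup(nis_hosts)
    print(rule.usercat)                                   # all
    print(hbac_allows([rule], 'alice', 'hostA', 'sshd'))  # True: any user on hostA
    print(hbac_allows([rule], 'alice', 'hostC', 'sshd'))  # False: hostC is not a member
    print(broad_rules([rule]))                            # ['allow-nis-hosts']
```

The `broad_rules` pass is the check worth running after a NIS import: every migrated host-only netgroup that is bound to an HBAC rule grants all users on those hosts, which is exactly the effect Gelen asks about.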
From chandank.kumar at gmail.com Tue May 15 16:14:17 2012
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Tue, 15 May 2012 09:14:17 -0700
Subject: [Freeipa-users] Help regarding Basic FreeIPA setup
In-Reply-To:
References: <4FB17750.1010501@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC93398@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

The kinit does show that the keys are there.

[root at ipaserver ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at EXAMPLE.COM

Valid starting     Expires            Service principal
05/15/12 09:13:35  05/16/12 09:13:32  krbtgt/EXAMPLE.COM at EXAMPLE.COM

Thanks
Chandan

On Tue, May 15, 2012 at 7:35 AM, Chandan Kumar wrote:
> Hi,
> I am running the default Firefox that comes with centos 6.2. I guess that
> whatever time I do kinit it just does not work for me, even for a single
> time.
>
> Also it shows that I am logged in as user at freeipa.org.... in the main
> background web page. Not sure whether it's relevant to this error.
>
> On Monday, 14 May 2012, Steven Jones wrote:
>
>> Hi,
>>
>> I have run it on Macosx and RHEL6.2, firefox and chrome, safari won't
>> connect but that's a safari issue I'm sure.
>>
>> After running "kinit admin" I find the kerberos ticket expires about 24
>> hours later so you have to renew? What you can do if it simply won't
>> work is get IPA to fall back to asking for a password, which is what I have
>> had to set for Windows 7 firefox users.
>>
>> It might depend on which version of firefox, 3 and 10 do work......I
>> think RH say firefox 10 is the long term supported version for them so I'd
>> run that at least.
>>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>> ------------------------------
>> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com]
>> on behalf of Chandan Kumar [chandank.kumar at gmail.com]
>> *Sent:* Tuesday, 15 May 2012 9:25 a.m.
>> *To:* dpal at redhat.com
>> *Cc:* freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] Help regarding Basic FreeIPA setup
>>
>> System: Centos 6.2
>> IPA version : ipa-server-2.1.3-9.el6.x86_64
>>
>> Thanks
>> Chandan
>>
>> On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal wrote:
>>
>>> On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>>>
>>> I am a newbie in IPA and was experimenting it on my couple of VMs before
>>> considering it for production level.
>>>
>>> Installation went fine, however, I am getting the kerberos key
>>> expiration error at firefox. I am running firefox on the same machine where
>>> I have installed/configured ipa-server. On googling and some help in IRC I
>>> checked documentation to troubleshoot it as this appears to be a known
>>> problem.
>>>
>>> Moreover, I did follow
>>>
>>> http://freeipa.org/page/InstallAndDeploy
>>> http://freeipa.org/page/TroubleshootingGuide
>>>
>>> Firefox logs
>>>
>>> 1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
>>> -1977841888[7fc789f5b040]: using REQ_DELEGATE
>>> -1977841888[7fc789f5b040]: service = ipaserver.example.com
>>> -1977841888[7fc789f5b040]: using negotiate-gss
>>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
>>> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
>>> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
>>> SPNEGO cannot find mechanisms to negotiate
>>> -1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
>>>
>>> [root at ds var]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: admin at EXAMPLE.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>> 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example.com at EXAMPLE.COM
>>> 05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example.com at EXAMPLE.COM
>>> [root at ds var]#
>>>
>>> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>>>
>>> at http://fpaste.org/9hXX/
>>>
>>> I am not sure what I am missing though. Appreciate any help.
>>>
>>> Thanks
>>> Chandan
>>>
>>> Are you running FF on windows?
>>> Which version of IPA are you using?
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IPA project,
>>> Red Hat Inc.
>>>
>>> -------------------------------
>>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>
> --
> Sent from my iPad
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Tue May 15 16:41:16 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 May 2012 12:41:16 -0400
Subject: [Freeipa-users] Bug or feature regarding External Host in IPA net groups?
In-Reply-To: <1337034485.51643.YahooMailNeo@web160703.mail.bf1.yahoo.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com> <4FB168F7.4010207@redhat.com> <1337034485.51643.YahooMailNeo@web160703.mail.bf1.yahoo.com>
Message-ID: <4FB2872C.5040103@redhat.com>

Gelen James wrote:
>
> Hi all,
>
> Not sure whether it is a bug or a feature, but when I evaluate the IPA net
> groups, the 'external host' feature brings me some unexpected results.
> I'll list them below -- I am running IPA 2.1.3-9 on Redhat 6.2.
>
> 1, when I added a host into IPA netgroup in command line mode, 'ipa
> netgroup-add-member --hosts='. When the host is not
> yet installed/configured into an IPA client, it shows in 'external host'
> category, in the output of 'ipa netgroup-find ' command.
> The 'external host' doesn't show up in the Web interface for IPA net
> group. But it does show up when run 'ipa netgroup-find', or even
> 'getent ' by sssd.
>
> 2, After the 'external host' is configured into an IPA client -- 'ipa
> user-find proves it' -- it is still reported as 'external host'
> by command 'ipa netgroup-find', and still does not show up in the web
> interface either. Could this be a bug?
>
> 3, because of #2 above, when this machine is reconfigured, and removed
> with 'ipa user-del ', it still shows up in the containing netgroups
> and nested netgroups, and has to be removed manually. :(
>
> 4, This could be a real bug: You can add an 'external host' with either
> a host's bare name, or FQDN name. Then after the machine is installed,
> and you would like to remove it from 'external host' category with
> command 'ipa user-del ', it will remove the FQDN name entry
> only! and leave the bare name there forever, until you delete the whole
> containing netgroup!
>
> [root at ipaclient02 ~]# ipa netgroup-find external-ng
> -------------------
> 1 netgroups matched
> -------------------
>   Netgroup name: external-ng
>   Description: netgroup for external hosts
>   NIS domain name: example.com
>   Member of netgroups: nest-external-ng
>   External host: dnsmaster.example.com, ipaclient02, ipaclient02.mac.example.com
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> [root at ipaclient02 ~]# getent netgroup external-ng
> external-ng (dnsmaster.example.com, -, example.com) (ipaclient02.mac.example.com, -, example.com)
>
> [root at ipaclient02 ~]# ipa netgroup-remove-member external-ng --hosts=ipaclient02
>   Netgroup name: external-ng
>   Description: netgroup for external hosts
>   NIS domain name: example.com
>   Member of netgroups: nest-external-ng
>   External host: dnsmaster.example.com, ipaclient02
> ---------------------------
> Number of members removed 1
> ---------------------------
>
> [root at ipaclient02 ~]# ipa netgroup-remove-member external-ng --hosts=ipaclient02
>   Netgroup name: external-ng
>   Description: netgroup for external hosts
>   NIS domain name: example.com
>   Member of netgroups: nest-external-ng
>   External host: dnsmaster.example.com, ipaclient02
>   Failed hosts/hostgroups:
>     member host: ipaclient02.example.com: This entry is not a member
> ---------------------------
> Number of members removed 0
> ---------------------------
> [root at ipaclient02 ~]#
>

An external host is one that is never expected to be added as a host in IPA, however we don't prevent it. There is no reconciliation done if an external host is added as an IPA host, as you've seen. If you'd like this please file an enhancement request at https://fedorahosted.org/freeipa/

In 3.0 we have added validation of external host names. Whether this will prevent a bare name or not I'm not sure.
I don't know why we would care whether it was fully qualified or not, though yeah, it appears we are automatically adding the domain. I tested this in 2.2 and it worked as expected, a bare name was deletable.

rob

From rcritten at redhat.com Tue May 15 16:57:49 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 May 2012 12:57:49 -0400
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
In-Reply-To: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com>
Message-ID: <4FB28B0D.5080201@redhat.com>

Robinson Tiemuqinke wrote:
> Hi Dmitri, Rich and all,
>
> I am a newbie to Redhat IPA. It looks pretty cool compared with
> other solutions I've tried before. Thanks a lot for this great product! :)
>
> But there are still some things I need your help with. My main question is:
> How to restore the IPA setup with a daily machine-level IPA Replica backup?
>
> Please let me explain my IPA setup background and the backup/restore goals
> I am trying to reach:
>
> I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is set up
> with the Dogtag CA system. It is installed first. Then two IPA replicas are
> installed -- with '--setup-ca' options -- for load balancing and
> failover purposes.
>
> To describe my problems/objectives, I'll name the IPA Master as machine
> A, IPA replicas as B and C, and now I've one more extra IPA replica 'D'
> (virtual machine) set up ONLY for backup purposes.
> The setup looks like the following, A is the configuration Hub. B, C, D
> are siblings.
>
>       A
>     / | \
>    B  C  D
>
> The following are the steps I back up IPA setups and LDAP backends daily
> -- it is a whole machine-level backup (through virtual machine D).
>
> 1, First, IPA replica D is backed up daily. The backup happens like this:
>
> 1.1 on IPA replica D, run 'service IPA stop'. Then run 'shutdown -h '.
> On the Hypervisor which holds virtual machine D, do a daily backup of
> the whole virtual disk that D is on.
> 1.2 turn on the IPA replica D again.
> 1.3 after virtual machine D is up, on D optionally run
> 'ipa-replica-manage --force-sync --from ' to sync the IPA databases
> forcibly.
>
> Now comes the restore part, which is pretty confusing to me. I've tried
> several times, and every time it comes to this or that kind of issue, and
> so I am wondering what the correct steps/interaction of IPA Master/replicas
> are :(
>
> 2, case #1, A is broken, like disc failure, and then re-imaged after
> several days.
>
> 2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the
> daily backup from IPA replica D?

The first thing you'll need to do is to connect your other replicas together, either by picking a new hub or adding links to each one. Then you'll need to delete the replication agreement to A. You should be left with a set of servers that continues to replicate.

So, for argument's sake, we promote B to be the new hub:

On B:
# ipa-replica-manage connect C
# ipa-replica-manage connect D
# ipa-replica-manage del --force A
# ipactl restart

On C:
# ipa-replica-manage del --force A
# ipactl restart

On D:
# ipa-replica-manage del --force A
# ipactl restart

It is unclear what you mean by re-imaged. Are you restoring from backup or installing it fresh? I'll assume it is a new install. You'll need to prepare a replica file for A and install it as a replica. Then if you want to keep A as the primary you'll need to change the replication agreements back so that it is the hub (using ipa-replica-manage connect and disconnect).

When you install the new A server it should get all the changes needed, you should be done. You'll want to check the documentation on promoting a master to verify that only one server is the CRL generator (at this point there may be none).

> 2.2 do I have to check some files on A into subversion immediately after
> A was initially installed?
The only thing you really need to save is the cacert.p12 file. This is your root CA.

> 2.3 Please describe the steps. I'll follow exactly and report the results.
>
> 3, case #2, A is working, but either B, or C is broken.
>
> 3.1 It looks like I don't need the daily backup of D to kick in, is that
> right?

No, D is unrelated.

> 3.2 What are the correct steps on A; and B after it is re-imaged?

On A:
# ipa-replica-manage del B
# ipactl restart
# ipa-replica-prepare B

On B:
# ipa-replica-install B

You'll probably need/want to clean RUV, http://directory.fedoraproject.org/wiki/Howto:CLEANRUV

> 3.3 Please describe the steps. I'll follow exactly and report the results.
>
> 4, case #3, If some unexpected IPA changes happen on A -- like all
> users are deleted by human mistake --, and even worse, all the changes
> are propagated to B and C in minutes.
>
> 4.1 How can I recover the IPA setup from the daily backup from D?

We have not yet documented how to recover from tombstones or an offline replica.

> 4.2 which IPA master/replicas should I recover first? IPA master A, or
> IPA replicas B/C? and then how to recover the others left one by one?

If the entries are re-added on any of the replicas it will be propagated out.

> 4.3 Do I have to disconnect the replication agreements of B, C, D from A first?

Depends on how 4.1 gets answered which we are still investigating.

> 4.4 Please describe the steps. I'll follow exactly and report the results.
>
> I've heard something about tombstone records too. Not sure whether the
> problem still exists in 2.1.3, or 2.2.0 (on 6.3 Beta)? If so, how can I
> avoid it with correct recovery steps/interactions.

It is RUV that is the problem. This 389-ds wiki page describes how to clean up: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV

The 389-ds team is working to make this less manual.
rob

From johnny.westerlund at atea.se Tue May 15 17:42:59 2012
From: johnny.westerlund at atea.se (Westerlund Johnny)
Date: Tue, 15 May 2012 19:42:59 +0200
Subject: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 57
Message-ID:

"freeipa-users-request at redhat.com" wrote:

Send Freeipa-users mailing list submissions to
    freeipa-users at redhat.com

To subscribe or unsubscribe via the World Wide Web, visit
    https://www.redhat.com/mailman/listinfo/freeipa-users
or, via email, send a message with subject or body 'help' to
    freeipa-users-request at redhat.com

You can reach the person managing the list at
    freeipa-users-owner at redhat.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeipa-users digest..."

Today's Topics:

   1. Help regarding Basic FreeIPA setup (Chandan Kumar)
   2. Problem Active Directory Synchronisation: ipawinsyncuserflatten false (Adrien Rami)

----------------------------------------------------------------------

Message: 1
Date: Tue, 15 May 2012 07:35:39 -0700
From: Chandan Kumar
To: Steven Jones
Cc: "freeipa-users at redhat.com"
Subject: [Freeipa-users] Help regarding Basic FreeIPA setup
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

------------------------------

Message: 2
Date: Tue, 15 May 2012 17:46:15 +0200
From: Adrien Rami
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Problem Active Directory Synchronisation: ipawinsyncuserflatten false
Message-ID:
Content-Type: text/plain; charset="utf-8"

------------------------------

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

End of Freeipa-users Digest, Vol 46, Issue 57
*********************************************

From hahaha_30k at yahoo.com Tue May 15 18:01:40 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Tue, 15 May 2012 11:01:40 -0700 (PDT)
Subject: [Freeipa-users] Thanks -- Re: Bug or feature regarding External Host in IPA net groups?
In-Reply-To: <4FB2872C.5040103@redhat.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com> <4FB168F7.4010207@redhat.com> <1337034485.51643.YahooMailNeo@web160703.mail.bf1.yahoo.com> <4FB2872C.5040103@redhat.com>
Message-ID: <1337104900.98984.YahooMailNeo@web160705.mail.bf1.yahoo.com>

Hi Rob,

Thanks a lot for confirming the effect and for the clear and plain explanation of the 'external host' idea. I've filed a feature request type bug as you recommended.

The bug link is here for your reference: Bug 821907 - Feature Request: convert once External Hosts into Member Hosts after ipa-client-install.

I'll follow your steps to test the replication recovery on another thread now.

Thanks again for your help.

--Gelen.

________________________________
From: Rob Crittenden
To: Gelen James
Cc: "dpal at redhat.com" ; "Freeipa-users at redhat.com"
Sent: Tuesday, May 15, 2012 9:41 AM
Subject: Re: [Freeipa-users] Bug or feature regarding External Host in IPA net groups?

Gelen James wrote:
>
> Hi all,
>
> Not sure whether it is a bug or a feature, but when I evaluate the IPA net
> groups, the 'external host' feature brings me some unexpected results.
> I'll list them below -- I am running IPA 2.1.3-9 on Redhat 6.2.
>
> 1, when I added a host into IPA netgroup in command line mode, 'ipa
> netgroup-add-member --hosts='. When the host is not
> yet installed/configured into an IPA client, it shows in 'external host'
> category, in the output of 'ipa netgroup-find ' command.
> The 'external host' doesn't show up in the Web interface for IPA net
> group. But it does show up when run 'ipa netgroup-find', or even
> 'getent ' by sssd.
>
> 2, After the 'external host' is configured into an IPA client -- 'ipa
> user-find proves it' -- it is still reported as 'external host'
> by command 'ipa netgroup-find', and still does not show up in the web
> interface either. Could this be a bug?
>
> 3, because of #2 above, when this machine is reconfigured, and removed
> with 'ipa user-del ', it still shows up in the containing netgroups
> and nested netgroups, and has to be removed manually. :(
>
> 4, This could be a real bug: You can add an 'external host' with either
> a host's bare name, or FQDN name. Then after the machine is installed,
> and you would like to remove it from 'external host' category with
> command 'ipa user-del ', it will remove the FQDN name entry
> only! and leave the bare name there forever, until you delete the whole
> containing netgroup!
>
> [root at ipaclient02 ~]# ipa netgroup-find external-ng
> -------------------
> 1 netgroups matched
> -------------------
>   Netgroup name: external-ng
>   Description: netgroup for external hosts
>   NIS domain name: example.com
>   Member of netgroups: nest-external-ng
>   External host: dnsmaster.example.com, ipaclient02, ipaclient02.mac.example.com
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> [root at ipaclient02 ~]# getent netgroup external-ng
> external-ng (dnsmaster.example.com, -, example.com) (ipaclient02.mac.example.com, -, example.com)
>
> [root at ipaclient02 ~]# ipa netgroup-remove-member external-ng --hosts=ipaclient02
>   Netgroup name: external-ng
>   Description: netgroup for external hosts
>   NIS domain name: example.com
>   Member of netgroups: nest-external-ng
>   External host: dnsmaster.example.com, ipaclient02
> ---------------------------
> Number of members removed 1
> ---------------------------
>
> [root at ipaclient02 ~]# ipa netgroup-remove-member external-ng --hosts=ipaclient02
>   Netgroup name: external-ng
>   Description: netgroup for external hosts
>   NIS domain name: example.com
>   Member of netgroups: nest-external-ng
>   External host: dnsmaster.example.com, ipaclient02
>   Failed hosts/hostgroups:
>     member host: ipaclient02.example.com: This entry is not a member
> ---------------------------
> Number of members removed 0
> ---------------------------
> [root at ipaclient02 ~]#
>

An external host is one that is never expected to be added as a host in IPA, however we don't prevent it. There is no reconciliation done if an external host is added as an IPA host, as you've seen. If you'd like this please file an enhancement request at https://fedorahosted.org/freeipa/

In 3.0 we have added validation of external host names. Whether this will prevent a bare name or not I'm not sure.

I don't know why we would care whether it was fully qualified or not, though yeah, it appears we are automatically adding the domain. I tested this in 2.2 and it worked as expected, a bare name was deletable.

rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ian at crystal.harvard.edu Tue May 15 18:59:15 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Tue, 15 May 2012 14:59:15 -0400
Subject: [Freeipa-users] Split enrollment (adding hosts via kickstart)
Message-ID: <617AA478-51A6-4449-89EA-9A1B60845603@crystal.harvard.edu>

Hi,

I'm running ipa-server-2.1.3-9, trying to perform our first bulk-add of hosts via kickstart. Unfortunately, it's not working via kickstart and when I try running the commands by hand on a freshly-installed host, it still fails with "kinit: Client not found in Kerberos database while getting initial credentials".
The freeipa docs [1] seem to indicate that this is as easy as:

1) ipa host-add --password=secret
2) ensuring ipa-client is installed in the kickstart
3) running ipa-client-install with the principal set as host/ and providing the password

I believe I've done what's required on the server:

# ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
-------------------------------------
Added host "ian-ultra24-dmz.in.hwlab"
-------------------------------------
Host name: ian-ultra24-dmz.in.hwlab
Keytab: False
Password: True
Managed by: ian-ultra24-dmz.in.hwlab

(I've deleted and re-added the host after each ipa-client-install attempt)

And on the client:

# rpm -qa | grep ipa-client
ipa-client-2.1.3-9.el6.x86_64

# /usr/sbin/ipa-client-install --domain=in.hwlab --principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org

Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.

kinit: Client not found in Kerberos database while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any help would be appreciated.

Thanks!
Ian

--
1.
http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kickstart.html

From ian at crystal.harvard.edu Tue May 15 19:09:13 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Tue, 15 May 2012 15:09:13 -0400
Subject: [Freeipa-users] Split enrollment (adding hosts via kickstart)
In-Reply-To: <617AA478-51A6-4449-89EA-9A1B60845603@crystal.harvard.edu>
References: <617AA478-51A6-4449-89EA-9A1B60845603@crystal.harvard.edu>
Message-ID:

On May 15, 2012, at 2:59 PM, Ian Levesque wrote:

> # /usr/sbin/ipa-client-install --domain=in.hwlab --principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
> DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: ian-ultra24-dmz.in.hwlab
> Realm: SBGRID.ORG
> DNS Domain: in.hwlab
> IPA Server: sbgrid-directory.in.hwlab
> BaseDN: dc=sbgrid,dc=org
>
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
>
> kinit: Client not found in Kerberos database while getting initial credentials
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.

ipaclient-install.log attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaclient-install.log
Type: application/octet-stream
Size: 5157 bytes
Desc: not available

From ben13ho at hotmail.com Tue May 15 19:00:32 2012
From: ben13ho at hotmail.com (Ben Ho)
Date: Tue, 15 May 2012 15:00:32 -0400
Subject: [Freeipa-users] Help with ipa-replica-manage
Message-ID:

Hello,

I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:

ipa-replica-manage re-initialize --from example2.edu

On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files.
The errors get printed out once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1

Again, I am pretty new to this, so any help or tips would be appreciated.

Thanks!

-Ben

From rmeggins at redhat.com Tue May 15 19:15:46 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 May 2012 13:15:46 -0600
Subject: [Freeipa-users] Help with ipa-replica-manage
In-Reply-To:
References:
Message-ID: <4FB2AB62.6080002@redhat.com>

On 05/15/2012 01:00 PM, Ben Ho wrote:
> Hello,
> I am pretty new to IPA. Right now I have three servers that are
> running IPA. I am trying to replicate one server to two other
> servers. I use this command:
>
> ipa-replica-manage re-initialize --from example2.edu
>
> On the first server I need to replicate, it works fine. However, on
> the second server I get this message in my log files. The errors get
> printed out once every 1 to 5 minutes.
>
> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
> agmt="cn=meToexample1.edu" (example1:389): Schema replication update
> failed: Type or value exists
> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
> agmt="cn=meToexample1.edu" (example1:389): Warning: unable to
> replicate schema: rc=1
> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
> agmt="cn=meToexample2.edu" (example2:389): Schema replication update
> failed: Type or value exists
> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
> agmt="cn=meToexample2.edu" (example2:389): Warning: unable to
> replicate schema: rc=1
>
> Again, I am pretty new to this, so any help or tips would be
> appreciated.

What platform and what version of 389-ds-base and ipa-server for all of your servers?

>
> Thanks!
>
> -Ben
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Tue May 15 20:56:28 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 15 May 2012 20:56:28 +0000
Subject: [Freeipa-users] FreeIPA and others
In-Reply-To: <91C07EB2-2027-4934-BFB5-48DBF186F7FB@citrix.com>
References: , <833D8E48405E064EBC54C84EC6B36E404CC92981@STAWINCOX10MBX1.staff.vuw.ac.nz>, <47F80C39-F4C8-4DB3-88A3-F5791D532A8D@citrixonline.com>, <833D8E48405E064EBC54C84EC6B36E404CC93381@STAWINCOX10MBX1.staff.vuw.ac.nz>, <91C07EB2-2027-4934-BFB5-48DBF186F7FB@citrix.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC93A27@STAWINCOX10MBX1.staff.vuw.ac.nz>

8><------
What do you feel is the biggest struggle? Is it the base core features, or is it external integration pains for things feature that don't exist yet?
8><-------

Core functionality is fine and I'm very impressed with the ui and IPA's paper capability.
You are correct nothing else on paper at least comes close.....and I've tried a few things searching for a solution, FDS, 389...Sun's, Novell's, Oracle's LDAP/IdMs...all ouch....Given time I think IPA will be an award winner personally....it will be/is like AD, a game changer.... :)

The two things that hurt me a lot are yes lack of external integration and fault finding. The former can be "easily" fixed with a depth of docs that will come in time. Partially this means I think that RH needs to engage with hardware vendors like EMC, Bluearc, Bluecoat (to name my three pain points) to provide accurate docs at least and if possible make it easier....with automation....I'm trying to get there and I will write up howtos....I'm doing NFS and Bluearc at present, EMC and Bluecoat soon.

Doesn't help that I lack fundamentals in some areas....that isn't IPA's fault.

The biggest obvious issue I have day to day is fault finding IPA, improving message codes would be one area to look at....

regards

From ben13ho at hotmail.com Tue May 15 20:49:46 2012
From: ben13ho at hotmail.com (Ben Ho)
Date: Tue, 15 May 2012 16:49:46 -0400
Subject: [Freeipa-users] Help with ipa-replica-manage
In-Reply-To: <4FB2AB62.6080002@redhat.com>
References: , <4FB2AB62.6080002@redhat.com>
Message-ID:

This is the information I retrieved about my server.

ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks again.

-Ben

________________________________
Date: Tue, 15 May 2012 13:15:46 -0600
From: rmeggins at redhat.com
To: ben13ho at hotmail.com
CC: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello,
I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:

ipa-replica-manage re-initialize --from example2.edu

On the first server I need to replicate, it works fine.
However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1

Again, I am pretty new to this, so any help or tips would be appreciated.

What platform and what version of 389-ds-base and ipa-server for all of your servers?

Thanks!

-Ben

From Steven.Jones at vuw.ac.nz Tue May 15 21:01:04 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 15 May 2012 21:01:04 +0000
Subject: [Freeipa-users] Help regarding Basic FreeIPA setup
In-Reply-To:
References: <4FB17750.1010501@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC93398@STAWINCOX10MBX1.staff.vuw.ac.nz>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC93A3B@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

For me it sounds like you have not configured firefox to use IPA or centos is missing a package/rpm. What strikes me as strange is you should get pop ups telling/helping you do it.....just following them makes it easy.

If you have and it just won't work, I suggest moving to password authentication to get you past that problem so you can get on with testing.
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: Chandan Kumar [chandank.kumar at gmail.com]
Sent: Wednesday, 16 May 2012 2:35 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Help regarding Basic FreeIPA setup

Hi,

I am running the default Firefox that comes with centos 6.2. I guess that whatever time I do kinit it just does not work for me even for a single time. Also it shows that I am logged in as user at freeipa.org.... in the main background web page. Not sure whether it's relevant with this error.

On Monday, 14 May 2012, Steven Jones wrote:

Hi,

I have run it on Macosx and RHEL6.2, firefox and chrome, safari won't connect but that's a safari issue I'm sure.

After running "kinit admin" I find the kerberos ticket expires about 24 hours later so you have to renew?

What you can do if it simply won't work is get IPA to fall back to asking for a password, which is what I have had to set for Windows 7 firefox users.

It might depend on which version of firefox, 3 and 10 do work......I think RH say firefox 10 is the long term supported version for them so I'd run that at least.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Chandan Kumar [chandank.kumar at gmail.com]
Sent: Tuesday, 15 May 2012 9:25 a.m.
To: dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Help regarding Basic FreeIPA setup

System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64

Thanks
Chandan

On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal wrote:

On 05/14/2012 05:09 PM, Chandan Kumar wrote:

I am a newbie in IPA and was experimenting it on my couple of VMs before considering it for production level.
Installation went fine, however, I am getting the kerberos key expiration error at firefox. I am running firefox on the same machine where I have installed/configured ipa-server. On googling and some help in IRC I checked documentation to troubleshoot it as this appears to be a known problem. Moreover, I did follow

http://freeipa.org/page/InstallAndDeploy
http://freeipa.org/page/TroubleshootingGuide

Firefox logs

1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
-1977841888[7fc789f5b040]: using REQ_DELEGATE
-1977841888[7fc789f5b040]: service = ipaserver.example.com
-1977841888[7fc789f5b040]: using negotiate-gss
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
-1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
-1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

[root at ds var]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at EXAMPLE.COM

Valid starting     Expires            Service principal
05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/EXAMPLE.COM at EXAMPLE.COM
05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example.com at EXAMPLE.COM
05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example.com at EXAMPLE.COM
[root at ds var]#

Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin at http://fpaste.org/9hXX/

I am not sure what I am missing though. Appreciate any help.

Thanks
Chandan

Are you running FF on windows?
Which version of IPA are you using?

--
Thank you,
Dmitri Pal

Sr.
Engineering Manager IPA project, Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

--
Sent from my iPad

From Steven.Jones at vuw.ac.nz Tue May 15 21:04:04 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 15 May 2012 21:04:04 +0000
Subject: [Freeipa-users] Help with ipa-replica-manage
In-Reply-To:
References: , <4FB2AB62.6080002@redhat.com>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC93A72@STAWINCOX10MBX1.staff.vuw.ac.nz>

firewall?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Ben Ho [ben13ho at hotmail.com]
Sent: Wednesday, 16 May 2012 8:49 a.m.
To: rmeggins at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

This is the information I retrieved about my server.

ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks again.

-Ben

________________________________
Date: Tue, 15 May 2012 13:15:46 -0600
From: rmeggins at redhat.com
To: ben13ho at hotmail.com
CC: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello,
I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:

ipa-replica-manage re-initialize --from example2.edu

On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files.
The errors get printed out once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1

Again, I am pretty new to this, so any help or tips would be appreciated.

What platform and what version of 389-ds-base and ipa-server for all of your servers?

Thanks!

-Ben

From tomj at syn-packet.com Tue May 15 21:21:24 2012
From: tomj at syn-packet.com (Thomas Jackson)
Date: Tue, 15 May 2012 14:21:24 -0700
Subject: [Freeipa-users] howto modify krb principal attributes without kadmin.local
Message-ID:

So going through the documentation it's clearly laid out not to use kadmin or kadmin.local when using freeipa. I have been unable to find how to replace this functionality in the documentation.

If I could use kadmin.local on my kdc I would like to run the following command....

modprinc +requires_hwauth user

Am I going to need to extend/modify the krb5 schema to modify principals attributes in this way?
From rcritten at redhat.com Tue May 15 22:14:33 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 May 2012 18:14:33 -0400
Subject: [Freeipa-users] Split enrollment (adding hosts via kickstart)
In-Reply-To: <617AA478-51A6-4449-89EA-9A1B60845603@crystal.harvard.edu>
References: <617AA478-51A6-4449-89EA-9A1B60845603@crystal.harvard.edu>
Message-ID: <4FB2D549.9020202@redhat.com>

Ian Levesque wrote:
> Hi,
>
> I'm running ipa-server-2.1.3-9, trying to perform our first bulk-add of hosts via kickstart. Unfortunately, it's not working via kickstart and when I try running the commands by hand on a freshly-installed host, it still fails with "kinit: Client not found in Kerberos database while getting initial credentials".
>
> The freeipa docs [1] seem to indicate that this is as easy as:
>
> 1) ipa host-add --password=secret
> 2) ensuring ipa-client is installed in the kickstart
> 3) running ipa-client-install with the principal set as host/ and providing the password
>
> I believe I've done what's required on the server:
>
> # ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
> -------------------------------------
> Added host "ian-ultra24-dmz.in.hwlab"
> -------------------------------------
> Host name: ian-ultra24-dmz.in.hwlab
> Keytab: False
> Password: True
> Managed by: ian-ultra24-dmz.in.hwlab
>
> (I've deleted and re-added the host after each ipa-client-install attempt)
>
> And on the client:
>
> # rpm -qa | grep ipa-client
> ipa-client-2.1.3-9.el6.x86_64
>
> # /usr/sbin/ipa-client-install --domain=in.hwlab --principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
> DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: ian-ultra24-dmz.in.hwlab
> Realm: SBGRID.ORG
> DNS Domain: in.hwlab
> IPA Server: sbgrid-directory.in.hwlab
> BaseDN: dc=sbgrid,dc=org
>
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
>
> kinit: Client not found in Kerberos database while getting initial credentials
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> Any help would be appreciated.

Don't set the principal and it will work, just drop the --principal bit. The principal doesn't exist yet which is why things are failing (or more precisely, the principal with that principal key doesn't exist yet).

rob

From simo at redhat.com Tue May 15 22:24:52 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 15 May 2012 18:24:52 -0400
Subject: [Freeipa-users] howto modify krb principal attributes without kadmin.local
In-Reply-To:
References:
Message-ID: <1337120692.16840.29.camel@willson.li.ssimo.org>

On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote:
> So going through the documentation it's clearly laid out not to use
> kadmin or kadmin.local when using freeipa. I have been unable to find
> how to replace this functionality in the documentation.
>
> If I could use kadmin.local on my kdc I would like to run the
> following command....
>
> modprinc +requires_hwauth user
>
> Am I going to need to extend/modify the krb5 schema to modify
> principals attributes in this way?
>

For this specific change you can use kadmin.local, but the IPA UI will not report anything about it to you. The flags part is still a weak point of the Web UI; if you want you can open an RFE ticket to ask for better support for these flags. We need to do it at some point; we simply haven't yet as we concentrated on more important and pressing issues thus far.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From ian at crystal.harvard.edu Tue May 15 22:47:57 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Tue, 15 May 2012 18:47:57 -0400
Subject: [Freeipa-users] Split enrollment (adding hosts via kickstart)
In-Reply-To: <4FB2D549.9020202@redhat.com>
References: <617AA478-51A6-4449-89EA-9A1B60845603@crystal.harvard.edu> <4FB2D549.9020202@redhat.com>
Message-ID: <73F97329-AA6D-41D3-98EA-3D129F0AA9D4@crystal.harvard.edu>

On May 15, 2012, at 6:14 PM, Rob Crittenden wrote:

>> # /usr/sbin/ipa-client-install --domain=in.hwlab --principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
>> DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
>> KDC address will be set to fixed value.
>>
>> Discovery was successful!
>> Hostname: ian-ultra24-dmz.in.hwlab
>> Realm: SBGRID.ORG
>> DNS Domain: in.hwlab
>> IPA Server: sbgrid-directory.in.hwlab
>> BaseDN: dc=sbgrid,dc=org
>>
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>
>> kinit: Client not found in Kerberos database while getting initial credentials
>>
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> Any help would be appreciated.
>
> Don't set the principal and it will work, just drop the --principal bit. The principal doesn't exist yet which is why things are failing (or more precisely, the principal with that principal key doesn't exist yet).

No luck:

Joining realm failed: Incorrect password.
Installation failed. Rolling back changes.

I thought the point of doing the host-add was to setup a host principal with a one-time password. Without specifying the host principal, isn't the ipa-client-install trying to use the specified password to auth me, and not the host?
Thanks,
Ian

From rmeggins at redhat.com Wed May 16 00:33:34 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 May 2012 18:33:34 -0600
Subject: [Freeipa-users] Help with ipa-replica-manage
In-Reply-To:
References: , <4FB2AB62.6080002@redhat.com>
Message-ID: <4FB2F5DE.5030308@redhat.com>

On 05/15/2012 02:49 PM, Ben Ho wrote:
> This is the information I retrieved about my server.
>
> ipa-server-selinux-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> CentOS release 6.2
> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>
> Thanks again.

Is replication otherwise working?

>
> -Ben
>
> ------------------------------------------------------------------------
> Date: Tue, 15 May 2012 13:15:46 -0600
> From: rmeggins at redhat.com
> To: ben13ho at hotmail.com
> CC: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
> On 05/15/2012 01:00 PM, Ben Ho wrote:
>
> Hello,
> I am pretty new to IPA. Right now I have three servers that are
> running IPA. I am trying to replicate one server to two other
> servers. I use this command:
>
> ipa-replica-manage re-initialize --from example2.edu
>
> On the first server I need to replicate, it works fine.
> However, on the second server I get this message in my log files.
> The errors get printed out once every 1 to 5 minutes.
>
> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
> agmt="cn=meToexample1.edu" (example1:389): Schema replication
> update failed: Type or value exists
> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
> agmt="cn=meToexample1.edu" (example1:389): Warning: unable to
> replicate schema: rc=1
> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
> agmt="cn=meToexample2.edu" (example2:389): Schema replication
> update failed: Type or value exists
> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
> agmt="cn=meToexample2.edu" (example2:389): Warning: unable to
> replicate schema: rc=1
>
> Again, I am pretty new to this, so any help or tips would be
> appreciated.
>
> What platform and what version of 389-ds-base and ipa-server for all
> of your servers?
>
> Thanks!
>
> -Ben

From sbose at redhat.com Wed May 16 10:20:46 2012
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 16 May 2012 12:20:46 +0200
Subject: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?
In-Reply-To: <1337097943.10734.YahooMailNeo@web160704.mail.bf1.yahoo.com>
References: <1337050626.69719.YahooMailNeo@web125704.mail.ne1.yahoo.com> <20120515084850.GE2338@localhost.localdomain> <1337097943.10734.YahooMailNeo@web160704.mail.bf1.yahoo.com>
Message-ID: <20120516102046.GH2338@localhost.localdomain>

On Tue, May 15, 2012 at 09:05:43AM -0700, Gelen James wrote:
> Hi Sumit,
>
> Thanks for your quick reply.
>
> In the chapter http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/migrating-from-nis.html#nis-import-netgroups, the netgroup migration script sets the '--usercat' and '--hostcat' options on IPA netgroups through the 'ipa netgroup-mod' command.
>
> More specifically, when IPA imports host based netgroups with triples like (hostA,-,-), (hostB,-,-), the new IPA netgroups are set up with option '--usercat=all'. Does that mean that if this IPA netgroup is used in a HBAC rule, then the rule will be applied to all users on hostA and hostB? Am I right? :)

yes, this is my understanding, too.

>
> BTW, do I have to turn on the '--usercat' option for NIS netgroup migration? The HBAC rules are defined inside hosts/hostgroups, and no NIS groups are involved, right? I may be completely wrong here.

yes, HBAC rules use hosts/hostgroups and not netgroups. In general netgroups were added to support applications which still need them or to make migrations from environments where netgroups were used easier. But we recommend to use hostgroups with IPA if possible.

HTH

bye,
Sumit

>
> Thanks.
>
> --Gelen
>
> ________________________________
> From: Sumit Bose
> To: freeipa-users at redhat.com
> Sent: Tuesday, May 15, 2012 1:48 AM
> Subject: Re: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?
>
> On Mon, May 14, 2012 at 07:57:06PM -0700, David Copperfield wrote:
> > Hi all,
> >
> > The online manual says that the '--usercat' means 'User category the rule applies to'; '--hostcat' has the similar explanation. But I still don't understand how that could be used in real life and when/where to use the options.
> >
> > Could anyone please shed a light on this? Thanks a lot.
>
> iirc these options were introduced with the host based access control
> (HBAC) and are used to identify categories/classes of users and hosts
> in a more general way than using groups or ip-address ranges.
> I think
> currently only the keyword 'all' can be used here, which e.g means that
> an HBAC rule will match for all users or all hosts. In future it is
> planned to support other categories, e.g. something like 'local' and
> 'remote' which would catch all users/hosts of the local IPA domain or
> all users/groups which are coming from remote domains, respectively.
>
> HTH
>
> bye,
> Sumit
>
> >
> > --David

From rcritten at redhat.com Wed May 16 14:02:30 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 May 2012 10:02:30 -0400
Subject: [Freeipa-users] Split enrollment (adding hosts via kickstart)
In-Reply-To: <73F97329-AA6D-41D3-98EA-3D129F0AA9D4@crystal.harvard.edu>
References: <617AA478-51A6-4449-89EA-9A1B60845603@crystal.harvard.edu> <4FB2D549.9020202@redhat.com> <73F97329-AA6D-41D3-98EA-3D129F0AA9D4@crystal.harvard.edu>
Message-ID: <4FB3B376.6060108@redhat.com>

Ian Levesque wrote:
>
> On May 15, 2012, at 6:14 PM, Rob Crittenden wrote:
>
>>> # /usr/sbin/ipa-client-install --domain=in.hwlab --principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
>>> DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
>>> KDC address will be set to fixed value.
>>>
>>> Discovery was successful!
>>> Hostname: ian-ultra24-dmz.in.hwlab
>>> Realm: SBGRID.ORG
>>> DNS Domain: in.hwlab
>>> IPA Server: sbgrid-directory.in.hwlab
>>> BaseDN: dc=sbgrid,dc=org
>>>
>>> Synchronizing time with KDC...
>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>
>>> kinit: Client not found in Kerberos database while getting initial credentials
>>>
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> Any help would be appreciated.
>>
>> Don't set the principal and it will work, just drop the --principal bit. The principal doesn't exist yet which is why things are failing (or more precisely, the principal with that principal key doesn't exist yet).
>
> No luck:
>
> Joining realm failed: Incorrect password.
> Installation failed. Rolling back changes.
>
> I thought the point of doing the host-add was to setup a host principal with a one-time password. Without specifying the host principal, isn't the ipa-client-install trying to use the specified password to auth me, and not the host?

Bulk enrollment is done using a one-time password. No Kerberos credentials are created (though still works if a krbPrincipalName is set in the host entry).

The userPassword attribute is set to the password and the client installer does a simple bind using the dn of the host as the user and the provided password to do the enrollment. The enrollment process removes the userPassword attribute when a successful bind occurs.

I'd suggest resetting the password on the host and trying again.
rob

From ian at crystal.harvard.edu Wed May 16 18:42:07 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Wed, 16 May 2012 14:42:07 -0400
Subject: [Freeipa-users] Split enrollment (adding hosts via kickstart)
In-Reply-To: <4FB3B376.6060108@redhat.com>
References: <617AA478-51A6-4449-89EA-9A1B60845603@crystal.harvard.edu> <4FB2D549.9020202@redhat.com> <73F97329-AA6D-41D3-98EA-3D129F0AA9D4@crystal.harvard.edu> <4FB3B376.6060108@redhat.com>
Message-ID: <356EEF30-FA85-44BC-A730-961F4CF55EF9@crystal.harvard.edu>

On May 16, 2012, at 10:02 AM, Rob Crittenden wrote:

> Ian Levesque wrote:
>>
>> On May 15, 2012, at 6:14 PM, Rob Crittenden wrote:
>>
>>> Don't set the principal and it will work, just drop the --principal bit. The principal doesn't exist yet which is why things are failing (or more precisely, the principal with that principal key doesn't exist yet).
>>
>> No luck:
>>
>> Joining realm failed: Incorrect password.
>> Installation failed. Rolling back changes.
>>
>> I thought the point of doing the host-add was to setup a host principal with a one-time password. Without specifying the host principal, isn't the ipa-client-install trying to use the specified password to auth me, and not the host?
>
> Bulk enrollment is done using a one-time password. No Kerberos credentials are created (though still works if a krbPrincipalName is set in the host entry).
>
> The userPassword attribute is set to the password and the client installer does a simple bind using the dn of the host as the user and the provided password to do the enrollment. The enrollment process removes the userPassword attribute when a successful bind occurs.
>
> I'd suggest resetting the password on the host and trying again.

Hi Rob, et al -

I tried again, and am pasting all the output below. Is there something I'm missing?
Cheers,
Ian

--- server ---

[sbgrid-directory]# ipa host-del ian-ultra24-dmz.in.hwlab
---------------------------------------
Deleted host "ian-ultra24-dmz.in.hwlab"

[sbgrid-directory]# ipa host-find ian-ultra24-dmz.in.hwlab
---------------
0 hosts matched

[sbgrid-directory]# ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
-------------------------------------
Added host "ian-ultra24-dmz.in.hwlab"
-------------------------------------
  Host name: ian-ultra24-dmz.in.hwlab
  Keytab: False
  Password: True
  Managed by: ian-ultra24-dmz.in.hwlab

--- client ---

[ian-ultra24-dmz]# ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab --domain=in.hwlab -w=foobar \
--realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org

Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Joining realm failed: Incorrect password.
Installation failed. Rolling back changes.

[ian-ultra24-dmz]# ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab --domain=in.hwlab --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: ian
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for ian at SBGRID.ORG:

Enrolled in IPA realm SBGRID.ORG
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SBGRID.ORG
SSSD enabled
NTP enabled
Client configuration complete.

From cao2dan at yahoo.com Wed May 16 19:23:10 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Wed, 16 May 2012 12:23:10 -0700 (PDT)
Subject: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
In-Reply-To: <4FB2F5DE.5030308@redhat.com>
References: , <4FB2AB62.6080002@redhat.com> <4FB2F5DE.5030308@redhat.com>
Message-ID: <1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com>

Hi all,

I accidentally removed one of my IPA replica hosts on the IPA web UI by mistake. On the host list I planned to remove ipaclient02.example.com, but accidentally the mouse moved to ipareplica02.example.com and the latter got removed without a prompt.

I realized the mistake and tried to recover from this disaster but it was already too late, the change propagated to all the replicas and the poor ipareplica02 now stops functioning.

[root at ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
[root at ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
[root at ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
[root at ipareplica02 slapd-EXAMPLE-COM]#

On the IPA master, it was found that ipareplica02 didn't show up in the 'host-find' list or 'service-find' list. Though it still showed in the master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', the real command 'ipa-replica-manage list ipareplica02' fails with an LDAP couldn't reach error.

What should I do now?
Are there any other ways to recover besides uninstall and reinstall of IPA replica ipareplica02?

BTW, it will be more than appreciated if the web UI could pop up a warning prompt when removing host/services entries associated with IPA masters and IPA replicas.

Thanks.

--David

________________________________
From: Rich Megginson
To: Ben Ho
Cc: freeipa-users at redhat.com
Sent: Tuesday, May 15, 2012 5:33 PM
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 02:49 PM, Ben Ho wrote:
> This is the information I retrieved about my server.
>
> ipa-server-selinux-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> CentOS release 6.2
> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>
> Thanks again.

Is replication otherwise working?

> -Ben
>
> ________________________________
> Date: Tue, 15 May 2012 13:15:46 -0600
> From: rmeggins at redhat.com
> To: ben13ho at hotmail.com
> CC: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
> On 05/15/2012 01:00 PM, Ben Ho wrote:
>
>> Hello,
>> I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:
>>
>> ipa-replica-manage re-initialize --from example2.edu
>>
>> On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1
>>
>> Again, I am pretty new to this, so any help or tips would be appreciated.
>
> What platform and what version of 389-ds-base and ipa-server for all of your servers?
>
>> Thanks!
>>
>> -Ben

From rcritten at redhat.com Wed May 16 19:57:11 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 May 2012 15:57:11 -0400
Subject: [Freeipa-users] Split enrollment (adding hosts via kickstart)
In-Reply-To: <356EEF30-FA85-44BC-A730-961F4CF55EF9@crystal.harvard.edu>
References: <617AA478-51A6-4449-89EA-9A1B60845603@crystal.harvard.edu> <4FB2D549.9020202@redhat.com> <73F97329-AA6D-41D3-98EA-3D129F0AA9D4@crystal.harvard.edu> <4FB3B376.6060108@redhat.com> <356EEF30-FA85-44BC-A730-961F4CF55EF9@crystal.harvard.edu>
Message-ID: <4FB40697.9000504@redhat.com>

Ian Levesque wrote:
> Hi Rob, et al -
>
> I tried again, and am pasting all the output below. Is there something I'm missing?

Drop the = with -w. You're passing the password as =foobar.
Do not use a = with single dash options, only double-dash ones. To make it more confusing you don't have to use an equals with double-dash options either but you can. Ain't unix cli options great?

rob

> Cheers,
> Ian
>
> --- server ---
>
> [sbgrid-directory]# ipa host-del ian-ultra24-dmz.in.hwlab
> ---------------------------------------
> Deleted host "ian-ultra24-dmz.in.hwlab"
>
> [sbgrid-directory]# ipa host-find ian-ultra24-dmz.in.hwlab
> ---------------
> 0 hosts matched
>
> [sbgrid-directory]# ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
> -------------------------------------
> Added host "ian-ultra24-dmz.in.hwlab"
> -------------------------------------
> Host name: ian-ultra24-dmz.in.hwlab
> Keytab: False
> Password: True
> Managed by: ian-ultra24-dmz.in.hwlab
>
> --- client ---
>
> [ian-ultra24-dmz]# ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab --domain=in.hwlab -w=foobar \
> --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
> DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: ian-ultra24-dmz.in.hwlab
> Realm: SBGRID.ORG
> DNS Domain: in.hwlab
> IPA Server: sbgrid-directory.in.hwlab
> BaseDN: dc=sbgrid,dc=org
>
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Joining realm failed: Incorrect password.
> Installation failed. Rolling back changes.
>
> [ian-ultra24-dmz]# ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab --domain=in.hwlab --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab
> DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: ian-ultra24-dmz.in.hwlab
> Realm: SBGRID.ORG
> DNS Domain: in.hwlab
> IPA Server: sbgrid-directory.in.hwlab
> BaseDN: dc=sbgrid,dc=org
>
> Continue to configure the system with these values?
> [no]: yes
> User authorized to enroll computers: ian
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for ian at SBGRID.ORG:
>
> Enrolled in IPA realm SBGRID.ORG
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm SBGRID.ORG
> SSSD enabled
> NTP enabled
> Client configuration complete.

From JR.Aquino at citrix.com Wed May 16 19:57:46 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 16 May 2012 19:57:46 +0000
Subject: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
In-Reply-To: <1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com>
References: , <4FB2AB62.6080002@redhat.com> <4FB2F5DE.5030308@redhat.com> <1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com>
Message-ID: <46C26EC0-21F1-4209-AB19-C6EEE2D360CB@citrixonline.com>

On May 16, 2012, at 12:23 PM, David Copperfield wrote:

> Hi all,
>
> I accidentally removed one of my IPA replica hosts on the IPA web UI by mistake. On the host list I planned to remove ipaclient02.example.com, but accidentally the mouse moved to ipareplica02.example.com and the latter got removed without a prompt.
>
> I realized the mistake and tried to recover from this disaster but it was already too late, the change propagated to all the replicas and the poor ipareplica02 now stops functioning.
>
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]#
>
> On the IPA master, it was found that ipareplica02 didn't show up in the 'host-find' list or 'service-find' list. Though it still showed in the master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', the real command 'ipa-replica-manage list ipareplica02' fails with an LDAP couldn't reach error.
>
> What should I do now? Are there any other ways to recover besides uninstall and reinstall of IPA replica ipareplica02?
>
> BTW, it will be more than appreciated if the web UI could pop up a warning prompt when removing host/services entries associated with IPA masters and IPA replicas.

Been there... Done that...

The bug is fixed in 2.2... It will prompt and prevent you from deleting a replica host if there is an agreement.

To clean up...

0. On the master replica:
   ipa-replica-manage del ipareplica02.example.com --force
   - This will delete the replica agreement for the host.

1. $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com \
     '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
   Look for your nsds50ruv that matches your ghost replica.

2. Create an ldif following the directions here: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
   Something like:
   $ cat cleanup.ldif
   dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
   changetype: modify
   replace: nsds5task
   nsds5task: CLEANRUV##   <- ## == The ReplicaID number for the ghost replica.

3.
   Run on all of the remaining replicas:
   ldapmodify -x -D "cn=directory manager" -W -f cleanup.ldif
   - This removes the ghost entry.

4. On the broken replica:
   ipa-server-install --uninstall

5. Follow the normal directions for 'installing a replica'
   - on master: ipa-replica-prepare ipareplica02.example.com
   - scp /path/to/ipareplica02.example.com.gpg ipareplica02.example.com:ipareplica02.example.com.gpg
   - on replica: ipa-replica-install ipareplica02.example.com --whatever_options_you_used_previously

6. Check to make sure the server was built correctly and commands work as expected:
   kinit admin, ipa user-find, ipa host-find, id admin, etc etc

7. Sigh and drink coffee

> Thanks.
>
> --David
> From: Rich Megginson
> To: Ben Ho
> Cc: freeipa-users at redhat.com
> Sent: Tuesday, May 15, 2012 5:33 PM
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
> On 05/15/2012 02:49 PM, Ben Ho wrote:
>> This is the information I retrieved about my server.
>>
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> CentOS release 6.2
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>
>> Thanks again.
>
> Is replication otherwise working?
>
>> -Ben
>>
>> Date: Tue, 15 May 2012 13:15:46 -0600
>> From: rmeggins at redhat.com
>> To: ben13ho at hotmail.com
>> CC: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>>
>> On 05/15/2012 01:00 PM, Ben Ho wrote:
>> Hello,
>> I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:
>>
>> ipa-replica-manage re-initialize --from example2.edu
>>
>> On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.
>>
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1
>>
>> Again, I am pretty new to this, so any help or tips would be appreciated.
>>
>> What platform and what version of 389-ds-base and ipa-server for all of your servers?
>>
>> Thanks!
>>
>> -Ben

From ian at crystal.harvard.edu Wed May 16 20:06:35 2012
From: ian at crystal.harvard.edu (Ian Levesque)
Date: Wed, 16 May 2012 16:06:35 -0400
Subject: [Freeipa-users] Split enrollment (adding hosts via kickstart)
In-Reply-To: <4FB40697.9000504@redhat.com>
References: <617AA478-51A6-4449-89EA-9A1B60845603@crystal.harvard.edu> <4FB2D549.9020202@redhat.com> <73F97329-AA6D-41D3-98EA-3D129F0AA9D4@crystal.harvard.edu> <4FB3B376.6060108@redhat.com> <356EEF30-FA85-44BC-A730-961F4CF55EF9@crystal.harvard.edu> <4FB40697.9000504@redhat.com>
Message-ID: <839DDFF1-45DD-4C63-A1F2-BA9A314B0A9A@crystal.harvard.edu>

On May 16, 2012, at 3:57 PM, Rob Crittenden wrote:

> Ian Levesque wrote:
>>
>> Hi Rob, et al -
>>
>> I tried again, and am pasting all the output below. Is there something I'm missing?
>
> Drop the = with -w. You're passing the password as =foobar.
>
> Do not use a = with single dash options, only double-dash ones. To make it more confusing you don't have to use an equals with double-dash options either but you can. Ain't unix cli options great?
>
> rob

Right you are! Thanks for your help, Rob - this will certainly help us with mass deployments.

For the record, the winning combination:

ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab --domain=in.hwlab --password=foobar --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended

Is this documented anywhere else other than on Fedora's site? The docs I linked to are just plain wrong...

http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kickstart.html

says:

/usr/sbin/ipa-client-install --domain=EXAMPLEDOMAIN --enable-dns-updates --mkomedir --principal=HOST/$(cat /tmp/hostname.txt) -w=secret --realm=EXAMPLEREALM --server=ipaserver.example.com --unattended

Best,
Ian

From rcritten at redhat.com Wed May 16 20:11:24 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 May 2012 16:11:24 -0400
Subject: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
In-Reply-To: <1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com>
References: , <4FB2AB62.6080002@redhat.com> <4FB2F5DE.5030308@redhat.com> <1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com>
Message-ID: <4FB409EC.1030507@redhat.com>

David Copperfield wrote:
> Hi all,
>
> I accidentally removed one of my IPA replica hosts on the IPA web UI by mistake. On the host list I planned to remove ipaclient02.example.com, but accidentally the mouse moved to ipareplica02.example.com and the latter got removed without a prompt.
>
> I realized the mistake and tried to recover from this disaster but it was already too late, the change propagated to all the replicas and the poor ipareplica02 now stops functioning.
>
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]#
>
> On the IPA master, it was found that ipareplica02 didn't show up in the 'host-find' list or 'service-find' list. Though it still showed in the master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', the real command 'ipa-replica-manage list ipareplica02' fails with an LDAP couldn't reach error.
>
> What should I do now? Are there any other ways to recover besides uninstall and reinstall of IPA replica ipareplica02?
>
> BTW, it will be more than appreciated if the web UI could pop up a warning prompt when removing host/services entries associated with IPA masters and IPA replicas.
> Thanks.
>
> --David

On a working master try re-creating the host and re-adding the services. You'll probably want to use the fqdn in place of ipareplica02 here. The case of the services is important. I'm assuming this master is not running dogtag or DNS.

# ipa host-add ipareplica02
# ipa service-add ldap/ipareplica02
# ipa service-add HTTP/ipareplica02
# mkdir /tmp/ipareplica02
# ipa-getkeytab -s -k /tmp/ipareplica02/ds.keytab -p ldap/ipareplica02
# ipa-getkeytab -s -k /tmp/ipareplica02/ipa.keytab -p HTTP/ipareplica02

Copy these files to ipareplica02.

ds.keytab goes in /etc/dirsrv/
ipa.keytab goes in /etc/httpd/conf/

I'd run restorecon on both.
Perms should be 0600 dirsrv:dirsrv on ds.keytab
0600 root:root on ipa.keytab

# ipactl restart

You'll need to restart the dirsrv service (or ipactl restart) on all your other masters to pick up the new ldap service principal.

In theory you should have a working system again.

The only downside is the certs being used aren't reflected in your service entries any more. I don't believe this will affect automated renewal so if you don't care about that you're done.

If you are using dogtag as your CA your SSL certs have been revoked though. To fix this we can try to get certmonger to refresh them.

# ipa-getcert list

find the ID for the /etc/dirsrv/slapd- cert

# ipa-getcert resubmit -i

Run ipa-getcert list again to see the status. It should be MONITORING and the expires date should have changed.

Assuming that worked do the same for the Apache cert (in /etc/httpd/alias).

Restart dirsrv and httpd services or ipactl restart.

We block deleting master hosts and services in FreeIPA 2.2.

rob

From rcritten at redhat.com Wed May 16 20:25:41 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 May 2012 16:25:41 -0400
Subject: [Freeipa-users] Split enrollment (adding hosts via kickstart)
In-Reply-To: <839DDFF1-45DD-4C63-A1F2-BA9A314B0A9A@crystal.harvard.edu>
References: <617AA478-51A6-4449-89EA-9A1B60845603@crystal.harvard.edu> <4FB2D549.9020202@redhat.com> <73F97329-AA6D-41D3-98EA-3D129F0AA9D4@crystal.harvard.edu> <4FB3B376.6060108@redhat.com> <356EEF30-FA85-44BC-A730-961F4CF55EF9@crystal.harvard.edu> <4FB40697.9000504@redhat.com> <839DDFF1-45DD-4C63-A1F2-BA9A314B0A9A@crystal.harvard.edu>
Message-ID: <4FB40D45.7020401@redhat.com>

Ian Levesque wrote:
>
> On May 16, 2012, at 3:57 PM, Rob Crittenden wrote:
>
>> Ian Levesque wrote:
>>> Hi Rob, et al -
>>>
>>> I tried again, and am pasting all the output below. Is there something I'm missing?
>>
>> Drop the = with -w. You're passing the password as =foobar.
>>
>> Do not use a = with single dash options, only double-dash ones.
>> To make it more confusing you don't have to use an equals with double-dash options either but you can. Ain't unix cli options great?
>>
>> rob
>
> Right you are! Thanks for your help, Rob - this will certainly help us with mass deployments.
>
> For the record, the winning combination:
>
> ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
> ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab --domain=in.hwlab --password=foobar --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
>
> Is this documented anywhere else other than on Fedora's site? The docs I linked to are just plain wrong...
>
> http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kickstart.html
>
> says:
>
> /usr/sbin/ipa-client-install --domain=EXAMPLEDOMAIN --enable-dns-updates --mkomedir --principal=HOST/$(cat /tmp/hostname.txt) -w=secret --realm=EXAMPLEREALM --server=ipaserver.example.com --unattended
>
> Best,
> Ian

Ouch, sorry about the bad docs. I've filed a bug to have that corrected, https://bugzilla.redhat.com/show_bug.cgi?id=822252

regards

rob

From cao2dan at yahoo.com Wed May 16 20:23:00 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Wed, 16 May 2012 13:23:00 -0700 (PDT)
Subject: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
In-Reply-To: <46C26EC0-21F1-4209-AB19-C6EEE2D360CB@citrixonline.com>
References: , <4FB2AB62.6080002@redhat.com> <4FB2F5DE.5030308@redhat.com> <1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com> <46C26EC0-21F1-4209-AB19-C6EEE2D360CB@citrixonline.com>
Message-ID: <1337199780.85204.YahooMailNeo@web125705.mail.ne1.yahoo.com>

Hi JR,

Thanks a lot! It works perfectly.

The only extra thing probably goes with 2.1.3 only: I need to find and clear ghost RUV records for the CA database, and remove it from the master and all other live replicas as well.

BTW, on 2.2.0 are the two database backends still separate, or merged into one?

Thanks.
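JR's CLEANRUV steps earlier in this thread, and the repeat for the CA database that David reports here, as an added example that is not code from the thread, from FreeIPA or from 389-ds. It is a POSIX sh script that parses the nsds50ruv values of the RUV tombstone (a constructed sample is embedded; it is not output from David's servers), finds the ReplicaID of the ghost replica by hostname, and writes the CLEANRUV ldif with the mapping-tree DN escaped the way JR's cleanup.ldif shows (= becomes \3D, comma becomes \2C). It handles both backends an IPA 2.1 master carries, the users/hosts suffix and the CA's o=ipaca suffix. Function names and the sample RUV are assumptions.

```shell
#!/bin/sh
# Added example, not JR's, FreeIPA's or 389-ds's own script. Turns the
# manual "look for your nsds50ruv" step into a lookup and generates the
# CLEANRUV ldif for the backend holding a given suffix.

# Constructed sample of what the tombstone search from JR's step 1 returns
# (attribute nsds50ruv only) for a suffix with one live master (replica 3)
# and the ghost replica that was deleted (replica 4). Not real output.
SAMPLE_RUV='dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
nsds50ruv: {replicageneration} 4fb2a9c3000000010000
nsds50ruv: {replica 3 ldap://ipamaster.example.com:389} 4fb2a9d0000000030000 4fb40d45000000030000
nsds50ruv: {replica 4 ldap://ipareplica02.example.com:389} 4fb2aa10000000040000 4fb3b376000000040000
'

# ghost_replica_id HOST [RUV-TEXT]: print the numeric ReplicaID whose RUV
# element names HOST; that number is what follows "CLEANRUV". Exit 1 if
# HOST is not in the RUV (so a typo cannot clean the wrong replica).
ghost_replica_id() {
    host=$1
    ruv=${2:-$SAMPLE_RUV}
    printf '%s\n' "$ruv" | awk -v host="$host" '
        /^nsds50ruv: .replica [0-9]+ ldap:/ {
            url = $4                        # ldap://host:port}
            sub(/^ldap:\/\//, "", url)      # drop the scheme
            sub(/:[0-9]+.$/, "", url)       # drop ":port}"
            if (url == host) { print $3; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# ruv_dn_escape SUFFIX: escape the suffix for use as an RDN value inside the
# mapping-tree DN: "=" -> \3D and "," -> \2C, so dc=example,dc=com becomes
# dc\3Dexample\2Cdc\3Dcom and the CA suffix o=ipaca becomes o\3Dipaca.
ruv_dn_escape() {
    printf '%s' "$1" | sed -e 's/=/\\3D/g' -e 's/,/\\2C/g'
}

# cleanruv_ldif SUFFIX REPLICA_ID: the ldapmodify input that starts the
# CLEANRUV task for one ghost ReplicaID on the backend holding SUFFIX.
# Feed it to ldapmodify on every remaining master, as JR's step 3 says.
cleanruv_ldif() {
    printf 'dn: cn=replica,cn=%s,cn=mapping tree,cn=config\n' "$(ruv_dn_escape "$1")"
    printf 'changetype: modify\nreplace: nsds5task\nnsds5task: CLEANRUV%s\n' "$2"
}

# Stand-alone use against the embedded sample (assumed invocation):
#   ./cleanruv.sh dc=example,dc=com ipareplica02.example.com > cleanup.ldif
# With live servers, pass the real ldapsearch output as the second argument
# of ghost_replica_id, once per backend (userRoot suffix, then o=ipaca).
if [ "$#" -eq 2 ]; then
    cleanruv_ldif "$1" "$(ghost_replica_id "$2")"
fi
```

Run the generated ldif through ldapmodify on each remaining master for each backend; the CA backend has its own RUV tombstone under o=ipaca, which is why David had to repeat the clean-up there on 2.1.3.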
--David

________________________________
From: JR Aquino
To: David Copperfield
Cc: FreeIPAUsers
Sent: Wednesday, May 16, 2012 12:57 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

On May 16, 2012, at 12:23 PM, David Copperfield wrote:

> Hi all,
>
> I accidentally removed one of my IPA replica hosts on the IPA web UI by mistake. On the host list I planned to remove ipaclient02.example.com, but accidentally the mouse moved to ipareplica02.example.com and the latter got removed without a prompt.
>
> I realized the mistake and tried to recover from this disaster but it was already too late, the change propagated to all the replicas and the poor ipareplica02 now stops functioning.
>
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]#
>
> On the IPA master, it was found that ipareplica02 didn't show up in the 'host-find' list or 'service-find' list. Though it still showed in the master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', the real command 'ipa-replica-manage list ipareplica02' fails with an LDAP couldn't reach error.
>
> What should I do now? Are there any other ways to recover besides uninstall and reinstall of IPA replica ipareplica02?
>
> BTW, it will be more than appreciated if the web UI could pop up a warning prompt when removing host/services entries associated with IPA masters and IPA replicas.

Been there... Done that...

The bug is fixed in 2.2...
It will prompt and prevent you from deleting a replica host if there is an agreement.

To clean up...

0. On the master replica:
   ipa-replica-manage del ipareplica02.example.com --force
   - This will delete the replica agreement for the host.

1. $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com \
     '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
   Look for your nsds50ruv that matches your ghost replica.

2. Create an ldif following the directions here: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
   Something like:
   $ cat cleanup.ldif
   dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
   changetype: modify
   replace: nsds5task
   nsds5task: CLEANRUV##   <- ## == The ReplicaID number for the ghost replica.

3. Run on all of the remaining replicas:
   ldapmodify -x -D "cn=directory manager" -W -f cleanup.ldif
   - This removes the ghost entry.

4. On the broken replica:
   ipa-server-install --uninstall

5. Follow the normal directions for 'installing a replica'
   - on master: ipa-replica-prepare ipareplica02.example.com
   - scp /path/to/ipareplica02.example.com.gpg ipareplica02.example.com:ipareplica02.example.com.gpg
   - on replica: ipa-replica-install ipareplica02.example.com --whatever_options_you_used_previously

6. Check to make sure the server was built correctly and commands work as expected:
   kinit admin, ipa user-find, ipa host-find, id admin, etc etc

7. Sigh and drink coffee

> Thanks.
>
> --David
> From: Rich Megginson
> To: Ben Ho
> Cc: freeipa-users at redhat.com
> Sent: Tuesday, May 15, 2012 5:33 PM
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
> On 05/15/2012 02:49 PM, Ben Ho wrote:
>> This is the information I retrieved about my server.
>>
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> CentOS release 6.2
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>
>> Thanks again.
>
> Is replication otherwise working?
>
>> -Ben
>>
>> Date: Tue, 15 May 2012 13:15:46 -0600
>> From: rmeggins at redhat.com
>> To: ben13ho at hotmail.com
>> CC: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>>
>> On 05/15/2012 01:00 PM, Ben Ho wrote:
>> Hello,
>> I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:
>>
>> ipa-replica-manage re-initialize --from example2.edu
>>
>> On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.
>>
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1
>>
>> Again, I am pretty new to this, so any help or tips would be appreciated.
>>
>> What platform and what version of 389-ds-base and ipa-server for all of your servers?
>>
>> Thanks!
>>
>> -Ben

From tomj at syn-packet.com Wed May 16 22:08:34 2012
From: tomj at syn-packet.com (Thomas Jackson)
Date: Wed, 16 May 2012 15:08:34 -0700
Subject: [Freeipa-users] howto modify krb principal attributes without kadmin.local
In-Reply-To: <1337120692.16840.29.camel@willson.li.ssimo.org>
References: <1337120692.16840.29.camel@willson.li.ssimo.org>
Message-ID:

On Tue, May 15, 2012 at 3:24 PM, Simo Sorce wrote:

> On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote:
>> So going through the documentation it's clearly laid out not to use kadmin or kadmin.local when using freeipa. I have been unable to find how to replace this functionality in the documentation.
>>
>> If I could use kadmin.local on my kdc I would like to run the following command....
>>
>> modprinc +requires_hwauth user
>>
>> Am I going to need to extend/modify the krb5 schema to modify principals attributes in this way?
>
> For this specific change you can use kadmin.local, but the IPA UI will not report you anything about it.
>
> The flags part is still a weak point of the Web UI, if you want you can open a RFE ticket to ask for better support for these flags, we need to do it at some point we simply haven't yet as we concentrated on more important and pressing issue this far.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

The following errors lead me to believe I am missing something, as kadmin.local appears to have access issues when trying to modify a principal.

kadmin.local: modprinc +requires_hwauth user
modify_principal: User modification failed: Insufficient access while modifying "user".

For good measure I've modified /var/kerberos/krb5kdc/kadm5.acl with the correct ACLs for the domain and still encounter the same errors.

-ipa 2.1.3

From cao2dan at yahoo.com Wed May 16 21:54:40 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Wed, 16 May 2012 14:54:40 -0700 (PDT)
Subject: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake
In-Reply-To: <1337199780.85204.YahooMailNeo@web125705.mail.ne1.yahoo.com>
References: <4FB2AB62.6080002@redhat.com> <4FB2F5DE.5030308@redhat.com> <1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com> <46C26EC0-21F1-4209-AB19-C6EEE2D360CB@citrixonline.com> <1337199780.85204.YahooMailNeo@web125705.mail.ne1.yahoo.com>
Message-ID: <1337205280.11629.YahooMailNeo@web125704.mail.ne1.yahoo.com>

Sorry to declare success too quick, :(

In fact, it is worse now, the IPA master failed after performing the above steps including the RUV cleaning. I've only one working replica and I'm afraid to do anything on it.

On the IPA master, after I ran 'service ipa restart' it reported OK, but 'ipa user-find' failed. So I cleared my Kerberos TGT ticket, ran 'kinit admin' to try my luck, and the IPA master failed with the following message; it showed that the port 389 listener disappeared for unknown reasons.

[root at ipamaster slapd-EXAMPLE-COM]# kinit admin
kinit: Generic error (see e-text) while getting initial credentials
[root at ipamaster slapd-EXAMPLE-COM]# netstat -antup | grep -i LISTEN | grep ns
tcp        0      0 :::7389                     :::*                        LISTEN      6550/ns-slapd
tcp        0      0 :::7390                     :::*                        LISTEN      6550/ns-slapd
[root at ipamaster slapd-EXAMPLE-COM]#

The error logs are pasted here too.

[16/May/2012:14:41:43 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[16/May/2012:14:41:43 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[16/May/2012:14:41:43 -0700] - Listening on All Interfaces port 636 for LDAPS requests
[16/May/2012:14:41:43 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[16/May/2012:14:41:43 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:14:41:43 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:14:41:43 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:14:41:46 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth resumed

Thanks.

--David

________________________________
From: David Copperfield
To: JR Aquino
Cc: "freeipa-users at redhat.com"
Sent: Wednesday, May 16, 2012 1:23 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

Hi JR,

Thanks a lot! It works perfectly.
The only extra thing probably goes with 2.1.3 only: I need to find and clear ghost RUV records for the CA database, and remove them from the master and all other live replicas as well.

BTW, on 2.2.0 are the two database backends still separate, or merged into one?

Thanks.

--David

________________________________
From: JR Aquino
To: David Copperfield
Cc: FreeIPAUsers
Sent: Wednesday, May 16, 2012 12:57 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

On May 16, 2012, at 12:23 PM, David Copperfield wrote:

> Hi all,
>
> I accidentally removed one of my IPA replica hosts on the IPA web UI by mistake: on the host list I planned to remove ipaclient02.example.com, but accidentally the mouse moved to ipareplica02.example.com and the latter got removed without a prompt.
>
> I realized the mistake and tried to recover from this disaster but it was already too late, the change propagated to all the replicas and the poor ipareplica02 now stops functioning.
>
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]#
>
> On the IPA master, it was found that ipareplica02 didn't show up in the 'host-find' list or 'service-find' list. Though it still showed in the master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', the real command 'ipa-replica-manage list ipareplica02' fails with an "LDAP couldn't reach" error.
>
> What should I do now? Are there any other ways to recover besides uninstall and reinstall of IPA replica ipareplica02?
>
> BTW, it will be more than appreciated if the web UI could pop up a warning prompt when removing host/service entries associated with IPA masters and IPA replicas.

Been there... Done that...

The bug is fixed in 2.2... It will prompt and prevent you from deleting a replica host if there is an agreement.

To clean up...

0. On the master replica: ipa-replica-manage del ipareplica02.example.com --force
   - This will delete the replica agreement for the host.

1. $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com \
     '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
   Look for your nsds50ruv that matches your ghost replica.

2. Create an ldif following the directions here: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
   Something like:

   $ cat cleanup.ldif
   dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
   changetype: modify
   replace: nsds5task
   nsds5task: CLEANRUV##    <- ## == The ReplicaID number for the ghost replica.

3. Run on all of the remaining replicas: ldapmodify -x -D "cn=directory manager" -W -f fixed.ldif
   - This removes the ghost entry.

4. On the broken replica: ipa-server-install --uninstall

5. Follow the normal directions for 'installing a replica'
   - on master: ipa-replica-prepare ipareplica02.example.com
   - scp /path/to/ipareplica02.example.com.gpg ipareplica02.example.com:ipareplica02.example.com.gpg
   - on replica: ipa-replica-install ipareplica02.example.com --whatever_options_you_used_previously

6. Check to make sure the server was built correctly and commands work as expected: kinit admin, ipa user-find, ipa host-find, id admin, etc etc

7. Sigh and drink coffee

> Thanks.
>
> --David
>
> From: Rich Megginson
> To: Ben Ho
> Cc: freeipa-users at redhat.com
> Sent: Tuesday, May 15, 2012 5:33 PM
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
> On 05/15/2012 02:49 PM, Ben Ho wrote:
>> This is the information I retrieved about my server.
>>
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> CentOS release 6.2
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>
>> Thanks again.
>
> Is replication otherwise working?
>
>> -Ben
>>
>> Date: Tue, 15 May 2012 13:15:46 -0600
>> From: rmeggins at redhat.com
>> To: ben13ho at hotmail.com
>> CC: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>>
>> On 05/15/2012 01:00 PM, Ben Ho wrote:
>> Hello,
>> I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:
>>
>> ipa-replica-manage re-initialize --from example2.edu
>>
>> On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.
>>
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1
>>
>> Again, I am pretty new to this, so any help or tips would be appreciated.
>>
>> What platform and what version of 389-ds-base and ipa-server for all of your servers?
>>
>> Thanks!
>> -Ben

From rcritten at redhat.com Wed May 16 22:15:11 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 May 2012 18:15:11 -0400
Subject: [Freeipa-users] howto modify krb principal attributes without kadmin.local
References: <1337120692.16840.29.camel@willson.li.ssimo.org>
Message-ID: <4FB426EF.8070603@redhat.com>

Thomas Jackson wrote:
> kadmin.local: modprinc +requires_hwauth user
> modify_principal: User modification failed: Insufficient access while
> modifying "user".

What user's ticket do you have when trying to make this change?

The error is coming from 389-ds, not from the KDC ACLs.

For whatever it's worth I tried this in 2.2.0 and it worked.
rob

From simo at redhat.com Wed May 16 22:18:35 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 16 May 2012 18:18:35 -0400
Subject: [Freeipa-users] howto modify krb principal attributes without kadmin.local
In-Reply-To: <4FB426EF.8070603@redhat.com>
References: <1337120692.16840.29.camel@willson.li.ssimo.org> <4FB426EF.8070603@redhat.com>
Message-ID: <1337206715.16840.93.camel@willson.li.ssimo.org>

On Wed, 2012-05-16 at 18:15 -0400, Rob Crittenden wrote:
> Thomas Jackson wrote:
> > kadmin.local: modprinc +requires_hwauth user
> > modify_principal: User modification failed: Insufficient access while
> > modifying "user".
>
> What user's ticket do you have when trying to make this change?
>
> The error is coming from 389-ds, not from the KDC ACLs.
>
> For whatever it's worth I tried this in 2.2.0 and it worked.

In 2.2 we do not restrict kadmin/kdc as much as we did in < 2.1

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From SKline at tnsi.com Wed May 16 22:33:59 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Wed, 16 May 2012 15:33:59 -0700
Subject: [Freeipa-users] Problems replicating with Windows 2008 AD

Hey all,

FreeIPA has been very simple to set up so far; I have been able to follow along with the documentation every step of the way. I am running into an issue, however, when trying to set up replication between the Red Hat 6.2 server running FreeIPA and the Win 2008 R2 server running Active Directory. I created the replication user like the instructions say and gave it the necessary permissions, however when I try to set up the agreement, it tells me I am using invalid credentials. I am unsure of what I should do at this point. SSL certs are installed on both and trusted on both, the servers are connected and both are synced to the same time source. Can anyone think of anything else?
I am using the command as follows:

ipa-replica-manage connect --winsync --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com --bindpw mypassword --passsync mypassword --cacert /etc/openldap/cacerts/winadcert.cer oly-infra-ldap2.prod.example.com

Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495

________________________________
This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Transaction Network Services. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

From JR.Aquino at citrix.com Wed May 16 23:00:26 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 16 May 2012 23:00:26 +0000
Subject: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake
In-Reply-To: <1337205280.11629.YahooMailNeo@web125704.mail.ne1.yahoo.com>
References: <4FB2AB62.6080002@redhat.com> <4FB2F5DE.5030308@redhat.com> <1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com> <46C26EC0-21F1-4209-AB19-C6EEE2D360CB@citrixonline.com> <1337199780.85204.YahooMailNeo@web125705.mail.ne1.yahoo.com> <1337205280.11629.YahooMailNeo@web125704.mail.ne1.yahoo.com>

Try: ipactl stop then ipactl start

Doesn't look like dirsrv is running on 389 and 636

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478 C: +1 805.717.0365
jr.aquino at citrixonline.com http://www.citrixonline.com

On May 16, 2012, at 2:54 PM, David Copperfield wrote:

Sorry to declare success too quick, :(

In fact, it is worse now, the IPA master failed after performing the above steps including the RUV cleaning. I've only one working replica and I'm afraid to do anything on it.

On the IPA master, after I ran 'service ipa restart' it reported OK, but 'ipa user-find' failed. So I cleared my Kerberos TGT ticket, ran 'kinit admin' to try my luck, and the IPA master failed with the following message; it showed that the port 389 listener disappeared for unknown reasons.

[root at ipamaster slapd-EXAMPLE-COM]# kinit admin
kinit: Generic error (see e-text) while getting initial credentials
[root at ipamaster slapd-EXAMPLE-COM]# netstat -antup | grep -i LISTEN | grep ns
tcp        0      0 :::7389                     :::*                        LISTEN      6550/ns-slapd
tcp        0      0 :::7390                     :::*                        LISTEN      6550/ns-slapd
[root at ipamaster slapd-EXAMPLE-COM]#

The error logs are pasted here too.

[16/May/2012:14:41:43 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[16/May/2012:14:41:43 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[16/May/2012:14:41:43 -0700] - Listening on All Interfaces port 636 for LDAPS requests
[16/May/2012:14:41:43 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[16/May/2012:14:41:43 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:14:41:43 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:14:41:43 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:14:41:46 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth resumed

Thanks.

--David

________________________________
From: David Copperfield
To: JR Aquino
Cc: "freeipa-users at redhat.com"
Sent: Wednesday, May 16, 2012 1:23 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

Hi JR,

Thanks a lot! It works perfectly.

The only extra thing probably goes with 2.1.3 only: I need to find and clear ghost RUV records for the CA database, and remove them from the master and all other live replicas as well.

BTW, on 2.2.0 are the two database backends still separate, or merged into one?

Thanks.

--David

________________________________
From: JR Aquino
To: David Copperfield
Cc: FreeIPAUsers
Sent: Wednesday, May 16, 2012 12:57 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

On May 16, 2012, at 12:23 PM, David Copperfield wrote:

> Hi all,
>
> I accidentally removed one of my IPA replica hosts on the IPA web UI by mistake: on the host list I planned to remove ipaclient02.example.com, but accidentally the mouse moved to ipareplica02.example.com and the latter got removed without a prompt.
>
> I realized the mistake and tried to recover from this disaster but it was already too late, the change propagated to all the replicas and the poor ipareplica02 now stops functioning.
>
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]#
>
> On the IPA master, it was found that ipareplica02 didn't show up in the 'host-find' list or 'service-find' list. Though it still showed in the master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', the real command 'ipa-replica-manage list ipareplica02' fails with an "LDAP couldn't reach" error.
>
> What should I do now? Are there any other ways to recover besides uninstall and reinstall of IPA replica ipareplica02?
>
> BTW, it will be more than appreciated if the web UI could pop up a warning prompt when removing host/service entries associated with IPA masters and IPA replicas.

Been there... Done that...

The bug is fixed in 2.2... It will prompt and prevent you from deleting a replica host if there is an agreement.

To clean up...

0. On the master replica: ipa-replica-manage del ipareplica02.example.com --force
   - This will delete the replica agreement for the host.

1. $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com \
     '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
   Look for your nsds50ruv that matches your ghost replica.

2. Create an ldif following the directions here: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
   Something like:

   $ cat cleanup.ldif
   dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
   changetype: modify
   replace: nsds5task
   nsds5task: CLEANRUV##    <- ## == The ReplicaID number for the ghost replica.

3. Run on all of the remaining replicas: ldapmodify -x -D "cn=directory manager" -W -f fixed.ldif
   - This removes the ghost entry.

4. On the broken replica: ipa-server-install --uninstall

5. Follow the normal directions for 'installing a replica'
   - on master: ipa-replica-prepare ipareplica02.example.com
   - scp /path/to/ipareplica02.example.com.gpg ipareplica02.example.com:ipareplica02.example.com.gpg
   - on replica: ipa-replica-install ipareplica02.example.com --whatever_options_you_used_previously

6. Check to make sure the server was built correctly and commands work as expected: kinit admin, ipa user-find, ipa host-find, id admin, etc etc

7. Sigh and drink coffee

> Thanks.
>
> --David
>
> From: Rich Megginson
> To: Ben Ho
> Cc: freeipa-users at redhat.com
> Sent: Tuesday, May 15, 2012 5:33 PM
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
> On 05/15/2012 02:49 PM, Ben Ho wrote:
>> This is the information I retrieved about my server.
>>
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> CentOS release 6.2
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>
>> Thanks again.
>
> Is replication otherwise working?
>
>> -Ben
>>
>> Date: Tue, 15 May 2012 13:15:46 -0600
>> From: rmeggins at redhat.com
>> To: ben13ho at hotmail.com
>> CC: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>>
>> On 05/15/2012 01:00 PM, Ben Ho wrote:
>> Hello,
>> I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:
>>
>> ipa-replica-manage re-initialize --from example2.edu
>>
>> On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.
>>
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1
>>
>> Again, I am pretty new to this, so any help or tips would be appreciated.
>>
>> What platform and what version of 389-ds-base and ipa-server for all of your servers?
>>
>> Thanks!
>> -Ben

From rmeggins at redhat.com Wed May 16 23:11:32 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 16 May 2012 17:11:32 -0600
Subject: [Freeipa-users] Problems replicating with Windows 2008 AD
Message-ID: <4FB43424.2050301@redhat.com>

On 05/16/2012 04:33 PM, Kline, Sara wrote:
>
> Hey all,
>
> FreeIPA has been very simple to set up so far; I have been able to
> follow along with the documentation every step of the way. I am
> running into an issue, however, when trying to set up replication
> between the Red Hat 6.2 server running FreeIPA and the Win 2008 R2
> server running Active Directory. I created the replication user like
> the instructions say and gave it the necessary permissions, however
> when I try to set up the agreement, it tells me I am using invalid
> credentials. I am unsure of what I should do at this point. SSL certs
> are installed on both and trusted on both, the servers are connected
> and both are synced to the same time source. Can anyone think of
> anything else?
>
> I am using the command as follows:
>
> ipa-replica-manage connect --winsync
> --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com
> --bindpw mypassword
> --passsync mypassword
> --cacert /etc/openldap/cacerts/winadcert.cer
> oly-infra-ldap2.prod.example.com
>

You can use ldapsearch to test the connection with AD:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -H ldap://oly-infra-ldap2.prod.example.com -ZZ -D "cn=freeipa,cn=users,dc=prod,dc=example,dc=com" -w mypassword -s base -b "" 'objectclass=*' namingcontexts

This assumes
1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine
2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD
3) mypassword is the correct password and doesn't need to be quoted for the shell

> Sara Kline
> System Administrator
> Transaction Network Services, Inc
> 4501 Intelco Loop, Lacey WA 98503
> Wk: (360) 493-6736
> Cell: (360) 280-2495
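JR Aquino's CLEANRUV procedure earlier in this thread (steps 1 to 3) has you read the nsds50ruv values off the RUV tombstone, pick out the replica ID of the ghost replica, and apply one CLEANRUV LDIF on every remaining server. As an added example that is not part of the thread or of FreeIPA, this POSIX shell script does the parsing and LDIF generation from a saved copy of that ldapsearch output; the RUV values and host names in SAMPLE_RUV are constructed, the suffix dc=example,dc=com is the one the thread uses, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: turn the nsds50ruv values returned by
#   ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com \
#     '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
# into a CLEANRUV LDIF for every replica ID that no longer belongs to a live
# server.  As the procedure says, the LDIF must be applied with ldapmodify on
# every remaining replica; the thread reports the ghost entries coming back
# after restarts until every server had been cleaned.

# Constructed sample of the nsds50ruv values such a search returns.  Element
# format: {replica <rid> ldap://<host>:<port>} <min csn> <max csn>; the
# {replicageneration} element carries no replica ID and is skipped.
SAMPLE_RUV='nsds50ruv: {replicageneration} 4f9d0a0b000000040000
nsds50ruv: {replica 4 ldap://ipamaster.example.com:389} 4f9d0a0c000000040000 4fb3e1a2000000040000
nsds50ruv: {replica 5 ldap://ipareplica01.example.com:389} 4f9d1b0c000000050000 4fb3e1a3000000050000
nsds50ruv: {replica 6 ldap://ipareplica02.example.com:389} 4f9d2c0c000000060000 4fb2ab0e000000060000'

# ghost_replica_ids RUV_TEXT LIVE_HOST...
# Prints, one per line, the replica IDs whose URL host is not among LIVE_HOST...
ghost_replica_ids() {
    ruv=$1
    shift
    live=" $* "
    printf '%s\n' "$ruv" | awk -v live="$live" '
        /^nsds50ruv: [{]replica [0-9]+ ldap:\/\// {
            rid = $3                      # fields: "{replica" "6" "ldap://host:389}"
            host = $4
            sub(/^ldap:\/\//, "", host)   # drop the scheme
            sub(/[:}].*$/, "", host)      # drop port and closing brace
            if (index(live, " " host " ") == 0) print rid
        }'
}

# mapping_tree_dn SUFFIX
# Escapes the suffix the way cn=config names it ("=" -> \3D, "," -> \2C) and
# returns the replica entry DN under cn=mapping tree,cn=config.
mapping_tree_dn() {
    esc=$(printf '%s' "$1" | sed -e 's/=/\\3D/g' -e 's/,/\\2C/g')
    printf 'cn=replica,cn=%s,cn=mapping tree,cn=config\n' "$esc"
}

# cleanruv_ldif SUFFIX RID
# Emits the LDIF that starts the CLEANRUV task for one replica ID.
cleanruv_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsds5task\nnsds5task: CLEANRUV%s\n' \
        "$(mapping_tree_dn "$1")" "$2"
}

# Stand-alone run: the master and the surviving replica are live, so replica 6
# (the deleted ipareplica02) is the ghost and gets a CLEANRUV LDIF.
for rid in $(ghost_replica_ids "$SAMPLE_RUV" ipamaster.example.com ipareplica01.example.com); do
    echo "# ghost replica ID $rid: apply this with ldapmodify on every remaining replica"
    cleanruv_ldif dc=example,dc=com "$rid"
done
```

Feed it the real tombstone output and the list of servers that still exist; anything it reports that is a live server means the host list, not the RUV, is wrong.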
From cao2dan at yahoo.com Wed May 16 23:28:11 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Wed, 16 May 2012 16:28:11 -0700 (PDT)
Subject: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake
References: <4FB2AB62.6080002@redhat.com> <4FB2F5DE.5030308@redhat.com> <1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com> <46C26EC0-21F1-4209-AB19-C6EEE2D360CB@citrixonline.com> <1337199780.85204.YahooMailNeo@web125705.mail.ne1.yahoo.com> <1337205280.11629.YahooMailNeo@web125704.mail.ne1.yahoo.com>
Message-ID: <1337210891.74314.YahooMailNeo@web125701.mail.ne1.yahoo.com>

Could that be because of removing ghost entries in the CA database? Another possible place could be the deleting/clearing option itself.

One annoying thing that I've found is: I cleared the RUV records from the IPA servers one by one, then I restarted the IPA services on the servers one by one again, and ldapsearch showed that the RUV ghost entries popped up again. :( I had to kill them again and again across the IPA server farms, then restart the IPA servers one by one, check again, until the ghost RUV entries disappeared from all of them and didn't come back -- it is very, VERY exhausting and annoying.

After that I still needed to stop the IPA replica first, then restart the IPA master, and this time it worked -- ipa commands and kinit worked. At last I brought up the valid replica and it worked this time as well.

Now it was time to reinstall the failed IPA replica, and it was installed and is up and running well. After that I tested with 'ipa user-add' and 'ipa user-delete' and found that the replication did work across the IPA master and IPA replicas.
I tested the last time and found the following messages in the error log file on IPA master, it maybe harmless but I am not sure: [16/May/2012:16:18:36 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up[16/May/2012:16:18:36 -0700] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=jigsaw,dc=com [16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition. [16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition. [16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))[16/May/2012:16:18:36 -0700] - slapd started. ?Listening on All Interfaces port 389 for LDAP requests [16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))[16/May/2012:16:18:36 -0700] - Listening on All Interfaces port 636 for LDAPS requests [16/May/2012:16:18:36 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests [16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
?Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)) [16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. ?Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)) [16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. ?Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)) [16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind with GSSAPI auth resumed
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth resumed

--David

________________________________
From: JR Aquino
To: David Copperfield
Cc: JR Aquino; Rob Crittenden; "freeipa-users at redhat.com"
Sent: Wednesday, May 16, 2012 4:00 PM
Subject: Re: Still not working -- Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

Try:
ipactl stop
then
ipactl start

Doesn't look like dirsrv is running on 389 and 636

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aquino at citrixonline.com
http://www.citrixonline.com

On May 16, 2012, at 2:54 PM, David Copperfield wrote:

Sorry to declare success too quick, :(

In fact, it is worse now, the IPA master fails after performing the above steps including the RUV cleaning. I've only one working replica and I'm afraid to do anything on it.

On the IPA master, after I ran 'service ipa restart' it reported OK, but 'ipa user-find' failed. So I cleared my Kerberos TGT ticket, ran 'kinit admin' to try my luck, and the IPA master failed with the following message; it showed that the 389 port listener disappeared for unknown reasons.

[root at ipamaster slapd-EXAMPLE-COM]# kinit admin
kinit: Generic error (see e-text) while getting initial credentials
[root at ipamaster slapd-EXAMPLE-COM]# netstat -antup | grep -i LISTEN | grep ns
tcp        0      0 :::7389                     :::*                        LISTEN      6550/ns-slapd
tcp        0      0 :::7390                     :::*                        LISTEN      6550/ns-slapd
[root at ipamaster slapd-EXAMPLE-COM]#

The error logs are pasted here too.

[16/May/2012:14:41:43 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[16/May/2012:14:41:43 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[16/May/2012:14:41:43 -0700] - Listening on All Interfaces port 636 for LDAPS requests
[16/May/2012:14:41:43 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[16/May/2012:14:41:43 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:14:41:43 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:14:41:43 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:14:41:46 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth resumed

Thanks.

--David

________________________________
From: David Copperfield
To: JR Aquino
Cc: "freeipa-users at redhat.com"
Sent: Wednesday, May 16, 2012 1:23 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

Hi JR,

Thanks a lot! It works perfectly.
The only extra thing probably goes with 2.1.3 only: I need to find and clear ghost RUV records for the CA database, and remove it from the master and all other live replicas as well.

BTW, on 2.2.0 are the two database backends still separate, or merged into one?

Thanks.

--David

________________________________
From: JR Aquino
To: David Copperfield
Cc: FreeIPAUsers
Sent: Wednesday, May 16, 2012 12:57 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

On May 16, 2012, at 12:23 PM, David Copperfield wrote:

> Hi all,
>
> I accidentally removed one of my IPA replica hosts on the IPA web UI by mistake. On the host list I planned to remove ipaclient02.example.com, but accidentally the mouse moved to ipareplica02.example.com and the latter got removed without a prompt.
>
> I realized the mistake and tried to recover from this disaster but it was already too late, the change propagated to all the replicas and the poor ipareplica02 now stops functioning.
>
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]#
>
> On the IPA master, it was found that ipareplica02 didn't show up in the 'host-find' list or 'service-find' list. Though it still showed in the master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', the real command 'ipa-replica-manage list ipareplica02' fails with an LDAP couldn't-reach error.
>
> What should I do now? Are there any other ways to recover besides uninstall and reinstall of IPA replica ipareplica02?
>
> BTW, it will be more than appreciated if the web UI could pop up a warning prompt when removing host/service entries associated with IPA masters and IPA replicas.

Been there... Done that...

The bug is fixed in 2.2... It will prompt and prevent you from deleting a replica host if there is an agreement.

To clean up...

0. On the master replica:
   ipa-replica-manage del ipareplica02.example.com --force
   - This will delete the replica agreement for the host.

1. $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com \
     '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
   Look for your nsds50ruv that matches your ghost replica.

2. Create an ldif following the directions here: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
   Something like:
   $ cat cleanup.ldif
   dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
   changetype: modify
   replace: nsds5task
   nsds5task: CLEANRUV##   <- ## == The ReplicaID number for the ghost replica.

3. Run on all of the remaining replicas:
   ldapmodify -x -D "cn=directory manager" -W -f fixed.ldif
   - This removes the ghost entry.

4. On the broken replica:
   ipa-server-install --uninstall

5. Follow the normal directions for 'installing a replica'
   - on master: ipa-replica-prepare ipareplica02.example.com
   - scp /path/to/ipareplica02.example.com.gpg ipareplica02.example.com:ipareplica02.example.com.gpg
   - on replica: ipa-replica-install ipareplica02.example.com --whatever_options_you_used_previously

6. Check to make sure the server was built correctly and commands work as expected:
   kinit admin, ipa user-find, ipa host-find, id admin, etc etc

7. Sigh and drink coffee

> Thanks.
>
> --David
>
> From: Rich Megginson
> To: Ben Ho
> Cc: freeipa-users at redhat.com
> Sent: Tuesday, May 15, 2012 5:33 PM
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
> On 05/15/2012 02:49 PM, Ben Ho wrote:
>> This is the information I retrieved about my server.
>>
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> CentOS release 6.2
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>
>> Thanks again.
>
> Is replication otherwise working?
>
>>
>> -Ben
>>
>> Date: Tue, 15 May 2012 13:15:46 -0600
>> From: rmeggins at redhat.com
>> To: ben13ho at hotmail.com
>> CC: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>>
>> On 05/15/2012 01:00 PM, Ben Ho wrote:
>> Hello,
>> I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:
>>
>> ipa-replica-manage re-initialize --from example2.edu
>>
>> On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.
>>
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1
>>
>>
>> Again, I am pretty new to this, so any help or tips would be appreciated.
>>
>> What platform and what version of 389-ds-base and ipa-server for all of your servers?
>>
>>
>> Thanks!
>>
>> -Ben
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From JR.Aquino at citrix.com Wed May 16 23:41:54 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 16 May 2012 23:41:54 +0000
Subject: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake
In-Reply-To: <1337210891.74314.YahooMailNeo@web125701.mail.ne1.yahoo.com>
References: <4FB2AB62.6080002@redhat.com> <4FB2F5DE.5030308@redhat.com> <1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com> <46C26EC0-21F1-4209-AB19-C6EEE2D360CB@citrixonline.com> <1337199780.85204.YahooMailNeo@web125705.mail.ne1.yahoo.com> <1337205280.11629.YahooMailNeo@web125704.mail.ne1.yahoo.com> <1337210891.74314.YahooMailNeo@web125701.mail.ne1.yahoo.com>
Message-ID: <345084AE-5609-4665-A664-6867DDCA0AFE@citrix.com>

Whew, glad to hear you got through it! The 389 ds crew is working on making the cleanruv into an internal automated process. I empathize completely.

The gssapi errors are generally benign. They come up because ldap starts before the kdc.

"Keeping your head in the cloud"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aquino at citrix.com
http://www.citrixonline.com

On May 16, 2012, at 4:29 PM, "David Copperfield" wrote:

Could that be because of removing ghost entries in the CA database? Another possible place could be the deleting/clearing option itself.

One annoying thing that I've found is: I cleared the RUV records from the IPA servers one by one, then I restarted IPA services on the servers one by one again, and ldapsearch showed that the RUV ghost entries popped up again. :( I had to kill it again and again across the IPA server farms, then restart the IPA servers one by one, check again, until the ghost RUV entries disappeared from all and didn't come back -- It is very, VERY exhausting and annoying.

After that I still needed to stop the IPA replica first, then restart the IPA master, and now it worked -- ipa commands and kinit worked. At last I brought up the valid replica and it worked this time as well. Now it was time to reinstall the failed IPA replica, and it was installed and up and running well. After that I tested with 'ipa user-add' and 'ipa user-delete' and found that the replication did work across the IPA master and IPA replicas.

I tested one last time and found the following messages in the error log file on the IPA master; it may be harmless but I am not sure:

[16/May/2012:16:18:36 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[16/May/2012:16:18:36 -0700] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=jigsaw,dc=com
[16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[16/May/2012:16:18:36 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[16/May/2012:16:18:36 -0700] - Listening on All Interfaces port 636 for LDAPS requests
[16/May/2012:16:18:36 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind with GSSAPI auth resumed
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth resumed

--David

From SKline at tnsi.com Thu May 17 00:04:51 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Wed, 16 May 2012 17:04:51 -0700
Subject: [Freeipa-users] Problems replicating with Windows 2008 AD
In-Reply-To: <4FB43424.2050301@redhat.com>
References: <4FB43424.2050301@redhat.com>
Message-ID:

I found the issue, it had to do with what Windows set the cn to, as opposed to what I thought the CN was. Once I figured out where that was set at I was able to fix it.
Cn's for us are usually the user id, so that was where the disconnect was. Once I fixed that issue, however, I got another error. I am logged in as root on the FreeIPA server. When I run the ipa-manage-replica command I get:

Added CA certificate /etc/openldap/cacerts/winadcert.cer to certificate database for oly-infra-ldap1.prod.tnsi.com
INFO:root:AD Suffix is: DC=prod,DC=example,DC=com
Insufficient access

I am not sure I understand why this is not working.

Thanks,
Sara Kline

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Wednesday, May 16, 2012 4:12 PM
To: Kline, Sara
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Problems replicating with Windows 2008 AD

On 05/16/2012 04:33 PM, Kline, Sara wrote:
Hey all,

FreeIPA has been very simple to set up so far, I have been able to follow along with the documentation every step of the way. I am running into an issue however when trying to set up replication between the Red Hat 6.2 server running FreeIPA and the Win 2008 R2 server running Active Directory. I created the replication user like the instructions say and gave it the necessary permissions, however when I try to set up the agreement, it tells me I am using invalid credentials. I am unsure of what I should do at this point? SSL certs are installed on both and trusted on both, the servers are connected and both are synced to the same time source. Can anyone think of anything else?
I am using the command as follows:

Ipa-replica-manage connect -winsync --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com --bindpw mypassword --passsync mypassword --cacert /etc/openldap/cacerts/winadcert.cer oly-infra-ldap2.prod.example.com

You can use ldapsearch to test the connection with AD:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -H ldap://oly-infra-ldap2.prod.example.com -ZZ -D "cn=freeipa,cn=users,dc=prod,dc=example,dc=com" -w mypassword -s base -b "" 'objectclass=*' namingcontexts

This assumes
1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine
2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD
3) mypassword is the correct password and doesn't need to be quoted for the shell

Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495

________________________________
This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Transaction Network Services. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
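The ghost-RUV cleanup quoted earlier in this thread in JR Aquino's reply (step 1: ldapsearch the RUV tombstone and find the nsds50ruv element of the deleted replica; step 2: a CLEANRUV ldif per ghost replica ID; step 3: apply it on every remaining replica) can be scripted so that one run covers every replicated backend, the userRoot suffix and the CA backend under o=ipaca that David mentions. The following is an added example, not code from this thread, from FreeIPA or from 389-ds; the hostnames, replica IDs and the sample ldapsearch output are constructed, and the function names are this example's own.

```python
"""Find ghost replica IDs in a 389-ds RUV tombstone and emit the CLEANRUV tasks.

Added example (assumptions: hostnames, replica IDs and the sample ldapsearch
output below are all constructed; this is not FreeIPA or 389-ds code).
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed sample of what the step-1 ldapsearch returns for each backend.
# ldapsearch folds long values onto continuation lines that start with one
# space, so the parser has to unfold them. Replicas 3 and 99 belong to the
# host that was deleted (ipareplica02).
SAMPLE_RUV_BY_SUFFIX: Dict[str, str] = {
    "dc=example,dc=com": """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: nsTombstone
nsds50ruv: {replicageneration} 4fb2ab62000000010000
nsds50ruv: {replica 1 ldap://ipamaster.example.com:389} 4fb2ab63000000010000 4fb
 4367a000000010000
nsds50ruv: {replica 2 ldap://ipareplica01.example.com:389} 4fb2ac10000000020000 4
 fb43601000000020000
nsds50ruv: {replica 3 ldap://ipareplica02.example.com:389} 4fb2ac99000000030000 4
 fb2f5de000000030000
""",
    "o=ipaca": """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
objectClass: nsTombstone
nsds50ruv: {replicageneration} 4fb2ab70000000610000
nsds50ruv: {replica 97 ldap://ipamaster.example.com:7389} 4fb2ab71000000610000 4fb4
 3680000000610000
nsds50ruv: {replica 98 ldap://ipareplica01.example.com:7389} 4fb2ac20000000620000 4fb
 43610000000620000
nsds50ruv: {replica 99 ldap://ipareplica02.example.com:7389} 4fb2aca0000000630000 4fb
 2f5e0000000630000
""",
}

RUV_ELEMENT = re.compile(r"\{replica (\d+) (ldaps?://[^}\s]+)\}")


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (those starting with one space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ruv(ldif_text: str) -> Dict[int, str]:
    """Map replica ID -> LDAP URL for every {replica N url} element of the tombstone."""
    ruv: Dict[int, str] = {}
    for line in unfold_ldif(ldif_text):
        if not line.lower().startswith("nsds50ruv:"):
            continue
        match = RUV_ELEMENT.search(line)
        if match:  # the {replicageneration} element carries no replica ID and is skipped
            ruv[int(match.group(1))] = match.group(2)
    return ruv


def ghost_replica_ids(ruv: Dict[int, str], deleted_host: str) -> List[int]:
    """Replica IDs whose RUV URL still points at the host that no longer exists."""
    return sorted(rid for rid, url in ruv.items()
                  if (urlsplit(url).hostname or "").lower() == deleted_host.lower())


def escape_suffix_rdn(suffix: str) -> str:
    """Hex-escape '=' and ',' as the mapping tree RDN does: dc=example,dc=com -> dc\\3Dexample\\2Cdc\\3Dcom."""
    return suffix.replace("=", "\\3D").replace(",", "\\2C")


def cleanruv_ldif(suffix: str, ghost_ids: Iterable[int]) -> str:
    """One modify per ghost ID, in the shape of the cleanup.ldif shown in step 2."""
    rdn = escape_suffix_rdn(suffix)
    return "\n".join(
        f"dn: cn=replica,cn={rdn},cn=mapping tree,cn=config\n"
        "changetype: modify\n"
        "replace: nsds5task\n"
        f"nsds5task: CLEANRUV{rid}\n"
        for rid in ghost_ids
    )


def plan_cleanup(ruv_by_suffix: Dict[str, str], deleted_host: str) -> Dict[str, str]:
    """LDIF per backend; an empty string means that backend has no ghost RUV element."""
    return {
        suffix: cleanruv_ldif(suffix, ghost_replica_ids(parse_ruv(ldif), deleted_host))
        for suffix, ldif in ruv_by_suffix.items()
    }


if __name__ == "__main__":
    # Apply each non-empty result with ldapmodify on every remaining replica (step 3).
    for suffix, ldif in plan_cleanup(SAMPLE_RUV_BY_SUFFIX, "ipareplica02.example.com").items():
        print(f"# backend {suffix}")
        print(ldif or "# nothing to clean\n")
```

Run the step-1 ldapsearch once per backend (for the CA backend, against o=ipaca), save each result, and pass them to plan_cleanup together with the FQDN of the replica that was deleted; the replica IDs in the generated CLEANRUV tasks come from the RUV itself rather than from memory, and the same file can then be applied with ldapmodify on each remaining replica. The block never binds to a server, so it is safe to dry-run before touching anything.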
URL: From cao2dan at yahoo.com Thu May 17 00:11:20 2012 From: cao2dan at yahoo.com (David Copperfield) Date: Wed, 16 May 2012 17:11:20 -0700 (PDT) Subject: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake In-Reply-To: <345084AE-5609-4665-A664-6867DDCA0AFE@citrix.com> References: , <4FB2AB62.6080002@redhat.com> <4FB2F5DE.5030308@redhat.com> <1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com> <46C26EC0-21F1-4209-AB19-C6EEE2D360CB@citrixonline.com> <1337199780.85204.YahooMailNeo@web125705.mail.ne1.yahoo.com> <1337205280.11629.YahooMailNeo@web125704.mail.ne1.yahoo.com> , <1337210891.74314.YahooMailNeo@web125701.mail.ne1.yahoo.com> <345084AE-5609-4665-A664-6867DDCA0AFE@citrix.com> Message-ID: <1337213480.1977.YahooMailNeo@web125705.mail.ne1.yahoo.com> Hi JR, Rob and Rich, Thanks a lot for helping! A massage may be the choice for me now. :) Though I still have two questions here. :) ?1, do you have an idea on how to clear the ghost RUVs thoroughly in one run? For my case today it took me quite some time to clear it again and again from across server farm -- it looks like the affected LDAP entries are overwritten from each other, like a basket of bumping balls. ?2, And, does it bring troubles if I also run: ? ipa-csreplica-manage del --force ? ## on IPA master and? ? clear the CA ghost RUV record from under 'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config'?? I thought this above could be more complete, But the link http://directory.fedoraproject.org/wiki/Howto:CLEANRUV documented only user LDAP backend and normal user LDAP replica, not including this CA replication and CA ldap backend clearance. ? So I got confused on the purposes the document link didn't mention this (CA). It is because clear CA RUV is wrong? or the author just took it for granted that all users are non-newbies, any ideas? ? :) Thanks a lot for your help today. --David ?? 
--David ________________________________ From: JR Aquino To: David Copperfield Cc: "freeipa-users at redhat.com" ; Rob Crittenden Sent: Wednesday, May 16, 2012 4:41 PM Subject: Re: Still not working -- Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake Whew, glad to hear you got through it! The 389 ds crew is working on making the cleanruv into an internal automated process. I empathize completely. The gssapi errors are generally benign. They come up because ldap starts before the kdc. "Keeping your head in the cloud" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Jr Aquino | Sr. Information Security Specialist GIAC Certified Incident Handler | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 jr.aquino at citrix.com http://www.citrixonline.com On May 16, 2012, at 4:29 PM, "David Copperfield" > wrote: Could that be because of removing ghost entries in CA database? Another possible place could be the deleting/clearing option itself. One annoying thing that I've found is: I cleared the RUV records from IPA servers one by one, then I restart IPA services on the servers one by one again, ldapsearch showed that the RUV ghost entries popped up again. :( I had to kill it again and again across the IPA server farms, then restart IPA servers one by one, check again, until the ghost RUV entries disappeared from all and didn't come back -- It is very, VERY exhausting and annoying. After that I still need to stop IPA replica first, then restart IPA master and until now it worked -- ipa commands and kinit worked.? At last I brought up the valid replica and it worked this time as well. Now it was time to reinstall the failed IPA replica and it was installed and up and running well. After I tested with 'ipa user-add', 'ipa-user-delete' and found that the replication did work across the IPA master and IPA replicas. 
I tested one last time and found the following messages in the error log file on the IPA master; they may be harmless but I am not sure:

[16/May/2012:16:18:36 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[16/May/2012:16:18:36 -0700] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=jigsaw,dc=com
[16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[16/May/2012:16:18:36 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[16/May/2012:16:18:36 -0700] - Listening on All Interfaces port 636 for LDAPS requests
[16/May/2012:16:18:36 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind with GSSAPI auth resumed
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth resumed

--David

________________________________
From: JR Aquino
To: David Copperfield
Cc: JR Aquino; Rob Crittenden; "freeipa-users at redhat.com"
Sent: Wednesday, May 16, 2012 4:00 PM
Subject: Re: Still not working -- Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

Try: ipactl stop then ipactl start

Doesn't look like dirsrv is running on 389 and 636

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aquino at citrixonline.com
http://www.citrixonline.com

On May 16, 2012, at 2:54 PM, David Copperfield wrote:

Sorry to declare success too quickly. :( In fact, it is worse now: the IPA master fails after performing the above steps including the RUV cleaning. I've only one working replica and I'm afraid to do anything on it.

On the IPA master, after I ran 'service ipa restart' it reported OK, but 'ipa user-find' failed. So I cleared my Kerberos TGT ticket and ran 'kinit admin' to try my luck; the IPA master failed with the following message, and it showed that the port 389 listener disappeared for unknown reasons.

[root at ipamaster slapd-EXAMPLE-COM]# kinit admin
kinit: Generic error (see e-text) while getting initial credentials
[root at ipamaster slapd-EXAMPLE-COM]# netstat -antup | grep -i LISTEN | grep ns
tcp        0      0 :::7389                     :::*                        LISTEN      6550/ns-slapd
tcp        0      0 :::7390                     :::*                        LISTEN      6550/ns-slapd
[root at ipamaster slapd-EXAMPLE-COM]#

The error logs are pasted here too.

[16/May/2012:14:41:43 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[16/May/2012:14:41:43 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[16/May/2012:14:41:43 -0700] - Listening on All Interfaces port 636 for LDAPS requests
[16/May/2012:14:41:43 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[16/May/2012:14:41:43 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:14:41:43 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:14:41:43 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:14:41:46 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth resumed

Thanks.

--David

________________________________
From: David Copperfield
To: JR Aquino
Cc: "freeipa-users at redhat.com"
Sent: Wednesday, May 16, 2012 1:23 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

Hi JR,

Thanks a lot! It works perfectly.
The only extra thing, which probably applies to 2.1.3 only: I needed to find and clear the ghost RUV records for the CA database as well, and remove them from the master and all other live replicas.

BTW, on 2.2.0 are the two database backends still separate, or merged into one?

Thanks.

--David

________________________________
From: JR Aquino
To: David Copperfield
Cc: FreeIPAUsers
Sent: Wednesday, May 16, 2012 12:57 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

On May 16, 2012, at 12:23 PM, David Copperfield wrote:

> Hi all,
>
> I accidentally removed one of my IPA replica hosts in the IPA web UI by mistake: on the host list I planned to remove ipaclient02.example.com, but accidentally the mouse moved to ipareplica02.example.com and the latter got removed without a prompt.
>
> I realized the mistake and tried to recover from this disaster, but it was already too late; the change propagated to all the replicas and the poor ipareplica02 now stops functioning.
>
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]#
>
> On the IPA master, I found that ipareplica02 didn't show up in the 'host-find' list or the 'service-find' list. Though it still showed in the master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', the real command 'ipa-replica-manage list ipareplica02' fails with an LDAP "couldn't reach" error.
>
> What should I do now? Are there any other ways to recover besides uninstalling and reinstalling the IPA replica ipareplica02?
>
> BTW, it would be more than appreciated if the web UI could pop up a warning prompt when removing host/service entries associated with IPA masters and IPA replicas.

Been there... Done that... The bug is fixed in 2.2... It will prompt and prevent you from deleting a replica host if there is an agreement.

To clean up...

0. On the master replica: ipa-replica-manage del ipareplica02.example.com --force
   - This will delete the replica agreement for the host.

1. $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com \
     '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'

   Look for your nsds50ruv that matches your ghost replica.

2. Create an ldif following the directions here: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
   Something like:

   $ cat cleanup.ldif
   dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
   changetype: modify
   replace: nsds5task
   nsds5task: CLEANRUV## <- ## == The ReplicaID number for the ghost replica.

3. Run on all of the remaining replicas: ldapmodify -x -D "cn=directory manager" -W -f fixed.ldif
   - This removes the ghost entry.

4. On the broken replica: ipa-server-install --uninstall

5. Follow the normal directions for 'installing a replica':
   - on master: ipa-replica-prepare ipareplica02.example.com
   - scp /path/to/ipareplica02.example.com.gpg ipareplica02.example.com:ipareplica02.example.com.gpg
   - on replica: ipa-replica-install ipareplica02.example.com --whatever_options_you_used_previously

6. Check to make sure the server was built correctly and commands work as expected: kinit admin, ipa user-find, ipa host-find, id admin, etc etc

7. Sigh and drink coffee

> Thanks.
>
> --David
>
> From: Rich Megginson
> To: Ben Ho
> Cc: freeipa-users at redhat.com
> Sent: Tuesday, May 15, 2012 5:33 PM
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
> On 05/15/2012 02:49 PM, Ben Ho wrote:
>> This is the information I retrieved about my server.
>>
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> CentOS release 6.2
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>
>> Thanks again.
>
> Is replication otherwise working?
>
>> -Ben
>>
>> Date: Tue, 15 May 2012 13:15:46 -0600
>> From: rmeggins at redhat.com
>> To: ben13ho at hotmail.com
>> CC: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>>
>> On 05/15/2012 01:00 PM, Ben Ho wrote:
>> Hello,
>> I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:
>>
>> ipa-replica-manage re-initialize --from example2.edu
>>
>> On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.
>>
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1
>>
>> Again, I am pretty new to this, so any help or tips would be appreciated.
>>
>> What platform and what version of 389-ds-base and ipa-server for all of your servers?
>>
>> Thanks!
>>
>> -Ben

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From rmeggins at redhat.com Thu May 17 01:15:22 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 16 May 2012 19:15:22 -0600
Subject: [Freeipa-users] Problems replicating with Windows 2008 AD
In-Reply-To:
References: <4FB43424.2050301@redhat.com>
Message-ID: <4FB4512A.2060009@redhat.com>

On 05/16/2012 06:04 PM, Kline, Sara wrote:
>
> I found the issue; it had to do with what Windows set the cn to, as opposed to what I thought the CN was. Once I figured out where that was set I was able to fix it. Cn's for us are usually the user id, so that was where the disconnect was. Once I fixed that issue, however, I got another error. I am logged in as root on the FreeIPA server. When I run the ipa-manage-replica command I get:
>
> Added CA certificate /etc/openldap/cacerts/winadcert.cer to certificate database for oly-infra-ldap1.prod.tnsi.com
>
> INFO:root:AD Suffix is: DC=prod,DC=example,DC=com
>
> Insufficient access
>
> I am not sure I understand why this is not working.
>
You have to set permissions for your AD user in order to use the DirSync control.
See http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx

> To use the DirSync control, caller must have the "directory get changes" right assigned on the root of the partition being monitored. By default, this right is assigned to the Administrator and LocalSystem accounts on domain controllers. The caller must also have the *DS-Replication-Get-Changes* extended control access right. For more information about implementing a change-tracking mechanism for applications that must run under an account that does not have this right, see Polling for Changes Using USNChanged. For more information about privileges, see Privileges.

> Thanks,
>
> Sara Kline
>
> *From:* Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Wednesday, May 16, 2012 4:12 PM
> *To:* Kline, Sara
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Problems replicating with Windows 2008 AD
>
> On 05/16/2012 04:33 PM, Kline, Sara wrote:
>
> Hey all,
>
> FreeIPA has been very simple to set up so far; I have been able to follow along with the documentation every step of the way. I am running into an issue, however, when trying to set up replication between the Red Hat 6.2 server running FreeIPA and the Win 2008 R2 server running Active Directory. I created the replication user like the instructions say and gave it the necessary permissions; however, when I try to set up the agreement, it tells me I am using invalid credentials. I am unsure of what I should do at this point. SSL certs are installed on both and trusted on both, the servers are connected, and both are synced to the same time source. Can anyone think of anything else?
>
> I am using the command as follows:
>
> Ipa-replica-manage connect --winsync
> --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com
> --bindpw mypassword
> --passsync mypassword
> --cacert /etc/openldap/cacerts/winadcert.cer
> oly-infra-ldap2.prod.example.com
>
> You can use ldapsearch to test the connection with AD:
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -H ldap://oly-infra-ldap2.prod.example.com -ZZ -D "cn=freeipa,cn=users,dc=prod,dc=example,dc=com" -w mypassword -s base -b "" 'objectclass=*' namingcontexts
>
> This assumes
> 1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine
> 2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD
> 3) mypassword is the correct password and doesn't need to be quoted for the shell
>
> Sara Kline
>
> System Administrator
>
> Transaction Network Services, Inc
>
> 4501 Intelco Loop, Lacey WA 98503
>
> Wk: (360) 493-6736
>
> Cell: (360) 280-2495
>
> ------------------------------------------------------------------------
>
> This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Transaction Network Services. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From rmeggins at redhat.com Thu May 17 01:18:49 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 16 May 2012 19:18:49 -0600
Subject: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake
In-Reply-To: <1337213480.1977.YahooMailNeo@web125705.mail.ne1.yahoo.com>
References: <4FB2AB62.6080002@redhat.com> <4FB2F5DE.5030308@redhat.com> <1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com> <46C26EC0-21F1-4209-AB19-C6EEE2D360CB@citrixonline.com> <1337199780.85204.YahooMailNeo@web125705.mail.ne1.yahoo.com> <1337205280.11629.YahooMailNeo@web125704.mail.ne1.yahoo.com> <1337210891.74314.YahooMailNeo@web125701.mail.ne1.yahoo.com> <345084AE-5609-4665-A664-6867DDCA0AFE@citrix.com> <1337213480.1977.YahooMailNeo@web125705.mail.ne1.yahoo.com>
Message-ID: <4FB451F9.9030803@redhat.com>

On 05/16/2012 06:11 PM, David Copperfield wrote:
> Hi JR, Rob and Rich,
>
> Thanks a lot for helping! A massage may be the choice for me now. :)
>
> Though I still have two questions here. :)
>
> 1, do you have an idea on how to clear the ghost RUVs thoroughly in one run? For my case today it took me quite some time to clear it again and again across the server farm -- it looks like the affected LDAP entries are overwritten from each other, like a basket of bumping balls.

Correct. See http://port389.org/wiki/Howto:CLEANRUV under the CLEANALLRUV and RELEASERUV procedures. Mark can explain the procedure better than I can. Note that CLEANALLRUV and RELEASERUV are not available in the current release, but will be available in an upcoming release.
>
> 2, And, does it bring troubles if I also run:
>
> ipa-csreplica-manage del --force ## on IPA master
>
> and
>
> clear the CA ghost RUV record from under 'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config'?
>
> I thought the above could be more complete, but the link http://directory.fedoraproject.org/wiki/Howto:CLEANRUV documents only the user LDAP backend and normal user LDAP replicas, not this CA replication and CA LDAP backend clearance.

It shouldn't make a difference - to 389 a replica is a replica - it doesn't matter if it is a user data or a CA data replica.

> So I got confused about why the document link didn't mention this (CA). Is it because clearing the CA RUV is wrong? Or did the author just take it for granted that all users are non-newbies? Any ideas? :)
>
> Thanks a lot for your help today.
>
> --David
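Rich's pointer to the CLEANRUV procedure above, and JR's steps 1 and 2 earlier in the thread (search the RUV tombstone, pick out the ghost replica's ID, write the nsds5task LDIF), can be done mechanically instead of by eye. The following is an added example, not code from the thread or from FreeIPA/389-ds: it parses the output of the step-1 ldapsearch, compares the RUV against the masters that still exist, and emits the step-2 LDIF for every ghost. It covers both the user suffix and the CA suffix David asks about (o=ipaca), since the mapping-tree escaping is the same. The ldapsearch output below is a constructed sample so the script runs offline; the hostnames, replica IDs and CSNs in it are made up, and only the nsds50ruv value layout is the real one.

```python
"""Derive CLEANRUV task LDIFs from an RUV tombstone (added example, not the
thread's or 389-ds's own code).

Assumptions: the RUV tombstone text is what the step-1 ldapsearch returns;
here it is a constructed sample with made-up hosts, replica IDs and CSNs.
"""
import re

# Constructed sample of the step-1 ldapsearch output (LDIF, one tombstone).
SAMPLE_RUV_LDIF = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4fb2aa1a000000040000
nsds50ruv: {replica 4 ldap://ipamaster.example.com:389} 4fb2aa2b000000040000 4fb3f1c2000000040000
nsds50ruv: {replica 5 ldap://ipareplica01.example.com:389} 4fb2ab01000000050000 4fb3f1b0000000050000
nsds50ruv: {replica 6 ldap://ipareplica02.example.com:389} 4fb2ab9c000000060000 4fb2e0f0000000060000
"""

# One RUV element: "{replica <id> ldap://<host>:<port>} <mincsn> <maxcsn>"
RUV_ELEMENT = re.compile(r"^\{replica (\d+) ldap://([^:/]+):(\d+)\}")


def parse_ruv(ldif_text):
    """Map hostname -> replica ID for every replica element in the RUV.

    LDIF folds long values onto continuation lines that start with one
    space; they are unfolded first so a wrapped nsds50ruv still matches.
    """
    unfolded = ldif_text.replace("\n ", "")
    replicas = {}
    for line in unfolded.splitlines():
        if not line.startswith("nsds50ruv: "):
            continue
        m = RUV_ELEMENT.match(line[len("nsds50ruv: "):])
        if m:  # the {replicageneration} element has no host and is skipped
            replicas[m.group(2).lower()] = int(m.group(1))
    return replicas


def ghost_replica_ids(ldif_text, live_hosts):
    """Replica IDs recorded in the RUV whose host is no longer a live master.

    This is the comparison JR's step 1 does by eye: anything in the RUV that
    is not in the current ipa-replica-manage list is a ghost.
    """
    live = {h.lower() for h in live_hosts}
    return sorted(rid for host, rid in parse_ruv(ldif_text).items() if host not in live)


def mapping_tree_cn(suffix):
    """Escape a suffix the way 389-ds names its mapping-tree entry:
    dc=example,dc=com -> dc\\3Dexample\\2Cdc\\3Dcom, o=ipaca -> o\\3Dipaca."""
    return suffix.replace("=", "\\3D").replace(",", "\\2C")


def cleanruv_ldif(suffix, replica_id):
    """Build the LDIF from JR's step 2 for one ghost replica ID."""
    return (
        "dn: cn=replica,cn=%s,cn=mapping tree,cn=config\n"
        "changetype: modify\n"
        "replace: nsds5task\n"
        "nsds5task: CLEANRUV%d\n" % (mapping_tree_cn(suffix), replica_id)
    )


if __name__ == "__main__":
    # Masters that still exist after step 0; ipareplica02 has been deleted.
    live = ["ipamaster.example.com", "ipareplica01.example.com"]
    for rid in ghost_replica_ids(SAMPLE_RUV_LDIF, live):
        print(cleanruv_ldif("dc=example,dc=com", rid))
        print(cleanruv_ldif("o=ipaca", rid))
```

On a real server the sample text would be replaced by the output of the step-1 ldapsearch, and the printed LDIF fed to `ldapmodify -x -D "cn=directory manager" -W -f` on each remaining replica as in step 3. The live-host list is the safety check: a replica ID is only emitted when its host is absent from the list you pass in, so a typo in that list shows up as an unexpected extra LDIF rather than as a silently cleaned live replica.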
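JR notes earlier in the thread that the GSSAPI errors in David's error log are generally benign because ldap starts before the kdc, and David's log bears that out: each "Replication bind with GSSAPI auth failed" at 16:18:36 is followed by "Replication bind with GSSAPI auth resumed" for the same agreement three seconds later. What a practitioner wants is a check that separates that start-up race from an agreement that fails and never recovers. The following is an added example, not code from the thread or from 389-ds/FreeIPA: it parses the NSMMReplicationPlugin lines, pairs each agreement's last failure with its next resume, and reports the agreements still waiting. The log excerpt is a constructed sample built from the line format David pasted; the third agreement (ipareplica03) is made up to show the non-recovering case.

```python
"""Triage GSSAPI replication-bind failures in a 389-ds errors log (added
example, not the thread's or 389-ds's own code).

Assumptions: the line layout as pasted in the thread; the sample is a
constructed excerpt, and ipareplica03 is an invented agreement.
"""
import re
from datetime import datetime

# Constructed sample: two agreements fail at 16:18:36 and resume at
# 16:18:39 as in David's log; the made-up ipareplica03 never resumes.
SAMPLE_ERRORS_LOG = """\
[16/May/2012:16:18:36 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica03.example.com" (ipareplica03:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind with GSSAPI auth resumed
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth resumed
"""

# "[timestamp] NSMMReplicationPlugin - agmt="<cn>" (<host:port>): Replication bind with GSSAPI auth failed|resumed ..."
LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\([^)]*\): Replication bind with GSSAPI auth (?P<state>failed|resumed)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def bind_events(log_text):
    """Yield (timestamp, agreement, state) for each GSSAPI bind fail/resume line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), TS_FORMAT), m.group("agmt"), m.group("state")


def triage_gssapi_binds(log_text):
    """Seconds from each agreement's last bind failure to its next resume.

    Returns {agreement: seconds} with None for an agreement whose last
    failure was never followed by a resume. A small number of seconds is
    the start-up race JR describes; None is the case to act on (keytab,
    KDC reachability, clock skew).
    """
    last_failure = {}
    delay = {}
    for ts, agmt, state in bind_events(log_text):
        if state == "failed":
            last_failure[agmt] = ts
            delay[agmt] = None
        elif agmt in last_failure and delay[agmt] is None:
            delay[agmt] = (ts - last_failure[agmt]).total_seconds()
    return delay


def stuck_agreements(log_text):
    """Agreements whose GSSAPI bind failed and never resumed, sorted by name."""
    return sorted(a for a, d in triage_gssapi_binds(log_text).items() if d is None)


if __name__ == "__main__":
    for agmt, secs in triage_gssapi_binds(SAMPLE_ERRORS_LOG).items():
        print(agmt, "recovered after %.0fs" % secs if secs is not None else "NOT recovered")
```

Run against a real `/var/log/dirsrv/slapd-INSTANCE/errors` file, an empty result from `stuck_agreements` means every GSSAPI bind failure in the file was followed by a resume, which is the benign pattern; anything listed deserves the same attention David gave the port-389 outage.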
> >> > >> -Ben > >> > >> > >> > >> _______________________________________________ > >> Freeipa-users mailing list > >> > >> Freeipa-users at redhat.com > > >> > >> https://www.redhat.com/mailman/listinfo/freeipa-users > >> > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > >> > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > >> > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > > >> > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From freeipa at noboost.org Thu May 17 02:41:19 2012 From: freeipa at noboost.org (freeipa at noboost.org) Date: Thu, 17 May 2012 06:41:19 +0400 Subject: [Freeipa-users] ipa-client-install hangs on Centos 5.2x64 Message-ID: <20120517024119.GA5622@noboost.org> Hi Everyone, Server: RHEL 6.2 ipa-admintools-2.1.3-9.el6.x86_64 ipa-client-2.1.3-9.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.1.3-9.el6.x86_64 ipa-server-2.1.3-9.el6.x86_64 ipa-server-selinux-2.1.3-9.el6.x86_64 libipa_hbac-1.5.1-66.el6_2.3.x86_64 libipa_hbac-python-1.5.1-66.el6_2.3.x86_64 python-iniparse-0.3.1-2.1.el6.noarch Client: CentOS release 5.2 (Final) x86_64 Kernel: 2.6.18-92.1.18.el5 ipa-client-2.1.3-1.el5 sssd-client-1.5.1-49.el5_8.1 sssd-1.5.1-49.el5_8.1 Error: During the ipa-client-install, the client just hangs with no explanation. I've been trying to debug the log file (shown before), I figure being an older CentOS, that the IPA client must need new versions of it's dependencies? 
Debug Log:

2012-05-16 18:04:28,487 DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': False, 'preserve_sssd': False, 'debug': False, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
2012-05-16 18:04:28,487 DEBUG missing options might be asked for interactively later
2012-05-16 18:04:28,487 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-05-16 18:04:28,499 DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2012-05-16 18:04:28,536 DEBUG [ipadnssearchldap(example.com)]
2012-05-16 18:04:28,537 DEBUG [ipadnssearchkrb]
2012-05-16 18:04:28,538 DEBUG [ipacheckldap]
2012-05-16 18:04:28,604 DEBUG args=/usr/bin/wget -O /tmp/tmpdbXm98/ca.crt -T 15 -t 2 http://sysvm-ipa.example.com/ipa/config/ca.crt
2012-05-16 18:04:28,604 DEBUG stdout=
2012-05-16 18:04:28,605 DEBUG stderr=--18:04:28-- http://sysvm-ipa.example.com/ipa/config/ca.crt
Resolving sysvm-ipa.example.com... 192.168.0.214
Connecting to sysvm-ipa.example.com|192.168.0.214|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1353 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmpdbXm98/ca.crt'

     0K .                                                    100%  215M=0s

18:04:28 (215 MB/s) - `/tmp/tmpdbXm98/ca.crt' saved [1353/1353]

2012-05-16 18:04:28,605 DEBUG Init ldap with: ldap://sysvm-ipa.example.com:389
2012-05-16 18:04:28,664 DEBUG Search LDAP server for IPA base DN
2012-05-16 18:04:28,666 DEBUG Check if naming context 'dc=example,dc=com' is for IPA
2012-05-16 18:04:28,667 DEBUG Naming context 'dc=example,dc=com' is a valid IPA context
2012-05-16 18:04:28,667 DEBUG Search for (objectClass=krbRealmContainer) in dc=example,dc=com(sub)
2012-05-16 18:04:28,668 DEBUG Found: [('cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com', {'krbSubTrees': ['dc=example,dc=com'], 'cn': ['EXAMPLE.COM'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
2012-05-16 18:04:28,668 DEBUG will use domain: example.com
2012-05-16 18:04:28,668 DEBUG will use server: sysvm-ipa.example.com
2012-05-16 18:04:28,669 DEBUG will use cli_realm: EXAMPLE.COM
2012-05-16 18:04:28,669 DEBUG will use cli_basedn: dc=example,dc=com
2012-05-16 18:04:32,172 DEBUG will use principal: admin
2012-05-16 18:04:32,237 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://sysvm-ipa.example.com/ipa/config/ca.crt
2012-05-16 18:04:32,237 DEBUG stdout=
2012-05-16 18:04:32,237 DEBUG stderr=--18:04:32-- http://sysvm-ipa.example.com/ipa/config/ca.crt
Resolving sysvm-ipa.example.com... 192.168.0.214
Connecting to sysvm-ipa.example.com|192.168.0.214|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1353 (1.3K) [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'

     0K .                                                    100%  215M=0s

18:04:32 (215 MB/s) - `/etc/ipa/ca.crt' saved [1353/1353]

2012-05-16 18:04:32,256 DEBUG args=/usr/sbin/ntpdate -U ntp -s -b sysvm-ipa.example.com
2012-05-16 18:04:32,256 DEBUG stdout=
2012-05-16 18:04:32,256 DEBUG stderr=
2012-05-16 18:04:32,264 DEBUG args=/usr/sbin/ntpdate -U ntp -s -b sysvm-ipa.example.com
2012-05-16 18:04:32,265 DEBUG stdout=
2012-05-16 18:04:32,265 DEBUG stderr=
2012-05-16 18:04:32,275 DEBUG args=/usr/sbin/ntpdate -U ntp -s -b sysvm-ipa.example.com
2012-05-16 18:04:32,276 DEBUG stdout=
2012-05-16 18:04:32,276 DEBUG stderr=
2012-05-16 18:04:32,285 DEBUG args=/usr/sbin/ntpdate -U ntp -s -b sysvm-ipa.example.com
2012-05-16 18:04:32,285 DEBUG stdout=
2012-05-16 18:04:32,285 DEBUG stderr=
2012-05-16 18:04:32,293 DEBUG args=/usr/sbin/ntpdate -U ntp -s -b sysvm-ipa.example.com
2012-05-16 18:04:32,294 DEBUG stdout=
2012-05-16 18:04:32,294 DEBUG stderr=
2012-05-16 18:04:32,302 DEBUG args=/usr/sbin/ntpdate -U ntp -s -b sysvm-ipa.example.com
2012-05-16 18:04:32,302 DEBUG stdout=
2012-05-16 18:04:32,302 DEBUG stderr=
2012-05-16 18:04:32,303 DEBUG Writing Kerberos configuration to /tmp/tmpVmLJZu:
#File modified by ipa-client-install

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

2012-05-16 18:04:36,006 DEBUG args=kinit admin at EXAMPLE.COM
2012-05-16 18:04:36,006 DEBUG stdout=Password for admin at EXAMPLE.COM:
2012-05-16 18:04:36,006 DEBUG stderr=
2012-05-16 18:06:01,902 DEBUG args=kdestroy
2012-05-16 18:06:01,902 DEBUG stdout=
2012-05-16 18:06:01,902 DEBUG stderr=


From lyamanishi at sesda2.com  Wed May 16 23:07:48 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Wed, 16 May 2012 19:07:48 -0400
Subject: [Freeipa-users] Custom ACI entries
Message-ID: <4FB43344.4020501@sesda2.com>

Hi everybody,

I've added some custom schema to my directory, but it's useless to me if I can't control read permissions on it. This is obviously a little tricky since (Free)IPA allows everybody to read everything by default. With that, what's the best way to restrict access to user attributes? Is there anything like this in the roadmap?

For the interim I've crafted some custom aci entries. Where should I put them? Will they work? Here they are:

> aci: (targetattr =
>   "attribute1 ||
>   attribute2 ||
>   attribute3")
>  (version 3.0; acl "custom attributes base"; deny (all)
>   (userdn = "ldap:///anyone" and
>   userdn != "ldap:///self" and
>   groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>
> aci: (targetattr =
>   "attribute1 ||
>   attribute2 ||
>   attribute3")
>  (version 3.0; acl "custom attributes update"; allow (add, read, write, search, delete)
>   (userdn = "ldap:///self" or
>   groupdn = "ldap:///cn=Manage custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)

-- 
----- *question everything*learn something*answer nothing* ------------
Lucas Yamanishi
------------------ Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706
* 301-352-4646 * 0xE23F3D7A


From rcritten at redhat.com  Thu May 17 13:17:26 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 May 2012 09:17:26 -0400
Subject: [Freeipa-users] Problems replicating with Windows 2008 AD
In-Reply-To: 
References: <4FB43424.2050301@redhat.com>
Message-ID: <4FB4FA66.5090602@redhat.com>

Kline, Sara wrote:
> I found the issue, it had to do with what Windows set the cn to, as opposed to what I thought the CN was. Once I figured out where that was set at I was able to fix it. Cn's for us are usually the user id so that was where the disconnect was. Once I fixed that issue however I got another error. I am logged in as root on the FreeIPA server.
> When I run the ipa-manage-replica command I get:
>
> Added CA certificate /etc/openldap/cacerts/winadcert.cer to certificate database for oly-infra-ldap1.prod.tnsi.com
>
> INFO:root:AD Suffix is: DC=prod,DC=example,DC=com
>
> Insufficient access
>
> I am not sure I understand why this is not working.

Hmm, can you try this:

# kdestroy
# ipa-replica-manage ...

It should prompt you for the Directory Manager password. My guess is that this isn't working with a delegated user over GSSAPI.

What version of freeIPA are you running?

rob

> Thanks,
>
> Sara Kline
>
> *From:* Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Wednesday, May 16, 2012 4:12 PM
> *To:* Kline, Sara
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Problems replicating with Windows 2008 AD
>
> On 05/16/2012 04:33 PM, Kline, Sara wrote:
>
> Hey all,
>
> FreeIPA has been very simple to set up so far, I have been able to follow along with the documentation every step of the way. I am running into an issue however when trying to set up replication between the Red Hat 6.2 server running FreeIPA and the Win 2008 R2 server running Active Directory. I created the replication user like the instructions say and gave it the necessary permissions, however when I try to set up the agreement, it tells me I am using invalid credentials. I am unsure of what I should do at this point? SSL Certs are installed on both and trusted on both, the servers are connected and both are synced to the same time source. Can anyone think of anything else?
>
> I am using the command as follows:
>
> ipa-replica-manage connect --winsync
> --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com
> --bindpw mypassword
> --passsync mypassword
> --cacert /etc/openldap/cacerts/winadcert.cer
> oly-infra-ldap2.prod.example.com
>
> You can use ldapsearch to test the connection with AD:
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -H ldap://oly-infra-ldap2.prod.example.com -ZZ -D "cn=freeipa,cn=users,dc=prod,dc=example,dc=com" -w mypassword -s base -b "" 'objectclass=*' namingcontexts
>
> This assumes
> 1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine
> 2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD
> 3) mypassword is the correct password and doesn't need to be quoted for the shell
>
> Sara Kline
>
> System Administrator
>
> Transaction Network Services, Inc
>
> 4501 Intelco Loop, Lacey WA 98503
>
> Wk: (360) 493-6736
>
> Cell: (360) 280-2495
>
> ------------------------------------------------------------------------
> This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Transaction Network Services. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


From rcritten at redhat.com  Thu May 17 13:34:31 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 May 2012 09:34:31 -0400
Subject: [Freeipa-users] Custom ACI entries
In-Reply-To: <4FB43344.4020501@sesda2.com>
References: <4FB43344.4020501@sesda2.com>
Message-ID: <4FB4FE67.9020204@redhat.com>

Lucas Yamanishi wrote:
> Hi everybody,
>
> I've added some custom schema to my directory, but it's useless to me if I can't control read permissions on it. This is obviously a little tricky since (Free)IPA allows everybody to read everything by default. With that, what's the best way to restrict access to user attributes? Is there anything like this in the roadmap?

Right now there are no plans to support deny ACIs natively in the permission plugin. That isn't set in stone, we just need some convincing.

The best way to do this is what you've done, manually creating ACIs. The problem with deny ACIs is they can get very hard to unwind when trying to figure out why things aren't working.

> For the interim I've crafted some custom aci entries. Where should I put them? Will they work? Here they are:
>
>> aci: (targetattr =
>>   "attribute1 ||
>>   attribute2 ||
>>   attribute3")
>>  (version 3.0; acl "custom attributes base"; deny (all)
>>   (userdn = "ldap:///anyone" and
>>   userdn != "ldap:///self" and
>>   groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>>
>> aci: (targetattr =
>>   "attribute1 ||
>>   attribute2 ||
>>   attribute3")
>>  (version 3.0; acl "custom attributes update"; allow (add, read, write, search, delete)
>>   (userdn = "ldap:///self" or
>>   groupdn = "ldap:///cn=Manage custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)

We put all ACIs into the basedn, so for you dc=sesda2,dc=com.

This is going to be tricky since you want to delegate these but you can't create them natively. This means you need to create both the aci and the permission entry.

A sample permission would look like:

dn: cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Read custom attributes

The ACIs need a little bit of work. The name of the aci needs to match the name of the ACI that permission is being granted to, with a prefix of permission:. So it should look more like:

aci: (targetattr = "attribute1 || attribute2 || attribute3")
 (version 3.0; acl "permission:Read custom attributes"; deny (all)
  (userdn = "ldap:///anyone" and
  userdn != "ldap:///self" and
  groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)

For the second ACI you don't need add and delete, those are entry-level permissions. You might want to add compare though.

We also tend to separate things you can do to your own entry from things you can do to others. So we would break this out into some selfservice ACIs and permission ACIs. Not saying what you're doing won't work.
rob


From SKline at tnsi.com  Thu May 17 15:10:57 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Thu, 17 May 2012 08:10:57 -0700
Subject: [Freeipa-users] Problems replicating with Windows 2008 AD
In-Reply-To: <4FB4512A.2060009@redhat.com>
References: <4FB43424.2050301@redhat.com> <4FB4512A.2060009@redhat.com>
Message-ID: 

That did it! Thank you so much for your assistance! The sync agreement went through successfully.

Thanks,
Sara Kline

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Wednesday, May 16, 2012 6:15 PM
To: Kline, Sara
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Problems replicating with Windows 2008 AD

On 05/16/2012 06:04 PM, Kline, Sara wrote:

I found the issue, it had to do with what Windows set the cn to, as opposed to what I thought the CN was. Once I figured out where that was set at I was able to fix it. Cn's for us are usually the user id so that was where the disconnect was. Once I fixed that issue however I got another error. I am logged in as root on the FreeIPA server. When I run the ipa-manage-replica command I get:

Added CA certificate /etc/openldap/cacerts/winadcert.cer to certificate database for oly-infra-ldap1.prod.tnsi.com

INFO:root:AD Suffix is: DC=prod,DC=example,DC=com

Insufficient access

I am not sure I understand why this is not working.

You have to set permissions for your AD user in order to use the DirSync control. See http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx

To use the DirSync control, caller must have the "directory get changes" right assigned on the root of the partition being monitored. By default, this right is assigned to the Administrator and LocalSystem accounts on domain controllers. The caller must also have the DS-Replication-Get-Changes extended control access right. For more information about implementing a change-tracking mechanism for applications that must run under an account that does not have this right, see Polling for Changes Using USNChanged. For more information about privileges, see Privileges.

Thanks,
Sara Kline

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Wednesday, May 16, 2012 4:12 PM
To: Kline, Sara
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Problems replicating with Windows 2008 AD

On 05/16/2012 04:33 PM, Kline, Sara wrote:

Hey all,

FreeIPA has been very simple to set up so far, I have been able to follow along with the documentation every step of the way. I am running into an issue however when trying to set up replication between the Red Hat 6.2 server running FreeIPA and the Win 2008 R2 server running Active Directory. I created the replication user like the instructions say and gave it the necessary permissions, however when I try to set up the agreement, it tells me I am using invalid credentials. I am unsure of what I should do at this point? SSL Certs are installed on both and trusted on both, the servers are connected and both are synced to the same time source. Can anyone think of anything else?

I am using the command as follows:

ipa-replica-manage connect --winsync
--binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com
--bindpw mypassword
--passsync mypassword
--cacert /etc/openldap/cacerts/winadcert.cer
oly-infra-ldap2.prod.example.com

You can use ldapsearch to test the connection with AD:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -H ldap://oly-infra-ldap2.prod.example.com -ZZ -D "cn=freeipa,cn=users,dc=prod,dc=example,dc=com" -w mypassword -s base -b "" 'objectclass=*' namingcontexts

This assumes
1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine
2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD
3) mypassword is the correct password and doesn't need to be quoted for the shell

Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495


From lyamanishi at sesda2.com  Thu May 17 14:47:26 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Thu, 17 May 2012 10:47:26 -0400
Subject: [Freeipa-users] Custom ACI entries
In-Reply-To: <4FB4FE67.9020204@redhat.com>
References: <4FB43344.4020501@sesda2.com> <4FB4FE67.9020204@redhat.com>
Message-ID: <4FB50F7E.9060301@sesda2.com>

On 05/17/2012 09:34 AM, Rob Crittenden wrote:
> Lucas Yamanishi wrote:
>> Hi everybody,
>>
>> I've added some custom schema to my directory, but it's useless to me if I can't control read permissions on it. This is obviously a little tricky since (Free)IPA allows everybody to read everything by default. With that, what's the best way to restrict access to user attributes? Is there anything like this in the roadmap?
>
> Right now there are no plans to support deny ACIs natively in the permission plugin. That isn't set in stone, we just need some convincing.

Then let me make the case:

I know IPA is aimed mainly at authentication and authorization, but it provides enough base schema and tree structure to do basic asset and personnel management. More importantly, it's easier to set up than a pure 389 Directory. This makes it ideal for small to medium sized organizations that don't need the extra utility a separate directory provides. Additionally, the well-designed webui makes it easy to delegate tasks to non-technical personnel.

The requirements to achieve this end are two: add native support for a restricted set of schema extensions and fine-grained access controls to those attributes. For schema extensions, support could (and should) be limited only to additional attributes on a restricted set of existing objects. For example, additions to users and hosts. This would satisfy requirements for a majority of small to medium sized organizations, I'd think.

> The best way to do this is what you've done, manually creating ACIs. The problem with deny ACIs is they can get very hard to unwind when trying to figure out why things aren't working.

How do you mean?

>> For the interim I've crafted some custom aci entries. Where should I put them? Will they work? Here they are:
>>
>>> aci: (targetattr =
>>>   "attribute1 ||
>>>   attribute2 ||
>>>   attribute3")
>>>  (version 3.0; acl "custom attributes base"; deny (all)
>>>   (userdn = "ldap:///anyone" and
>>>   userdn != "ldap:///self" and
>>>   groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>>>
>>> aci: (targetattr =
>>>   "attribute1 ||
>>>   attribute2 ||
>>>   attribute3")
>>>  (version 3.0; acl "custom attributes update"; allow (add, read, write, search, delete)
>>>   (userdn = "ldap:///self" or
>>>   groupdn = "ldap:///cn=Manage custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>
> We put all ACIs into the basedn, so for you dc=sesda2,dc=com.
>
> This is going to be tricky since you want to delegate these but you can't create them natively. This means you need to create both the aci and the permission entry.
>
> A sample permission would look like:
>
> dn: cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermission
> cn: Read custom attributes

Can't I add these via "ipa permission-add" or the webui?

> The ACIs need a little bit of work. The name of the aci needs to match the name of the ACI that permission is being granted to, with a prefix of permission:. So it should look more like:
>
> aci: (targetattr = "attribute1 || attribute2 || attribute3")
>  (version 3.0; acl "permission:Read custom attributes"; deny (all)
>   (userdn = "ldap:///anyone" and
>   userdn != "ldap:///self" and
>   groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>
> For the second ACI you don't need add and delete, those are entry-level permissions. You might want to add compare though.
>
> We also tend to separate things you can do to your own entry from things you can do to others. So we would break this out into some selfservice ACIs and permission ACIs. Not saying what you're doing won't work.
>
> rob

Thanks!

-- 
----- *question everything*learn something*answer nothing* ------------
Lucas Yamanishi
------------------ Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706
* 301-352-4646 * 0xE23F3D7A


From lyamanishi at sesda2.com  Thu May 17 16:34:46 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Thu, 17 May 2012 12:34:46 -0400
Subject: [Freeipa-users] Custom ACI entries
In-Reply-To: <4FB4FE67.9020204@redhat.com>
References: <4FB43344.4020501@sesda2.com> <4FB4FE67.9020204@redhat.com>
Message-ID: <4FB528A6.7060003@sesda2.com>

On 05/17/2012 09:34 AM, Rob Crittenden wrote:
> ...
>
> The ACIs need a little bit of work. The name of the aci needs to match the name of the ACI that permission is being granted to, with a prefix of permission:. So it should look more like:
>
> aci: (targetattr = "attribute1 || attribute2 || attribute3")
>  (version 3.0; acl "permission:Read custom attributes"; deny (all)
>   (userdn = "ldap:///anyone" and userdn != "ldap:///self" and
>   groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>
> For the second ACI you don't need add and delete, those are entry-level permissions. You might want to add compare though.
>
> We also tend to separate things you can do to your own entry from things you can do to others. So we would break this out into some selfservice ACIs and permission ACIs. Not saying what you're doing won't work.
>
> rob

BTW, what's the origin of the naming restrictions? Is it an IPA thing?

Here are my updated ACIs:

dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr =
  "privateAttribute1 ||
  privateAttribute2 ||
  privateAttribute3 ||
  privateAttribute4")
 (version 3.0; acl "permission:Read custom attributes"; deny (all)
  (userdn = "ldap:///anyone" and
  groupdn != "ldap:///cn=Read custom
attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)

dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr =
  "privateAttribute1 ||
  privateAttribute2")
 (version 3.0; acl "permission:Does this need a special name?"; allow
(read, search, compare)
  userdn = "ldap:///self";)

dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr =
  "privateAttribute1 ||
  privateAttribute2 ||
  privateAttribute3 ||
  privateAttribute4")
 (version 3.0; acl "permission:Manage custom attributes"; allow
(read, write, search, compare)
  groupdn = "ldap:///cn=Manage custom
attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com";)

-- 
----- *question everything*learn something*answer nothing* ------------
Lucas Yamanishi
------------------ Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706
* 301-352-4646 * 0xE23F3D7A


From rcritten at redhat.com  Thu May 17 17:47:49 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 May 2012 13:47:49 -0400
Subject: [Freeipa-users] Custom ACI entries
In-Reply-To: <4FB528A6.7060003@sesda2.com>
References: <4FB43344.4020501@sesda2.com> <4FB4FE67.9020204@redhat.com> <4FB528A6.7060003@sesda2.com>
Message-ID: <4FB539C5.8010704@redhat.com>

Lucas Yamanishi wrote:
> On 05/17/2012 09:34 AM, Rob Crittenden wrote:
>> ...
>>
>> The ACIs need a little bit of work. The name of the aci needs to match the name of the ACI that permission is being granted to, with a prefix of permission:. So it should look more like:
>>
>> aci: (targetattr = "attribute1 || attribute2 || attribute3")
>>  (version 3.0; acl "permission:Read custom attributes"; deny (all)
>>   (userdn = "ldap:///anyone" and userdn != "ldap:///self" and
>>   groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>>
>> For the second ACI you don't need add and delete, those are entry-level permissions. You might want to add compare though.
>>
>> We also tend to separate things you can do to your own entry from things you can do to others. So we would break this out into some selfservice ACIs and permission ACIs. Not saying what you're doing won't work.
>>
>> rob
>
> BTW, what's the origin of the naming restrictions? Is it an IPA thing?

Yes, we are trying to hide the complexity of ACIs behind the permission concept. We take advantage of nested group membership and use that to delegate access. We create an ACI that grants permission to do something to a group (in this case a permission). This permission is then a member of a privilege which is a member of a role which itself has users, groups, etc as members. So being a member of a role grants access to all permissions associated with it.

An ACI is just a string of text so we need some mechanism to link an ACI with a permission object so we use this comment/name section. We added a prefix to distinguish between selfservice permissions and normal permissions (and perhaps future prefixes as well).

> Here are my updated ACIs:
>
> dn: dc=sesda2,dc=com
> changetype: modify
> add: aci
> aci: (targetattr =
>    "privateAttribute1 ||
>    privateAttribute2 ||
>    privateAttribute3 ||
>    privateAttribute4")
>   (version 3.0; acl "permission:Read custom attributes"; deny (all)
>    (userdn = "ldap:///anyone" and
>    groupdn != "ldap:///cn=Read custom
> attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>
> dn: dc=sesda2,dc=com
> changetype: modify
> add: aci
> aci: (targetattr =
>    "privateAttribute1 ||
>    privateAttribute2")
>   (version 3.0; acl "permission:Does this need a special name?"; allow
> (read, search, compare)
>    userdn = "ldap:///self";)

Use the prefix selfservice and name it something like: selfservice: 
Users can read their own private attributes

> dn: dc=sesda2,dc=com
> changetype: modify
> add: aci
> aci: (targetattr =
>    "privateAttribute1 ||
>    privateAttribute2 ||
>    privateAttribute3 ||
>    privateAttribute4")
>   (version 3.0; acl "permission:Manage custom attributes"; allow
> (read, write, search, compare)
>    groupdn = "ldap:///cn=Manage custom
> attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com";)

Otherwise looks ok. ACIs often have subtle problems so I'd test 
carefully. Assuming these work ok you might try enhancing them to limit 
their scope to just users by adding (target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=sesda2,dc=com"). This might speed 
up ACI processing ever so slightly, and every ms counts.

rob
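
Added example (editor's note, not part of Rob's reply and not FreeIPA code): a small Python lint for the linkage Rob describes between an ACI and a permission object. A permission lives at cn=<name>,cn=permissions,cn=pbac,<suffix>, the ACI backing it is named "permission:<name>" and must reference that group in a groupdn clause, and self-service ACIs carry the "selfservice:" prefix and bind userdn = "ldap:///self". The parser is regex based and only covers the ACI shapes posted in this thread; the suffix dc=example,dc=com and the three sample ACIs are constructed for the example, and the "no target clause" warning reflects Rob's scoping suggestion above.

```python
"""Lint FreeIPA-style ACIs for the permission naming linkage described above.

Added example, not code from the thread or from FreeIPA.  A permission object
lives at cn=<name>,cn=permissions,cn=pbac,<suffix>; the ACI that backs it is
named "permission:<name>" and must reference that group in a groupdn clause,
while self-service ACIs carry the "selfservice:" prefix and bind to
userdn = "ldap:///self".  The parser is regex based and covers the ACI shapes
posted in this thread, nothing more.  All sample ACIs are constructed.
"""
import re

SUFFIX = "dc=example,dc=com"  # constructed; the thread uses dc=sesda2,dc=com

ACL_NAME = re.compile(r'acl\s+"([^"]+)"')
TARGETATTR = re.compile(r'targetattr\s*=\s*"([^"]*)"')
TARGET = re.compile(r'\(target\s*=\s*"([^"]*)"\)')
GROUPDN = re.compile(r'groupdn\s*(!?=)\s*"ldap:///([^"]+)"')
USERDN = re.compile(r'userdn\s*(!?=)\s*"ldap:///([^"]+)"')
RIGHTS = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')


def normalize_dn(dn):
    """Fold line wraps and spacing around RDN separators, lower-case for comparison."""
    return ",".join(p.strip() for p in re.sub(r"\s+", " ", dn).split(",")).lower()


def parse_aci(aci):
    """Pull the clauses the lint needs out of one ACI string (wrapped lines are folded)."""
    flat = re.sub(r"\s+", " ", aci.strip())
    name = ACL_NAME.search(flat)
    if name is None:
        raise ValueError("ACI has no acl name clause")
    attrs, target, rights = TARGETATTR.search(flat), TARGET.search(flat), RIGHTS.search(flat)
    return {
        "name": name.group(1),
        "targetattr": [a.strip() for a in attrs.group(1).split("||")] if attrs else [],
        "target": target.group(1) if target else None,
        "effect": rights.group(1) if rights else None,
        "rights": [r.strip() for r in rights.group(2).split(",")] if rights else [],
        "groupdns": [(op, normalize_dn(dn)) for op, dn in GROUPDN.findall(flat)],
        "userdns": [(op, dn.strip().lower()) for op, dn in USERDN.findall(flat)],
    }


def lint_aci(aci, suffix=SUFFIX):
    """Return {"errors": [...], "warnings": [...]}.

    Errors break the ACI <-> permission linkage; warnings are the softer points
    raised in the thread (entry-level rights on an attribute ACI, missing target scope).
    """
    p = parse_aci(aci)
    errors, warnings = [], []
    name = p["name"]
    self_bound = any(op == "=" and dn == "self" for op, dn in p["userdns"])
    if name.startswith("permission:"):
        expected = normalize_dn(f"cn={name[len('permission:'):]},cn=permissions,cn=pbac,{suffix}")
        if not any(dn == expected for _, dn in p["groupdns"]):
            errors.append(f"{name!r}: no groupdn clause references {expected}")
        if self_bound and p["effect"] == "allow":
            errors.append(f"{name!r}: grants rights to self; use the selfservice: prefix")
    elif name.startswith("selfservice:"):
        if not self_bound:
            errors.append(f'{name!r}: selfservice ACI must use userdn = "ldap:///self"')
    else:
        errors.append(f"{name!r}: name lacks a permission: or selfservice: prefix")
    entry_level = sorted({"add", "delete"} & set(p["rights"]))
    if entry_level and p["targetattr"]:
        warnings.append(f"{name!r}: {entry_level} are entry-level rights; drop them from an attribute ACI")
    if p["target"] is None:
        warnings.append(f"{name!r}: no (target = ...) clause; consider uid=*,cn=users,cn=accounts,{suffix}")
    return {"errors": errors, "warnings": warnings}


# Constructed samples modelled on the ACIs posted in this thread.
MANAGE_ACI = """(targetattr = "privateAttribute1 || privateAttribute2")
  (version 3.0; acl "permission:Manage custom attributes"; allow
  (read, write, search, compare)
   groupdn = "ldap:///cn=Manage custom
 attributes,cn=permissions,cn=pbac,dc=example,dc=com";)"""

MISNAMED_SELF_ACI = """(targetattr = "privateAttribute1 || privateAttribute2")
  (version 3.0; acl "permission:Read own attributes"; allow
  (read, search, compare, add, delete)
   userdn = "ldap:///self";)"""

SELF_ACI = """(target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")
  (targetattr = "privateAttribute1 || privateAttribute2")
  (version 3.0; acl "selfservice:Users can read their own private attributes"; allow
  (read, search, compare)
   userdn = "ldap:///self";)"""

if __name__ == "__main__":
    for label, aci in (("manage", MANAGE_ACI), ("misnamed", MISNAMED_SELF_ACI), ("self", SELF_ACI)):
        print(label, lint_aci(aci))
```

Run it against an LDIF dump of your aci values before loading them; the "manage" sample passes with only the scoping warning, the misnamed one fails on both the missing permission group and the self bind, and the selfservice one is clean.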



From SKline at tnsi.com  Thu May 17 18:06:23 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Thu, 17 May 2012 11:06:23 -0700
Subject: [Freeipa-users] Problems with Passsync
Message-ID: 

Replication is working great. When I create/delete an account on the AD server it shows up in FreeIPA, however I can't get Passsync to work. I believe it is working because the last step in the documentation isn't working. When I try to import the certificate, I get this message:
Certutil.exe: "unable to open "C:\Users\Administrator\Documents\ca.crt" for reading (-5950, 2). Any ideas?

Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495


________________________________
This e-mail message is for the sole use of the intended recipient(s)and may
contain confidential and privileged information of Transaction Network Services.
Any unauthorised review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.


From ilf at ilf.me  Thu May 17 21:13:32 2012
From: ilf at ilf.me (Iliyan Stoyanov)
Date: Fri, 18 May 2012 00:13:32 +0300
Subject: [Freeipa-users] FreeIPA v2.2.0 on F17 not starting
Message-ID: <1337289212.24421.16.camel@tablet>

Hello,

I'm running latest (as of today) F17 with FreeIPA v.2.2.0. After running
ipa-server-install everything runs alright and IPA is running fine. 389,
kerberos and the rest of the components start up fine. However after
reboot of the machine IPA doesn't want to start, systemctl status
ipa.service reports: 

ipa.service - Identity, Policy, Audit
	  Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
	  Active: failed (Result: exit-code) since Thu, 17 May 2012 23:17:42
+0300; 6min ago
	 Process: 567 ExecStart=/usr/sbin/ipactl start (code=exited,
status=1/FAILURE)
	  CGroup: name=systemd:/system/ipa.service

May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Failed to read
data from Directory Service: Unknown error when retrieving list of
services from LDAP: [Errno 111] Connection refused
May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Shutting down
May 17 23:17:41 cerberus.intra.evilpuppy.bg ipactl[567]: Starting
Directory Service

and ipactl start just repeats the error:

ipactl start
Starting Directory Service
Failed to read data from Directory Service: Unknown error when
retrieving list of services from LDAP: [Errno 111] Connection refused
Shutting down

If I start ns-slapd by hand with ns-slapd -D /etc/dirsrv/slapd-PKI-IPA
&& ns-slapd -D /etc/dirsrv/slapd-MYREALM, slapd starts, however the
MYREALM instance throws 

etc/dirsrv/slapd-MYREALM/dse.ldif: nsslapd-maxdescriptors:
nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors
must range from 1 to 4096 (the current process limit).  Server will use
a setting of 4096.
[17/May/2012:23:25:29 +0300] - Config Warning: - nsslapd-maxdescriptors:
invalid value "8192", maximum file descriptors must range from 1 to 4096
(the current process limit).  Server will use a setting of 4096.

which however is not a big problem, but it seems ns-slapd doesn't care
about the limits that are setup in the limits.conf.

after starting the directory server I again try with  systemctl start
ipa.service and the result this time is:

ipa.service - Identity, Policy, Audit
	  Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
	  Active: failed (Result: exit-code) since Thu, 17 May 2012 23:28:02
+0300; 25s ago
	 Process: 942 ExecStart=/usr/sbin/ipactl start (code=exited,
status=1/FAILURE)
	  CGroup: name=systemd:/system/ipa.service

May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Job failed. See
system journal and 'systemctl status' for details.
May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Failed to start
KDC Service
May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Shutting down
May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Aborting ipactl
May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting
Directory Service
May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting KDC
Service

the /var/log/krb5kdc.log reports:

rb5kdc: Server error - while fetching master key K/M for realm MYREALM
May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](debug): Got signal
to request exit
May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down
fd 9
May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down
fd 10
May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down
fd 8
May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down
fd 7
May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): shutting down
krb5kdc: Server error - while fetching master key K/M for realm MYREALM

From what I get from the kdc.conf file in /var/kerberos/krb5kdc it seems
like the files
pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
are missing in that path, however I don't really know what should
generate those pem certs. From my very basic understanding of how IPA
works I assume that is dogtag's job, and again I assume ipactl
start/systemctl start ipa.service probably should take care of that,
however this doesn't happen.

So any help with this issue is welcome. I can go for LDAP/KRB setup to
use on my virtual/physical machines, however if going down the krb/LDAP
route I think IPA would be far better to support in the long run.

If that might be some help, I'm running x86_64 F17 inside Xen domU. The
host is Fedora 17 Dom0 with a bunch of other CentOS6.2 and NetBSD6 DomU.

I have the exact same situation also with FreeIPA built from git. The
packages from git are  version 2.99:

freeipa-server-selinux-2.99.0GIT46c6ff6-0.fc17.x86_64
freeipa-python-2.99.0GIT46c6ff6-0.fc17.x86_64
freeipa-admintools-2.99.0GIT46c6ff6-0.fc17.x86_64
freeipa-server-2.99.0GIT46c6ff6-0.fc17.x86_64
freeipa-client-2.99.0GIT46c6ff6-0.fc17.x86_64

the 2.2.0 version I also ran was the one in F17. 

Thanks in advance,
BR
ilf


From rmeggins at redhat.com  Thu May 17 21:53:00 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 17 May 2012 15:53:00 -0600
Subject: [Freeipa-users] FreeIPA v2.2.0 on F17 not starting
In-Reply-To: <1337289212.24421.16.camel@tablet>
References: <1337289212.24421.16.camel@tablet>
Message-ID: <4FB5733C.8010303@redhat.com>

On 05/17/2012 03:13 PM, Iliyan Stoyanov wrote:
> Hello,
>
> I'm running latest (as of today) F17 with FreeIPA v.2.2.0. After 
> running ipa-server-install everything runs alright and IPA is running 
> fine. 389, kerberos and the rest of the components start up fine. 
> However after reboot of the machine IPA doesn't want to start, 
> systemctl status ipa.service reports:
>
> ipa.service - Identity, Policy, Audit
>   Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
>   Active: failed (Result: exit-code) since Thu, 17 May 2012 23:17:42 
> +0300; 6min ago
> Process: 567 ExecStart=/usr/sbin/ipactl start (code=exited, 
> status=1/FAILURE)
>   CGroup: name=systemd:/system/ipa.service
>
> May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Failed to 
> read data from Directory Service: Unknown error when retrieving list 
> of services from LDAP: [Errno 111] Connection refused
> May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Shutting down
> May 17 23:17:41 cerberus.intra.evilpuppy.bg ipactl[567]: Starting 
> Directory Service
>
> and ipactl start just repeats the error:
>
> ipactl start
> Starting Directory Service
> Failed to read data from Directory Service: Unknown error when 
> retrieving list of services from LDAP: [Errno 111] Connection refused
> Shutting down
>
> If I start ns-slapd by hand with ns-slapd -D /etc/dirsrv/slapd-PKI-IPA 
> && ns-slapd -D /etc/dirsrv/slapd-MYREALM, slapd starts, however the 
> MYREALM instance throws
>
> etc/dirsrv/slapd-MYREALM/dse.ldif: nsslapd-maxdescriptors: 
> nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors 
> must range from 1 to 4096 (the current process limit).  Server will 
> use a setting of 4096.
> [17/May/2012:23:25:29 +0300] - Config Warning: - 
> nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors 
> must range from 1 to 4096 (the current process limit).  Server will 
> use a setting of 4096.
>
> which however is not a big problem, but it seems ns-slapd doesn't care 
> about the limits that are setup in the limits.conf.

It cares, but the systemd conf file must also specify NOFILES=8192

>
> after starting the directory server I again try with  systemctl start 
> ipa.service and the result this time is:
>
> ipa.service - Identity, Policy, Audit
>   Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
>   Active: failed (Result: exit-code) since Thu, 17 May 2012 23:28:02 
> +0300; 25s ago
> Process: 942 ExecStart=/usr/sbin/ipactl start (code=exited, 
> status=1/FAILURE)
>   CGroup: name=systemd:/system/ipa.service
>
> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Job failed. 
> See system journal and 'systemctl status' for details.
> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Failed to 
> start KDC Service
> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Shutting down
> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Aborting ipactl
> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting 
> Directory Service
> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting KDC 
> Service
>
> the /var/log/krb5kdc.log reports:
>
> rb5kdc: Server error - while fetching master key K/M for realm MYREALM
> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](debug): Got signal 
> to request exit
> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing 
> down fd 9
> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing 
> down fd 10
> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing 
> down fd 8
> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing 
> down fd 7
> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): shutting down
> krb5kdc: Server error - while fetching master key K/M for realm MYREALM
>
> From what I get from the kdc.conf file in /var/kerberos/krb5kdc it 
> seems like the files
> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> are missing in that path, however I don't really know what should 
> generate those pem certs. From my very basic understanding of how IPA 
> works I assume that is dogtag's job, and again I assume ipactl 
> start/systemctl start ipa.service probably should take care of that, 
> however this doesn't happen.
>
> So any help with this issue is welcome. I can go for LDAP/KRB setup to 
> use on my virtual/physical machines, however if going down the 
> krb/LDAP route I think IPA would be far better to support in the long run.
>
> If that might be some help, I'm running x86_64 F17 inside Xen domU. 
> The host is Fedora 17 Dom0 with a bunch of other CentOS6.2 and NetBSD6 
> DomU.
>
> I have the exact same situation also with FreeIPA built from git. The 
> packages from git are  version 2.99:
>
> freeipa-server-selinux-2.99.0GIT46c6ff6-0.fc17.x86_64
> freeipa-python-2.99.0GIT46c6ff6-0.fc17.x86_64
> freeipa-admintools-2.99.0GIT46c6ff6-0.fc17.x86_64
> freeipa-server-2.99.0GIT46c6ff6-0.fc17.x86_64
> freeipa-client-2.99.0GIT46c6ff6-0.fc17.x86_64
>
> the 2.2.0 version I also ran was the one in F17.
>
> Thanks in advance,
> BR
> ilf
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

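Added example (editor's note, not part of Rich's reply and not 389-ds or FreeIPA code): the warning Iliyan quotes says the server caps nsslapd-maxdescriptors at the process limit, and for a systemd-started daemon that limit comes from LimitNOFILE= in the service unit or a drop-in, which is why an entry in limits.conf never reaches the instance. The script reads the configured value from a dse.ldif fragment and LimitNOFILE= from a unit fragment (both constructed here, with a placeholder unit body), and reproduces the fallback rule so the mismatch is visible before a restart. current_process_limit() assumes the soft RLIMIT_NOFILE is what the warning calls "the current process limit".

```python
"""Preflight for the nsslapd-maxdescriptors warning quoted in this thread.

Added example; not 389-ds or FreeIPA code.  It reads nsslapd-maxdescriptors
from a dse.ldif, reads LimitNOFILE= from a systemd unit (or drop-in) fragment,
and reproduces the server's fallback rule: a configured value outside
1..<process limit> is replaced by the process limit, with the warning text
the original poster saw.  The dse.ldif and unit fragments are constructed.
"""
import resource

# Constructed dse.ldif fragment: the instance asks for 8192 descriptors.
DSE_FRAGMENT = """dn: cn=config
cn: config
nsslapd-maxdescriptors: 8192
nsslapd-port: 389
"""

# Constructed unit fragment without LimitNOFILE=: the daemon then runs with
# whatever limit systemd hands it (4096 in the poster's log), not limits.conf.
UNIT_WITHOUT_LIMIT = """[Unit]
Description=placeholder 389 Directory Server unit for MYREALM

[Service]
Type=forking
ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-MYREALM
"""

# Same fragment with the limit raised to match the dse.ldif value.
UNIT_WITH_LIMIT = UNIT_WITHOUT_LIMIT + "LimitNOFILE=8192\n"


def configured_maxdescriptors(dse_text):
    """Return the nsslapd-maxdescriptors value from a dse.ldif, or None if unset."""
    for line in dse_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "nsslapd-maxdescriptors":
            return int(value.strip())
    return None


def unit_limit_nofile(unit_text):
    """Return the hard NOFILE limit from LimitNOFILE= in [Service], or None.

    systemd accepts "N" or "soft:hard" and the last assignment wins; "infinity"
    is reported as None because it imposes no cap of its own.
    """
    limit, in_service = None, False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_service = line == "[Service]"
        elif in_service and line.startswith("LimitNOFILE="):
            hard = line.split("=", 1)[1].split(":")[-1].strip()
            limit = None if hard == "infinity" else int(hard)
    return limit


def effective_maxdescriptors(configured, process_limit):
    """Apply the server's rule and return (value the server will use, warning or None)."""
    if 1 <= configured <= process_limit:
        return configured, None
    warning = (
        f'nsslapd-maxdescriptors: invalid value "{configured}", maximum file '
        f"descriptors must range from 1 to {process_limit} (the current process "
        f"limit). Server will use a setting of {process_limit}."
    )
    return process_limit, warning


def check_instance(dse_text, unit_text, fallback_limit):
    """The cap is LimitNOFILE= when the unit sets one, else fallback_limit
    (for a live process, pass current_process_limit())."""
    configured = configured_maxdescriptors(dse_text)
    cap = unit_limit_nofile(unit_text)
    if cap is None:
        cap = fallback_limit
    return effective_maxdescriptors(configured, cap)


def current_process_limit():
    """Soft RLIMIT_NOFILE of this process; assumed to match what the server
    reports as 'the current process limit'."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)[0]


if __name__ == "__main__":
    for label, unit in (("no LimitNOFILE", UNIT_WITHOUT_LIMIT), ("LimitNOFILE=8192", UNIT_WITH_LIMIT)):
        used, warning = check_instance(DSE_FRAGMENT, unit, 4096)
        print(f"{label}: server would use {used}; warning: {warning}")
```

With the first unit the script reproduces the 4096 fallback and the warning text from the log; with LimitNOFILE=8192 the configured value is honoured and no warning is produced.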

From SKline at tnsi.com  Thu May 17 22:10:38 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Thu, 17 May 2012 15:10:38 -0700
Subject: [Freeipa-users] Problems with Passsync
In-Reply-To: 
References: 
Message-ID: 

I was able to fix the import issue, and found some special SSL things for Server 2008 when you are wanting to run LDAP/SSL. So Pass Sync is no longer stating that SSL may not be set up correctly.
I am running into an issue however. These are the entries in the Pass Sync log file:
PassSync service is running
No entries yet
Ldap bind error in Connect 32: No such object
Can not connect to ldap server in SyncPasswords

Thanks,
Sara Kline

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Kline, Sara
Sent: Thursday, May 17, 2012 11:06 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Problems with Passsync

Replication is working great. When I create/delete an account on the AD server it shows up in FreeIPA, however I can't get Passsync to work. I believe it is working because the last step in the documentation isn't working. When I try to import the certificate, I get this message:
Certutil.exe: "unable to open "C:\Users\Administrator\Documents\ca.crt" for reading (-5950, 2). Any ideas?

Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495



From cao2dan at yahoo.com  Fri May 18 10:06:01 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Fri, 18 May 2012 03:06:01 -0700 (PDT)
Subject: [Freeipa-users] Still not working -- Re: What to do next???:
	IPA replica host entry is removed on web UI by mistake
In-Reply-To: <4FB451F9.9030803@redhat.com>
References: ,
	<4FB2AB62.6080002@redhat.com>
	
	<4FB2F5DE.5030308@redhat.com>
	<1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com>
	<46C26EC0-21F1-4209-AB19-C6EEE2D360CB@citrixonline.com>
	<1337199780.85204.YahooMailNeo@web125705.mail.ne1.yahoo.com>
	<1337205280.11629.YahooMailNeo@web125704.mail.ne1.yahoo.com>
	,
	<1337210891.74314.YahooMailNeo@web125701.mail.ne1.yahoo.com>
	<345084AE-5609-4665-A664-6867DDCA0AFE@citrix.com>
	<1337213480.1977.YahooMailNeo@web125705.mail.ne1.yahoo.com>
	<4FB451F9.9030803@redhat.com>
Message-ID: <1337335561.14809.YahooMailNeo@web125704.mail.ne1.yahoo.com>

Hi Rich and all,

For the latest IPA version 2.1.3-9 on red hat 6.2, the CA RUV records clearance seems a must. Before clearance the annoying messages are filling /var/log/dirsrv/slapd-PKI-IPA/errors on the master, while after clearance the entries are gone.

[16/May/2012:19:49:40 -0700] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[16/May/2012:19:49:57 -0700] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[16/May/2012:19:53:21 -0700] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[16/May/2012:19:53:24 -0700] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20

Before clearing the CA RUV, the error log file had the entries listed below; after clearance they are gone too.

[16/May/2012:19:49:21 -0700] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: data for replica o=ipaca does not match the data in the changelog (replica data (4fb46756000000510000) > changelog (4fb46756000000510000)). Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
[16/May/2012:19:49:21 -0700] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[16/May/2012:19:49:21 -0700] - Listening on All Interfaces port 7390 for LDAPS requests


Hope in 2.2.0 we only need to clear user data type replication, and can safely ignore the CA type, which will be automatically cleaned -- in sync with user type replication.

Thanks.

--David


________________________________
 From: Rich Megginson 
To: David Copperfield  
Cc: JR Aquino ; Rob Crittenden ; "freeipa-users at redhat.com" ; Mark Reynolds  
Sent: Wednesday, May 16, 2012 6:18 PM
Subject: Re: Still not working -- Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
 

On 05/16/2012 06:11 PM, David Copperfield wrote:
> Hi JR, Rob and Rich,
>
> Thanks a lot for helping! A massage may be the choice for me now. :)
>
> Though I still have two questions here. :)
>
> 1, do you have an idea on how to clear the ghost RUVs thoroughly in one run? For my case today it took me quite some time to clear it again and again from across server farm -- it looks like the affected LDAP entries are overwritten from each other, like a basket of bumping balls.

Correct.  See http://port389.org/wiki/Howto:CLEANRUV under the CLEANALLRUV and RELEASERUV procedures.  Mark can explain the procedure better than I can.

Note that CLEANALLRUV and RELEASERUV are not available in the current release, but will be available in an upcoming release.

> 2, And, does it bring troubles if I also run:
>
>   ipa-csreplica-manage del  --force   ## on IPA master
>
> and
>
>   clear the CA ghost RUV record from under 'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config'
>
> I thought this above could be more complete, But the link http://directory.fedoraproject.org/wiki/Howto:CLEANRUV documented only user LDAP backend and normal user LDAP replica, not including this CA replication and CA ldap backend clearance.

It shouldn't make a difference - to 389 a replica is a replica - it doesn't matter if it is a user data or a CA data replica.

> So I got confused on the purposes the document link didn't mention this (CA). It is because clear CA RUV is wrong? or the author just took it for granted that all users are non-newbies, any ideas?  :)
>
> Thanks a lot for your help today.
>
> --David
>
>________________________________
> From: JR Aquino
> To: David Copperfield
> Cc: "freeipa-users at redhat.com" ; Rob Crittenden
> Sent: Wednesday, May 16, 2012 4:41 PM
> Subject: Re: Still not working -- Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
>
> Whew, glad to hear you got through it!
>
> The 389 ds crew is working on making the cleanruv into an internal automated process. I empathize completely.
>
> The gssapi errors are generally benign. They come up because ldap starts before the kdc.
>
> "Keeping your head in the cloud"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino | Sr. Information Security Specialist
> GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> jr.aquino at citrix.com
> http://www.citrixonline.com
>
> On May 16, 2012, at 4:29 PM, "David Copperfield" wrote:
>
> Could that be because of removing ghost entries in CA database?
>
> Another possible place could be the deleting/clearing option itself. One annoying thing that I've found is:
>
> I cleared the RUV records from IPA servers one by one, then I restart IPA services on the servers one by one again, ldapsearch showed that the RUV ghost entries popped up again. :(
>
> I had to kill it again and again across the IPA server farms, then restart IPA servers one by one, check again, until the ghost RUV entries disappeared from all and didn't come back -- It is very, VERY exhausting and annoying.
>
> After that I still need to stop IPA replica first, then restart IPA master and until now it worked -- ipa commands and kinit worked.  At last I brought up the valid replica and it worked this time as well.
>
> Now it was time to reinstall the failed IPA replica and it was installed and up and running well.
>
> After I tested with 'ipa user-add', 'ipa-user-delete' and found that the replication did work across the IPA master and IPA replicas. I tested the last time and found the following messages in the error log file on IPA master, it maybe harmless but I am not sure:
>
> [16/May/2012:16:18:36 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
> [16/May/2012:16:18:36 -0700] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=jigsaw,dc=com
> [16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition.
> [16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition.
> [16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> [16/May/2012:16:18:36 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
> [16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> [16/May/2012:16:18:36 -0700] - Listening on All Interfaces port 636 for LDAPS requests
> [16/May/2012:16:18:36 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
> [16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
> [16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
> [16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
> [16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
> [16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind with GSSAPI auth resumed
> [16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth resumed
>
> --David
>
> ________________________________
> From: JR Aquino
> To: David Copperfield
> Cc: JR Aquino ; Rob Crittenden ; "freeipa-users at redhat.com"
> Sent: Wednesday, May 16, 2012 4:00 PM
> Subject: Re: Still not working -- Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
>
> Try: ipactl stop then ipactl start
>
> Doesn't look like dirsrv is running on 389 and 636
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino | Sr. Information Security Specialist
> GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T:  +1 805.690.3478
> C: +1 805.717.0365
> jr.aquino at citrixonline.com
> http://www.citrixonline.com
>
> On May 16, 2012, at 2:54 PM, David Copperfield wrote:
>
> Sorry to declare success too quick, :( In fact, it is worse now, the IPA master fails after performing the above steps including the RUV cleaning.  I've only one working replica and I'm afraid to do anything on it.
>
> On The IPA master, after I ran 'service ipa restart' it reported OK, but 'ipa user-find' failed. so I cleared my Kerberos TGT ticket, ran 'kinit admin' to try my luck, the IPA master failed with the following message, it showed that 389 port listening disappeared for unknown reasons.
>
> [root at ipamaster slapd-EXAMPLE-COM]# kinit admin
>
> kinit: Generic error (see e-text) while getting initial credentials
> [root at ipamaster slapd-EXAMPLE-COM]# netstat -antup | grep -i LISTEN | grep ns
> tcp        0      0 :::7389                     :::*                        LISTEN      6550/ns-slapd
> tcp        0      0 :::7390                     :::*                        LISTEN      6550/ns-slapd
> [root at ipamaster slapd-EXAMPLE-COM]#
>
> The error logs are pasted here too.
>
> [16/May/2012:14:41:43 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [16/May/2012:14:41:43 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
> [16/May/2012:14:41:43 -0700] - Listening on All Interfaces port 636 for LDAPS requests
> [16/May/2012:14:41:43 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
> [16/May/2012:14:41:43 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
> [16/May/2012:14:41:43 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [16/May/2012:14:41:43 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
> [16/May/2012:14:41:46 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth resumed
>
>Thanks.
>
>--David
>
> ________________________________
> From: David Copperfield
> To: JR Aquino
> Cc: "freeipa-users at redhat.com"
> Sent: Wednesday, May 16, 2012 1:23 PM
> Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
>
> Hi JR,
>
> Thanks a lot! It works perfectly.
>
> The only extra thing probably goes with 2.1.3 only: I need to find and clear ghost RUV records for CA database, and remove it from master and all other live replicas as well.
>
> BTW, on 2.2.0 the two database backends still are separate, or merged into one?
>
> Thanks.
>
> --David
>
> ________________________________
> From: JR Aquino
> To: David Copperfield
> Cc: FreeIPAUsers
> Sent: Wednesday, May 16, 2012 12:57 PM
> Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
>
>On May 16, 2012, at 12:23 PM, David Copperfield wrote:
>
>> Hi all,
>>
>> I accidentally removed one of my IPA replica hosts on the IPA web UI by mistake. On the host list I planned to remove ipaclient02.example.com, but the mouse accidentally moved to ipareplica02.example.com and the latter got removed without a prompt.
>>
>> I realized the mistake and tried to recover from this disaster, but it was already too late: the change propagated to all the replicas and the poor ipareplica02 now stops functioning.
>>
>> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
>> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
>> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
>> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
>> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
>> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
>> [root at ipareplica02 slapd-EXAMPLE-COM]#
>>
>> On the IPA master, it was found that ipareplica02 didn't show up in the 'host-find' or 'service-find' list. Though it still showed in the master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', the real command 'ipa-replica-manage list ipareplica02' fails with an "LDAP couldn't reach" error.
>>
>> What should I do now? Are there any other ways to recover besides uninstalling and reinstalling the IPA replica ipareplica02?
>>
>> BTW, it will be more than appreciated if the web UI could pop up a warning prompt when removing host/service entries associated with IPA masters and IPA replicas.
>
>Been there... Done that... The bug is fixed in 2.2... It will prompt and prevent you from deleting a replica host if there is an agreement.
>
>To clean up...
>
>0. On the master replica: ipa-replica-manage del ipareplica02.example.com --force
>- This will delete the replica agreement for the host.
>
>1. $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com \
>'(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>
>Look for the nsds50ruv that matches your ghost replica.
>
>2. Create an ldif following the directions here: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
>Something like:
>
>$ cat cleanup.ldif
>dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>changetype: modify
>replace: nsds5task
>nsds5task: CLEANRUV## <- ## == The ReplicaID number for the ghost replica.
>
>3. Run on all of the remaining replicas: ldapmodify -x -D "cn=directory manager" -W -f cleanup.ldif
>- This removes the ghost entry.
>
>4. On the broken replica: ipa-server-install --uninstall
>
>5. Follow the normal directions for 'installing a replica':
>- on master: ipa-replica-prepare ipareplica02.example.com
>- scp /path/to/ipareplica02.example.com.gpg ipareplica02.example.com:ipareplica02.example.com.gpg
>- on replica: ipa-replica-install ipareplica02.example.com --whatever_options_you_used_previously
>
>6. Check to make sure the server was built correctly and commands work as expected: kinit admin, ipa user-find, ipa host-find, id admin, etc.
>
>7. Sigh and drink coffee
>
>> Thanks.
>>
>> --David
>>
>> From: Rich Megginson
>> To: Ben Ho
>> Cc: freeipa-users at redhat.com
>> Sent: Tuesday, May 15, 2012 5:33 PM
>> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>>
>> On 05/15/2012 02:49 PM, Ben Ho wrote:
>>> This is the information I retrieved about my server.
>>>
>>> ipa-server-selinux-2.1.3-9.el6.x86_64
>>> ipa-client-2.1.3-9.el6.x86_64
>>> ipa-server-2.1.3-9.el6.x86_64
>>> CentOS release 6.2
>>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>>
>>> Thanks again.
>>
>> Is replication otherwise working?
>>
>>>
>>> -Ben
>>>
>>> Date: Tue, 15 May 2012 13:15:46 -0600
>>> From: rmeggins at redhat.com
>>> To: ben13ho at hotmail.com
>>> CC: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>>>
>>> On 05/15/2012 01:00 PM, Ben Ho wrote:
>>> Hello,
>>> I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:
>>>
>>> ipa-replica-manage re-initialize --from example2.edu
>>>
>>> On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.
>>>
>>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
>>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
>>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
>>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1
>>>
>>> Again, I am pretty new to this, so any help or tips would be appreciated.
>>>
>>> What platform and what version of 389-ds-base and ipa-server for all of your servers?
>>>
>>> Thanks!
>>>
>>> -Ben
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users

From cao2dan at yahoo.com  Fri May 18 10:17:10 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Fri, 18 May 2012 03:17:10 -0700 (PDT)
Subject: [Freeipa-users] Still not working -- Re: What to do next???:
	IPA replica host entry is removed on web UI by mistake
In-Reply-To: <1337335561.14809.YahooMailNeo@web125704.mail.ne1.yahoo.com>
References: ,
	<4FB2AB62.6080002@redhat.com>
	
	<4FB2F5DE.5030308@redhat.com>
	<1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com>
	<46C26EC0-21F1-4209-AB19-C6EEE2D360CB@citrixonline.com>
	<1337199780.85204.YahooMailNeo@web125705.mail.ne1.yahoo.com>
	<1337205280.11629.YahooMailNeo@web125704.mail.ne1.yahoo.com>
	,
	<1337210891.74314.YahooMailNeo@web125701.mail.ne1.yahoo.com>
	<345084AE-5609-4665-A664-6867DDCA0AFE@citrix.com>
	<1337213480.1977.YahooMailNeo@web125705.mail.ne1.yahoo.com>
	<4FB451F9.9030803@redhat.com>
	<1337335561.14809.YahooMailNeo@web125704.mail.ne1.yahoo.com>
Message-ID: <1337336230.14767.YahooMailNeo@web125704.mail.ne1.yahoo.com>

Hi all,

Sorry, I didn't make myself clear :)

The first stanza of error messages is from the IPA master; the second stanza of error messages is from the replica that was just rebuilt. Thanks.

--David


________________________________
From: David Copperfield
To: Rich Megginson
Cc: JR Aquino; Rob Crittenden; "freeipa-users at redhat.com"; Mark Reynolds
Sent: Friday, May 18, 2012 3:06 AM
Subject: Re: Still not working -- Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake


Hi Rich and all,

For the latest IPA version 2.1.3-9 on Red Hat 6.2, clearing the CA RUV records seems a must. Before clearance the annoying messages below are filling /var/log/dirsrv/slapd-PKI-IPA/errors on the master, while after clearance the entries are gone.

[16/May/2012:19:49:40 -0700] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[16/May/2012:19:49:57 -0700] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[16/May/2012:19:53:21 -0700] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[16/May/2012:19:53:24 -0700] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20

Before clearing the CA, the error log file also had the entries listed below, and after clearance they are gone too.

[16/May/2012:19:49:21 -0700] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: data for replica o=ipaca does not match the data in the changelog (replica data (4fb46756000000510000) > changelog (4fb46756000000510000)). Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
[16/May/2012:19:49:21 -0700] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[16/May/2012:19:49:21 -0700] - Listening on All Interfaces port 7390 for LDAPS requests

Hopefully in 2.2.0 we only need to clean the user data replication and can safely ignore the CA type, which will be cleaned automatically, in sync with the user data replication.

Thanks.

--David


________________________________
From: Rich Megginson
To: David Copperfield
Cc: JR Aquino; Rob Crittenden; "freeipa-users at redhat.com"; Mark Reynolds
Sent: Wednesday, May 16, 2012 6:18 PM
Subject: Re: Still not working -- Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake


On 05/16/2012 06:11 PM, David Copperfield wrote:
>Hi JR, Rob and Rich,
>
>Thanks a lot for helping! A massage may be the choice for me now. :)
>
>Though I still have two questions here. :)
>
>1, do you have an idea on how to clear the ghost RUVs thoroughly in one run? For my case today it took me quite some time to clear it again and again from across the server farm -- it looks like the affected LDAP entries are overwritten by each other, like a basket of bumping balls.
Correct.  See http://port389.org/wiki/Howto:CLEANRUV under the CLEANALLRUV and RELEASERUV procedures.  Mark can explain the procedure better than I can.

Note that CLEANALLRUV and RELEASERUV are not available in the current release, but will be available in an upcoming release.

>
>2, And, does it bring troubles if I also run:
>
>  ipa-csreplica-manage del  --force   ## on IPA master
>
>and
>
>  clear the CA ghost RUV record from under 'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config'?
>
>I thought the above could be more complete, but the link http://directory.fedoraproject.org/wiki/Howto:CLEANRUV documented only the user LDAP backend and normal user LDAP replicas, not including this CA replication and CA LDAP backend clearance.
>
It shouldn't make a difference - to 389 a replica is a replica - it doesn't matter if it is a user data or a CA data replica.

>
>So I got confused about why the document link didn't mention this (CA). Is it because clearing the CA RUV is wrong, or did the author just take it for granted that all users are non-newbies? Any ideas? :)
>
>Thanks a lot for your help today.
>
>--David
>
>________________________________
>From: JR Aquino
>To: David Copperfield
>Cc: "freeipa-users at redhat.com"; Rob Crittenden
>Sent: Wednesday, May 16, 2012 4:41 PM
>Subject: Re: Still not working -- Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
>
>Whew, glad to hear you got through it!
>
>The 389 ds crew is working on making the cleanruv into an internal automated process. I empathize completely.
>
>The gssapi errors are generally benign. They come up because ldap starts before the kdc.
>
>"Keeping your head in the cloud"
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Jr Aquino | Sr. Information Security Specialist
>GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
>Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>jr.aquino at citrix.com
>http://www.citrixonline.com
>
>On May 16, 2012, at 4:29 PM, "David Copperfield" wrote:
>
>Could that be because of removing ghost entries in the CA database?
>
>Another possible place could be the deleting/clearing option itself. One annoying thing that I've found is:
>
>I cleared the RUV records from the IPA servers one by one, then I restarted the IPA services on the servers one by one again, and ldapsearch showed that the ghost RUV entries popped up again. :(
>
>I had to kill them again and again across the IPA server farm, then restart the IPA servers one by one and check again, until the ghost RUV entries disappeared from all of them and didn't come back -- it is very, VERY exhausting and annoying.
>
>After that I still needed to stop the IPA replica first, then restart the IPA master, and this time it worked -- ipa commands and kinit worked. At last I brought up the valid replica and it worked this time as well.
>
>Now it was time to reinstall the failed IPA replica, and it was installed and is up and running well.
>
>After I tested with 'ipa user-add' and 'ipa user-delete' and found that replication did work across the IPA master and IPA replicas, I tested one last time and found the following messages in the error log file on the IPA master; they may be harmless but I am not sure:
>
>[16/May/2012:16:18:36 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
>[16/May/2012:16:18:36 -0700] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=jigsaw,dc=com
>[16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition.
>[16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition.
>[16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
>[16/May/2012:16:18:36 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>[16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
>[16/May/2012:16:18:36 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>[16/May/2012:16:18:36 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>[16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
>[16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
>[16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
>[16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
>[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind with GSSAPI auth resumed
>[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth resumed
>
>--David
>
>________________________________
>From: JR Aquino
>To: David Copperfield
>Cc: JR Aquino; Rob Crittenden; "freeipa-users at redhat.com"
>Sent: Wednesday, May 16, 2012 4:00 PM
>Subject: Re: Still not working -- Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
>
>Try: ipactl stop then ipactl start
>
>Doesn't look like dirsrv is running on 389 and 636
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Jr Aquino | Sr. Information Security Specialist
>GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
>Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>T: +1 805.690.3478
>C: +1 805.717.0365
>jr.aquino at citrixonline.com
>http://www.citrixonline.com
>
>On May 16, 2012, at 2:54 PM, David Copperfield wrote:
>
>Sorry to declare success too quickly. :( In fact, it is worse now: the IPA master fails after performing the above steps including the RUV cleaning. I've only one working replica and I'm afraid to do anything on it.
>
>On the IPA master, after I ran 'service ipa restart' it reported OK, but 'ipa user-find' failed. So I cleared my Kerberos TGT ticket and ran 'kinit admin' to try my luck; the IPA master failed with the following message, which showed that the listener on port 389 had disappeared for unknown reasons.
>
>[root at ipamaster slapd-EXAMPLE-COM]# kinit admin
>kinit: Generic error (see e-text) while getting initial credentials
>[root at ipamaster slapd-EXAMPLE-COM]# netstat -antup | grep -i LISTEN | grep ns
>tcp        0      0 :::7389                     :::*                        LISTEN      6550/ns-slapd
>tcp        0      0 :::7390                     :::*                        LISTEN      6550/ns-slapd
>[root at ipamaster slapd-EXAMPLE-COM]#
>
>The error logs are pasted here too.
>
>[16/May/2012:14:41:43 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>[16/May/2012:14:41:43 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>[16/May/2012:14:41:43 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>[16/May/2012:14:41:43 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>[16/May/2012:14:41:43 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
>[16/May/2012:14:41:43 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>[16/May/2012:14:41:43 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
>[16/May/2012:14:41:46 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth resumed
>
>Thanks.
>
>--David
>
>________________________________
>From: David Copperfield
>To: JR Aquino
>Cc: "freeipa-users at redhat.com"
>Sent: Wednesday, May 16, 2012 1:23 PM
>Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
>
>Hi JR,
>
>Thanks a lot! It works perfectly.
>

From rcritten at redhat.com  Fri May 18 14:06:00 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 May 2012 10:06:00 -0400
Subject: [Freeipa-users] Still not working -- Re: What to do next???:
 IPA replica host entry is removed on web UI by mistake
In-Reply-To: <1337335561.14809.YahooMailNeo@web125704.mail.ne1.yahoo.com>
References: ,
	<4FB2AB62.6080002@redhat.com>
	
	<4FB2F5DE.5030308@redhat.com>
	<1337196190.25678.YahooMailNeo@web125706.mail.ne1.yahoo.com>
	<46C26EC0-21F1-4209-AB19-C6EEE2D360CB@citrixonline.com>
	<1337199780.85204.YahooMailNeo@web125705.mail.ne1.yahoo.com>
	<1337205280.11629.YahooMailNeo@web125704.mail.ne1.yahoo.com>
	,
	<1337210891.74314.YahooMailNeo@web125701.mail.ne1.yahoo.com>
	<345084AE-5609-4665-A664-6867DDCA0AFE@citrix.com>
	<1337213480.1977.YahooMailNeo@web125705.mail.ne1.yahoo.com>
	<4FB451F9.9030803@redhat.com>
	<1337335561.14809.YahooMailNeo@web125704.mail.ne1.yahoo.com>
Message-ID: <4FB65748.8060204@redhat.com>

David Copperfield wrote:
> Hi Rich and all,
>
> For the latest IPA version 2.1.3-9 on Red Hat 6.2, clearing the CA RUV
> records seems a must. Before clearance the annoying messages are
> filling /var/log/dirsrv/slapd-PKI-IPA/errors on the master, while after
> clearance the entries are gone.
>
>     [16/May/2012:19:49:40 -0700] NSMMReplicationPlugin -
>     repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
>     [16/May/2012:19:49:57 -0700] NSMMReplicationPlugin -
>     repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
>     [16/May/2012:19:53:21 -0700] NSMMReplicationPlugin -
>     repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
>     [16/May/2012:19:53:24 -0700] NSMMReplicationPlugin -
>     repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
>
>
> Before clearing the CA, the error log file also had the entries listed
> below, and after clearance they are gone too.
>
>     [16/May/2012:19:49:21 -0700] NSMMReplicationPlugin -
>     replica_check_for_data_reload: Warning: data for replica o=ipaca
>     does not match the data in the changelog (replica data
>     (4fb46756000000510000) > changelog (4fb46756000000510000)).
>     Recreating the changelog file. This could affect replication with
>     replica's consumers in which case the consumers should be reinitialized.
>     [16/May/2012:19:49:21 -0700] - slapd started. Listening on All
>     Interfaces port 7389 for LDAP requests
>     [16/May/2012:19:49:21 -0700] - Listening on All Interfaces port 7390
>     for LDAPS requests
>
>
> Hopefully in 2.2.0 we only need to clean the user data replication and
> can safely ignore the CA type, which will be cleaned automatically, in
> sync with the user data replication.

The CA is just another 389-ds instance. It needs to be cleaned the same 
way any other instance would.

Nothing will change in 2.2. Hopefully this will be available for the 3.0 
release.

rob
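To make Rob's point and JR's CLEANRUV steps concrete, here is an added example (not from this thread, FreeIPA or 389-ds) that takes the nsds50ruv values returned by the tombstone ldapsearch from step 1, picks out replica IDs whose host is no longer a live master, and writes the CLEANRUV modify for a given suffix, so the same code serves dc=example,dc=com on the user instance and o=ipaca on the CA instance. The RUV values and the list of live masters are constructed; the mapping-tree DN escaping follows the LDIF shown earlier, and the CSN layout (time, seq, rid, subseq as 8+4+4+4 hex digits) is stated as an assumption in the code.

```python
"""Ghost-RUV triage for a 389-ds / FreeIPA replica set (added example).

Works on the nsds50ruv values returned by the tombstone search in the
thread (nsuniqueid=ffffffff-..., objectclass=nstombstone) and writes the
CLEANRUV modify described on the Howto:CLEANRUV page. The CA instance
(o=ipaca, port 7389) keeps its own RUV, so the search and the modify
have to be run once per backend.
"""
import re

# One RUV element per replica: "{replica <rid> <url>} <min csn> <max csn>".
# The "{replicageneration} ..." element has no rid and does not match.
RUV_ELEMENT = re.compile(r"^\{replica (\d+) (ldaps?://[^}]+)\}(?: (\w+))?(?: (\w+))?$")


def parse_ruv(values):
    """Map replica ID -> (url, max_csn or None) for every replica element."""
    replicas = {}
    for value in values:
        m = RUV_ELEMENT.match(value.strip())
        if m:
            rid, url, _min_csn, max_csn = m.groups()
            replicas[int(rid)] = (url, max_csn)
    return replicas


def url_host(url):
    """Hostname part of ldap://host:port, lower-cased for comparison."""
    return url.split("://", 1)[1].split("/", 1)[0].rsplit(":", 1)[0].lower()


def ghost_rids(values, live_hosts):
    """Replica IDs whose URL names a host that is no longer an IPA master/replica."""
    live = {h.lower() for h in live_hosts}
    return {rid: url for rid, (url, _csn) in parse_ruv(values).items()
            if url_host(url) not in live}


def csn_rid(csn):
    """Replica ID embedded in a CSN (assumed layout: 8 hex time, 4 seq, 4 rid, 4 subseq)."""
    if len(csn) != 20:
        raise ValueError("CSN must be 20 hex digits")
    return int(csn[12:16], 16)


def escape_suffix(suffix):
    """Escape a suffix the way the mapping-tree entry is named: dc\\3Dexample\\2Cdc\\3Dcom."""
    return suffix.replace("=", "\\3D").replace(",", "\\2C")


def cleanruv_ldif(suffix, rids):
    """LDIF setting nsds5task: CLEANRUV<rid> on the replica entry, one modify per ghost rid."""
    dn = f"dn: cn=replica,cn={escape_suffix(suffix)},cn=mapping tree,cn=config"
    mods = ["\n".join([dn, "changetype: modify", "replace: nsds5task",
                       f"nsds5task: CLEANRUV{rid}"]) for rid in sorted(rids)]
    return "\n\n".join(mods) + "\n"


# Constructed samples: what the tombstone search might return on the master
# after ipareplica02 was deleted but its RUV elements survived in both backends.
SAMPLE_RUV = [
    "{replicageneration} 4fb4673f000000040000",
    "{replica 4 ldap://ipamaster.example.com:389} 4fb4675a000000040000 4fb46a10000000040000",
    "{replica 5 ldap://ipareplica01.example.com:389} 4fb4676b000000050000 4fb469f2000000050000",
    "{replica 6 ldap://ipareplica02.example.com:389} 4fb46756000000060000 4fb46756000000060000",
]
SAMPLE_CA_RUV = [
    "{replicageneration} 4fb4672a000000510000",
    "{replica 81 ldap://ipamaster.example.com:7389} 4fb46756000000510000 4fb46756000000510000",
    "{replica 86 ldap://ipareplica02.example.com:7389} 4fb467a0000000560000 4fb467a0000000560000",
]
# Constructed: the hosts ipa-replica-manage list still reports as masters.
LIVE_MASTERS = ["ipamaster.example.com", "ipareplica01.example.com"]

if __name__ == "__main__":
    # User backend (port 389) and CA backend (port 7389) get the same kind of
    # modify; only the suffix, and therefore the mapping-tree DN, differs.
    for suffix, values in (("dc=example,dc=com", SAMPLE_RUV), ("o=ipaca", SAMPLE_CA_RUV)):
        ghosts = ghost_rids(values, LIVE_MASTERS)
        for rid, url in ghosts.items():
            print(f"{suffix}: ghost replica {rid} ({url}) -> CLEANRUV{rid}")
        print(cleanruv_ldif(suffix, ghosts))
```

The resulting LDIF is what step 3 feeds to ldapmodify on every remaining replica; the CA instance needs its own ldapsearch against port 7389 because its replica IDs differ from the user backend's.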



From rcritten at redhat.com  Fri May 18 14:04:20 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 May 2012 10:04:20 -0400
Subject: [Freeipa-users] FreeIPA v2.2.0 on F17 not starting
In-Reply-To: <4FB5733C.8010303@redhat.com>
References: <1337289212.24421.16.camel@tablet> <4FB5733C.8010303@redhat.com>
Message-ID: <4FB656E4.80502@redhat.com>

Rich Megginson wrote:
> On 05/17/2012 03:13 PM, Iliyan Stoyanov wrote:
>> Hello,
>>
>> I'm running latest (as of today) F17 with FreeIPA v.2.2.0. After
>> running ipa-server-install everything runs alright and IPA is running
>> fine. 389, kerberos and the rest of the components start up fine.
>> However after reboot of the machine IPA doesn't want to start,
>> systemctl status ipa.service reports:
>>
>> ipa.service - Identity, Policy, Audit
>> Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
>> Active: failed (Result: exit-code) since Thu, 17 May 2012 23:17:42
>> +0300; 6min ago
>> Process: 567 ExecStart=/usr/sbin/ipactl start (code=exited,
>> status=1/FAILURE)
>> CGroup: name=systemd:/system/ipa.service
>>
>> May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Failed to
>> read data from Directory Service: Unknown error when retrieving list
>> of services from LDAP: [Errno 111] Connection refused
>> May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Shutting down
>> May 17 23:17:41 cerberus.intra.evilpuppy.bg ipactl[567]: Starting
>> Directory Service
>>
>> and ipactl start just repeats the error:
>>
>> ipactl start
>> Starting Directory Service
>> Failed to read data from Directory Service: Unknown error when
>> retrieving list of services from LDAP: [Errno 111] Connection refused
>> Shutting down
>>
>> If I start ns-slapd by hand with ns-slapd -D /etc/dirsrv/slapd-PKI-IPA
>> && ns-slapd -D /etc/dirsrv/slapd-MYREALM, slapd starts, however the
>> MYREALM instance throws
>>
>> etc/dirsrv/slapd-MYREALM/dse.ldif: nsslapd-maxdescriptors:
>> nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors
>> must range from 1 to 4096 (the current process limit). Server will use
>> a setting of 4096.
>> [17/May/2012:23:25:29 +0300] - Config Warning: -
>> nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors
>> must range from 1 to 4096 (the current process limit). Server will use
>> a setting of 4096.
>>
>> which however is not a big problem, but it seems ns-slapd doesn't care
>> about the limits that are setup in the limits.conf.
>
> It cares, but the systemd conf file must also specify NOFILES=8192
>
>>
>> after starting the directory server I again try with systemctl start
>> ipa.service and the result this time is:
>>
>> ipa.service - Identity, Policy, Audit
>> Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
>> Active: failed (Result: exit-code) since Thu, 17 May 2012 23:28:02
>> +0300; 25s ago
>> Process: 942 ExecStart=/usr/sbin/ipactl start (code=exited,
>> status=1/FAILURE)
>> CGroup: name=systemd:/system/ipa.service
>>
>> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Job failed.
>> See system journal and 'systemctl status' for details.
>> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Failed to
>> start KDC Service
>> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Shutting down
>> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Aborting ipactl
>> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting
>> Directory Service
>> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting KDC
>> Service
>>
>> the /var/log/krb5kdc.log reports:
>>
>> rb5kdc: Server error - while fetching master key K/M for realm MYREALM
>> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](debug): Got signal
>> to request exit
>> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
>> down fd 9
>> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
>> down fd 10
>> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
>> down fd 8
>> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
>> down fd 7
>> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): shutting down
>> krb5kdc: Server error - while fetching master key K/M for realm MYREALM
>>
>> From what I get from the kdc.conf file in /var/kerberos/krb5kdc it
>> seems like the files
>> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
>> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>> are missing in that path, however I don't really know what should
>> generate those pem certs. From my very basic understanding of how IPA
>> works I assume that is dogtag's job, and again I assume ipactl
>> start/systemctl start ipa.service probably should take care of that,
>> however this doesn't happen.
>>
>> So any help with this issue is welcome. I can go for LDAP/KRB setup to
>> use on my virtual/physical machines, however if going down the
>> krb/LDAP route I think IPA would be far better to support in the long run.
>>
>> If that might be some help, I'm running x86_64 F17 inside Xen domU.
>> The host is Fedora 17 Dom0 with a bunch of other CentOS6.2 and NetBSD6
>> DomU.
>>
>> I have the exact same situation also with FreeIPA built from git. The
>> packages from git are version 2.99:
>>
>> freeipa-server-selinux-2.99.0GIT46c6ff6-0.fc17.x86_64
>> freeipa-python-2.99.0GIT46c6ff6-0.fc17.x86_64
>> freeipa-admintools-2.99.0GIT46c6ff6-0.fc17.x86_64
>> freeipa-server-2.99.0GIT46c6ff6-0.fc17.x86_64
>> freeipa-client-2.99.0GIT46c6ff6-0.fc17.x86_64
>>
>> the 2.2.0 version I also ran was the one in F17.
>>
>> Thanks in advance,
>> BR
>> ilf

It could be a timeout problem. ipactl starts the dirsrv instance to get 
the list of services it needs to start. If this connect fails it would 
behave this way. If you look in /usr/sbin/ipactl you'll see a 6 second 
timeout. I'd try bumping that up to a higher value.

rob



From danieljamesscott at gmail.com  Fri May 18 14:13:17 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 18 May 2012 10:13:17 -0400
Subject: [Freeipa-users] Replication status
In-Reply-To: <4FA1F7D1.50703@redhat.com>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
Message-ID: 

Hi,

On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden  wrote:
> Rich Megginson wrote:
>>
>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>
>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>
>>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>>> to a less privileged account; i.e., an account solely designed to
>>>>> check replication status?
>>>>
>>>> You also need to expose the RUV tombstone entry at the base of each
>>>> suffix.
>>>
>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>>> any pointers?
>>>
>>> Cheers,
>>> Ian
>>>
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>
>
> We already have some delegated permissions for replication but none granting
> only read access. Off the cuff, something like this might work:
>
> dn: cn="$SUFFIX",cn=mapping tree,cn=config
> changetype: modify
> add: aci
> aci:
> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
> 3.0; aci "permission:Read Replication Agreements"; allow (read, search,
> compare) groupdn = "ldap:///cn=Read Replication
> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>
> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
> changetype: add
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermission
> cn: Read Replication Agreements
> ipapermissiontype: SYSTEM
>
> Note that you'll need to replace $SUFFIX with your base dn
> (dc=example,dc=com).
>
> This is untested so YMMV. If you find that it works and is useful please let
> us know, maybe we can add this for everyone to enjoy :-)

Is it safe to allow anonymous access to read this attribute? I added
the following ACI:

dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
3.0; aci "permission:Read Replication Agreements"; allow (read,
search, compare) groupdn = "ldap:///anyone";)

And I can now get the replication status using an anonymous bind. I
also modified the nagios perl script to make an anonymous bind and
check the replication status - it's working OK.

I don't know if the aci should be a standard feature, option to
enable, or just to provide the ldif for anyone who wants it.

Thanks,

Dan



From rmeggins at redhat.com  Fri May 18 14:29:06 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 18 May 2012 08:29:06 -0600
Subject: [Freeipa-users] Replication status
In-Reply-To: 
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
	
Message-ID: <4FB65CB2.5000800@redhat.com>

On 05/18/2012 08:13 AM, Dan Scott wrote:
> Hi,
>
> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden  wrote:
>> Rich Megginson wrote:
>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>
>>>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>>>> to a less privileged account; i.e., an account solely designed to
>>>>>> check replication status?
>>>>> You also need to expose the RUV tombstone entry at the base of each
>>>>> suffix.
>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>>>> any pointers?
>>>>
>>>> Cheers,
>>>> Ian
>>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>
>> We already have some delegated permissions for replication but none granting
>> only read access. Off the cuff, something like this might work:
>>
>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>> changetype: modify
>> add: aci
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>> 3.0; aci "permission:Read Replication Agreements"; allow (read, search,
>> compare) groupdn = "ldap:///cn=Read Replication
>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>
>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>> changetype: add
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: ipapermission
>> cn: Read Replication Agreements
>> ipapermissiontype: SYSTEM
>>
>> Note that you'll need to replace $SUFFIX with your base dn
>> (dc=example,dc=com).
>>
>> This is untested so YMMV. If you find that it works and is useful please let
>> us know, maybe we can add this for everyone to enjoy :-)
> Is it safe to allow anonymous access to read this attribute? I added
> the following ACI:
>
> dn: cn="$SUFFIX",cn=mapping tree,cn=config
> changetype: modify
> add: aci
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
> 3.0; aci "permission:Read Replication Agreements"; allow (read,
> search, compare) groupdn = "ldap:///anyone";)

It would be better to restrict the list of attributes to only those 
needed by the app e.g. (targetattr="foo || bar || baz || ...")

>
> And I can now get the replication status using an anonymous bind. I
> also modified the nagios perl script to make an anonymous bind and
> check the replication status - it's working OK.
>
> I don't know if the aci should be a standard feature, option to
> enable, or just to provide the ldif for anyone who wants it.

Sure.  If you think it should be a standard feature, just file a ticket.

>
> Thanks,
>
> Dan
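Rich's suggestion above (narrow targetattr to what the checker needs) carried through as an added example; this is not code from the thread or from FreeIPA. It assumes the monitoring script only needs the status attributes listed, and it refuses a list that would include the agreement's bind DN or stored credentials, which a targetattr=* grant to anonymous would expose.

```python
# Added example (not from the thread): build the read-only replication-agreement
# ACI Rob sketched, but with an explicit attribute list as Rich suggested, and
# refuse any list that would expose the agreement's bind credentials.
# The attribute names below are standard 389-ds agreement attributes; which ones
# a given monitoring script needs is an assumption to adjust per deployment.

AGREEMENT_FILTER = (
    "(|(objectclass=nsds5replicationagreement)"
    "(objectclass=nsDSWindowsReplicationAgreement))"
)

# What a status checker typically reads from each agreement entry.
STATUS_ATTRS = [
    "cn", "objectClass", "nsds5ReplicaHost", "nsds5ReplicaPort",
    "nsds5ReplicaRoot", "nsds5ReplicaLastUpdateStart",
    "nsds5ReplicaLastUpdateEnd", "nsds5ReplicaLastUpdateStatus",
    "nsds5ReplicaUpdateInProgress", "nsds5ReplicaLastInitStatus",
]

# Never readable by a low-privilege or anonymous monitor: the agreement's bind
# identity and its stored password. A wildcard (*) would include both.
SENSITIVE_ATTRS = {"nsds5replicacredentials", "nsds5replicabinddn"}


def build_read_agreements_aci(attrs, subject=None):
    """Return the ACI string; raise ValueError if attrs would leak credentials.

    subject is the bind-rule clause; it defaults to the permission group from
    Rob's draft. Pass 'userdn = "ldap:///anyone"' for anonymous read access.
    """
    if subject is None:
        subject = ('groupdn = "ldap:///cn=Read Replication Agreements,'
                   'cn=permissions,cn=pbac,$SUFFIX"')
    for attr in attrs:
        if attr == "*" or attr.lower() in SENSITIVE_ATTRS:
            raise ValueError(f"attribute {attr!r} would expose bind credentials")
    targetattr = " || ".join(attrs)
    return (f'(targetattr="{targetattr}")'
            f'(targetfilter="{AGREEMENT_FILTER}")'
            f'(version 3.0; aci "permission:Read Replication Agreements"; '
            f'allow (read, search, compare) {subject};)')


def aci_ldif(suffix, aci):
    """LDIF 'modify' that adds the ACI to the mapping-tree entry for suffix,
    with $SUFFIX in the bind rule expanded, as in Rob's draft."""
    return "\n".join([
        f'dn: cn="{suffix}",cn=mapping tree,cn=config',
        "changetype: modify",
        "add: aci",
        "aci: " + aci.replace("$SUFFIX", suffix),
        "",
    ])


if __name__ == "__main__":
    # Constructed sample suffix; feed the output to ldapmodify as Directory Manager.
    print(aci_ldif("dc=example,dc=com", build_read_agreements_aci(STATUS_ATTRS)))
```

Rich also noted that the RUV tombstone at the base of each suffix needs a matching read grant for a status check to work; this block covers only the agreement entries.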



From rmeggins at redhat.com  Fri May 18 14:33:55 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 18 May 2012 08:33:55 -0600
Subject: [Freeipa-users] Problems with Passsync
In-Reply-To: 
References: 
	
Message-ID: <4FB65DD3.6050007@redhat.com>

On 05/17/2012 04:10 PM, Kline, Sara wrote:
>
> I was able to fix the import issue, and found some special SSL things 
> for Server 2008 when you are wanting to run LDAP/SSL. So Pass Sync is 
> no longer stating SSL may not be set up correctly.
>
> I am running into an issue however. These are the entries in the Pass 
> Sync log file:
>
> PassSync service is running
>
> No entries yet
>

Did you reboot the AD box after installing PassSync?
Have you changed any passwords in AD?

> Ldap bind error in Connect 32: No such object
>

What is the bind DN you used when you configured PassSync on AD?  Does 
that DN correspond to a real user DN in IPA?

> Can not connect to ldap server in SyncPasswords
>
> Thanks,
>
> Sara Kline
>
> *From:*freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Kline, Sara
> *Sent:* Thursday, May 17, 2012 11:06 AM
> *To:* freeipa-users at redhat.com
> *Subject:* [Freeipa-users] Problems with Passsync
>
> Replication is working great. When I create/delete an account on the 
> AD server it shows up in FreeIPA, however I can't get Passsync to work. 
> I believe it is working because the last step in the documentation 
> isn't working. When I try to import the certificate, I get this message:
>
> Certutil.exe: "unable to open 
> "C:\Users\Administrator\Documents\ca.crt" for reading (-5950, 2). Any 
> ideas?
>
> Sara Kline
>
> System Administrator
>
> Transaction Network Services, Inc
>
> 4501 Intelco Loop, Lacey WA 98503
>
> Wk: (360) 493-6736
>
> Cell: (360) 280-2495
>
> ------------------------------------------------------------------------
>
> This e-mail message is for the sole use of the intended 
> recipient(s)and may
> contain confidential and privileged information of Transaction Network 
> Services.
> Any unauthorised review, use, disclosure or distribution is 
> prohibited. If you
> are not the intended recipient, please contact the sender by reply 
> e-mail and destroy all copies of the original message.
>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


From SKline at tnsi.com  Fri May 18 15:11:33 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Fri, 18 May 2012 08:11:33 -0700
Subject: [Freeipa-users] Problems with Passsync
In-Reply-To: <4FB65DD3.6050007@redhat.com>
References: 
	
	<4FB65DD3.6050007@redhat.com>
Message-ID: 

Yes, after installing PassSync I rebooted, and I have not changed any passwords in AD. The bind dn I am using is the one that the documentation says to use which was:
uid=passsync,cn=systemaccounts,cn=etc,dc=prod,dc=example,dc=com. If I do an ipa user-find on this, it comes back empty but I am thinking it's because this is not in with the regular user accounts. Is there a way to verify that the account is there?

Thanks,
Sara Kline

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Friday, May 18, 2012 7:34 AM
To: Kline, Sara
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Problems with Passsync

On 05/17/2012 04:10 PM, Kline, Sara wrote:
I was able to fix the import issue, and found some special SSL things for Server 2008 when you are wanting to run LDAP/SSL. So Pass Sync is no longer stating SSL may not be set up correctly.
I am running into an issue however. These are the entries in the Pass Sync log file:
PassSync service is running
No entries yet

Did you reboot the AD box after installing PassSync?
Have you changed any passwords in AD?


Ldap bind error in Connect 32: No such object

What is the bind DN you used when you configured PassSync on AD?  Does that DN correspond to a real user DN in IPA?


Can not connect to ldap server in SyncPasswords

Thanks,
Sara Kline

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Kline, Sara
Sent: Thursday, May 17, 2012 11:06 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Problems with Passsync

Replication is working great. When I create/delete an account on the AD server it shows up in FreeIPA, however I can't get Passsync to work. I believe it is working because the last step in the documentation isn't working. When I try to import the certificate, I get this message:
Certutil.exe: "unable to open "C:\Users\Administrator\Documents\ca.crt" for reading (-5950, 2). Any ideas?

Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495











From rmeggins at redhat.com  Fri May 18 15:16:28 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 18 May 2012 09:16:28 -0600
Subject: [Freeipa-users] Problems with Passsync
In-Reply-To: 
References: 
	
	<4FB65DD3.6050007@redhat.com>
	
Message-ID: <4FB667CC.4030002@redhat.com>

On 05/18/2012 09:11 AM, Kline, Sara wrote:
>
> Yes, after installing PassSync I rebooted, and I have not changed any 
> passwords in AD.
>

If you have not changed any passwords in AD, then the log is correctly 
reporting "No entries yet"

> The bind dn I am using is the one that the documentation says to use 
> which was:
>
> uid=passsync,cn=systemaccounts,cn=etc,dc=prod,dc=example,dc=com. If I 
> do an ipa user-find on this, it comes back empty but I am thinking it's 
> because this is not in with the regular user accounts. Is there a way 
> to verify that the account is there?
>

ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com 
uid=passsync

> Thanks,
>
> Sara Kline
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Friday, May 18, 2012 7:34 AM
> *To:* Kline, Sara
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Problems with Passsync
>
> On 05/17/2012 04:10 PM, Kline, Sara wrote:
>
> I was able to fix the import issue, and found some special SSL things 
> for Server 2008 when you are wanting to run LDAP/SSL. So Pass Sync is 
> no longer stating SSL may not be set up correctly.
>
> I am running into an issue however. These are the entries in the Pass 
> Sync log file:
>
> PassSync service is running
>
> No entries yet
>
>
> Did you reboot the AD box after installing PassSync?
> Have you changed any passwords in AD?
>
>
> Ldap bind error in Connect 32: No such object
>
>
> What is the bind DN you used when you configured PassSync on AD?  Does 
> that DN correspond to a real user DN in IPA?
>
>
> Can not connect to ldap server in SyncPasswords
>
> Thanks,
>
> Sara Kline
>
> *From:*freeipa-users-bounces at redhat.com 
>  
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Kline, Sara
> *Sent:* Thursday, May 17, 2012 11:06 AM
> *To:* freeipa-users at redhat.com 
> *Subject:* [Freeipa-users] Problems with Passsync
>
> Replication is working great. When I create/delete an account on the 
> AD server it shows up in FreeIPA, however I can't get Passsync to work. 
> I believe it is working because the last step in the documentation 
> isn't working. When I try to import the certificate, I get this message:
>
> Certutil.exe: "unable to open 
> "C:\Users\Administrator\Documents\ca.crt" for reading (-5950, 2). Any 
> ideas?
>
> Sara Kline
>
> System Administrator
>
> Transaction Network Services, Inc
>
> 4501 Intelco Loop, Lacey WA 98503
>
> Wk: (360) 493-6736
>
> Cell: (360) 280-2495
>
>
>
>
>
>
>
>


From simo at redhat.com  Fri May 18 15:27:57 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 18 May 2012 11:27:57 -0400
Subject: [Freeipa-users] howto modify krb principal attributes without
 kadmin.local
In-Reply-To: 
References: 
	<1337120692.16840.29.camel@willson.li.ssimo.org>
	
Message-ID: <1337354877.16840.153.camel@willson.li.ssimo.org>

On Wed, 2012-05-16 at 15:08 -0700, Thomas Jackson wrote:
> 
> 
> On Tue, May 15, 2012 at 3:24 PM, Simo Sorce  wrote:
>         On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote:
>         > So going through the documentation it's clearly laid out not
>         to use
>         > kadmin or kadmin.local when using freeipa.  I have been
>         unable to find
>         > how to replace this functionality in the documentation.
>         >
>         > If I could use kadmin.local on my kdc I would like to run
>         the
>         > following command....
>         >
>         > modprinc +requires_hwauth user
>         >
>         > Am I going to need to extend/modify the krb5 schema to
>         modify
>         > principals attributes in this way?
>         >
>         
>         For this specific change you can use kadmin.local, but the IPA
>         UI will
>         not report you anything about it.
>         
>         The flags part is still a weak point of the Web UI, if you
>         want you can
>         open a RFE ticket to ask for better support for these flags,
>         we need to
>         do it at some point we simply haven't yet as we concentrated
>         on more
>         important and pressing issue this far.
>         
>         Simo.
>         
>         --
>         Simo Sorce * Red Hat, Inc * New York
>         
> 
> The following errors lead me to believe I am missing something as
> kadmin.local appears to have access issues when trying to modify a
> principal.
> 
> kadmin.local:  modprinc +requires_hwauth user
> modify_principal: User modification failed: Insufficient access while
> modifying "user".
> 
> For good measure I've modified /var/kerberos/krb5kdc/kadm5.acl with
> the correct ACLs for the domain and still encounter the same
> errors.
> 
> -ipa 2.1.3

Ok I took a second look at how to make it simple.

First of all I misremembered about the fact these flags were saved in
the krbExtraData field. They are not, there is a specific attribute for
all ticket flags that is called krbTicketFlags.

This attribute is normally not set on entries, as the defaults for the
realm are used, however the requires_hwauth flag is not a default and
you want to enable it only for user principals, not all principals on
the server.

That can be easily done by adding the krbTicketFlags attribute.
However in order to do this properly you need to calculate what value to
set based on this (partial) table:

KRB5_KDB_DISALLOW_POSTDATED	0x00000001
KRB5_KDB_DISALLOW_FORWARDABLE	0x00000002
KRB5_KDB_DISALLOW_TGT_BASED	0x00000004
KRB5_KDB_DISALLOW_RENEWABLE	0x00000008
KRB5_KDB_DISALLOW_PROXIABLE	0x00000010
KRB5_KDB_DISALLOW_DUP_SKEY	0x00000020
KRB5_KDB_DISALLOW_ALL_TIX	0x00000040
KRB5_KDB_REQUIRES_PRE_AUTH	0x00000080
KRB5_KDB_REQUIRES_HW_AUTH	0x00000100
KRB5_KDB_REQUIRES_PWCHANGE	0x00000200

The default flag for IPA user is KRB5_KDB_REQUIRES_PRE_AUTH, so in order
to properly set the flag you need to combine it with the flag you want
that is KRB5_KDB_REQUIRES_HW_AUTH.

So 0x0100 + 0x0080 = 0x0180

In decimal 0x0180 becomes 384

So you need to change the entry to set krbTicketFlags to 384

Now, normally I would tell you to do that using the following command:
ipa user-mod  --setattr=krbticketflags=384

However, we do restrict even admin from touching that attribute, so you
have 2 options:

1. change the default ACI to allow admin to edit that attribute.
2. do an ldapmodify operation instead using the Directory Manager
credentials.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
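Simo's flag arithmetic worked through as an added example (not code from the thread or from FreeIPA): it applies kadmin-style +/- flag specs to a krbTicketFlags value using the table above, decodes a value back for checking, and writes the LDIF for option 2. The uid=...,cn=users,cn=accounts,$SUFFIX entry layout is an assumption.

```python
# Added example (not from the thread): turn kadmin-style flag specs such as
# "+requires_hwauth" into the integer krbTicketFlags value using the KRB5_KDB_*
# table Simo quoted, decode a value back for checking, and emit the ldapmodify
# LDIF for Simo's option 2. The user DN layout (cn=users,cn=accounts) is assumed.

KRB5_KDB_FLAGS = {
    "DISALLOW_POSTDATED":   0x00000001,
    "DISALLOW_FORWARDABLE": 0x00000002,
    "DISALLOW_TGT_BASED":   0x00000004,
    "DISALLOW_RENEWABLE":   0x00000008,
    "DISALLOW_PROXIABLE":   0x00000010,
    "DISALLOW_DUP_SKEY":    0x00000020,
    "DISALLOW_ALL_TIX":     0x00000040,
    "REQUIRES_PRE_AUTH":    0x00000080,
    "REQUIRES_HW_AUTH":     0x00000100,
    "REQUIRES_PWCHANGE":    0x00000200,
}

# kadmin modprinc names -> (KDB flag, inverted). The "allow_*" names are the
# inverse of the stored DISALLOW_* bits, so "-allow_forwardable" SETS a bit.
KADMIN_NAMES = {
    "allow_postdated":   ("DISALLOW_POSTDATED", True),
    "allow_forwardable": ("DISALLOW_FORWARDABLE", True),
    "allow_tgs_req":     ("DISALLOW_TGT_BASED", True),
    "allow_renewable":   ("DISALLOW_RENEWABLE", True),
    "allow_proxiable":   ("DISALLOW_PROXIABLE", True),
    "allow_dup_skey":    ("DISALLOW_DUP_SKEY", True),
    "allow_tix":         ("DISALLOW_ALL_TIX", True),
    "requires_preauth":  ("REQUIRES_PRE_AUTH", False),
    "requires_hwauth":   ("REQUIRES_HW_AUTH", False),
    "needchange":        ("REQUIRES_PWCHANGE", False),
}

IPA_USER_DEFAULT = KRB5_KDB_FLAGS["REQUIRES_PRE_AUTH"]   # 128, per Simo


def apply_kadmin_flags(current, specs):
    """Apply specs like ["+requires_hwauth", "-allow_renewable"] to an integer
    krbTicketFlags value and return the new value."""
    value = current
    for spec in specs:
        sign, name = spec[:1], spec[1:].lower()
        if sign not in "+-" or name not in KADMIN_NAMES:
            raise ValueError(f"unknown kadmin flag spec {spec!r}")
        flag, inverted = KADMIN_NAMES[name]
        bit = KRB5_KDB_FLAGS[flag]
        set_bit = (sign == "+") != inverted
        value = (value | bit) if set_bit else (value & ~bit)
    return value


def decode_ticket_flags(value):
    """Names of the KRB5_KDB_* bits set in value, in table order."""
    return [f"KRB5_KDB_{name}" for name, bit in KRB5_KDB_FLAGS.items() if value & bit]


def krbticketflags_ldif(uid, suffix, value):
    """LDIF for ldapmodify as Directory Manager (Simo's option 2); 'replace'
    works whether or not krbTicketFlags is already present on the entry."""
    return "\n".join([
        f"dn: uid={uid},cn=users,cn=accounts,{suffix}",
        "changetype: modify",
        "replace: krbTicketFlags",
        f"krbTicketFlags: {value}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: the user from Simo's example under an assumed suffix.
    flags = apply_kadmin_flags(IPA_USER_DEFAULT, ["+requires_hwauth"])
    print(flags, decode_ticket_flags(flags))   # 384 [...REQUIRES_PRE_AUTH, ...REQUIRES_HW_AUTH]
    print(krbticketflags_ldif("user", "dc=example,dc=com", flags))
```

Starting from the entry's current krbTicketFlags (if any) rather than the realm default avoids silently clearing other bits already set on that principal.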



From simo at redhat.com  Fri May 18 15:31:49 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 18 May 2012 11:31:49 -0400
Subject: [Freeipa-users] Problems with Passsync
In-Reply-To: <4FB667CC.4030002@redhat.com>
References: 
	
	<4FB65DD3.6050007@redhat.com>
	
	<4FB667CC.4030002@redhat.com>
Message-ID: <1337355109.16840.156.camel@willson.li.ssimo.org>

On Fri, 2012-05-18 at 09:16 -0600, Rich Megginson wrote:
> 
> ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com 
> uid=passsync

This should be:
ldapsearch -xLLL -D "cn=directory manager" -W -b dc=prod,dc=example,dc=com uid=passsync

You also want to check that this user is properly set according to this
page: http://www.freeipa.org/page/PasswordSynchronization
I think we do that automatically when the agreement is created, but
checking won't hurt.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From SKline at tnsi.com  Fri May 18 15:56:02 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Fri, 18 May 2012 08:56:02 -0700
Subject: [Freeipa-users] Problems with Passsync
In-Reply-To: <4FB667CC.4030002@redhat.com>
References: 
	
	<4FB65DD3.6050007@redhat.com>
	
	<4FB667CC.4030002@redhat.com>
Message-ID: 

Ldapsearch revealed the issue. The documentation in the Integrating AD section says that passsync is in the systemaccounts cn. Ldapsearch revealed it is actually sysaccounts cn. It is successfully binding now. I created a test user, then I logged in as him and changed his password, it took a while but the password was replicated over to FreeIPA and I was able to login using his credentials. Out of curiosity, does PassSync have a set polling period or is it supposed to sync anytime a change is made?

Thanks,
Sara Kline

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Friday, May 18, 2012 8:16 AM
To: Kline, Sara
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Problems with Passsync

On 05/18/2012 09:11 AM, Kline, Sara wrote:
Yes, after installing PassSync I rebooted, and I have not changed any passwords in AD.

If you have not changed any passwords in AD, then the log is correctly reporting "No entries yet"


The bind dn I am using is the one that the documentation says to use which was:
uid=passsync,cn=systemaccounts,cn=etc,dc=prod,dc=example,dc=com. If I do an ipa user-find on this, it comes back empty but I am thinking it's because this is not in with the regular user accounts. Is there a way to verify that the account is there?

ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com uid=passsync



Thanks,
Sara Kline

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Friday, May 18, 2012 7:34 AM
To: Kline, Sara
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Problems with Passsync

On 05/17/2012 04:10 PM, Kline, Sara wrote:
I was able to fix the import issue, and found some special SSL things for Server 2008 when you are wanting to run LDAP/SSL. So Pass Sync is no longer stating SSL may not be set up correctly.
I am running into an issue however. These are the entries in the Pass Sync log file:
PassSync service is running
No entries yet

Did you reboot the AD box after installing PassSync?
Have you changed any passwords in AD?



Ldap bind error in Connect 32: No such object

What is the bind DN you used when you configured PassSync on AD?  Does that DN correspond to a real user DN in IPA?



Can not connect to ldap server in SyncPasswords

Thanks,
Sara Kline

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Kline, Sara
Sent: Thursday, May 17, 2012 11:06 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Problems with Passsync

Replication is working great. When I create/delete an account on the AD server it shows up in FreeIPA, however I can't get Passsync to work. I believe it is working because the last step in the documentation isn't working. When I try to import the certificate, I get this message:
Certutil.exe: "unable to open "C:\Users\Administrator\Documents\ca.crt" for reading (-5950, 2). Any ideas?

Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495












From rmeggins at redhat.com  Fri May 18 16:04:14 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 18 May 2012 10:04:14 -0600
Subject: [Freeipa-users] Problems with Passsync
In-Reply-To: 
References: 
	
	<4FB65DD3.6050007@redhat.com>
	
	<4FB667CC.4030002@redhat.com>
	
Message-ID: <4FB672FE.9090107@redhat.com>

On 05/18/2012 09:56 AM, Kline, Sara wrote:
>
> Ldapsearch revealed the issue. The documentation in the Integrating AD 
> section says that passsync is in the systemaccounts cn. Ldapsearch 
> revealed it is actually sysaccounts cn. It is successfully binding 
> now. I created a test user, then I logged in as him and changed his 
> password, it took a while but the password was replicated over to 
> FreeIPA and I was able to login using his credentials. Out of 
> curiosity, does PassSync have a set polling period or is it supposed 
> to sync anytime a change is made?
>

It is supposed to sync immediately.

> Thanks,
>
> Sara Kline
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Friday, May 18, 2012 8:16 AM
> *To:* Kline, Sara
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Problems with Passsync
>
> On 05/18/2012 09:11 AM, Kline, Sara wrote:
>
> Yes, after installing PassSync I rebooted, and I have not changed any 
> passwords in AD.
>
>
> If you have not changed any passwords in AD, then the log is correctly 
> reporting "No entries yet"
>
>
> The bind dn I am using is the one that the documentation says to use 
> which was:
>
> uid=passsync,cn=systemaccounts,cn=etc,dc=prod,dc=example,dc=com. If I 
> do an ipa user-find on this, it comes back empty but I am thinking it's 
> because this is not in with the regular user accounts. Is there a way 
> to verify that the account is there?
>
>
> ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com 
> uid=passsync
>
>
> Thanks,
>
> Sara Kline
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Friday, May 18, 2012 7:34 AM
> *To:* Kline, Sara
> *Cc:* freeipa-users at redhat.com 
> *Subject:* Re: [Freeipa-users] Problems with Passsync
>
> On 05/17/2012 04:10 PM, Kline, Sara wrote:
>
> I was able to fix the import issue, and found some special SSL things 
> for Server 2008 when you are wanting to run LDAP/SSL. So Pass Sync is 
> no longer stating SSL may not be set up correctly.
>
> I am running into an issue however. These are the entries in the Pass 
> Sync log file:
>
> PassSync service is running
>
> No entries yet
>
>
> Did you reboot the AD box after installing PassSync?
> Have you changed any passwords in AD?
>
>
>
> Ldap bind error in Connect 32: No such object
>
>
> What is the bind DN you used when you configured PassSync on AD?  Does 
> that DN correspond to a real user DN in IPA?
>
>
>
> Can not connect to ldap server in SyncPasswords
>
> Thanks,
>
> Sara Kline
>
> *From:*freeipa-users-bounces at redhat.com 
>  
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Kline, Sara
> *Sent:* Thursday, May 17, 2012 11:06 AM
> *To:* freeipa-users at redhat.com 
> *Subject:* [Freeipa-users] Problems with Passsync
>
> Replication is working great. When I create/delete an account on the 
> AD server it shows up in FreeIPA, however I can't get Passsync to work. 
> I believe it is working because the last step in the documentation 
> isn't working. When I try to import the certificate, I get this message:
>
> Certutil.exe: "unable to open 
> "C:\Users\Administrator\Documents\ca.crt" for reading (-5950, 2). Any 
> ideas?
>
> Sara Kline
>
> System Administrator
>
> Transaction Network Services, Inc
>
> 4501 Intelco Loop, Lacey WA 98503
>
> Wk: (360) 493-6736
>
> Cell: (360) 280-2495
>

From SKline at tnsi.com  Fri May 18 16:06:38 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Fri, 18 May 2012 09:06:38 -0700
Subject: [Freeipa-users] Problems with Passsync
In-Reply-To: <4FB672FE.9090107@redhat.com>
References: 
	
	<4FB65DD3.6050007@redhat.com>
	
	<4FB667CC.4030002@redhat.com>
	
	<4FB672FE.9090107@redhat.com>
Message-ID: 

Good to know, thank you so much for your help. Everything is up and running now!

Thanks,
Sara Kline

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Friday, May 18, 2012 9:04 AM
To: Kline, Sara
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Problems with Passsync

On 05/18/2012 09:56 AM, Kline, Sara wrote:
Ldapsearch revealed the issue. The documentation in the Integrating AD section says that passsync is in the systemaccounts cn. Ldapsearch revealed it is actually sysaccounts cn. It is successfully binding now. I created a test user, then I logged in as him and changed his password, it took a while but the password was replicated over to FreeIPA and I was able to login using his credentials. Out of curiosity, does PassSync have a set polling period or is it supposed to sync anytime a change is made?

It is supposed to sync immediately.



Thanks,
Sara Kline

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Friday, May 18, 2012 8:16 AM
To: Kline, Sara
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Problems with Passsync

On 05/18/2012 09:11 AM, Kline, Sara wrote:
Yes, after installing PassSync I rebooted, and I have not changed any passwords in AD.

If you have not changed any passwords in AD, then the log is correctly reporting "No entries yet"



The bind dn I am using is the one that the documentation says to use which was:
uid=passsync,cn=systemaccounts,cn=etc,dc=prod,dc=example,dc=com. If I do an ipa user-find on this, it comes back empty but I am thinking it's because this is not in with the regular user accounts. Is there a way to verify that the account is there?

ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com uid=passsync




Thanks,
Sara Kline

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Friday, May 18, 2012 7:34 AM
To: Kline, Sara
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Problems with Passsync

On 05/17/2012 04:10 PM, Kline, Sara wrote:
I was able to fix the import issue, and found some special SSL things for Server 2008 when you are wanting to run LDAP/SSL. So Pass Sync is no longer stating SSL may not be set up correctly.
I am running into an issue however. These are the entries in the Pass Sync log file:
PassSync service is running
No entries yet

Did you reboot the AD box after installing PassSync?
Have you changed any passwords in AD?




Ldap bind error in Connect 32: No such object

What is the bind DN you used when you configured PassSync on AD?  Does that DN correspond to a real user DN in IPA?




Can not connect to ldap server in SyncPasswords

Thanks,
Sara Kline

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Kline, Sara
Sent: Thursday, May 17, 2012 11:06 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Problems with Passsync

Replication is working great. When I create/delete an account on the AD server it shows up in FreeIPA, however I can't get Passsync to work. I believe it is working because the last step in the documentation isn't working. When I try to import the certificate, I get this message:
Certutil.exe: "unable to open "C:\Users\Administrator\Documents\ca.crt" for reading (-5950, 2). Any ideas?

Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495


From danieljamesscott at gmail.com  Fri May 18 16:06:57 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 18 May 2012 12:06:57 -0400
Subject: [Freeipa-users] Replication status
In-Reply-To: <4FB65CB2.5000800@redhat.com>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
	
	<4FB65CB2.5000800@redhat.com>
Message-ID: 

On Fri, May 18, 2012 at 10:29 AM, Rich Megginson  wrote:
> On 05/18/2012 08:13 AM, Dan Scott wrote:
>>
>> Hi,
>>
>> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden
>> wrote:
>>>
>>> Rich Megginson wrote:
>>>>
>>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>>>
>>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>>
>>>>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>>>>> to a less privileged account; i.e., an account solely designed to
>>>>>>> check replication status?
>>>>>>
>>>>>> You also need to expose the RUV tombstone entry at the base of each
>>>>>> suffix.
>>>>>
>>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>>>>> any pointers?
>>>>>
>>>>> Cheers,
>>>>> Ian
>>>>>
>>>>
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>>
>>>
>>> We already have some delegated permissions for replication but none
>>> granting
>>> only read access. Off the cuff, something like this might work:
>>>
>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>> changetype: modify
>>> add: aci
>>> aci:
>>>
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>> 3.0; aci "permission:Read Replication Agreements"; allow (read, search,
>>> compare) groupdn = "ldap:///cn=Read Replication
>>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>>
>>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>>> changetype: add
>>> objectClass: top
>>> objectClass: groupofnames
>>> objectClass: ipapermission
>>> cn: Read Replication Agreements
>>> ipapermissiontype: SYSTEM
>>>
>>> Note that you'll need to replace $SUFFIX with your base dn
>>> (dc=example,dc=com).
>>>
>>> This is untested so YMMV. If you find that it works and is useful please
>>> let
>>> us know, maybe we can add this for everyone to enjoy :-)
>>
>> Is it safe to allow anonymous access to read this attribute? I added
>> the following ACI:
>>
>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>> changetype: modify
>> add: aci
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>> 3.0; aci "permission:Read Replication Agreements"; allow (read,
>> search, compare) groupdn = "ldap:///anyone";)
>
>
> It would be better to restrict the list of attributes to only those needed
> by the app e.g. (targetattr="foo || bar || baz || ...")

OK, thanks. I had a look through the available data and I think these
would be best:

nsDS5ReplicaHost||nsds5replicaLastUpdateStatus||nsds5replicaLastUpdateStart||nsds5replicaLastUpdateEnd||nsds5replicaLastInitStart||nsds5replicaLastInitEnd||nsds5replicaUpdateInProgress

>> And I can now get the replication status using an anonymous bind. I
>> also modified the nagios perl script to make an anonymous bind and
>> check the replication status - it's working OK.
>>
>> I don't know if the aci should be a standard feature, option to
>> enable, or just to provide the ldif for anyone who wants it.
>
>
> Sure.  If you think it should be a standard feature, just file a ticket.

OK, will do, once I've figured out a few more things. I want to enable
this for the PKI-CA directory too. I changed the dn to "dn:
cn="o=ipaca",cn=mapping tree,cn=config" and added this to my server on
port 7389. Using targetattr=*, everything works fine, but when I
restrict it to the list of attributes above, I don't get any results.
Is there another attribute I need to add?

Thanks,

Dan

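The check Dan describes, expressed as an added example rather than the thread's or any FreeIPA tool's code: it applies Nagios-style decision logic to exactly the seven attributes listed above, as a monitoring script would read them over the low-privilege search the ACI grants. SAMPLE_LDIF is constructed, and the two forms of nsds5replicaLastUpdateStatus it accepts ("0 Replica acquired successfully: ..." in 389-ds 1.2.x, "Error (0) ..." in later releases) are assumed from the server's conventions, not taken from this page; the one-hour staleness threshold is likewise an assumption.

```python
"""Classify 389-ds replication agreements from ldapsearch LDIF output.

Added example, not code from this thread or from any FreeIPA/389-ds tool.
SAMPLE_LDIF is constructed; the status-string forms and MAX_AGE are
assumptions, not facts from the page.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: three agreement entries as "ldapsearch -x -LLL" would
# print them under cn=replica,cn=<suffix>,cn=mapping tree,cn=config.
SAMPLE_LDIF = r"""
dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaHost: ipa2.example.com
nsds5replicaLastUpdateStart: 20120518160000Z
nsds5replicaLastUpdateEnd: 20120518160001Z
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE

dn: cn=meToipa3.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaHost: ipa3.example.com
nsds5replicaLastUpdateStart: 20120518120000Z
nsds5replicaLastUpdateEnd: 20120518120000Z
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica: error: can't contact LDAP server
nsds5replicaUpdateInProgress: FALSE

dn: cn=meToipa4.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaHost: ipa4.example.com
nsds5replicaLastUpdateStart: 20120518155900Z
nsds5replicaLastUpdateEnd: 20120518155959Z
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: TRUE
"""

# Leading numeric code in either status form; anything non-zero is an error.
STATUS_RE = re.compile(r"^(?:Error\s*\()?(-?\d+)\)?\s*(.*)$")
MAX_AGE = timedelta(hours=1)   # assumption: an agreement idle longer than this is suspect


def parse_ldif(text):
    """Split ldapsearch output into dicts of lowercased attribute -> value.
    Handles the single-valued, unfolded, non-base64 lines this data uses."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep:
                entry[attr.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def status_code(status):
    """Numeric code from nsds5replicaLastUpdateStatus, or None if unparseable."""
    m = STATUS_RE.match(status)
    return int(m.group(1)) if m else None


def parse_gtime(value):
    """LDAP generalized time (YYYYmmddHHMMSSZ) -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(entry, now, max_age=MAX_AGE):
    """Return (level, message) for one agreement; level is OK/WARNING/CRITICAL."""
    host = entry.get("nsds5replicahost", "?")
    status = entry.get("nsds5replicalastupdatestatus", "")
    code = status_code(status)
    if code is None:
        return "WARNING", f"{host}: unparseable status {status!r}"
    if code != 0:
        return "CRITICAL", f"{host}: {status}"
    in_progress = entry.get("nsds5replicaupdateinprogress", "FALSE").upper() == "TRUE"
    stamp = entry.get("nsds5replicalastupdatestart" if in_progress else "nsds5replicalastupdateend")
    if not stamp:
        return "WARNING", f"{host}: no update timestamp"
    when = parse_gtime(stamp)
    if now - when > max_age:
        what = "update running since" if in_progress else "last successful update"
        return "WARNING", f"{host}: {what} {when:%Y-%m-%d %H:%M}Z"
    return "OK", f"{host}: {'update in progress' if in_progress else status}"


def check(ldif_text, now):
    """Aggregate per-agreement results into one Nagios-style verdict."""
    rank = {"OK": 0, "WARNING": 1, "CRITICAL": 2}
    results = [classify(e, now) for e in parse_ldif(ldif_text)]
    worst = max((level for level, _ in results), key=rank.get, default="OK")
    return worst, results


if __name__ == "__main__":
    verdict, details = check(SAMPLE_LDIF, parse_gtime("20120518160500Z"))
    for level, message in details:
        print(f"{level:8} {message}")
    print("overall:", verdict)
```

Run as-is it reports the second agreement as CRITICAL (non-zero status code) and the other two as OK; move the clock a day forward and the two healthy agreements degrade to WARNING because their last activity is older than MAX_AGE. A real plugin would replace SAMPLE_LDIF with the output of the anonymous ldapsearch and keep everything below it.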


From rmeggins at redhat.com  Fri May 18 16:21:06 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 18 May 2012 10:21:06 -0600
Subject: [Freeipa-users] Replication status
In-Reply-To: 
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
	
	<4FB65CB2.5000800@redhat.com>
	
Message-ID: <4FB676F2.7040800@redhat.com>

On 05/18/2012 10:06 AM, Dan Scott wrote:
> On Fri, May 18, 2012 at 10:29 AM, Rich Megginson  wrote:
>> On 05/18/2012 08:13 AM, Dan Scott wrote:
>>> Hi,
>>>
>>> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden
>>>   wrote:
>>>> Rich Megginson wrote:
>>>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>>>
>>>>>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>>>>>> to a less privileged account; i.e., an account solely designed to
>>>>>>>> check replication status?
>>>>>>> You also need to expose the RUV tombstone entry at the base of each
>>>>>>> suffix.
>>>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>>>>>> any pointers?
>>>>>>
>>>>>> Cheers,
>>>>>> Ian
>>>>>>
>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>>>
>>>> We already have some delegated permissions for replication but none
>>>> granting
>>>> only read access. Off the cuff, something like this might work:
>>>>
>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>> changetype: modify
>>>> add: aci
>>>> aci:
>>>>
>>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>>> 3.0; aci "permission:Read Replication Agreements"; allow (read, search,
>>>> compare) groupdn = "ldap:///cn=Read Replication
>>>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>>>
>>>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>>>> changetype: add
>>>> objectClass: top
>>>> objectClass: groupofnames
>>>> objectClass: ipapermission
>>>> cn: Read Replication Agreements
>>>> ipapermissiontype: SYSTEM
>>>>
>>>> Note that you'll need to replace $SUFFIX with your base dn
>>>> (dc=example,dc=com).
>>>>
>>>> This is untested so YMMV. If you find that it works and is useful please
>>>> let
>>>> us know, maybe we can add this for everyone to enjoy :-)
>>> Is it safe to allow anonymous access to read this attribute? I added
>>> the following ACI:
>>>
>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>> changetype: modify
>>> add: aci
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>> 3.0; aci "permission:Read Replication Agreements"; allow (read,
>>> search, compare) groupdn = "ldap:///anyone";)
>>
>> It would be better to restrict the list of attributes to only those needed
>> by the app e.g. (targetattr="foo || bar || baz || ...")
> OK, thanks. I had a look through the available data and I think these
> would be best:
>
> nsDS5ReplicaHost||nsds5replicaLastUpdateStatus||nsds5replicaLastUpdateStart||nsds5replicaLastUpdateEnd||nsds5replicaLastInitStart||nsds5replicaLastInitEnd||nsds5replicaUpdateInProgress
>
>>> And I can now get the replication status using an anonymous bind. I
>>> also modified the nagios perl script to make an anonymous bind and
>>> check the replication status - it's working OK.
>>>
>>> I don't know if the aci should be a standard feature, option to
>>> enable, or just to provide the ldif for anyone who wants it.
>>
>> Sure.  If you think it should be a standard feature, just file a ticket.
> OK, will do, once I've figured out a few more things. I want to enable
> this for the PKI-CA directory too. I changed the dn to "dn:
> cn="o=ipaca",cn=mapping tree,cn=config" and added this to my server on
> port 7389. Using targetattr=*, everything works fine, but when I
> restrict it to the list of attributes above, I don't get any results.
> Is there another attribute I need to add?

Not sure why it would be any different for CA replication . . .

>
> Thanks,
>
> Dan



From danieljamesscott at gmail.com  Fri May 18 16:31:59 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 18 May 2012 12:31:59 -0400
Subject: [Freeipa-users] Replication status
In-Reply-To: <4FB676F2.7040800@redhat.com>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
	
	<4FB65CB2.5000800@redhat.com>
	
	<4FB676F2.7040800@redhat.com>
Message-ID: 

On Fri, May 18, 2012 at 12:21 PM, Rich Megginson  wrote:
> On 05/18/2012 10:06 AM, Dan Scott wrote:
>>
>> On Fri, May 18, 2012 at 10:29 AM, Rich Megginson
>> wrote:
>>>
>>> On 05/18/2012 08:13 AM, Dan Scott wrote:
>>>>
>>>> Hi,
>>>>
>>>> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden
>>>> wrote:
>>>>>
>>>>> Rich Megginson wrote:
>>>>>>
>>>>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>>>>>
>>>>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>>>>
>>>>>>>>> Is there any way to expose the nsDS5ReplicationAgreement
>>>>>>>>> objectClass
>>>>>>>>> to a less privileged account; i.e., an account solely designed to
>>>>>>>>> check replication status?
>>>>>>>>
>>>>>>>> You also need to expose the RUV tombstone entry at the base of each
>>>>>>>> suffix.
>>>>>>>
>>>>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>>>>>>> any pointers?
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Ian
>>>>>>>
>>>>>>
>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>>>>
>>>>>
>>>>> We already have some delegated permissions for replication but none
>>>>> granting
>>>>> only read access. Off the cuff, something like this might work:
>>>>>
>>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>>> changetype: modify
>>>>> add: aci
>>>>> aci:
>>>>>
>>>>>
>>>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>>>> 3.0; aci "permission:Read Replication Agreements"; allow (read, search,
>>>>> compare) groupdn = "ldap:///cn=Read Replication
>>>>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>>>>
>>>>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>>>>> changetype: add
>>>>> objectClass: top
>>>>> objectClass: groupofnames
>>>>> objectClass: ipapermission
>>>>> cn: Read Replication Agreements
>>>>> ipapermissiontype: SYSTEM
>>>>>
>>>>> Note that you'll need to replace $SUFFIX with your base dn
>>>>> (dc=example,dc=com).
>>>>>
>>>>> This is untested so YMMV. If you find that it works and is useful
>>>>> please
>>>>> let
>>>>> us know, maybe we can add this for everyone to enjoy :-)
>>>>
>>>> Is it safe to allow anonymous access to read this attribute? I added
>>>> the following ACI:
>>>>
>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>> changetype: modify
>>>> add: aci
>>>> aci:
>>>>
>>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>>> 3.0; aci "permission:Read Replication Agreements"; allow (read,
>>>> search, compare) groupdn = "ldap:///anyone";)
>>>
>>>
>>> It would be better to restrict the list of attributes to only those
>>> needed
>>> by the app e.g. (targetattr="foo || bar || baz || ...")
>>
>> OK, thanks. I had a look through the available data and I think these
>> would be best:
>>
>>
>> nsDS5ReplicaHost||nsds5replicaLastUpdateStatus||nsds5replicaLastUpdateStart||nsds5replicaLastUpdateEnd||nsds5replicaLastInitStart||nsds5replicaLastInitEnd||nsds5replicaUpdateInProgress
>>
>>>> And I can now get the replication status using an anonymous bind. I
>>>> also modified the nagios perl script to make an anonymous bind and
>>>> check the replication status - it's working OK.
>>>>
>>>> I don't know if the aci should be a standard feature, option to
>>>> enable, or just to provide the ldif for anyone who wants it.
>>>
>>>
>>> Sure.  If you think it should be a standard feature, just file a ticket.
>>
>> OK, will do, once I've figured out a few more things. I want to enable
>> this for the PKI-CA directory too. I changed the dn to "dn:
>> cn="o=ipaca",cn=mapping tree,cn=config" and added this to my server on
>> port 7389. Using targetattr=*, everything works fine, but when I
>> restrict it to the list of attributes above, I don't get any results.
>> Is there another attribute I need to add?
>
>
> Not sure why it would be any different for CA replication . . .

Sorry, I wasn't clear. The difference isn't between CA and main, it's
between restricting to (targetattr="nsDS5ReplicaHost||.....) and
(targetattr=*). If I add the targetattr=* to the CA dirsrv, it works
fine. Neither work when I restrict to particular attributes.

Thanks,

Dan



From rmeggins at redhat.com  Fri May 18 16:38:46 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 18 May 2012 10:38:46 -0600
Subject: [Freeipa-users] Replication status
In-Reply-To: 
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
	
	<4FB65CB2.5000800@redhat.com>
	
	<4FB676F2.7040800@redhat.com>
	
Message-ID: <4FB67B16.6060108@redhat.com>

On 05/18/2012 10:31 AM, Dan Scott wrote:
> On Fri, May 18, 2012 at 12:21 PM, Rich Megginson  wrote:
>> On 05/18/2012 10:06 AM, Dan Scott wrote:
>>> On Fri, May 18, 2012 at 10:29 AM, Rich Megginson
>>>   wrote:
>>>> On 05/18/2012 08:13 AM, Dan Scott wrote:
>>>>> Hi,
>>>>>
>>>>> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden
>>>>>   wrote:
>>>>>> Rich Megginson wrote:
>>>>>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>>>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>>>>>
>>>>>>>>>> Is there any way to expose the nsDS5ReplicationAgreement
>>>>>>>>>> objectClass
>>>>>>>>>> to a less privileged account; i.e., an account solely designed to
>>>>>>>>>> check replication status?
>>>>>>>>> You also need to expose the RUV tombstone entry at the base of each
>>>>>>>>> suffix.
>>>>>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>>>>>>>> any pointers?
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Ian
>>>>>>>>
>>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>>>>>
>>>>>> We already have some delegated permissions for replication but none
>>>>>> granting
>>>>>> only read access. Off the cuff, something like this might work:
>>>>>>
>>>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>>>> changetype: modify
>>>>>> add: aci
>>>>>> aci:
>>>>>>
>>>>>>
>>>>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>>>>> 3.0; aci "permission:Read Replication Agreements"; allow (read, search,
>>>>>> compare) groupdn = "ldap:///cn=Read Replication
>>>>>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>>>>>
>>>>>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>>>>>> changetype: add
>>>>>> objectClass: top
>>>>>> objectClass: groupofnames
>>>>>> objectClass: ipapermission
>>>>>> cn: Read Replication Agreements
>>>>>> ipapermissiontype: SYSTEM
>>>>>>
>>>>>> Note that you'll need to replace $SUFFIX with your base dn
>>>>>> (dc=example,dc=com).
>>>>>>
>>>>>> This is untested so YMMV. If you find that it works and is useful
>>>>>> please
>>>>>> let
>>>>>> us know, maybe we can add this for everyone to enjoy :-)
>>>>> Is it safe to allow anonymous access to read this attribute? I added
>>>>> the following ACI:
>>>>>
>>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>>> changetype: modify
>>>>> add: aci
>>>>> aci:
>>>>>
>>>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>>>> 3.0; aci "permission:Read Replication Agreements"; allow (read,
>>>>> search, compare) groupdn = "ldap:///anyone";)
>>>>
>>>> It would be better to restrict the list of attributes to only those
>>>> needed
>>>> by the app e.g. (targetattr="foo || bar || baz || ...")
>>> OK, thanks. I had a look through the available data and I think these
>>> would be best:
>>>
>>>
>>> nsDS5ReplicaHost||nsds5replicaLastUpdateStatus||nsds5replicaLastUpdateStart||nsds5replicaLastUpdateEnd||nsds5replicaLastInitStart||nsds5replicaLastInitEnd||nsds5replicaUpdateInProgress
>>>
>>>>> And I can now get the replication status using an anonymous bind. I
>>>>> also modified the nagios perl script to make an anonymous bind and
>>>>> check the replication status - it's working OK.
>>>>>
>>>>> I don't know if the aci should be a standard feature, option to
>>>>> enable, or just to provide the ldif for anyone who wants it.
>>>>
>>>> Sure.  If you think it should be a standard feature, just file a ticket.
>>> OK, will do, once I've figured out a few more things. I want to enable
>>> this for the PKI-CA directory too. I changed the dn to "dn:
>>> cn="o=ipaca",cn=mapping tree,cn=config" and added this to my server on
>>> port 7389. Using targetattr=*, everything works fine, but when I
>>> restrict it to the list of attributes above, I don't get any results.
>>> Is there another attribute I need to add?
>>
>> Not sure why it would be any different for CA replication . . .
> Sorry, I wasn't clear. The difference isn't between CA and main, it's
> between restricting to (targetattr="nsDS5ReplicaHost||.....) and
> (targetattr=*). If I add the targetattr=* to the CA dirsrv, it works
> fine. Neither work when I restrict to particular attributes.

If you look at the access log it should tell you which attributes it is 
searching for.

>
> Thanks,
>
> Dan


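An added example (not code from the thread or from 389-ds) of the comparison Rich's access-log hint points at. 389-ds grants an entry to a search only if the bind DN has search rights on every attribute the search filter references and read rights on the attributes it asks for; the restricted targetattr list above covers the seven status attributes but not objectclass, which is what the monitoring filter (objectclass=nsds5replicationagreement) tests, so matching entries are withheld without any error. The script parses the (targetattr=...) clause of the ACI strings quoted in the thread, extracts the attribute names from the filter, and reports the gap; targetfilter, targattrfilters, deny rules, "targetattr!=" and interaction between several ACIs are outside its model, and nothing here contacts a server. Widening the list by the missing attribute is the right remedy rather than falling back to (targetattr=*): agreement entries also carry nsDS5ReplicaBindDN and nsDS5ReplicaCredentials, and a wildcard bound to ldap:///anyone hands those to anonymous clients along with the status fields.

```python
"""Pre-flight check of an ACI's targetattr list against a client's search.

Added example, not code from this thread or from 389-ds itself. It models
one rule of 389-ds ACI evaluation (search rights on filter attributes, read
rights on requested attributes); everything else about ACI processing is
out of scope.
"""
import re

TARGETATTR_RE = re.compile(r'\(targetattr\s*=\s*"?([^")]+)"?\)')
# Attribute name in front of =, ~=, >=, <= inside a filter item.
FILTER_ATTR_RE = re.compile(r'\(([A-Za-z][\w.;-]*)\s*[~<>]?=')

# From the thread: the attribute list Dan proposed and the filter the
# monitoring search uses (also the ACI's own targetfilter).
PROPOSED_ATTRS = ("nsDS5ReplicaHost||nsds5replicaLastUpdateStatus||"
                  "nsds5replicaLastUpdateStart||nsds5replicaLastUpdateEnd||"
                  "nsds5replicaLastInitStart||nsds5replicaLastInitEnd||"
                  "nsds5replicaUpdateInProgress")
MONITOR_FILTER = ("(|(objectclass=nsds5replicationagreement)"
                  "(objectclass=nsDSWindowsReplicationAgreement))")
MONITOR_ATTRS = PROPOSED_ATTRS.split("||")

ACI_TAIL = ('(targetfilter="%s")(version 3.0; aci "permission:Read Replication '
            'Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";)'
            % MONITOR_FILTER)
ACI_WILDCARD = "(targetattr=*)" + ACI_TAIL
ACI_RESTRICTED = '(targetattr="%s")' % PROPOSED_ATTRS + ACI_TAIL


def targetattrs(aci):
    """Attribute names granted by the ACI's targetattr clause, lowercased.
    A result containing '*' means every attribute."""
    m = TARGETATTR_RE.search(aci)
    if not m:
        raise ValueError("ACI has no targetattr clause")
    return {a.strip().lower() for a in m.group(1).split("||")}


def filter_attrs(ldap_filter):
    """Attribute names an RFC 4515 filter string references, lowercased."""
    return {a.lower() for a in FILTER_ATTR_RE.findall(ldap_filter)}


def missing_rights(aci, ldap_filter, requested):
    """Attributes the search needs (filter + requested) that the ACI omits."""
    granted = targetattrs(aci)
    if "*" in granted:
        return set()
    needed = filter_attrs(ldap_filter) | {a.lower() for a in requested}
    return needed - granted


def widen_targetattr(aci, extra):
    """Return a copy of the ACI with the given attributes appended to targetattr,
    the minimal change that lets the filter match without falling back to '*'."""
    def repl(m):
        attrs = [a.strip() for a in m.group(1).split("||")] + sorted(extra)
        return '(targetattr="%s")' % " || ".join(attrs)
    return TARGETATTR_RE.sub(repl, aci, count=1)


if __name__ == "__main__":
    gap = missing_rights(ACI_RESTRICTED, MONITOR_FILTER, MONITOR_ATTRS)
    print("restricted ACI withholds results; missing:", sorted(gap))
    fixed = widen_targetattr(ACI_RESTRICTED, gap)
    print("after widening:", sorted(missing_rights(fixed, MONITOR_FILTER, MONITOR_ATTRS)))
    print(fixed)
```

Against the thread's ACI the gap is exactly {"objectclass"}; the same check passes for the wildcard ACI, which is why (targetattr=*) "worked" for both the main and the CA instance. To confirm on a live server, compare the "filter=" and "attrs=" fields of the SRCH line in the 389-ds access log with the widened list before loading the LDIF.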

From ilf at ilf.me  Fri May 18 16:37:28 2012
From: ilf at ilf.me (iliyan ilf Stoyanov)
Date: Fri, 18 May 2012 19:37:28 +0300
Subject: [Freeipa-users] FreeIPA v2.2.0 on F17 not starting
In-Reply-To: <4FB656E4.80502@redhat.com>
References: <1337289212.24421.16.camel@tablet> <4FB5733C.8010303@redhat.com>
	<4FB656E4.80502@redhat.com>
Message-ID: <1337359048.1878.5.camel@Nokia-N900>

Hi,

I solved the problem by downgrading the 389-ds-base from the one that comes with F17 - 1.2.11.3-1 to the one that comes with F16. I essentially did a rpmbuild --rebuild of the 1.2.10.8-1 srpm. Right now everything seems fine. It seems freeipa doesn't work ok with the 1.2.11 tree of 389-ds.

Br,
--ilf

On Fri May 18 2012 05:04:20 PM EEST, Rob Crittenden  wrote:

> Rich Megginson wrote:
> > On 05/17/2012 03:13 PM, Iliyan Stoyanov wrote:
> > > Hello,
> > > 
> > > I'm running latest (as of today) F17 with FreeIPA v.2.2.0. After
> > > running ipa-server-install everything runs alright and IPA is running
> > > fine. 389, kerberos and the rest of the components start up fine.
> > > However after reboot of the machine IPA doesn't want to start,
> > > systemctl status ipa.service reports:
> > > 
> > > ipa.service - Identity, Policy, Audit
> > > Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
> > > Active: failed (Result: exit-code) since Thu, 17 May 2012 23:17:42
> > > +0300; 6min ago
> > > Process: 567 ExecStart=/usr/sbin/ipactl start (code=exited,
> > > status=1/FAILURE)
> > > CGroup: name=systemd:/system/ipa.service
> > > 
> > > May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Failed to
> > > read data from Directory Service: Unknown error when retrieving list
> > > of services from LDAP: [Errno 111] Connection refused
> > > May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Shutting
> > > down May 17 23:17:41 cerberus.intra.evilpuppy.bg ipactl[567]:
> > > Starting Directory Service
> > > 
> > > and ipactl start just repeats the error:
> > > 
> > > ipactl start
> > > Starting Directory Service
> > > Failed to read data from Directory Service: Unknown error when
> > > retrieving list of services from LDAP: [Errno 111] Connection refused
> > > Shutting down
> > > 
> > > If I start ns-slapd by hand with ns-slapd -D
> > > /etc/dirsrv/slapd-PKI-IPA && ns-slapd -D /etc/dirsrv/slapd-MYREALM,
> > > slapd starts, however the MYREALM instance throws
> > > 
> > > etc/dirsrv/slapd-MYREALM/dse.ldif: nsslapd-maxdescriptors:
> > > nsslapd-maxdescriptors: invalid value "8192", maximum file
> > > descriptors must range from 1 to 4096 (the current process limit).
> > > Server will use a setting of 4096.
> > > [17/May/2012:23:25:29 +0300] - Config Warning: -
> > > nsslapd-maxdescriptors: invalid value "8192", maximum file
> > > descriptors must range from 1 to 4096 (the current process limit).
> > > Server will use a setting of 4096.
> > > 
> > > which however is not a big problem, but it seems ns-slapd doesn't
> > > care about the limits that are set up in limits.conf.
> > 
> > It cares, but the systemd conf file must also specify NOFILES=8192
> > 
> > > 
> > > after starting the directory server I again try with systemctl start
> > > ipa.service and the result this time is:
> > > 
> > > ipa.service - Identity, Policy, Audit
> > > Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
> > > Active: failed (Result: exit-code) since Thu, 17 May 2012 23:28:02
> > > +0300; 25s ago
> > > Process: 942 ExecStart=/usr/sbin/ipactl start (code=exited,
> > > status=1/FAILURE)
> > > CGroup: name=systemd:/system/ipa.service
> > > 
> > > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Job failed.
> > > See system journal and 'systemctl status' for details.
> > > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Failed to
> > > start KDC Service
> > > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Shutting
> > > down May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]:
> > > Aborting ipactl May 17 23:28:02 cerberus.intra.evilpuppy.bg
> > > ipactl[942]: Starting Directory Service
> > > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting KDC
> > > Service
> > > 
> > > the /var/log/krb5kdc.log reports:
> > > 
> > > rb5kdc: Server error - while fetching master key K/M for realm
> > > MYREALM May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](debug):
> > > Got signal to request exit
> > > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
> > > down fd 9
> > > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
> > > down fd 10
> > > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
> > > down fd 8
> > > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
> > > down fd 7
> > > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): shutting
> > > down krb5kdc: Server error - while fetching master key K/M for realm
> > > MYREALM
> > > 
> > > From what I get from the kdc.conf file in /var/kerberos/krb5kdc it
> > > seems like the files
> > > pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> > > pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> > > are missing in that path, however I don't really know what should
> > > generate those pem certs. From my very basic understanding of how IPA
> > > works I assume that is dogtag's job, and again I assume ipactl
> > > start/systemctl start ipa.service probably should take care of that,
> > > however this doesn't happen.
> > > 
> > > So any help with this issue is welcome. I can go for LDAP/KRB setup
> > > to use on my virtual/physical machines, however if going down the
> > > krb/LDAP route I think IPA would be far better to support in the
> > > long run.
> > > 
> > > If that might be some help, I'm running x86_64 F17 inside Xen domU.
> > > The host is Fedora 17 Dom0 with a bunch of other CentOS6.2 and
> > > NetBSD6 DomU.
> > > 
> > > I have the exact same situation also with FreeIPA built from git. The
> > > packages from git are version 2.99:
> > > 
> > > freeipa-server-selinux-2.99.0GIT46c6ff6-0.fc17.x86_64
> > > freeipa-python-2.99.0GIT46c6ff6-0.fc17.x86_64
> > > freeipa-admintools-2.99.0GIT46c6ff6-0.fc17.x86_64
> > > freeipa-server-2.99.0GIT46c6ff6-0.fc17.x86_64
> > > freeipa-client-2.99.0GIT46c6ff6-0.fc17.x86_64
> > > 
> > > the 2.2.0 version I also ran was the one in F17.
> > > 
> > > Thanks in advance,
> > > BR
> > > ilf
> 
> It could be a timeout problem. ipactl starts the dirsrv instance to get 
> the list of services it needs to start. If this connect fails it would 
> behave this way. If you look in /usr/sbin/ipactl you'll see a 6 second 
> timeout. I'd try bumping that up to a higher value.
> 
> rob

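Rich's point in the quoted reply, that ns-slapd honours the open-files limit it actually inherits from systemd rather than what limits.conf says, is easy to verify before a restart. What follows is an added example, not code from the thread or from 389-ds: it compares nsslapd-maxdescriptors in an instance's dse.ldif with the "Max open files" soft limit of the running ns-slapd as reported by /proc/<pid>/limits, which is the comparison behind the "current process limit" warning in the log above. The inputs are constructed stand-ins and the function names are mine; the unit directive it points at, LimitNOFILE=, is systemd's setting for the open-files limit of a service.

```python
"""Added example (not from the thread): compare the nsslapd-maxdescriptors
value configured in a 389-ds instance's dse.ldif with the open-files limit
of the running ns-slapd process, so the "invalid value ... (the current
process limit)" warning can be predicted before a restart."""
import re

# Constructed excerpt of a dse.ldif cn=config entry (only the attributes that matter here).
DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-maxdescriptors: 8192
nsslapd-reservedescriptors: 64
"""

# Constructed /proc/<pid>/limits excerpt showing the 4096 limit from the post.
PROC_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max open files            4096                 4096                 files
Max processes             unlimited            unlimited            processes
"""


def configured_maxdescriptors(dse_text):
    """nsslapd-maxdescriptors from dse.ldif, or None if it is not set.

    LDIF can fold long lines, but this attribute is a short integer, so a
    single-line match is sufficient."""
    m = re.search(r'^nsslapd-maxdescriptors:\s*(\d+)\s*$', dse_text,
                  re.MULTILINE | re.IGNORECASE)
    return int(m.group(1)) if m else None


def process_open_files_limit(limits_text):
    """Soft 'Max open files' limit from /proc/<pid>/limits; None if unlimited or absent."""
    m = re.search(r'^Max open files\s+(\S+)\s+(\S+)', limits_text, re.MULTILINE)
    if not m or m.group(1) == "unlimited":
        return None
    return int(m.group(1))


def check_fd_limits(dse_text, limits_text):
    """Return (effective_limit, problem).

    effective_limit is what ns-slapd will actually use: the configured value
    when it fits, otherwise the process limit it falls back to (as the warning
    in the thread says). problem is None when the configuration is consistent."""
    want = configured_maxdescriptors(dse_text)
    have = process_open_files_limit(limits_text)
    if want is None:
        return None, "nsslapd-maxdescriptors not set"
    if have is None or have >= want:
        return want, None
    return have, ("nsslapd-maxdescriptors %d exceeds the process limit %d; ns-slapd "
                  "will fall back to %d. Raise LimitNOFILE= in the dirsrv systemd unit; "
                  "limits.conf is applied by PAM and does not reach systemd services."
                  % (want, have, have))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: script.py /etc/dirsrv/slapd-INSTANCE/dse.ldif <ns-slapd pid>
        with open(sys.argv[1]) as f:
            dse = f.read()
        with open("/proc/%s/limits" % sys.argv[2]) as f:
            limits = f.read()
    else:
        dse, limits = DSE_LDIF, PROC_LIMITS  # constructed demo inputs
    effective, problem = check_fd_limits(dse, limits)
    print("effective descriptor limit:", effective)
    print(problem or "OK: configured value fits within the process limit")
```

Run without arguments it reproduces the mismatch from the post (8192 configured, 4096 available); with a dse.ldif path and the ns-slapd PID it checks a live instance.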

From rcritten at redhat.com  Fri May 18 17:24:35 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 May 2012 13:24:35 -0400
Subject: [Freeipa-users] FreeIPA v2.2.0 on F17 not starting
In-Reply-To: <1337359048.1878.5.camel@Nokia-N900>
References: <1337289212.24421.16.camel@tablet> <4FB5733C.8010303@redhat.com>
	<4FB656E4.80502@redhat.com> <1337359048.1878.5.camel@Nokia-N900>
Message-ID: <4FB685D3.2050000@redhat.com>

iliyan ilf Stoyanov wrote:
> Hi,
>
> I solved the problem by downgrading 389-ds-base from the one that
> comes with F17, 1.2.11.3-1, to the one that comes with F16. I
> essentially did an rpmbuild --rebuild of the 1.2.10.8-1 SRPM. Right now
> everything seems fine. It seems FreeIPA doesn't work OK with the 1.2.11
> tree of 389-ds.
>

The 1.2.11 release has a number of problems with IPA that the 389-ds team is 
working hard to resolve.

rob

> Br,
> --ilf
>
> On Fri May 18 2012 05:04:20 PM EEST, Rob Crittenden  > wrote:
>
>  > Rich Megginson wrote:
>  > > On 05/17/2012 03:13 PM, Iliyan Stoyanov wrote:
>  > > > Hello,
>  > > >
>  > > > I'm running the latest (as of today) F17 with FreeIPA v.2.2.0. After
>  > > > running ipa-server-install everything runs alright and IPA is
> running
>  > > > fine. 389, kerberos and the rest of the components start up fine.
>  > > > However after reboot of the machine IPA doesn't want to start,
>  > > > systemctl status ipa.service reports:
>  > > >
>  > > > ipa.service - Identity, Policy, Audit
>  > > > Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
>  > > > Active: failed (Result: exit-code) since Thu, 17 May 2012 23:17:42
>  > > > +0300; 6min ago
>  > > > Process: 567 ExecStart=/usr/sbin/ipactl start (code=exited,
>  > > > status=1/FAILURE)
>  > > > CGroup: name=systemd:/system/ipa.service
>  > > >
>  > > > May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Failed to
>  > > > read data from Directory Service: Unknown error when retrieving list
>  > > > of services from LDAP: [Errno 111] Connection refused
>  > > > May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Shutting
>  > > > down May 17 23:17:41 cerberus.intra.evilpuppy.bg ipactl[567]:
>  > > > Starting Directory Service
>  > > >
>  > > > and ipactl start just repeats the error:
>  > > >
>  > > > ipactl start
>  > > > Starting Directory Service
>  > > > Failed to read data from Directory Service: Unknown error when
>  > > > retrieving list of services from LDAP: [Errno 111] Connection
> refused
>  > > > Shutting down
>  > > >
>  > > > If I start ns-slapd by hand with ns-slapd -D
>  > > > /etc/dirsrv/slapd-PKI-IPA && ns-slapd -D /etc/dirsrv/slapd-MYREALM,
>  > > > slapd starts, however the MYREALM instance throws
>  > > >
>  > > > etc/dirsrv/slapd-MYREALM/dse.ldif: nsslapd-maxdescriptors:
>  > > > nsslapd-maxdescriptors: invalid value "8192", maximum file
>  > > > descriptors must range from 1 to 4096 (the current process limit).
>  > > > Server will use a setting of 4096.
>  > > > [17/May/2012:23:25:29 +0300] - Config Warning: -
>  > > > nsslapd-maxdescriptors: invalid value "8192", maximum file
>  > > > descriptors must range from 1 to 4096 (the current process limit).
>  > > > Server will use a setting of 4096.
>  > > >
>  > > > which however is not a big problem, but it seems ns-slapd doesn't
>  > > > care about the limits that are set up in limits.conf.
>  > >
>  > > It cares, but the systemd conf file must also specify NOFILES=8192
>  > >
>  > > >
>  > > > after starting the directory server I again try with systemctl start
>  > > > ipa.service and the result this time is:
>  > > >
>  > > > ipa.service - Identity, Policy, Audit
>  > > > Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
>  > > > Active: failed (Result: exit-code) since Thu, 17 May 2012 23:28:02
>  > > > +0300; 25s ago
>  > > > Process: 942 ExecStart=/usr/sbin/ipactl start (code=exited,
>  > > > status=1/FAILURE)
>  > > > CGroup: name=systemd:/system/ipa.service
>  > > >
>  > > > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Job failed.
>  > > > See system journal and 'systemctl status' for details.
>  > > > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Failed to
>  > > > start KDC Service
>  > > > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Shutting
>  > > > down May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]:
>  > > > Aborting ipactl May 17 23:28:02 cerberus.intra.evilpuppy.bg
>  > > > ipactl[942]: Starting Directory Service
>  > > > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting
> KDC
>  > > > Service
>  > > >
>  > > > the /var/log/krb5kdc.log reports:
>  > > >
>  > > > rb5kdc: Server error - while fetching master key K/M for realm
>  > > > MYREALM May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](debug):
>  > > > Got signal to request exit
>  > > > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
>  > > > down fd 9
>  > > > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
>  > > > down fd 10
>  > > > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
>  > > > down fd 8
>  > > > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
>  > > > down fd 7
>  > > > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): shutting
>  > > > down krb5kdc: Server error - while fetching master key K/M for realm
>  > > > MYREALM
>  > > >
>  > > > From what I get from the kdc.conf file in /var/kerberos/krb5kdc it
>  > > > seems like the files
>  > > > pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
>  > > > pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>  > > > are missing in that path, however I don't really know what should
>  > > > generate those pem certs. From my very basic understanding of how
> IPA
>  > > > works I assume that is dogtag's job, and again I assume ipactl
>  > > > start/systemctl start ipa.service probably should take care of that,
>  > > > however this doesn't happen.
>  > > >
>  > > > So any help with this issue is welcome. I can go for LDAP/KRB setup
>  > > > to use on my virtual/physical machines, however if going down the
>  > > > krb/LDAP route I think IPA would be far better to support in the
>  > > > long run.
>  > > >
>  > > > If that might be some help, I'm running x86_64 F17 inside Xen domU.
>  > > > The host is Fedora 17 Dom0 with a bunch of other CentOS6.2 and
>  > > > NetBSD6 DomU.
>  > > >
>  > > > I have the exact same situation also with FreeIPA built from git.
> The
>  > > > packages from git are version 2.99:
>  > > >
>  > > > freeipa-server-selinux-2.99.0GIT46c6ff6-0.fc17.x86_64
>  > > > freeipa-python-2.99.0GIT46c6ff6-0.fc17.x86_64
>  > > > freeipa-admintools-2.99.0GIT46c6ff6-0.fc17.x86_64
>  > > > freeipa-server-2.99.0GIT46c6ff6-0.fc17.x86_64
>  > > > freeipa-client-2.99.0GIT46c6ff6-0.fc17.x86_64
>  > > >
>  > > > the 2.2.0 version I also ran was the one in F17.
>  > > >
>  > > > Thanks in advance,
>  > > > BR
>  > > > ilf
>  >
>  > It could be a timeout problem. ipactl starts the dirsrv instance to get
>  > the list of services it needs to start. If this connect fails it would
>  > behave this way. If you look in /usr/sbin/ipactl you'll see a 6 second
>  > timeout. I'd try bumping that up to a higher value.
>  >
>  > rob
>



From danieljamesscott at gmail.com  Fri May 18 17:46:32 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 18 May 2012 13:46:32 -0400
Subject: [Freeipa-users] Replication status
In-Reply-To: <4FB67B16.6060108@redhat.com>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
	
	<4FB65CB2.5000800@redhat.com>
	
	<4FB676F2.7040800@redhat.com>
	
	<4FB67B16.6060108@redhat.com>
Message-ID: 

On Fri, May 18, 2012 at 12:38 PM, Rich Megginson  wrote:
> On 05/18/2012 10:31 AM, Dan Scott wrote:
>>
>> On Fri, May 18, 2012 at 12:21 PM, Rich Megginson
>> wrote:
>>>
>>> On 05/18/2012 10:06 AM, Dan Scott wrote:
>>>>
>>>> On Fri, May 18, 2012 at 10:29 AM, Rich Megginson
>>>> wrote:
>>>>>
>>>>> On 05/18/2012 08:13 AM, Dan Scott wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden
>>>>>> wrote:
>>>>>>>
>>>>>>> Rich Megginson wrote:
>>>>>>>>
>>>>>>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>>>>>>>
>>>>>>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>>>>>>
>>>>>>>>>>> Is there any way to expose the nsDS5ReplicationAgreement
>>>>>>>>>>> objectClass
>>>>>>>>>>> to a less privileged account; i.e., an account solely designed to
>>>>>>>>>>> check replication status?
>>>>>>>>>>
>>>>>>>>>> You also need to expose the RUV tombstone entry at the base of
>>>>>>>>>> each
>>>>>>>>>> suffix.
>>>>>>>>>
>>>>>>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA
>>>>>>>>> before;
>>>>>>>>> any pointers?
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Ian
>>>>>>>>>
>>>>>>>>
>>>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>>>>>>
>>>>>>>
>>>>>>> We already have some delegated permissions for replication but none
>>>>>>> granting
>>>>>>> only read access. Off the cuff, something like this might work:
>>>>>>>
>>>>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>>>>> changetype: modify
>>>>>>> add: aci
>>>>>>> aci:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>>>>>> 3.0; aci "permission:Read Replication Agreements"; allow (read,
>>>>>>> search,
>>>>>>> compare) groupdn = "ldap:///cn=Read Replication
>>>>>>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>>>>>>
>>>>>>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>>>>>>> changetype: add
>>>>>>> objectClass: top
>>>>>>> objectClass: groupofnames
>>>>>>> objectClass: ipapermission
>>>>>>> cn: Read Replication Agreements
>>>>>>> ipapermissiontype: SYSTEM
>>>>>>>
>>>>>>> Note that you'll need to replace $SUFFIX with your base dn
>>>>>>> (dc=example,dc=com).
>>>>>>>
>>>>>>> This is untested so YMMV. If you find that it works and is useful
>>>>>>> please
>>>>>>> let
>>>>>>> us know, maybe we can add this for everyone to enjoy :-)
>>>>>>
>>>>>> Is it safe to allow anonymous access to read this attribute? I added
>>>>>> the following ACI:
>>>>>>
>>>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>>>> changetype: modify
>>>>>> add: aci
>>>>>> aci:
>>>>>>
>>>>>>
>>>>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>>>>> 3.0; aci "permission:Read Replication Agreements"; allow (read,
>>>>>> search, compare) groupdn = "ldap:///anyone";)
>>>>>
>>>>>
>>>>> It would be better to restrict the list of attributes to only those
>>>>> needed
>>>>> by the app e.g. (targetattr="foo || bar || baz || ...")
>>>>
>>>> OK, thanks. I had a look through the available data and I think these
>>>> would be best:
>>>>
>>>>
>>>>
>>>> nsDS5ReplicaHost||nsds5replicaLastUpdateStatus||nsds5replicaLastUpdateStart||nsds5replicaLastUpdateEnd||nsds5replicaLastInitStart||nsds5replicaLastInitEnd||nsds5replicaUpdateInProgress
>>>>
>>>>>> And I can now get the replication status using an anonymous bind. I
>>>>>> also modified the nagios perl script to make an anonymous bind and
>>>>>> check the replication status - it's working OK.
>>>>>>
>>>>>> I don't know if the aci should be a standard feature, option to
>>>>>> enable, or just to provide the ldif for anyone who wants it.
>>>>>
>>>>>
>>>>> Sure. If you think it should be a standard feature, just file a
>>>>> ticket.
>>>>
>>>> OK, will do, once I've figured out a few more things. I want to enable
>>>> this for the PKI-CA directory too. I changed the dn to "dn:
>>>> cn="o=ipaca",cn=mapping tree,cn=config" and added this to my server on
>>>> port 7389. Using targetattr=*, everything works fine, but when I
>>>> restrict it to the list of attributes above, I don't get any results.
>>>> Is there another attribute I need to add?
>>>
>>>
>>> Not sure why it would be any different for CA replication . . .
>>
>> Sorry, I wasn't clear. The difference isn't between CA and main, it's
>> between restricting to (targetattr="nsDS5ReplicaHost||.....) and
>> (targetattr=*). If I add the targetattr=* to the CA dirsrv, it works
>> fine. Neither works when I restrict to particular attributes.
>
>
> If you look at the access log it should tell you which attributes it is
> searching for.

Nothing shows up in the log. Does it show failed access attempts by default?



From rmeggins at redhat.com  Fri May 18 17:52:05 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 18 May 2012 11:52:05 -0600
Subject: [Freeipa-users] Replication status
In-Reply-To: 
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
	
	<4FB65CB2.5000800@redhat.com>
	
	<4FB676F2.7040800@redhat.com>
	
	<4FB67B16.6060108@redhat.com>
	
Message-ID: <4FB68C45.1020306@redhat.com>

On 05/18/2012 11:46 AM, Dan Scott wrote:
> On Fri, May 18, 2012 at 12:38 PM, Rich Megginson  wrote:
>> On 05/18/2012 10:31 AM, Dan Scott wrote:
>>> On Fri, May 18, 2012 at 12:21 PM, Rich Megginson
>>>   wrote:
>>>> On 05/18/2012 10:06 AM, Dan Scott wrote:
>>>>> On Fri, May 18, 2012 at 10:29 AM, Rich Megginson
>>>>>   wrote:
>>>>>> On 05/18/2012 08:13 AM, Dan Scott wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden
>>>>>>>   wrote:
>>>>>>>> Rich Megginson wrote:
>>>>>>>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>>>>>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>>>>>>>
>>>>>>>>>>>> Is there any way to expose the nsDS5ReplicationAgreement
>>>>>>>>>>>> objectClass
>>>>>>>>>>>> to a less privileged account; i.e., an account solely designed to
>>>>>>>>>>>> check replication status?
>>>>>>>>>>> You also need to expose the RUV tombstone entry at the base of
>>>>>>>>>>> each
>>>>>>>>>>> suffix.
>>>>>>>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA
>>>>>>>>>> before;
>>>>>>>>>> any pointers?
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> Ian
>>>>>>>>>>
>>>>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>>>>>>>
>>>>>>>> We already have some delegated permissions for replication but none
>>>>>>>> granting
>>>>>>>> only read access. Off the cuff, something like this might work:
>>>>>>>>
>>>>>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>>>>>> changetype: modify
>>>>>>>> add: aci
>>>>>>>> aci:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>>>>>>> 3.0; aci "permission:Read Replication Agreements"; allow (read,
>>>>>>>> search,
>>>>>>>> compare) groupdn = "ldap:///cn=Read Replication
>>>>>>>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>>>>>>>
>>>>>>>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>>>>>>>> changetype: add
>>>>>>>> objectClass: top
>>>>>>>> objectClass: groupofnames
>>>>>>>> objectClass: ipapermission
>>>>>>>> cn: Read Replication Agreements
>>>>>>>> ipapermissiontype: SYSTEM
>>>>>>>>
>>>>>>>> Note that you'll need to replace $SUFFIX with your base dn
>>>>>>>> (dc=example,dc=com).
>>>>>>>>
>>>>>>>> This is untested so YMMV. If you find that it works and is useful
>>>>>>>> please
>>>>>>>> let
>>>>>>>> us know, maybe we can add this for everyone to enjoy :-)
>>>>>>> Is it safe to allow anonymous access to read this attribute? I added
>>>>>>> the following ACI:
>>>>>>>
>>>>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>>>>> changetype: modify
>>>>>>> add: aci
>>>>>>> aci:
>>>>>>>
>>>>>>>
>>>>>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>>>>>> 3.0; aci "permission:Read Replication Agreements"; allow (read,
>>>>>>> search, compare) groupdn = "ldap:///anyone";)
>>>>>>
>>>>>> It would be better to restrict the list of attributes to only those
>>>>>> needed
>>>>>> by the app e.g. (targetattr="foo || bar || baz || ...")
>>>>> OK, thanks. I had a look through the available data and I think these
>>>>> would be best:
>>>>>
>>>>>
>>>>>
>>>>> nsDS5ReplicaHost||nsds5replicaLastUpdateStatus||nsds5replicaLastUpdateStart||nsds5replicaLastUpdateEnd||nsds5replicaLastInitStart||nsds5replicaLastInitEnd||nsds5replicaUpdateInProgress
>>>>>
>>>>>>> And I can now get the replication status using an anonymous bind. I
>>>>>>> also modified the nagios perl script to make an anonymous bind and
>>>>>>> check the replication status - it's working OK.
>>>>>>>
>>>>>>> I don't know if the aci should be a standard feature, option to
>>>>>>> enable, or just to provide the ldif for anyone who wants it.
>>>>>>
>>>>>> Sure.  If you think it should be a standard feature, just file a
>>>>>> ticket.
>>>>> OK, will do, once I've figured out a few more things. I want to enable
>>>>> this for the PKI-CA directory too. I changed the dn to "dn:
>>>>> cn="o=ipaca",cn=mapping tree,cn=config" and added this to my server on
>>>>> port 7389. Using targetattr=*, everything works fine, but when I
>>>>> restrict it to the list of attributes above, I don't get any results.
>>>>> Is there another attribute I need to add?
>>>>
>>>> Not sure why it would be any different for CA replication . . .
>>> Sorry, I wasn't clear. The difference isn't between CA and main, it's
>>> between restricting to (targetattr="nsDS5ReplicaHost||.....) and
>>> (targetattr=*). If I add the targetattr=* to the CA dirsrv, it works
>>> fine. Neither works when I restrict to particular attributes.
>>
>> If you look at the access log it should tell you which attributes it is
>> searching for.
> Nothing shows up in the log. Does it show failed access attempts by default?
Yes.  The access log is buffered, so it may take a while for the request 
to show up.



From danieljamesscott at gmail.com  Fri May 18 18:05:28 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 18 May 2012 14:05:28 -0400
Subject: [Freeipa-users] Replication status
In-Reply-To: <4FB68C45.1020306@redhat.com>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
	
	<4FB65CB2.5000800@redhat.com>
	
	<4FB676F2.7040800@redhat.com>
	
	<4FB67B16.6060108@redhat.com>
	
	<4FB68C45.1020306@redhat.com>
Message-ID: 

On Fri, May 18, 2012 at 1:52 PM, Rich Megginson  wrote:
> On 05/18/2012 11:46 AM, Dan Scott wrote:
>>
>> On Fri, May 18, 2012 at 12:38 PM, Rich Megginson
>> wrote:
>>>
>>> On 05/18/2012 10:31 AM, Dan Scott wrote:
>>>>
>>>> On Fri, May 18, 2012 at 12:21 PM, Rich Megginson
>>>> wrote:
>>>>>
>>>>> On 05/18/2012 10:06 AM, Dan Scott wrote:
>>>>>>
>>>>>> On Fri, May 18, 2012 at 10:29 AM, Rich Megginson
>>>>>> wrote:
>>>>>>>
>>>>>>> On 05/18/2012 08:13 AM, Dan Scott wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Rich Megginson wrote:
>>>>>>>>>>
>>>>>>>>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>>>>>>>>>
>>>>>>>>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>>>>>>>>
>>>>>>>>>>>>> Is there any way to expose the nsDS5ReplicationAgreement
>>>>>>>>>>>>> objectClass
>>>>>>>>>>>>> to a less privileged account; i.e., an account solely designed
>>>>>>>>>>>>> to
>>>>>>>>>>>>> check replication status?
>>>>>>>>>>>>
>>>>>>>>>>>> You also need to expose the RUV tombstone entry at the base of
>>>>>>>>>>>> each
>>>>>>>>>>>> suffix.
>>>>>>>>>>>
>>>>>>>>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA
>>>>>>>>>>> before;
>>>>>>>>>>> any pointers?
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Ian
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> We already have some delegated permissions for replication but none
>>>>>>>>> granting
>>>>>>>>> only read access. Off the cuff, something like this might work:
>>>>>>>>>
>>>>>>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>>>>>>> changetype: modify
>>>>>>>>> add: aci
>>>>>>>>> aci:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>>>>>>>> 3.0; aci "permission:Read Replication Agreements"; allow (read,
>>>>>>>>> search,
>>>>>>>>> compare) groupdn = "ldap:///cn=Read Replication
>>>>>>>>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>>>>>>>>
>>>>>>>>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>>>>>>>>> changetype: add
>>>>>>>>> objectClass: top
>>>>>>>>> objectClass: groupofnames
>>>>>>>>> objectClass: ipapermission
>>>>>>>>> cn: Read Replication Agreements
>>>>>>>>> ipapermissiontype: SYSTEM
>>>>>>>>>
>>>>>>>>> Note that you'll need to replace $SUFFIX with your base dn
>>>>>>>>> (dc=example,dc=com).
>>>>>>>>>
>>>>>>>>> This is untested so YMMV. If you find that it works and is useful
>>>>>>>>> please
>>>>>>>>> let
>>>>>>>>> us know, maybe we can add this for everyone to enjoy :-)
>>>>>>>>
>>>>>>>> Is it safe to allow anonymous access to read this attribute? I added
>>>>>>>> the following ACI:
>>>>>>>>
>>>>>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>>>>>> changetype: modify
>>>>>>>> add: aci
>>>>>>>> aci:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>>>>>>> 3.0; aci "permission:Read Replication Agreements"; allow (read,
>>>>>>>> search, compare) groupdn = "ldap:///anyone";)
>>>>>>>
>>>>>>>
>>>>>>> It would be better to restrict the list of attributes to only those
>>>>>>> needed
>>>>>>> by the app e.g. (targetattr="foo || bar || baz || ...")
>>>>>>
>>>>>> OK, thanks. I had a look through the available data and I think these
>>>>>> would be best:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> nsDS5ReplicaHost||nsds5replicaLastUpdateStatus||nsds5replicaLastUpdateStart||nsds5replicaLastUpdateEnd||nsds5replicaLastInitStart||nsds5replicaLastInitEnd||nsds5replicaUpdateInProgress
>>>>>>
>>>>>>>> And I can now get the replication status using an anonymous bind. I
>>>>>>>> also modified the nagios perl script to make an anonymous bind and
>>>>>>>> check the replication status - it's working OK.
>>>>>>>>
>>>>>>>> I don't know if the aci should be a standard feature, option to
>>>>>>>> enable, or just to provide the ldif for anyone who wants it.
>>>>>>>
>>>>>>>
>>>>>>> Sure. If you think it should be a standard feature, just file a
>>>>>>> ticket.
>>>>>>
>>>>>> OK, will do, once I've figured out a few more things. I want to enable
>>>>>> this for the PKI-CA directory too. I changed the dn to "dn:
>>>>>> cn="o=ipaca",cn=mapping tree,cn=config" and added this to my server on
>>>>>> port 7389. Using targetattr=*, everything works fine, but when I
>>>>>> restrict it to the list of attributes above, I don't get any results.
>>>>>> Is there another attribute I need to add?
>>>>>
>>>>>
>>>>> Not sure why it would be any different for CA replication . . .
>>>>
>>>> Sorry, I wasn't clear. The difference isn't between CA and main, it's
>>>> between restricting to (targetattr="nsDS5ReplicaHost||.....) and
>>>> (targetattr=*). If I add the targetattr=* to the CA dirsrv, it works
>>>> fine. Neither works when I restrict to particular attributes.
>>>
>>>
>>> If you look at the access log it should tell you which attributes it is
>>> searching for.
>>
>> Nothing shows up in the log. Does it show failed access attempts by
>> default?
>
> Yes. The access log is buffered, so it may take a while for the request to
> show up.

Ahh, OK, thanks.

The request is:

[18/May/2012:13:59:02 -0400] conn=10516 fd=86 slot=86 connection from
192.168.1.202 to 192.168.1.201
[18/May/2012:13:59:02 -0400] conn=10516 op=0 BIND dn="" method=128 version=3
[18/May/2012:13:59:02 -0400] conn=10516 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[18/May/2012:13:59:02 -0400] conn=10516 op=1 SRCH base="cn=config"
scope=2 filter="(objectClass=nsDS5ReplicationAgreement)" attrs=ALL
[18/May/2012:13:59:02 -0400] conn=10516 op=1 RESULT err=0 tag=101
nentries=0 etime=0
[18/May/2012:13:59:02 -0400] conn=10516 op=-1 fd=86 closed - B1

If I search for 'ALL' attrs but only have permission for some, will I
get no results? Or only those I have permission to read?

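Two things in this thread lend themselves to a small tool: Rich's advice to narrow the ACI from targetattr=* to an explicit attribute list, and his pointer to the access log as the place that shows what a search actually asks for. The following is an added example, not code from the thread, from FreeIPA or from 389-ds. It parses the access-log lines Dan posted (copied above, with the anonymous BIND, the SRCH on cn=config and its RESULT), lists which attributes the search touches that a targetattr allowlist does not grant, and emits the restricted ACI/LDIF in the form Rich suggested. The attribute list is the one Dan proposed; all function names are mine. One point in it is my reading of 389-ds ACI evaluation rather than something the thread states: the bound identity also needs rights on the attributes the filter tests, so the check reports filter attributes (objectClass here) that the allowlist omits.

```python
"""Added example (not from the thread): correlate 389-ds access-log lines and
compare a logged search against a read-only replication-monitoring ACI's
targetattr allowlist; also build the restricted ACI as LDIF."""
import re
from collections import defaultdict

# Access-log lines copied from Dan's post above (one anonymous search on the CA instance).
ACCESS_LOG = """\
[18/May/2012:13:59:02 -0400] conn=10516 fd=86 slot=86 connection from 192.168.1.202 to 192.168.1.201
[18/May/2012:13:59:02 -0400] conn=10516 op=0 BIND dn="" method=128 version=3
[18/May/2012:13:59:02 -0400] conn=10516 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/May/2012:13:59:02 -0400] conn=10516 op=1 SRCH base="cn=config" scope=2 filter="(objectClass=nsDS5ReplicationAgreement)" attrs=ALL
[18/May/2012:13:59:02 -0400] conn=10516 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[18/May/2012:13:59:02 -0400] conn=10516 op=-1 fd=86 closed - B1
"""

# The attribute allowlist proposed in the thread for the monitoring account.
MONITOR_ATTRS = [
    "nsDS5ReplicaHost", "nsds5replicaLastUpdateStatus", "nsds5replicaLastUpdateStart",
    "nsds5replicaLastUpdateEnd", "nsds5replicaLastInitStart", "nsds5replicaLastInitEnd",
    "nsds5replicaUpdateInProgress",
]

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>-?\d+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')          # key=value or key="quoted"
FILTER_ATTR_RE = re.compile(r'\(([A-Za-z][\w;.-]*)\s*[~<>]?=')  # attribute type in each (attr=...)


def parse_access_log(text):
    """Group BIND and SRCH/RESULT pairs per connection.

    Returns {conn: {"bind_dn": str or None, "searches": [dict, ...]}}. A bind_dn
    of "" is an anonymous bind, which is what the monitoring script in the thread uses."""
    conns = defaultdict(lambda: {"bind_dn": None, "searches": [], "pending": {}})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        c = conns[m.group("conn")]
        if " BIND " in rest:
            c["bind_dn"] = kv.get("dn", "")
        elif " SRCH " in rest:
            c["pending"][kv.get("op")] = {"base": kv.get("base"), "scope": int(kv.get("scope", 0)),
                                          "filter": kv.get("filter"), "attrs": kv.get("attrs")}
        elif " RESULT " in rest and kv.get("op") in c["pending"]:
            s = c["pending"].pop(kv["op"])
            s["err"] = int(kv.get("err", -1))
            s["nentries"] = int(kv.get("nentries", -1))
            c["searches"].append(s)
    return {k: {"bind_dn": v["bind_dn"], "searches": v["searches"]} for k, v in conns.items()}


def filter_attrs(ldap_filter):
    """Attribute types an LDAP filter references: '(objectClass=x)' -> ['objectClass']."""
    return FILTER_ATTR_RE.findall(ldap_filter or "")


def aci_coverage(search, allowed):
    """Attributes a logged search touches that the targetattr allowlist does not grant.

    LDAP attribute names are case-insensitive, so names are compared lower-cased.
    Filter attributes are checked too (my reading of 389-ds ACI evaluation: the
    filter is evaluated under the bound identity's rights, so a filter on
    objectClass with an allowlist that omits objectClass matches nothing)."""
    allowed_lc = {a.lower() for a in allowed}
    requested = [] if search["attrs"] in (None, "ALL") else search["attrs"].split()
    return {
        "filter_attrs_not_allowed": [a for a in filter_attrs(search["filter"])
                                     if a.lower() not in allowed_lc],
        "requested_not_allowed": [a for a in requested if a.lower() not in allowed_lc],
    }


def build_read_aci(attrs, groupdn="ldap:///anyone"):
    """The thread's ACI with targetattr narrowed to 'a || b || c' instead of '*'.

    Uses the documented 'acl' keyword for the ACI name."""
    return ('(targetattr="%s")'
            '(targetfilter="(|(objectclass=nsds5replicationagreement)'
            '(objectclass=nsDSWindowsReplicationAgreement))")'
            '(version 3.0; acl "permission:Read Replication Agreements"; '
            'allow (read, search, compare) groupdn = "%s";)' % (" || ".join(attrs), groupdn))


def build_aci_ldif(suffix, attrs, groupdn="ldap:///anyone"):
    """LDIF adding the ACI to the suffix's mapping-tree entry, as in the thread."""
    return ('dn: cn="%s",cn=mapping tree,cn=config\nchangetype: modify\nadd: aci\naci: %s\n'
            % (suffix, build_read_aci(attrs, groupdn)))


if __name__ == "__main__":
    for conn, info in parse_access_log(ACCESS_LOG).items():
        who = "anonymous" if info["bind_dn"] == "" else info["bind_dn"]
        for s in info["searches"]:
            print("conn=%s %s base=%s filter=%s attrs=%s nentries=%d"
                  % (conn, who, s["base"], s["filter"], s["attrs"], s["nentries"]))
            print("  not covered by allowlist:", aci_coverage(s, MONITOR_ATTRS))
    print(build_aci_ldif("dc=example,dc=com", MONITOR_ATTRS + ["objectClass"]))
```

Fed the posted log lines, the check reports objectClass as a filter attribute the allowlist does not grant while nothing in the explicitly requested attributes is missing (attrs=ALL requests none by name). Adding objectClass to the list keeps the ACI read-only and still far narrower than targetattr=*.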


From ilf at ilf.me  Fri May 18 17:49:45 2012
From: ilf at ilf.me (iliyan ilf Stoyanov)
Date: Fri, 18 May 2012 20:49:45 +0300
Subject: [Freeipa-users] FreeIPA v2.2.0 on F17 not starting
In-Reply-To: <4FB685D3.2050000@redhat.com>
References: <1337289212.24421.16.camel@tablet> <4FB5733C.8010303@redhat.com>
	<4FB656E4.80502@redhat.com> <1337359048.1878.5.camel@Nokia-N900>
	<4FB685D3.2050000@redhat.com>
Message-ID: <1337363385.2117.5.camel@Nokia-N900>

Hi,

Unfortunately I didn't know that beforehand. It would probably be good if this were mentioned somewhere on the FreeIPA install pages up on the website.

Br,
--ilf

On Fri May 18 2012 08:24:35 PM EEST, Rob Crittenden  wrote:

> iliyan ilf Stoyanov wrote:
> > Hi,
> > 
> > I solved the problem by downgrading 389-ds-base from the one that
> > comes with F17, 1.2.11.3-1, to the one that comes with F16. I
> > essentially did an rpmbuild --rebuild of the 1.2.10.8-1 SRPM. Right now
> > everything seems fine. It seems FreeIPA doesn't work OK with the 1.2.11
> > tree of 389-ds.
> > 
> 
> The 1.2.11 release has a number of problems with IPA that the 389-ds team is 
> working hard to resolve.
> 
> rob
> 
> > Br,
> > --ilf
> > 
> > On Fri May 18 2012 05:04:20 PM EEST, Rob Crittenden
> > > wrote:
> > 
> > Rich Megginson wrote:
> > On 05/17/2012 03:13 PM, Iliyan Stoyanov wrote:
> > Hello,
> > 
> > I'm running the latest (as of today) F17 with FreeIPA v.2.2.0. After
> > running ipa-server-install everything runs alright and IPA is
> > running
> > fine. 389, kerberos and the rest of the components start up fine.
> > However after reboot of the machine IPA doesn't want to start,
> > systemctl status ipa.service reports:
> > 
> > ipa.service - Identity, Policy, Audit
> > Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
> > Active: failed (Result: exit-code) since Thu, 17 May 2012 23:17:42
> > +0300; 6min ago
> > Process: 567 ExecStart=/usr/sbin/ipactl start (code=exited,
> > status=1/FAILURE)
> > CGroup: name=systemd:/system/ipa.service
> > 
> > May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Failed to
> > read data from Directory Service: Unknown error when retrieving list
> > of services from LDAP: [Errno 111] Connection refused
> > May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Shutting
> > down May 17 23:17:41 cerberus.intra.evilpuppy.bg ipactl[567]:
> > Starting Directory Service
> > 
> > and ipactl start just repeats the error:
> > 
> > ipactl start
> > Starting Directory Service
> > Failed to read data from Directory Service: Unknown error when
> > retrieving list of services from LDAP: [Errno 111] Connection
> > refused
> > Shutting down
> > 
> > If I start ns-slapd by hand with ns-slapd -D
> > /etc/dirsrv/slapd-PKI-IPA && ns-slapd -D /etc/dirsrv/slapd-MYREALM,
> > slapd starts, however the MYREALM instance throws
> > 
> > /etc/dirsrv/slapd-MYREALM/dse.ldif: nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 4096 (the current process limit). Server will use a setting of 4096.
> > [17/May/2012:23:25:29 +0300] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 4096 (the current process limit). Server will use a setting of 4096.
> > 
> > which however is not a big problem, but it seems ns-slapd doesn't
> > care about the limits that are setup in the limits.conf.
> > 
> > It cares, but the systemd conf file must also specify NOFILES=8192
> > 
> > 
> > after starting the directory server I again try with systemctl start
> > ipa.service and the result this time is:
> > 
> > ipa.service - Identity, Policy, Audit
> > Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
> > Active: failed (Result: exit-code) since Thu, 17 May 2012 23:28:02
> > +0300; 25s ago
> > Process: 942 ExecStart=/usr/sbin/ipactl start (code=exited,
> > status=1/FAILURE)
> > CGroup: name=systemd:/system/ipa.service
> > 
> > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Job failed. See system journal and 'systemctl status' for details.
> > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Failed to start KDC Service
> > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Shutting down
> > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Aborting ipactl
> > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting Directory Service
> > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting KDC Service
> > 
> > the /var/log/krb5kdc.log reports:
> > 
> > krb5kdc: Server error - while fetching master key K/M for realm MYREALM
> > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](debug): Got signal to request exit
> > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down fd 9
> > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down fd 10
> > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down fd 8
> > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down fd 7
> > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): shutting down
> > krb5kdc: Server error - while fetching master key K/M for realm MYREALM
> > 
> > From what I get from the kdc.conf file in /var/kerberos/krb5kdc it
> > seems like the files
> > pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> > pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> > are missing in that path, however I don't really know what should
> > generate those pem certs. From my very basic understanding of how
> > IPA
> > works I assume that is dogtag's job, and again I assume ipactl
> > start/systemctl start ipa.service probably should take care of that,
> > however this doesn't happen.
> > 
> > So any help with this issue is welcome. I can go for LDAP/KRB setup
> > to use on my virtual/physical machines, however if going down the
> > krb/LDAP route I think IPA would be far better to support in the
> > long run.
> > 
> > If that might be some help, I'm running x86_64 F17 inside Xen domU.
> > The host is Fedora 17 Dom0 with a bunch of other CentOS6.2 and
> > NetBSD6 DomU.
> > 
> > I have the exact same situation also with FreeIPA built from git.
> > The
> > packages from git are version 2.99:
> > 
> > freeipa-server-selinux-2.99.0GIT46c6ff6-0.fc17.x86_64
> > freeipa-python-2.99.0GIT46c6ff6-0.fc17.x86_64
> > freeipa-admintools-2.99.0GIT46c6ff6-0.fc17.x86_64
> > freeipa-server-2.99.0GIT46c6ff6-0.fc17.x86_64
> > freeipa-client-2.99.0GIT46c6ff6-0.fc17.x86_64
> > 
> > the 2.2.0 version I also ran was the one in F17.
> > 
> > Thanks in advance,
> > BR
> > ilf
> > 
> > It could be a timeout problem. ipactl starts the dirsrv instance to get
> > the list of services it needs to start. If this connect fails it would
> > behave this way. If you look in /usr/sbin/ipactl you'll see a 6 second
> > timeout. I'd try bumping that up to a higher value.
> > 
> > rob
> > 
> 


From ilf at ilf.me  Fri May 18 17:49:45 2012
From: ilf at ilf.me (iliyan ilf Stoyanov)
Date: Fri, 18 May 2012 20:49:45 +0300
Subject: [Freeipa-users] FreeIPA v2.2.0 on F17 not starting
In-Reply-To: <4FB685D3.2050000@redhat.com>
References: <1337289212.24421.16.camel@tablet> <4FB5733C.8010303@redhat.com>
	<4FB656E4.80502@redhat.com> <1337359048.1878.5.camel@Nokia-N900>
	<4FB685D3.2050000@redhat.com>
Message-ID: <1337363385.2117.5.camel@Nokia-N900>

Hi,

unfortunately I didn't know that beforehand. Probably it will be good if this is mentioned somewhere on the FreeIPA install pages up on the website.

Br,
--ilf

On Fri May 18 2012 08:24:35 PM EEST, Rob Crittenden  wrote:

> iliyan ilf Stoyanov wrote:
> > Hi,
> > 
> > i solved the problem by downgrading the 389-ds-base from the one that
> > comes with F17 - 1.2.11.3-1 to the one that comes with F16. I
> > essentially did a rpmbuild --rebuild of the 1.2.10.8-1 srpm. Right now
> > everything seems fine. It seems freeipa doesn't work ok with the 1.2.11
> > tree of 389-ds.
> > 
> 
> The 1.2.11 release has a number of problems with IPA the 389-ds team is 
> working hard to resolve.
> 
> rob
> 
> > Br,
> > --ilf
> > 
> > On Fri May 18 2012 05:04:20 PM EEST, Rob Crittenden
> > > wrote:
> > 
> > Rich Megginson wrote:
> > On 05/17/2012 03:13 PM, Iliyan Stoyanov wrote:
> > Hello,
> > 
> > I'm running latest (as of today) F17 with FreeIPA v.2.2.0. After
> > running ipa-server-install everything runs alright and IPA is
> > running
> > fine. 389, kerberos and the rest of the components start up fine.
> > However after reboot of the machine IPA doesn't want to start,
> > systemctl status ipa.service reports:
> > 
> > ipa.service - Identity, Policy, Audit
> > Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
> > Active: failed (Result: exit-code) since Thu, 17 May 2012 23:17:42
> > +0300; 6min ago
> > Process: 567 ExecStart=/usr/sbin/ipactl start (code=exited,
> > status=1/FAILURE)
> > CGroup: name=systemd:/system/ipa.service
> > 
> > May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused
> > May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Shutting down
> > May 17 23:17:41 cerberus.intra.evilpuppy.bg ipactl[567]: Starting Directory Service
> > 
> > and ipactl start just repeats the error:
> > 
> > ipactl start
> > Starting Directory Service
> > Failed to read data from Directory Service: Unknown error when
> > retrieving list of services from LDAP: [Errno 111] Connection
> > refused
> > Shutting down
> > 
> > If I start ns-slapd by hand with ns-slapd -D
> > /etc/dirsrv/slapd-PKI-IPA && ns-slapd -D /etc/dirsrv/slapd-MYREALM,
> > slapd starts, however the MYREALM instance throws
> > 
> > /etc/dirsrv/slapd-MYREALM/dse.ldif: nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 4096 (the current process limit). Server will use a setting of 4096.
> > [17/May/2012:23:25:29 +0300] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 4096 (the current process limit). Server will use a setting of 4096.
> > 
> > which however is not a big problem, but it seems ns-slapd doesn't
> > care about the limits that are setup in the limits.conf.
> > 
> > It cares, but the systemd conf file must also specify NOFILES=8192
> > 
> > 
> > after starting the directory server I again try with systemctl start
> > ipa.service and the result this time is:
> > 
> > ipa.service - Identity, Policy, Audit
> > Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
> > Active: failed (Result: exit-code) since Thu, 17 May 2012 23:28:02
> > +0300; 25s ago
> > Process: 942 ExecStart=/usr/sbin/ipactl start (code=exited,
> > status=1/FAILURE)
> > CGroup: name=systemd:/system/ipa.service
> > 
> > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Job failed. See system journal and 'systemctl status' for details.
> > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Failed to start KDC Service
> > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Shutting down
> > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Aborting ipactl
> > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting Directory Service
> > May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting KDC Service
> > 
> > the /var/log/krb5kdc.log reports:
> > 
> > krb5kdc: Server error - while fetching master key K/M for realm MYREALM
> > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](debug): Got signal to request exit
> > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down fd 9
> > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down fd 10
> > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down fd 8
> > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down fd 7
> > May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): shutting down
> > krb5kdc: Server error - while fetching master key K/M for realm MYREALM
> > 
> > From what I get from the kdc.conf file in /var/kerberos/krb5kdc it
> > seems like the files
> > pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> > pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> > are missing in that path, however I don't really know what should
> > generate those pem certs. From my very basic understanding of how
> > IPA
> > works I assume that is dogtag's job, and again I assume ipactl
> > start/systemctl start ipa.service probably should take care of that,
> > however this doesn't happen.
> > 
> > So any help with this issue is welcome. I can go for LDAP/KRB setup
> > to use on my virtual/physical machines, however if going down the
> > krb/LDAP route I think IPA would be far better to support in the
> > long run.
> > 
> > If that might be some help, I'm running x86_64 F17 inside Xen domU.
> > The host is Fedora 17 Dom0 with a bunch of other CentOS6.2 and
> > NetBSD6 DomU.
> > 
> > I have the exact same situation also with FreeIPA built from git.
> > The
> > packages from git are version 2.99:
> > 
> > freeipa-server-selinux-2.99.0GIT46c6ff6-0.fc17.x86_64
> > freeipa-python-2.99.0GIT46c6ff6-0.fc17.x86_64
> > freeipa-admintools-2.99.0GIT46c6ff6-0.fc17.x86_64
> > freeipa-server-2.99.0GIT46c6ff6-0.fc17.x86_64
> > freeipa-client-2.99.0GIT46c6ff6-0.fc17.x86_64
> > 
> > the 2.2.0 version I also ran was the one in F17.
> > 
> > Thanks in advance,
> > BR
> > ilf
> > 
> > It could be a timeout problem. ipactl starts the dirsrv instance to get
> > the list of services it needs to start. If this connect fails it would
> > behave this way. If you look in /usr/sbin/ipactl you'll see a 6 second
> > timeout. I'd try bumping that up to a higher value.
> > 
> > rob
> > 
> 



From rmeggins at redhat.com  Fri May 18 18:20:40 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 18 May 2012 12:20:40 -0600
Subject: [Freeipa-users] Replication status
In-Reply-To: 
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
	
	<4FB65CB2.5000800@redhat.com>
	
	<4FB676F2.7040800@redhat.com>
	
	<4FB67B16.6060108@redhat.com>
	
	<4FB68C45.1020306@redhat.com>
	
Message-ID: <4FB692F8.2000703@redhat.com>

On 05/18/2012 12:05 PM, Dan Scott wrote:
> On Fri, May 18, 2012 at 1:52 PM, Rich Megginson  wrote:
>> On 05/18/2012 11:46 AM, Dan Scott wrote:
>>> On Fri, May 18, 2012 at 12:38 PM, Rich Megginson
>>>   wrote:
>>>> On 05/18/2012 10:31 AM, Dan Scott wrote:
>>>>> On Fri, May 18, 2012 at 12:21 PM, Rich Megginson
>>>>>   wrote:
>>>>>> On 05/18/2012 10:06 AM, Dan Scott wrote:
>>>>>>> On Fri, May 18, 2012 at 10:29 AM, Rich Megginson
>>>>>>>   wrote:
>>>>>>>> On 05/18/2012 08:13 AM, Dan Scott wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden
>>>>>>>>>   wrote:
>>>>>>>>>> Rich Megginson wrote:
>>>>>>>>>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>>>>>>>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>> Is there any way to expose the nsDS5ReplicationAgreement
>>>>>>>>>>>>>> objectClass
>>>>>>>>>>>>>> to a less privileged account; i.e., an account solely designed
>>>>>>>>>>>>>> to
>>>>>>>>>>>>>> check replication status?
>>>>>>>>>>>>> You also need to expose the RUV tombstone entry at the base of
>>>>>>>>>>>>> each
>>>>>>>>>>>>> suffix.
>>>>>>>>>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA
>>>>>>>>>>>> before;
>>>>>>>>>>>> any pointers?
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>> Ian
>>>>>>>>>>>>
>>>>>>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>>>>>>>>>
>>>>>>>>>> We already have some delegated permissions for replication but none
>>>>>>>>>> granting
>>>>>>>>>> only read access. Off the cuff, something like this might work:
>>>>>>>>>>
>>>>>>>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>>>>>>>> changetype: modify
>>>>>>>>>> add: aci
>>>>>>>>>> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>>>>>>>>>
>>>>>>>>>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>>>>>>>>>> changetype: add
>>>>>>>>>> objectClass: top
>>>>>>>>>> objectClass: groupofnames
>>>>>>>>>> objectClass: ipapermission
>>>>>>>>>> cn: Read Replication Agreements
>>>>>>>>>> ipapermissiontype: SYSTEM
>>>>>>>>>>
>>>>>>>>>> Note that you'll need to replace $SUFFIX with your base dn
>>>>>>>>>> (dc=example,dc=com).
>>>>>>>>>>
>>>>>>>>>> This is untested so YMMV. If you find that it works and is useful
>>>>>>>>>> please
>>>>>>>>>> let
>>>>>>>>>> us know, maybe we can add this for everyone to enjoy :-)
>>>>>>>>> Is it safe to allow anonymous access to read this attribute? I added
>>>>>>>>> the following ACI:
>>>>>>>>>
>>>>>>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>>>>>>> changetype: modify
>>>>>>>>> add: aci
>>>>>>>>> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";)
>>>>>>>>
>>>>>>>> It would be better to restrict the list of attributes to only those
>>>>>>>> needed
>>>>>>>> by the app e.g. (targetattr="foo || bar || baz || ...")
>>>>>>> OK, thanks. I had a look through the available data and I think these
>>>>>>> would be best:
>>>>>>>
>>>>>>> nsDS5ReplicaHost||nsds5replicaLastUpdateStatus||nsds5replicaLastUpdateStart||nsds5replicaLastUpdateEnd||nsds5replicaLastInitStart||nsds5replicaLastInitEnd||nsds5replicaUpdateInProgress
>>>>>>>
>>>>>>>>> And I can now get the replication status using an anonymous bind. I
>>>>>>>>> also modified the nagios perl script to make an anonymous bind and
>>>>>>>>> check the replication status - it's working OK.
>>>>>>>>>
>>>>>>>>> I don't know if the aci should be a standard feature, option to
>>>>>>>>> enable, or just to provide the ldif for anyone who wants it.
>>>>>>>>
>>>>>>>> Sure.  If you think it should be a standard feature, just file a
>>>>>>>> ticket.
>>>>>>> OK, will do, once I've figured out a few more things. I want to enable
>>>>>>> this for the PKI-CA directory too. I changed the dn to "dn:
>>>>>>> cn="o=ipaca",cn=mapping tree,cn=config" and added this to my server on
>>>>>>> port 7389. Using targetattr=*, everything works fine, but when I
>>>>>>> restrict it to the list of attributes above, I don't get any results.
>>>>>>> Is there another attribute I need to add?
>>>>>>
>>>>>> Not sure why it would be any different for CA replication . . .
>>>>> Sorry, I wasn't clear. The difference isn't between CA and main, it's
>>>>> between restricting to (targetattr="nsDS5ReplicaHost||.....) and
>>>>> (targetattr=*). If I add the targetattr=* to the CA dirsrv, it works
>>>>> fine. Neither work when I restrict to particular attributes.
>>>>
>>>> If you look at the access log it should tell you which attributes it is
>>>> searching for.
>>> Nothing shows up in the log. Does it show failed access attempts by
>>> default?
>> Yes.  The access log is buffered, so it may take a while for the request to
>> show up.
> Ahh, OK thanks.
>
> The request is:
>
> [18/May/2012:13:59:02 -0400] conn=10516 fd=86 slot=86 connection from
> 192.168.1.202 to 192.168.1.201
> [18/May/2012:13:59:02 -0400] conn=10516 op=0 BIND dn="" method=128 version=3
> [18/May/2012:13:59:02 -0400] conn=10516 op=0 RESULT err=0 tag=97
> nentries=0 etime=0 dn=""
> [18/May/2012:13:59:02 -0400] conn=10516 op=1 SRCH base="cn=config"
> scope=2 filter="(objectClass=nsDS5ReplicationAgreement)" attrs=ALL
> [18/May/2012:13:59:02 -0400] conn=10516 op=1 RESULT err=0 tag=101
> nentries=0 etime=0
> [18/May/2012:13:59:02 -0400] conn=10516 op=-1 fd=86 closed - B1
>
> If I search for 'ALL' attrs, but only have permission for some. Will I
> get no results? Or only those I have permission to read?
Hmm - not sure
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
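
Added example (not code from the thread, from FreeIPA or from 389 DS) covering the two points left open above: how to cut the anonymous ACI down to the attributes the monitor needs, and why the restricted version returns nentries=0 while targetattr=* works. In 389 DS the search right is evaluated against the attributes used in the search filter (see the access-control chapter Rich links), and the monitor filters on objectClass, so objectClass has to appear in the targetattr list alongside the nsds5replica* attributes; the log lines Dan quoted (err=0 with nentries=0 on an anonymous bind) are what that looks like from the server side. The helpers below build the ACI and LDIF (using the documented `acl` keyword), list the filter attributes a targetattr list does not cover, and scan an access-log excerpt for such silently empty anonymous searches. The suffix, bind rule and log excerpt are constructed placeholders.

```python
"""Least-privilege ACI for read-only replication monitoring on 389 DS, plus a
check of the access log for anonymous searches that came back empty.
Added example; not code from the thread, from FreeIPA or from 389 DS."""
import re

# Attributes the monitoring check in the thread reads, with objectClass added.
# 389 DS evaluates the "search" right against the attributes named in the
# filter, and the monitor filters on objectClass; leave it out and the filter
# can never match, so the server answers err=0 nentries=0 even though the
# agreement attributes themselves are readable.
MONITOR_ATTRS = [
    "objectClass",
    "nsDS5ReplicaHost",
    "nsds5replicaLastUpdateStatus",
    "nsds5replicaLastUpdateStart",
    "nsds5replicaLastUpdateEnd",
    "nsds5replicaLastInitStart",
    "nsds5replicaLastInitEnd",
    "nsds5replicaUpdateInProgress",
]

AGREEMENT_FILTER = ("(|(objectclass=nsds5replicationagreement)"
                    "(objectclass=nsDSWindowsReplicationAgreement))")


def build_aci(attrs, bind_rule, name="Read Replication Agreements"):
    """ACI granting read/search/compare on *attrs* of agreement entries only."""
    return ('(targetattr="%s")' % " || ".join(attrs)
            + '(targetfilter="%s")' % AGREEMENT_FILTER
            + '(version 3.0; acl "permission:%s"; ' % name
            + 'allow (read, search, compare) %s;)' % bind_rule)


def build_ldif(suffix, aci):
    """LDIF modify adding *aci* to the mapping-tree entry of *suffix*."""
    return "\n".join(['dn: cn="%s",cn=mapping tree,cn=config' % suffix,
                      "changetype: modify", "add: aci", "aci: " + aci, ""])


_FILTER_ATTR = re.compile(r"\(([A-Za-z][\w.;-]*)\s*(?:=|~=|>=|<=)")


def filter_attrs_not_granted(ldap_filter, granted):
    """Attributes used in *ldap_filter* that *granted* (the targetattr list)
    does not cover; LDAP attribute names compare case-insensitively."""
    granted_lc = {a.lower() for a in granted}
    used = {m.group(1) for m in _FILTER_ATTR.finditer(ldap_filter)}
    return sorted(a for a in used if a.lower() not in granted_lc)


_LOG = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")


def empty_anonymous_searches(log_text):
    """(conn, op, filter) for searches on anonymously bound connections that
    returned err=0 with nentries=0: the signature of an ACI silently hiding
    entries rather than of a real access error."""
    anon, pending, hits = set(), {}, []
    for line in log_text.splitlines():
        m = _LOG.match(line.strip())
        if not m:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        if rest.startswith("BIND ") and 'dn=""' in rest:
            anon.add(conn)
        elif rest.startswith("SRCH "):
            f = re.search(r'filter="([^"]*)"', rest)
            pending[(conn, op)] = f.group(1) if f else ""
        elif rest.startswith("RESULT ") and (conn, op) in pending:
            if conn in anon and "err=0" in rest and "nentries=0" in rest:
                hits.append((conn, op, pending[(conn, op)]))
            del pending[(conn, op)]
    return hits


# Constructed excerpt in the shape of the access-log lines quoted in the thread.
SAMPLE_LOG = """\
[18/May/2012:13:59:02 -0400] conn=10516 fd=86 slot=86 connection from 192.168.1.202 to 192.168.1.201
[18/May/2012:13:59:02 -0400] conn=10516 op=0 BIND dn="" method=128 version=3
[18/May/2012:13:59:02 -0400] conn=10516 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/May/2012:13:59:02 -0400] conn=10516 op=1 SRCH base="cn=config" scope=2 filter="(objectClass=nsDS5ReplicationAgreement)" attrs=ALL
[18/May/2012:13:59:02 -0400] conn=10516 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[18/May/2012:13:59:02 -0400] conn=10516 op=-1 fd=86 closed - B1
"""

if __name__ == "__main__":
    for conn, op, flt in empty_anonymous_searches(SAMPLE_LOG):
        print("conn=%s op=%s filter=%s attrs not granted by the thread's list: %s"
              % (conn, op, flt, filter_attrs_not_granted(flt, MONITOR_ATTRS[1:])))
    print(build_ldif("dc=example,dc=com",
                     build_aci(MONITOR_ATTRS, 'groupdn = "ldap:///anyone"')))
```

Even with the attribute list trimmed, `groupdn = "ldap:///anyone"` hands replication topology (nsDS5ReplicaHost) and update status to anything that can reach the LDAP port. Binding the Nagios check as a dedicated system account and granting that account's group instead of anyone keeps the same check working without that exposure; the same objectClass rule applies to the o=ipaca instance on port 7389.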



From Weston.Adamson at netapp.com  Fri May 18 19:20:38 2012
From: Weston.Adamson at netapp.com (Adamson, Dros)
Date: Fri, 18 May 2012 19:20:38 +0000
Subject: [Freeipa-users] ipa-server hang on shutdown/reboot of F16
Message-ID: <24CE92E5-AF58-4548-9E70-CB69F3D414F9@netapp.com>

Hey All,

Ever since upgrading to Fedora 16 I've noticed that ipa-server causes reboot / shutdown to hang indefinitely (I've only actually waited ~30 minutes).  If I run "service ipa stop" before rebooting, there is no hang.

I've searched bugzilla a bit and couldn't see any reports of this - is this a known issue?  Should I file a bug?

-dros

From rcritten at redhat.com  Fri May 18 19:53:53 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 May 2012 15:53:53 -0400
Subject: [Freeipa-users] ipa-server hang on shutdown/reboot of F16
In-Reply-To: <24CE92E5-AF58-4548-9E70-CB69F3D414F9@netapp.com>
References: <24CE92E5-AF58-4548-9E70-CB69F3D414F9@netapp.com>
Message-ID: <4FB6A8D1.1010701@redhat.com>

Adamson, Dros wrote:
> Hey All,
>
> Ever since upgrading to Fedora 16 I've noticed that ipa-server causes reboot / shutdown to hang indefinitely (I've only actually waited ~30 minutes).  If I run "service ipa stop" before rebooting, there is no hang.
>
> I've searched bugzilla a bit and couldn't see any reports of this - is this a known issue?  Should I file a bug?
>
> -dros


BZ https://bugzilla.redhat.com/show_bug.cgi?id=783943 and related ticket 
https://fedorahosted.org/freeipa/ticket/2302

rob



From cao2dan at yahoo.com  Fri May 18 20:57:52 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Fri, 18 May 2012 13:57:52 -0700 (PDT)
Subject: [Freeipa-users] Any ways for IPA users to reset expired passwords
	by themselves over web?
Message-ID: <1337374672.71120.YahooMailNeo@web125701.mail.ne1.yahoo.com>

Hi all,

Is there any web interface for IPA users to reset their expired password over the web? Currently we let test users ssh/log in to a particular Linux server, and sssd lets the users authenticate with their old expired password and then reset it to a newer one.

The IPA web UI could be a choice, but it cannot log out (version 2.1.3-9 on Red Hat 6.2), and the users may see too much other unrelated stuff, which poses challenges to them and opens a door for mis-operations.

Thanks.

--David

From hahaha_30k at yahoo.com  Fri May 18 21:27:15 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Fri, 18 May 2012 14:27:15 -0700 (PDT)
Subject: [Freeipa-users] HBAC rules take in effect on IPA clients
	immediately after installation?
Message-ID: <1337376435.93089.YahooMailNeo@web160706.mail.bf1.yahoo.com>

Hi all,

Just to clarify my confusion: are the HBAC (Host Based Access Control) rules immediately in effect after IPA client software configuration through sssd? Do we have any options inside sssd.conf to enable/disable the HBAC rules per machine (inside the IPA domain)? I have this question because some important servers need to be available all the time, even if badly written HBAC rules could block access to all other servers.

Another very closely related question is: what are the scenarios to use the '--permit' option to 'ipa-client-install'? The manual says 'Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host-based Access Controls (HBAC) on the IPA server.' So is this the solution to the above problem?

Thanks a lot.

--Gelen

From hahaha_30k at yahoo.com  Fri May 18 21:35:18 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Fri, 18 May 2012 14:35:18 -0700 (PDT)
Subject: [Freeipa-users] sudo rules in IPA infrastructure
Message-ID: <1337376918.9323.YahooMailNeo@web160704.mail.bf1.yahoo.com>

Hi all,

Are the sudo rules applied to IPA clients through nss_ldap instead of sssd?

I tried that on Red Hat 6.2 clients, and some documents said that sudo rules would work when enabled inside /etc/nslcd.conf, but we need to hack the script /etc/init.d/nslcd.conf a little bit -- basically to mess around with the sudo config statements before/after the nslcd daemon runs, as the latter still cannot handle sudo statements very well.

Then on 5.8, where the nslcd daemon is not available, should we edit /etc/ldap.conf for nss_ldap, and how? Please shed some light on this. Thanks a lot.

--Gelen.

From sbingram at gmail.com  Fri May 18 21:58:26 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Fri, 18 May 2012 14:58:26 -0700
Subject: [Freeipa-users] sudo rules in IPA infrastructure
In-Reply-To: <1337376918.9323.YahooMailNeo@web160704.mail.bf1.yahoo.com>
References: <1337376918.9323.YahooMailNeo@web160704.mail.bf1.yahoo.com>
Message-ID: 

On Fri, May 18, 2012 at 2:35 PM, Gelen James  wrote:
> Hi all,
>
> Are the sudo rules applied to IPA clients through nss_ldap, instead of
> sssd?
>
> I tried that on Redhat 6.2 clients, and some documents said that sudo rules
> would work when enabled inside /etc/nslcd.conf, but we need to hack the
> script /etc/init.d/nslcd.conf a little bit -- basically to mess around the
> sudo config statement before/after nslcd daemon runs as the latter still can
> not handle sudo statements very well.

I just got sudo set up on 6.2. You do use /etc/nslcd.conf, but you
don't have to install the nslcd daemon to get it working. It just
looks to that file for the config. So remove nslcd and then just
create the /etc/nslcd.conf from scratch and put in what they specify
on the documentation. Make all of the other changes they mention and
it will just work!

> Then on 5.8, where nslcd daemon is not available, should we edit
> /etc/ldap.conf for nss_ldap and how? Please shed a light on this. Thanks a
> lot.

Type sudo -V to be sure, but look for the ldap.conf path (on my 5.8 it
is /etc/ldap.conf). I haven't set this up yet, but I assume that you
can just add the config mentioned in the docs to ldap.conf along with
all of the other changes and you're off. As it worked perfectly on
6.2, I'm guessing it will also work on 5.8.

You can look through bugzilla and see the various discussions about
all of this, but suffice it to say there has been a fair amount of
discussion as to where to locate this sudo ldap config. I think it is
headed for /etc/ldap.sudo or something like that in 6.3, but as long
as you put it where sudo is looking for it, everything should work.

If you still can't get it to work, Adam Young has written a script
that you can look at to explain the process:
http://adam.younglogic.com/2011/03/centralized-sudo-with-freeipa/.

Steve
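
Whichever file `sudo -V` points at (/etc/nslcd.conf on 6.2 and /etc/ldap.conf on 5.8 in Stephen's setups), it holds the bind DN and password sudo uses to read the SUDOers subtree, so it needs the same care as any other credential file. Added example, not code from the thread, from FreeIPA or from sudo: a small audit of that file, assuming the sudoers.ldap(5) directives FreeIPA's sudo documentation uses (uri, sudoers_base, binddn, bindpw, ssl start_tls, tls_cacertfile). The sample config, its host, base DN and password are constructed placeholders.

```python
"""Audit the sudo LDAP config file (whatever path `sudo -V` reports as its
ldap.conf) before enabling sudoers lookups against IPA.
Added example; not code from the thread, from FreeIPA or from sudo."""
import os
import stat

# Directives FreeIPA's sudo-over-LDAP setup uses, all documented in
# sudoers.ldap(5).  Assumption: your deployment uses this set; adjust if not.
REQUIRED = ("uri", "sudoers_base", "binddn", "bindpw", "tls_cacertfile")


def parse_sudo_ldap_conf(text):
    """Parse 'key value' lines into {key: [values]}; comments and blanks skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_sudo_ldap_conf(text, mode=None, uid=None):
    """Return a list of findings; an empty list means the config passes.

    mode/uid are the file's permission bits and owner when known (see
    audit_file); the file holds bindpw, so it must be root-owned and 0600."""
    conf = parse_sudo_ldap_conf(text)
    findings = []
    for key in REQUIRED:
        if key not in conf:
            findings.append("missing directive: %s" % key)

    # Every configured server must be reached over TLS, either ldaps:// on
    # each URI or STARTTLS for the plain ldap:// ones; otherwise the bind
    # password and the sudo rules cross the wire in clear.
    uris = [u for line in conf.get("uri", []) for u in line.split()]
    starttls = any(v.lower() == "start_tls" for v in conf.get("ssl", []))
    plain = [u for u in uris if not u.lower().startswith("ldaps://")]
    if plain and not starttls:
        findings.append("no TLS for %s: add 'ssl start_tls' or use ldaps://"
                        % ", ".join(plain))

    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o allows group/other access; bindpw is inside, use 0600"
                        % mode)
    if uid is not None and uid != 0:
        findings.append("owner uid %d is not root" % uid)
    return findings


def audit_file(path):
    """Audit an on-disk config file, e.g. /etc/nslcd.conf or /etc/ldap.conf."""
    st = os.stat(path)
    with open(path) as fh:
        text = fh.read()
    return audit_sudo_ldap_conf(text, stat.S_IMODE(st.st_mode), st.st_uid)


# Constructed sample in the shape the FreeIPA sudo docs describe; the host,
# base DN and password are placeholders.
SAMPLE_OK = """\
uri ldap://ipa.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw placeholder-secret
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
"""

# Same file with STARTTLS dropped: the bind password would go out in clear.
SAMPLE_NO_TLS = SAMPLE_OK.replace("ssl start_tls\n", "")

if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(path, audit_file(path) or "ok")
    else:
        print("sample ok:", audit_sudo_ldap_conf(SAMPLE_OK, 0o600, 0) or "ok")
        print("sample without TLS:", audit_sudo_ldap_conf(SAMPLE_NO_TLS, 0o644, 0))
```

Save it under any name and run it with the config path as the argument, or with no arguments to see it flag the constructed sample without STARTTLS. Two pitfalls it catches that the docs gloss over: a uri line listing several servers where only the first is ldaps://, and a file left 0644 by a hand edit, which exposes bindpw to every local user.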



From hahaha_30k at yahoo.com  Fri May 18 23:20:02 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Fri, 18 May 2012 16:20:02 -0700 (PDT)
Subject: [Freeipa-users] sudo rules in IPA infrastructure
In-Reply-To: 
References: <1337376918.9323.YahooMailNeo@web160704.mail.bf1.yahoo.com>
	
Message-ID: <1337383202.23228.YahooMailNeo@web160702.mail.bf1.yahoo.com>

Hi Stephen,

That's very helpful. Thanks a lot.

--Gelen



From cao2dan at yahoo.com  Sat May 19 01:38:42 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Fri, 18 May 2012 18:38:42 -0700 (PDT)
Subject: [Freeipa-users] Strange error messages on IPA Master
Message-ID: <1337391522.98318.YahooMailNeo@web125705.mail.ne1.yahoo.com>

Hi all,

I've the following messages logged on my IPA master server's /var/log/dirsvr/slapd-EXAMPLE.COM/errors log file:

[17/May/2012:04:02:42 -0700] _entry_set_tombstone_rdn - Failed to convert DN cn=CA to RDN
[17/May/2012:04:02:42 -0700] id2entry - str2entry returned NULL for id 128, string="rdn"
[17/May/2012:04:02:42 -0700] _entry_set_tombstone_rdn - Failed to convert DN cn=KDC to RDN
[17/May/2012:04:02:42 -0700] id2entry - str2entry returned NULL for id 144, string="rdn"
[17/May/2012:04:02:42 -0700] _entry_set_tombstone_rdn - Failed to convert DN cn=KPASSWD to RDN
[17/May/2012:04:02:42 -0700] id2entry - str2entry returned NULL for id 145, string="rdn"
[17/May/2012:04:02:42 -0700] _entry_set_tombstone_rdn - Failed to convert DN cn=HTTP to RDN
[17/May/2012:04:02:42 -0700] id2entry - str2entry returned NULL for id 148, string="rdn"

Does anyone know what that means and whether it is harmful? If it is, how do I fix it?

Thanks a lot.

--David.

From rmeggins at redhat.com  Sat May 19 03:10:06 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 18 May 2012 21:10:06 -0600
Subject: [Freeipa-users] Strange error messages on IPA Master
In-Reply-To: <1337391522.98318.YahooMailNeo@web125705.mail.ne1.yahoo.com>
References: <1337391522.98318.YahooMailNeo@web125705.mail.ne1.yahoo.com>
Message-ID: <4FB70F0E.1040904@redhat.com>

On 05/18/2012 07:38 PM, David Copperfield wrote:
> Hi all,
>
>  I've the following messages logged on my IPA master server's 
> /var/log/dirsvr/slapd-EXAMPLE.COM/errors log file:
>
> [17/May/2012:04:02:42 -0700] _entry_set_tombstone_rdn - Failed to 
> convert DN cn=CA to RDN
> [17/May/2012:04:02:42 -0700] id2entry - str2entry returned NULL for id 
> 128, string="rdn"
> [17/May/2012:04:02:42 -0700] _entry_set_tombstone_rdn - Failed to 
> convert DN cn=KDC to RDN
> [17/May/2012:04:02:42 -0700] id2entry - str2entry returned NULL for id 
> 144, string="rdn"
> [17/May/2012:04:02:42 -0700] _entry_set_tombstone_rdn - Failed to 
> convert DN cn=KPASSWD to RDN
> [17/May/2012:04:02:42 -0700] id2entry - str2entry returned NULL for id 
> 145, string="rdn"
> [17/May/2012:04:02:42 -0700] _entry_set_tombstone_rdn - Failed to 
> convert DN cn=HTTP to RDN
> [17/May/2012:04:02:42 -0700] id2entry - str2entry returned NULL for id 
> 148, string="rdn"
>
> Any one know what does that mean, whether it is harmful? if it is then 
> how to fix it?
What version of 389-ds-base?
>
> Thanks a lot.
>
> --David.

From jhrozek at redhat.com  Sat May 19 17:12:37 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sat, 19 May 2012 19:12:37 +0200
Subject: [Freeipa-users] HBAC rules take in effect on IPA clients
 immediately after installation?
In-Reply-To: <1337376435.93089.YahooMailNeo@web160706.mail.bf1.yahoo.com>
References: <1337376435.93089.YahooMailNeo@web160706.mail.bf1.yahoo.com>
Message-ID: <20120519171237.GC9477@hendrix.redhat.com>

On Fri, May 18, 2012 at 02:27:15PM -0700, Gelen James wrote:
>    Hi all,
>     Just like to clarify my confusion: Are the HBAC (Host Based Access
>    Control) rules immediately in effect after IPA client software
>    configurations through sssd? Do we have any options inside sssd.conf to
>    enable/disable the HBAC rules per machine (inside IPA domain)? I have this
>    question because some important servers needs to be available all the
>    time, even badly written HBAC rules could block access to all other
>    servers.
>     Another very close question is: what are the scenarios to use  '--permit'
>    option to 'ipa-client-install'? the manual says 'Configure SSSD to permit
>    all access. Otherwise the machine will be controlled by the Host-based
>    Access Controls (HBAC) on the IPA server.'. So is this the solution to the
>    above problem? 
>     Thanks a lot.
>    --Gelen

Yes, passing --permit to ipa-client install is the solution to your
problem.

What it does under the hood is setting access_provider = permit in the
sssd.conf, which means "always allow access". See man sssd.conf(5) for
more information on the default access providers.



From jhrozek at redhat.com  Sat May 19 17:16:39 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sat, 19 May 2012 19:16:39 +0200
Subject: [Freeipa-users] sudo rules in IPA infrastructure
In-Reply-To: <1337376918.9323.YahooMailNeo@web160704.mail.bf1.yahoo.com>
References: <1337376918.9323.YahooMailNeo@web160704.mail.bf1.yahoo.com>
Message-ID: <20120519171639.GD9477@hendrix.redhat.com>

On Fri, May 18, 2012 at 02:35:18PM -0700, Gelen James wrote:
>    Hi all,
>     Are the sudo rules applied to IPA clients through nss_ldap, instead of
>    sssd? 

Neither :-)

sudo looks up the user information via the standard name-service-switch
maps, so if your machine is configured to fetch user and group
information using the sss NSS module in nsswitch.conf, then the requests
get to sssd.

As Stephen Ingram pointed out elsewhere in this thread, sudo only reads
the nss_ldap/nss-pam-ldapd config files but establishes the connection
to the LDAP server and fetches the data on its own.
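
As an added illustration (not code from this thread, nor from FreeIPA or SSSD), the following Python script audits the three client-side settings these replies turn on: which ldap.conf path sudo was built to read (taken from `sudo -V` output, as Stephen suggests), whether `sudoers` in nsswitch.conf actually lists `ldap` so that sudo consults the directory at all (Jakub's point that sudo reads the nss_ldap/nss-pam-ldapd config files but performs the LDAP lookups itself), and whether any `[domain/...]` section in sssd.conf has `access_provider = permit`, which, as Jakub explains in the HBAC reply above, means HBAC rules are not evaluated on that host. All three inputs are constructed samples embedded in the script; the `ldap.conf path:` line is the form `sudo -V` prints when run as root on a sudo built with LDAP support, and is an assumption here, as is the `sudoers:` line in nsswitch.conf (documented in sudoers.ldap(5), not mentioned in the thread).

```python
import configparser
import re

# Constructed excerpts of the three inputs this audit reads. The
# "ldap.conf path:" line is the form `sudo -V` prints when run as root on a
# sudo built with LDAP support (assumed here; compare with your own output).
SUDO_V_OUTPUT = """\
Sudo version 1.7.4p5
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
"""

# Constructed nsswitch.conf: the 'sudoers' database is documented in
# sudoers.ldap(5); without 'ldap' here sudo never asks the directory.
NSSWITCH_CONF = """\
passwd:     files sss
shadow:     files sss
group:      files sss
# sudo only asks the directory for rules if 'sudoers' lists ldap here
sudoers:    files ldap
netgroup:   files sss
"""

# Constructed sssd.conf as `ipa-client-install --permit` leaves it:
# access_provider = permit means HBAC is not evaluated on this host.
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.example.com
access_provider = permit
"""


def sudo_ldap_conf_path(sudo_v_text):
    """Path of the LDAP client config sudo was built to read, or None when
    sudo has no LDAP support at all (then IPA sudo rules can never apply)."""
    m = re.search(r"^ldap\.conf path:\s*(\S+)\s*$", sudo_v_text, re.MULTILINE)
    return m.group(1) if m else None


def nss_sudoers_sources(nsswitch_text):
    """Sources listed for the 'sudoers' database in nsswitch.conf."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() == "sudoers":
            return sources.split()
    return []


def sssd_access_providers(sssd_conf_text):
    """access_provider per [domain/...] section; sssd.conf(5) documents the
    default as 'permit' when the option is absent, so report that too."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    return {sect[len("domain/"):]: cp.get(sect, "access_provider", fallback="permit")
            for sect in cp.sections() if sect.startswith("domain/")}


def audit_client(sudo_v_text, nsswitch_text, sssd_conf_text):
    """Findings to review before trusting central sudo/HBAC policy on a host."""
    findings = []
    if sudo_ldap_conf_path(sudo_v_text) is None:
        findings.append("sudo built without LDAP support: IPA sudo rules cannot apply")
    if "ldap" not in nss_sudoers_sources(nsswitch_text):
        findings.append("nsswitch.conf: 'sudoers' does not list ldap, only /etc/sudoers is consulted")
    for domain, provider in sssd_access_providers(sssd_conf_text).items():
        if provider == "permit":
            findings.append(f"sssd.conf [domain/{domain}]: access_provider=permit, HBAC bypassed")
    return findings


if __name__ == "__main__":
    print("sudo reads:", sudo_ldap_conf_path(SUDO_V_OUTPUT))
    for finding in audit_client(SUDO_V_OUTPUT, NSSWITCH_CONF, SSSD_CONF):
        print("FINDING:", finding)
```

Run against real files, the script would read `sudo -V` output, `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` instead of the embedded strings; the point of the `permit` finding is that a host set up this way is deliberately outside HBAC, so the list of such hosts should be short and known.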



From cao2dan at yahoo.com  Sat May 19 22:11:44 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Sat, 19 May 2012 15:11:44 -0700 (PDT)
Subject: [Freeipa-users] sudo rules in IPA infrastructure
In-Reply-To: <20120519171639.GD9477@hendrix.redhat.com>
References: <1337376918.9323.YahooMailNeo@web160704.mail.bf1.yahoo.com>
	<20120519171639.GD9477@hendrix.redhat.com>
Message-ID: <1337465504.61171.YahooMailNeo@web125705.mail.ne1.yahoo.com>

Hi Jakub and Rich,

Got it.

Thanks a lot on the HBAC and sudoers maps access. I think I got confused with the graph in the PowerPoint presentation http://www.redhat.com/summit/2011/presentations/summit/whats_next/friday/pal_crittenden_f_1100_ipa_overview_rev3.pdf. The graph 'Under the hood' claimed that user/group/netgroup/HBAC will go through sssd, while other maps (sudo, autofs?) would go through nss_ldap.

So it could be that FreeIPA has been further developed to DIRECTLY provide more mappings without the help of pam_(ldap/kerberos) and nss_ldap? To Rich, could you confirm that -- and probably more mappings -- in this version 2.1.3-9 on Red Hat 6.2? If not, how about 2.2 on Red Hat 6.3 Beta? Thanks a lot.

Have a nice weekend.

--Gelen






From cao2dan at yahoo.com  Sat May 19 22:26:32 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Sat, 19 May 2012 15:26:32 -0700 (PDT)
Subject: [Freeipa-users] Bug or feature? IPA replicas at the beginning can
	not see other replicas installed later
Message-ID: <1337466392.94089.YahooMailNeo@web125701.mail.ne1.yahoo.com>

Hi Rich, Rob and all,

I'm trying to test the IPA replica restoration solutions, with a daily IPA replica backup, following your steps in another email. But I got interrupted by another problem that popped up. The problem is here: (all IPA masters and replicas are 2.1.3 on Red Hat 6.2).

The same setup is tested: A is the master, B, C, D are replicas. A works as a HUB, and B, C, D are replicated with A directly and only.

    A
  / | \
 B  C  D

The setup procedure is as the following:

1, Install A and restart IPA services (ipactl restart)
2, create replicas information files for B, C, D.
3, install replica B.
4, install replica C.
5, Install replica D.

At this point, running 'ipa-replica-manage list' on A, B, C, D separately, we found the following odd results:

1, on Master A:
see all A, B, C, D

2, on replica B: (the first installed replica)
see only A, B

3, on replica C: (the second installed replica)
see only A, B, C

4, on the replica D: (the last installed replica)
see all A, B, C, D

Wait for 10 minutes and check again, still no change; restart IPA services on A, B, C, D, still no changes; reboot all A, B, C, D, still no changes. Though the 'ipa-csreplica-manage list' command shows ALL A, B, C, D servers on all A, B, C, D servers.

And so the command 'ipa-manage-list D' on replica C reports that 'D is not in the public server list.'

The setup and testing environment takes no more than one hour to duplicate.

Thanks.

--Gelen

From cao2dan at yahoo.com  Sun May 20 00:29:16 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Sat, 19 May 2012 17:29:16 -0700 (PDT)
Subject: [Freeipa-users] Bug or feature? IPA replicas at the beginning
	can not see other replicas installed later
In-Reply-To: <1337466392.94089.YahooMailNeo@web125701.mail.ne1.yahoo.com>
References: <1337466392.94089.YahooMailNeo@web125701.mail.ne1.yahoo.com>
Message-ID: <1337473756.35952.YahooMailNeo@web125705.mail.ne1.yahoo.com>

Hi all,

I tried another way below to install replicas one by one, and this time it works as expected -- all replicas, installed at the beginning and later, all see everyone.

1, install Master A, restart IPA service.

2, prepare replication file and install Replica B, restart IPA service on B, then A.

3, prepare replication file and install Replica C, restart IPA services on C, then B, then A.

4, prepare replication file and install Replica D, restart IPA services on D, then C, then B, then A.

Now all IPA servers can see all.

The major differences from the steps included in the former emails:

1, create replication info files at different times. This time the file(s) are created at every step, instead of all at the same time before the first replica is installed.

2, restart IPA services after each replica installation. The intention is to sync replication information at IPA services startup.

3, Misc. Before installation of the IPA master and all replicas, I synced the time difference to within one second across all servers, and then rebooted all servers A, B, C and D. Double-checked that the time difference is still within one second.

Not sure whether this is related to the IPA replication info file preparation timing, the IPA services restarts, or other preparation work, but it will do no harm if someone else can duplicate the steps and see whether we end up with the same results.

BTW, does anyone know how the replication servers info is propagated from one replica to another via the IPA master hub? How long does it take, etc.

Thanks.

--David


From hahaha_30k at yahoo.com  Sun May 20 07:08:39 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Sun, 20 May 2012 00:08:39 -0700 (PDT)
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas
	from daily IPA Replica setup???
In-Reply-To: <4FB28B0D.5080201@redhat.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com>
	<4FB28B0D.5080201@redhat.com>
Message-ID: <1337497719.65988.YahooMailNeo@web160703.mail.bf1.yahoo.com>

Hi Dmitri, Rob and all.

Thanks for your instructions. I've performed your steps on case #1: replacing a failed IPA master. The results, and my confusion and questions, are all detailed below. In general, please set up your own real test environment, and write down the detailed steps one by one clearly.

It took me more than one week and I still have no clue. Frankly, your steps in the former email are kind of over-simplified for normal IPA users, and do not cover how the CA LDAP backend will be handled.

The problem is the CA backend. All the replicas are still trying to sync to the old failed IPA master, even after reboot.

Could it be that 'ipa-replica-manage' only manages the user data replication, and 'ipa-csreplica-manage' only handles CA-end replication? In other words, when building, or tearing down, IPA replication between two servers, do we need to deal with both replication types with 'ipa-replica-manage' AND 'ipa-csreplica-manage'? If so, which should run first?

The error messages in /var/log/dirsrv/slapd-PKI-IPA/errors are attached, same from B, C, D replicas.

[19/May/2012:19:40:48 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[19/May/2012:19:40:48 -0700] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[19/May/2012:19:40:48 -0700] - Listening on All Interfaces port 7390 for LDAPS requests
[19/May/2012:19:40:50 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:40:50 -0700] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-B.example.com-pki-ca" (:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/May/2012:19:40:57 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:03 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:15 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:39 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:42:27 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:44:03 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:47:15 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[root@ ~]#

After seeing the above messages, I tried to run similar commands for CA replication; it shows that the replication agreement (which replication agreement? User data, or CA data?) exists already.

on B,

ipa-csreplica-manage connect C
ipa-csreplica-manage connect D
ipa-csreplica-manage del A --force
ipactl restart

on C,
ipa-csreplica-manage del A --force
ipactl restart

on D,
ipa-csreplica-manage del A --force
ipactl restart


[root at B ~]# ipa-csreplica-manage --password=xxxxxxx connect C.example.com
This replication agreement already exists.
[root at B ~]#

[root at B ~]# ipa-csreplica-manage --password=xxxxxxx connect D.example.com
This replication agreement already exists.
[root at B ~]#

[root at B ~]# ipa-csreplica-manage --password=xxxxxxx del C.example.com --force
Unable to connect to replica A.example.com, forcing removal
Failed to get data from 'A.example.com': Can't contact LDAP server
Forcing removal on 'B.example.com'
[root at B ~]#

....

After restarting IPA services on B, C, D, the error messages finally went away from the CA errors log file.

But we still can not find the CA replication setups. Please see the difference in output from 'ipa-replica-manage' and 'ipa-csreplica-manage':

[root at B ~] ipa-replica-manage list
B.example.com
C.example.com
D.example.com

[root at B ~] ipa-csreplica-manage list
B.example.com
C.example.com
D.example.com

[root at B ~] ipa-replica-manage list B.example.com
C.example.com
D.example.com

[root at B ~] ipa-csreplica-manage list B.example.com
## Nothing at all!

Please have a check and give the correct commands and sequences for us IPA users. It is such a pain to spend so much time and still not get the restoration to work as expected. Even worse, I have no idea how 'ipa-replica-manage' and 'ipa-csreplica-manage' work together behind the scenes.

Thanks a lot.

--Gelen





________________________________
 From: Rob Crittenden 
To: Robinson Tiemuqinke  
Cc: "Freeipa-users at redhat.com" ; Rich Megginson ; Dmitri Pal  
Sent: Tuesday, May 15, 2012 9:57 AM
Subject: Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
 
Robinson Tiemuqinke wrote:
> Hi Dmitri, Rich and all,
>
> I am a newbie to Redhat IPA, It looks like pretty cool compared with
> other solutions I've tried before. Thanks a lot for this great product! :)
>
> But there are still some things I need your help with. My main question is:
> How to restore the IPA setup with a daily machine-level IPA Replica backup?
>
> Please let me explain my IPA setup background and backup/restore goals
> trying to reach:
>
> I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is setup
> with Dogtag CA system. It is installed first. Then two IPA replicas are
> installed -- with '--setup-ca' options -- for load balancing and
> failover purposes.
>
> To describe my problems/objectives, I'll name the IPA Master as machine
> A, IPA replicas as B and C. and now I've one more extra IPA replica 'D'
> (virtual machine) setup ONLY for backup purposes.
> The setup looks like the following, A is the configuration Hub. B,C,D
> are siblings.
>
> A
> / | \
> B C D
>
> The following are the steps I backup IPA setups and LDAP backends daily
> -- it is a whole machine-level backup (through virtual machine D).
>
> 1, First, IPA replica D is backed up daily. The backup happens like this:
>
> 1.1 on IPA replica D, run 'service IPA stop'. Then run 'shutdown -h '.
> On the Hypervisor which holds virtual machine D, do a daily backup of
> the whole virtual disk that D is on.
> 1.2 turn on the IPA replica D again.
> 1.3 after virtual machine D is up, on D optionally run a
> 'ipa-replica-manage --force-sync --from ' to sync the IPA databases
> forcibly.
>
> Now comes to restore part, which is pretty confusing to me. I've tried
> several times, and every time this or that kind of issue comes up, and
> so I am wondering that correct steps/interaction of IPA Master/replicas
> are the king :(
>
> 2, case #1, A is broken, like disc failure, and then re-imaged after
> several days.
>
> 2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the
> daily backup from IPA replica D?

The first thing you'll need to do is to connect your other replicas
together, either by picking a new hub or adding links to each one. Then 
you'll need to delete the replication agreement to A. You should be left 
with a set of servers that continues to replicate.

So, for arguments sake, we promote B to be the new hub:

On B:

# ipa-replica-manage connect C
# ipa-replica-manage connect D
# ipa-replica-manage del --force A
# ipactl restart

On C:

# ipa-replica-manage del --force A
# ipactl restart

On D:

# ipa-replica-manage del --force A
# ipactl restart

It is unclear what you mean by re-imaged. Are you restoring from backup 
or installing it fresh? I'll assume it is a new install. You'll need to 
prepare a replica file for A and install it as a replica. Then if you 
want to keep A as the primary you'll need to change the replication 
agreements back so that it is the hub (using ipa-replica-manage connect and
disconnect).

When you install the new A server it should get all the changes needed, 
you should be done.

You'll want to check the documentation on promoting a master to verify 
that only one server is the CRL generator (at this point there may be none).

> 2.2 do I have to check some files on A into subversion immediately after
> A was initially installed?

The only thing you really need to save is the cacert.p12 file. This is 
your root CA.

> 2.3 Please describe the steps. I'll follow exactly and report the results.
>
> 3, case #2, A is working, but either B, or C is broken.
>
> 3.1 It looks that I don't need the daily backup of D to kick in, is that
> right?

No, D is unrelated.

> 3.2 What are the correct steps on A; and B after it is re-imaged?

On A:
# ipa-replica-manage del B
# ipactl restart
# ipa-replica-prepare B

On B
# ipa-replica-install B

You'll probably need/want to clean RUV, 
http://directory.fedoraproject.org/wiki/Howto:CLEANRUV

> 3.3 Please describe the steps. I'll follow exactly and report the results.
>
> 4, case #3, If some un-expected IPA changes happens on A -- like all
> users are deleted by human mistakes --, and even worse, all the changes
> are propagated to B and C in minutes.
>
> 4.1 How can I recover the IPA setup from daily backup from D?

We have not yet documented how to recover from tombstones or an offline 
replica.

> 4.2 which IPA master/replicas I should recover first? IPA master A, or
> IPA replicas B/C? and then how to recover others left one by one?

If the entries are re-added on any of the replicas it will be propagated
out.

> 4.3 Do I have to disconnect replication agreement of B,C,D from A first?

Depends on how 4.1 gets answered which we are still investigating.

> 4.4 Please describe the steps. I'll follow exactly and report the results.
>
> I've heard something about tombstone records too, Not sure whether the
> problem still exists in 2.1.3, or 2.2.0(on 6.3Beta)? If so, How can I
> avoid it with correct recovery steps/interactions.

It is RUV that is the problem. This 389-ds wiki page describes how to 
clean up: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV

The 389-ds team is working to make this less manual.

rob
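
The two checks a reader of this thread ends up doing by hand, written as an added Python example (not code from the thread or from FreeIPA): first, compare the `ipa-replica-manage list` (or `ipa-csreplica-manage list`) output collected from every server and report which servers cannot see which peers, the inconsistency Gelen found in the four-server topology earlier in the thread and the thing to verify after Rob's promote-B procedure above; second, scan `/var/log/dirsrv/slapd-PKI-IPA/errors` lines for replication agreements whose bind keeps failing and flag those whose peer is not among the servers that still exist, which is the state B, C and D were left in here before `ipa-csreplica-manage del --force` was run. The list outputs and log lines are constructed samples modelled on the thread; the peer host inside the agreement line is a constructed value, since the thread's copy shows `(:7389)` with the host missing.

```python
import re

# 1. Topology view consistency -----------------------------------------------

# Constructed `ipa-replica-manage list` output as each server printed it,
# reproducing the uneven views reported earlier in this thread. The same
# function accepts `ipa-csreplica-manage list` output for the CA suffix.
USERROOT_VIEWS = {
    "A.example.com": "A.example.com\nB.example.com\nC.example.com\nD.example.com\n",
    "B.example.com": "A.example.com\nB.example.com\n",
    "C.example.com": "A.example.com\nB.example.com\nC.example.com\n",
    "D.example.com": "A.example.com\nB.example.com\nC.example.com\nD.example.com\n",
}


def parse_list_output(text):
    """Hostnames from a `list` run; tolerates the 'host: master' form."""
    return {line.split(":", 1)[0].strip()
            for line in text.splitlines() if line.strip()}


def find_view_gaps(views):
    """For each server, the peers it does not list although some other
    server does. Empty result means every server sees the whole topology."""
    parsed = {srv: parse_list_output(out) for srv, out in views.items()}
    everyone = set().union(*parsed.values())
    return {srv: everyone - seen for srv, seen in parsed.items()
            if everyone - seen}


# 2. Agreements still bound to a server that is gone --------------------------

LOG_LINE_RE = re.compile(r"^\[([^\]]+)\]\s*(.*?)\s*-\s+(.*)$")
AGMT_RE = re.compile(r'agmt="([^"]+)"\s+\(([^:)]*):(\d+)\)')

# Constructed lines modelled on the slapd-PKI-IPA errors log quoted in this
# thread; the peer host inside the agmt line is a constructed value (the
# thread's copy shows "(:7389)" with the host missing).
CA_ERRORS_LOG = """\
[19/May/2012:19:40:48 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[19/May/2012:19:40:50 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:40:50 -0700] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-B.example.com-pki-ca" (A.example.com:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/May/2012:19:40:57 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
"""


def parse_errors_log(text):
    """(timestamp, component, message) per 389-ds errors-log line; the
    component is empty for plain '- message' lines such as startup notices."""
    return [m.groups() for m in map(LOG_LINE_RE.match, text.splitlines()) if m]


def failing_agreements(text):
    """Agreement name -> (peer host, port) for every replication bind failure."""
    failures = {}
    for _ts, component, msg in parse_errors_log(text):
        if component == "NSMMReplicationPlugin" and "bind" in msg and "failed" in msg:
            m = AGMT_RE.search(msg)
            if m:
                failures[m.group(1)] = (m.group(2), int(m.group(3)))
    return failures


def stale_agreements(text, live_servers):
    """Failing agreements whose peer is not a live server: these are what
    `ipa-csreplica-manage del --force <peer>` (or ipa-replica-manage for
    the userRoot suffix) has to remove on the server that logged them."""
    return {name: peer for name, peer in failing_agreements(text).items()
            if peer[0] not in live_servers}


if __name__ == "__main__":
    for srv, missing in sorted(find_view_gaps(USERROOT_VIEWS).items()):
        print(f"{srv} cannot see: {', '.join(sorted(missing))}")
    live = {"B.example.com", "C.example.com", "D.example.com"}
    for name, (host, port) in stale_agreements(CA_ERRORS_LOG, live).items():
        print(f"stale agreement {name} -> {host}:{port}")
```

Because the userRoot and o=ipaca suffixes have separate agreements and separate management tools, run both views through `find_view_gaps` (one dict per tool) and scan both the `slapd-EXAMPLE-COM` and `slapd-PKI-IPA` errors logs; a clean `ipa-replica-manage` picture says nothing about the CA side, which is exactly what Gelen's listing above shows.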

From hahaha_30k at yahoo.com  Sun May 20 08:28:13 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Sun, 20 May 2012 01:28:13 -0700 (PDT)
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas
	from daily IPA Replica setup???
In-Reply-To: <1337497719.65988.YahooMailNeo@web160703.mail.bf1.yahoo.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com>
	<4FB28B0D.5080201@redhat.com>
	<1337497719.65988.YahooMailNeo@web160703.mail.bf1.yahoo.com>
Message-ID: <1337502493.99772.YahooMailNeo@web160705.mail.bf1.yahoo.com>

Rebuilding the old IPA master A is half a success too. The error also happens on the CA replication side.

After replica preparation on replica B, nuking and reinstalling the old A, and creating A from the replica info file prepared on B, the user LDAP replication works fine, while the CA replication is broken terribly. The error messages on A in the file /var/log/dirsrv/slapd-PKI-IPA/errors are pasted below:

[20/May/2012:01:17:36 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[20/May/2012:01:17:36 -0700] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: data for replica o=ipaca does not match the data in the changelog (replica data (4fb8a7f3000404430000) > changelog (4fb84ba7000000560000)). Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
[20/May/2012:01:17:37 -0700] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[20/May/2012:01:17:37 -0700] - Listening on All Interfaces port 7390 for LDAPS requests
[root@ ~]#

Checking the RUV records shows a number that is too big: 1091, while all others are smaller than 100. There are no RUV records to delete/clear.

dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4fb8187f000000600000
nsds50ruv: {replica 97 ldap://B.example.com:7389} 4fb81886000000
 610000 4fb8a7ca000100610000
nsds50ruv: {replica 1091 ldap://A.example.com:7389} 4fb8a7c60001044
 30000 4fb8a8a9000104430000
nsds50ruv: {replica 91 ldap://C.example.com:7389} 4fb81f54000000
 5b0000 4fb84db60000005b0000
nsds50ruv: {replica 86 ldap://D.example.com:7389} 4fb821a6000000
 560000 4fb84ba7000000560000
o: ipaca
nsruvReplicaLastModified: {replica 97 ldap://B.example.com:7389}
  4fb8a7c7
nsruvReplicaLastModified: {replica 1091 ldap://A.example.com:7389}
  4fb8a8a6
nsruvReplicaLastModified: {replica 91 ldap://C.example.com:7389}
  00000000
nsruvReplicaLastModified: {replica 86 ldap://D.example.com:7389}
  00000000

Please advise. Thanks.

--Gelen
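
Reading that RUV by hand is error-prone, so here is an added Python example (not code from the thread or from 389-ds) that unfolds the LDIF, parses each `nsds50ruv` replica element and decodes its CSNs. A 389-ds CSN is 20 hex digits: 8 for the Unix time, 4 for a sequence number, 4 for the replica ID and 4 for a sub-sequence number, so the replica ID 1091 above is simply 0x0443 as it appears inside A's CSNs, and the embedded timestamp can be lined up against the errors log. The last function lists elements whose host is not in a given set of live servers, which is the starting point for the CLEANRUV procedure Rob linked; the RUV text is the one posted above (line folding kept), while the live-server set passed in is a constructed input.

```python
import datetime
import re
from urllib.parse import urlparse

# The o=ipaca RUV tombstone posted above, with LDIF folding kept: a line
# beginning with one space continues the previous attribute value.
RUV_LDIF = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4fb8187f000000600000
nsds50ruv: {replica 97 ldap://B.example.com:7389} 4fb81886000000
 610000 4fb8a7ca000100610000
nsds50ruv: {replica 1091 ldap://A.example.com:7389} 4fb8a7c60001044
 30000 4fb8a8a9000104430000
nsds50ruv: {replica 91 ldap://C.example.com:7389} 4fb81f54000000
 5b0000 4fb84db60000005b0000
nsds50ruv: {replica 86 ldap://D.example.com:7389} 4fb821a6000000
 560000 4fb84ba7000000560000
o: ipaca
"""

CSN_RE = re.compile(r"^[0-9a-f]{20}$")
RUV_ELEMENT_RE = re.compile(
    r"^\{replica (\d+) (ldap://[^}]+)\}(?: ([0-9a-f]{20}))?(?: ([0-9a-f]{20}))?$")


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading single space means
    'append the rest of this line to the previous one'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def decode_csn(csn):
    """Split a 389-ds CSN (time, seq, replica id, subseq; all hex) into parts."""
    if not CSN_RE.match(csn):
        raise ValueError(f"malformed CSN: {csn!r}")
    return {
        "time": datetime.datetime.fromtimestamp(int(csn[0:8], 16), datetime.timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_ruv(ldif_text):
    """One dict per nsds50ruv replica element: rid, url, min and max CSN."""
    elements = []
    for line in unfold_ldif(ldif_text):
        if not line.startswith("nsds50ruv: {replica "):
            continue  # skips dn, objectClass and the {replicageneration} value
        m = RUV_ELEMENT_RE.match(line[len("nsds50ruv: "):])
        if not m:
            raise ValueError(f"unparsable RUV element: {line!r}")
        rid, url, min_csn, max_csn = m.groups()
        elements.append({"rid": int(rid), "url": url,
                         "min_csn": min_csn, "max_csn": max_csn})
    return elements


def csn_rid_mismatches(elements):
    """Replica IDs whose max CSN carries a different replica ID than the
    element claims. Expected empty; anything here means mangled RUV text."""
    return [e["rid"] for e in elements
            if e["max_csn"] and decode_csn(e["max_csn"])["rid"] != e["rid"]]


def stale_ruv_elements(elements, live_hosts):
    """Replica IDs whose URL points at a host that is not a live server:
    the entries the CLEANRUV procedure is there to remove. live_hosts is a
    constructed input here; in practice take it from `ipa-csreplica-manage list`."""
    live = {h.lower() for h in live_hosts}
    return [e["rid"] for e in elements
            if urlparse(e["url"]).hostname not in live]


if __name__ == "__main__":
    elements = parse_ruv(RUV_LDIF)
    for e in elements:
        last = decode_csn(e["max_csn"])
        print(f"replica {e['rid']:>5} {e['url']:<30} "
              f"last change {last['time']:%Y-%m-%d %H:%M:%S} UTC")
    print("mismatches:", csn_rid_mismatches(elements))
    print("stale:", stale_ruv_elements(elements,
                                       {"B.example.com", "C.example.com", "D.example.com"}))
```

With the live set {B, C, D} the only element flagged is replica 1091 for A.example.com, which matches the situation above: A was reinstalled, so whether 1091 is stale depends on whether the new A is meant to stay in the topology, and the decoded time of its last CSN (2012-05-20 08:13:58 UTC, i.e. 01:13 in the log's -0700 zone, minutes before the 01:17 restart) tells you the new A was already writing.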





?


________________________________
 From: Gelen James 
To: Rob Crittenden ; Dmitri Pal  
Cc: "Freeipa-users at redhat.com"  
Sent: Sunday, May 20, 2012 12:08 AM
Subject: Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
 

Hi Mmitri, Rob and all.

?Thanks for your instructions. I've performed your steps on case#1: replacing failed IPA master. ?The results, and my confusion and questions, are all detailed below. In general, please setup your own real test environment, and write down the detailed steps one by one clearly.

?It took me more than one week and still no clues.?Frankly, your steps in the formal email are kind of over-simplified for normal IPA users, and not covering how the CA LDAP backend will be handled.

The problem is the CA backend. All the replicas still trying to sync to old failed IPA master, even after reboot. ?

Could be that the 'ipa-replica-manage' only manages the user data replication? and 'ipa-csreplica-manage' only handles CA-end replication??In other words, when build, or tear down, IPA replication between two servers, do we need to deal with both replication types with 'ipa-replica-mange' AND 'ipa-csreplica-manage'? If so, then why who should run first?

The error messages in /var/log/dirsrv/slapd-PKI-IPA/errors are attached, same from B,C,D replicas.?

[19/May/2012:19:40:48 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[19/May/2012:19:40:48 -0700] - slapd started. ?Listening on All Interfaces port 7389 for LDAP requests
[19/May/2012:19:40:48 -0700] - Listening on All Interfaces port 7390 for LDAPS requests
[19/May/2012:19:40:50 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:40:50 -0700] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-B.example.com-pki-ca" (:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/May/2012:19:40:57 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:03 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:15 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:39 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:42:27 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:44:03 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:47:15 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[root@ ~]#

After seeing the above messages, I tried to run similar commands for CA replication; it shows that the replication agreement (which replication agreement? User data, or CA data??) exists already.

on B,
ipa-csreplica-manage connect C
ipa-csreplica-manage connect D
ipa-csreplica-manage del A --force
ipactl restart

on C,
ipa-csreplica-manage del A --force
ipactl restart

on D,
ipa-csreplica-manage del A --force
ipactl restart


[root@B ~]# ipa-csreplica-manage --password=xxxxxxx connect C.example.com
This replication agreement already exists.
[root@B ~]#

[root@B ~]# ipa-csreplica-manage --password=xxxxxxx connect D.example.com
This replication agreement already exists.
[root@B ~]#

[root@B ~]# ipa-csreplica-manage --password=xxxxxxx del C.example.com --force
Unable to connect to replica A.example.com, forcing removal
Failed to get data from 'A.example.com': Can't contact LDAP server
Forcing removal on 'B.example.com'
[root@B ~]#

....

After restarting IPA services on B, C, D, the error messages finally went away from the CA errors log file.

But we still cannot find the CA replication setups. Please see the difference in output from 'ipa-replica-manage' and 'ipa-csreplica-manage':

[root@B ~] ipa-replica-manage list
B.example.com
C.example.com
D.example.com

[root@B ~] ipa-csreplica-manage list
B.example.com
C.example.com
D.example.com

[root@B ~] ipa-replica-manage list B.example.com
C.example.com
D.example.com

[root@B ~] ipa-csreplica-manage list B.example.com
## Nothing at all!

Please have a check and give the correct commands and sequences for us IPA users. It is such a pain to spend so much time and still not get restoration working as expected. Even worse, I have no idea how 'ipa-replica-manage' and 'ipa-csreplica-manage' work together behind the scenes.

Thanks a lot.

--Gelen





________________________________
 From: Rob Crittenden 
To: Robinson Tiemuqinke  
Cc: "Freeipa-users at redhat.com" ; Rich Megginson ; Dmitri Pal  
Sent: Tuesday, May 15, 2012 9:57 AM
Subject: Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
 
Robinson Tiemuqinke wrote:
> Hi Dmitri, Rich and all,
>
> I am a newbie to Redhat IPA, It looks like pretty cool compared with
> other solutions I've tried before. Thanks a lot for this great product! :)
>
> But there are still some things I needs your help. My main question is:
> How to restore the IPA setup with a daily machine-level IPA Replica backup?
>
> Please let me explain my IPA setup background and backup/restore goals
> trying to reach:
>
> I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is setup
> with Dogtag CA system. It is installed first. Then two IPA replicas are
> installed -- with '--setup-ca' options -- for load balancing and
> failover purposes.
>
> To describe my problems/objectives, I'll name the IPA Master as machine
> A, IPA replicas as B and C. and now I've one more extra IPA replica 'D'
> (virtual machine) setup ONLY for backup purposes.
> The setup looks like the following, A is the configuration Hub. B,C,D
> are siblings.
>
> A
> / | \
> B C D
>
> The following are the steps I backup IPA setups and LDAP backends daily
> -- it is a whole machine-level backup (through virtual machine D).
>
> 1, First, IPA replica D is backed up daily. The backup happens like this:
>
> 1.1 on IP replica D, run 'service IPA stop'. Then run 'shutdown -h '.
> On the Hypervisor which holds virtual machine D, do a daily backup of
> the whole virtual disk that D is on.
> 1.2 turn on the IP replica D again.
> 1.3 after virtual machine D is up, on D optionally run a
> 'ipa-replica-manage --force-sync --from ' to sync the IPA databases
> forcibly.
>
> Now comes to restore part, which is pretty confusing to me. I've tried
> several times, and every times it comes this or that kinds of issues and
> so I am wondering that correct steps/interaction of IPA Master/replicas
> are the king :(
>
> 2, case #1, A is broken, like disc failure, and then re-imaged after
> several days.
>
> 2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the
> daily backup from IPA replica D?

The first thing you'll need to do is to connect your other replicas 
together, either by picking a new hub or adding links to each one. Then 
you'll need to delete the replication agreement to A. You should be left 
with a set of servers that continues to replicate.

So, for arguments sake, we promote B to be the new hub:

On B:

# ipa-replica-manage connect C
# ipa-replica-manage connect D
# ipa-replica-manage del --force A
# ipactl restart

On C:

# ipa-replica-manage del --force A
# ipactl restart

On D:

# ipa-replica-manage del --force A
# ipactl restart

It is unclear what you mean by re-imaged. Are you restoring from backup 
or installing it fresh? I'll assume it is a new install. You'll need to 
prepare a replica file for A and install it as a replica. Then if you 
want to keep A as the primary you'll need to change the replication 
agreements back to it is the hub (using ipa-replica-manage connect and 
disconnect).

When you install the new A server it should get all the changes needed, 
you should be done.

You'll want to check the documentation on promoting a master to verify 
that only one server is the CRL generator (at this point there may be none).

> 2.2 do I have to check some files on A into subversion immediately after
> A was initially installed?

The only thing you really need to save is the cacert.p12 file. This is 
your root CA.

> 2.3 Please describe the steps. I'll follow exactly and report the results.
>
> 3, case #2, A is working, but either B, or C is broken.
>
> 3.1 It looks that I don't need the daily backup of D to kick in, is that
> right?

No, D is unrelated.

> 3.2 What are the correct steps on A; and B after it is re-imaged?

On A:
# ipa-replica-manage del B
# ipactl restart
# ipa-replica-prepare B

On B
# ipa-replica-install B

You'll probably need/want to clean RUV, 
http://directory.fedoraproject.org/wiki/Howto:CLEANRUV

> 3.3 Please describe the steps. I'll follow exactly and report the results.
>
> 4, case #3, If some un-expected IPA changes happens on A -- like all
> users are deleted by human mistakes --, and even worse, all the changes
> are propagated to B and C in minutes.
>
> 4.1 How can I recover the IPA setup from daily backup from D?

We have not yet documented how to recover from tombstones or an offline 
replica.

> 4.2 which IPA master/replicas I should recover first? IPA master A, or
> IPA replicas B/C? and then how to recover others left one by one?

If the entries are re-added on any of the replicas it will be propagated 
out.

> 4.3 Do I have to disconnect replication agreement of B,C,D from A first?

Depends on how 4.1 gets answered which we are still investigating.

> 4.4 Please describe the steps. I'll follow exactly and report the results.
>
> I've heard something about tombstone records too, Not sure whether the
> problem still exists in 2.1.3, or 2.2.0(on 6.3Beta)? If so, How can I
> avoid it with correct recovery steps/interactions.

It is RUV that is the problem. This 389-ds wiki page describes how to 
clean up: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV

The 389-ds team is working to make this less manual.

rob



_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From shelltoesuperstar at gmail.com  Sun May 20 09:46:58 2012
From: shelltoesuperstar at gmail.com (Charlie Derwent)
Date: Sun, 20 May 2012 10:46:58 +0100
Subject: [Freeipa-users] DNS portion of IPA Server randomly crashing
Message-ID: 

Hi

I'm running IPA server 2.1.3 on RHEL 6.2 and have been experiencing random
DNS failures on my Master and Replica servers. I thought it may have been
down to the version of bind I was running and updated it to
bind-9.7.3-8.P3.el6_2.2.x86_64, yet the error still occurs. It looks like
there is an automated process to reload zones, as the log files show it
working the day before at the exact same time.

I've included the log files below. If anyone can help me get to the bottom
of the problem it would be greatly appreciated.

Thanks,
Charlie.

***Working zone reload***
--------------------------------------
May 17 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
May 17 03:46:01 ipa named[6938]: loading configuration from
'/etc/named.conf'
May 17 03:46:01 ipa named[6938]: using default UDP/IPv4 port range: [1024,
65535]
May 17 03:46:01 ipa named[6938]: using default UDP/IPv6 port range: [1024,
65535]
May 17 03:46:01 ipa named[6938]: no IPv6 interfaces found
May 17 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen;
disabling forwarding
May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen;
disabling forwarding
May 17 03:46:01 ipa named[6938]: none:0: open: /etc/rndc.key: file not found
May 17 03:46:01 ipa named[6938]: couldn't add command channel
127.0.0.1#953: file not found
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED]/IN: (master) removed
May 17 03:46:01 ipa named[6938]: reloading configuration succeeded
May 17 03:46:01 ipa named[6938]: reloading zones succeeded
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED]/IN: sending notifies
(serial[REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
notifies (serial [REMOVED])
--------------------------------------


***Failed zone reload***
--------------------------------------
May 18 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
May 18 03:46:01 ipa named[6938]: loading configuration from
'/etc/named.conf'
May 18 03:46:01 ipa named[6938]: using default UDP/IPv4 port range: [1024,
65535]
May 18 03:46:01 ipa named[6938]: using default UDP/IPv6 port range: [1024,
65535]
May 18 03:46:01 ipa named[6938]: no IPv6 interfaces found
May 18 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
May 18 03:46:01 ipa named[6938]: GSSAPI Error: The referenced context has
expired (Unknown error)
May 18 03:46:01 ipa named[6938]: bind to LDAP server failed: Local error
May 18 03:46:01 ipa named[6938]: reloading configuration failed: failure
May 18 03:46:01 ipa named[6938]: rbt.c:694: REQUIRE((((rbt) != ((void *)0))
&& (((const isc__magic_t *)(rbt))->magic == ((('R') << 24 | ('B') << 16 |
('T') << 8 | ('+')))))) failed, back trace
May 18 03:46:01 ipa named[6938]: #0 0x7f18f791632f in ??
May 18 03:46:01 ipa named[6938]: #1 0x7f18f62e373a in ??
May 18 03:46:01 ipa named[6938]: #2 0x7f18f71af880 in ??
May 18 03:46:01 ipa named[6938]: #3 0x7f18f71afbf3 in ??
May 18 03:46:01 ipa named[6938]: #4 0x7f18f11621fc in ??
May 18 03:46:01 ipa named[6938]: #5 0x7f18f1164379 in ??
May 18 03:46:01 ipa named[6938]: #6 0x7f18f791d597 in ??
May 18 03:46:01 ipa named[6938]: #7 0x7f18f792119a in ??
May 18 03:46:01 ipa named[6938]: #8 0x7f18f790d129 in ??
May 18 03:46:01 ipa named[6938]: #9 0x7f18f6301fe8 in ??
May 18 03:46:01 ipa named[6938]: #10 0x7f18f5ebc7f1 in ??
May 18 03:46:01 ipa named[6938]: #11 0x7f18f540e70d in ??
May 18 03:46:01 ipa named[6938]: exiting (due to assertion failure)
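The two reload episodes above differ only in what happens between the logrotate line and the reload result: on the failed day named logs an expired GSSAPI context, the LDAP bind fails, and the reload ends in an assertion. As an added example (not code from this thread, from BIND or from bind-dyndb-ldap), here is a small Python checker that groups syslog lines into one episode per SIGHUP, flags episodes where an expired Kerberos context preceded the failure, and measures the spacing between reloads, which is the number to compare against the log rotation period. The sample log is a trimmed copy of the lines posted above; the year is an assumption, since syslog lines carry none.

```python
"""Correlate named zone-reload failures with expired GSSAPI credentials.

Added example, not from the thread: groups syslog lines into reload
episodes (one per SIGHUP) and reports which ones failed and why.
"""
import re
from datetime import datetime, timedelta

# Trimmed copy of the two reload episodes posted in the thread (constructed
# sample; the REQUIRE(...) text is shortened). Year is assumed to be 2012.
SAMPLE_LOG = """\
May 17 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
May 17 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
May 17 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
May 17 03:46:01 ipa named[6938]: reloading configuration succeeded
May 17 03:46:01 ipa named[6938]: reloading zones succeeded
May 18 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
May 18 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
May 18 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
May 18 03:46:01 ipa named[6938]: GSSAPI Error: The referenced context has expired (Unknown error)
May 18 03:46:01 ipa named[6938]: bind to LDAP server failed: Local error
May 18 03:46:01 ipa named[6938]: reloading configuration failed: failure
May 18 03:46:01 ipa named[6938]: rbt.c:694: REQUIRE(...) failed, back trace
May 18 03:46:01 ipa named[6938]: exiting (due to assertion failure)
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_line(line, year=2012):
    """Return a dict for one syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m["host"], "prog": m["prog"],
            "pid": m["pid"], "msg": m["msg"]}


def reload_episodes(log_text):
    """Group lines into episodes, each opened by a 'received SIGHUP' line."""
    episodes, cur = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["prog"] == "named" and "received SIGHUP" in msg:
            cur = {"started": rec["time"], "pid": rec["pid"], "outcome": "unknown",
                   "logrotate_error": False, "gssapi_expired": False,
                   "ldap_bind_failed": False, "crashed": False}
            episodes.append(cur)
            continue
        if cur is None:
            continue  # noise before the first reload
        if rec["prog"] == "logrotate" and "exited abnormally" in msg:
            cur["logrotate_error"] = True
        elif "GSSAPI Error" in msg and "expired" in msg:
            cur["gssapi_expired"] = True
        elif msg.startswith("bind to LDAP server failed"):
            cur["ldap_bind_failed"] = True
        elif msg == "reloading zones succeeded":
            cur["outcome"] = "ok"
        elif msg.startswith("reloading configuration failed"):
            cur["outcome"] = "failed"
        elif msg.startswith("exiting (due to assertion failure)"):
            cur["crashed"] = True
    return episodes


def reload_intervals(episodes):
    """Gaps between consecutive reloads; a constant 24h gap points at a daily cron job."""
    return [b["started"] - a["started"] for a, b in zip(episodes, episodes[1:])]


def diagnose(episodes):
    """One finding per non-successful episode, naming the logged precursors."""
    findings = []
    for ep in episodes:
        if ep["outcome"] == "ok":
            continue
        why = []
        if ep["gssapi_expired"]:
            why.append("GSSAPI context expired before the LDAP bind")
        if ep["ldap_bind_failed"]:
            why.append("LDAP bind failed")
        if ep["crashed"]:
            why.append("named exited on an assertion")
        findings.append(f"{ep['started']:%b %d %H:%M:%S} reload {ep['outcome']}: "
                        + "; ".join(why or ["no cause logged"]))
    return findings


if __name__ == "__main__":
    eps = reload_episodes(SAMPLE_LOG)
    for line in diagnose(eps):
        print(line)
    print("intervals between reloads:", reload_intervals(eps))
```

Run against a real /var/log/messages the checker will show whether every failed reload has the GSSAPI precursor and whether the reloads land on the logrotate schedule, which narrows the question to credential lifetime rather than BIND itself.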

From rmeggins at redhat.com  Sun May 20 19:55:54 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Sun, 20 May 2012 13:55:54 -0600
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas
 from daily IPA Replica setup???
In-Reply-To: <1337502493.99772.YahooMailNeo@web160705.mail.bf1.yahoo.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com>
	<4FB28B0D.5080201@redhat.com>
	<1337497719.65988.YahooMailNeo@web160703.mail.bf1.yahoo.com>
	<1337502493.99772.YahooMailNeo@web160705.mail.bf1.yahoo.com>
Message-ID: <4FB94C4A.90306@redhat.com>

On 05/20/2012 02:28 AM, Gelen James wrote:
> rebuild the old IPA master A is half success  too. The error also 
> happens at CA replication side.
>
> After replica preparation at replica B, nuke and reinstall old A, and 
> create A from the replica info file prepared on B, The user LDAP 
> replication works fine. while the CA replication broken terribly. the 
> error messages on A inside file /var/log/dirsrv/slapd-PKI-IPA/errors 
> are pasted below:
>
> [20/May/2012:01:17:36 -0700] - 389-Directory/1.2.9.16 B2012.023.214 
> starting up
> [20/May/2012:01:17:36 -0700] NSMMReplicationPlugin - 
> replica_check_for_data_reload: Warning: data for replica o=ipaca does 
> not match the data in the changelog (replica data 
> (4fb8a7f3000404430000) > changelog (4fb84ba7000000560000)). Recreating 
> the changelog file. This could affect replication with replica's 
> consumers in which case the consumers should be reinitialized.

This error message is normal  - you should only see this once, just 
after a replica has been initialized.

> [20/May/2012:01:17:37 -0700] - slapd started.  Listening on All 
> Interfaces port 7389 for LDAP requests
> [20/May/2012:01:17:37 -0700] - Listening on All Interfaces port 7390 
> for LDAPS requests
> [root@ ~]#
>
> check the RUV records shows a number too big: 1091, while all others 
> are smaller than 100.

It's not "too big" as far as the protocol is concerned, but it is 
strange that it is so much larger than the other values.


> There are no RUV records to delete/clear.
>
> dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
> objectClass: top
> objectClass: nsTombstone
> objectClass: extensibleobject
> nsds50ruv: {replicageneration} 4fb8187f000000600000
> nsds50ruv: {replica 97 ldap://B.example.com:7389} 4fb81886000000
>  610000 4fb8a7ca000100610000
> nsds50ruv: {replica 1091 ldap://A.example.com:7389} 4fb8a7c60001044
>  30000 4fb8a8a9000104430000
> nsds50ruv: {replica 91 ldap://C.example.com:7389} 4fb81f54000000
>  5b0000 4fb84db60000005b0000
> nsds50ruv: {replica 86 ldap://D.example.com:7389} 4fb821a6000000
>  560000 4fb84ba7000000560000
> o: ipaca
> nsruvReplicaLastModified: {replica 97 ldap://B.example.com:7389}
>   4fb8a7c7
> nsruvReplicaLastModified: {replica 1091 ldap://A.example.com:7389}
>  4fb8a8a6
> nsruvReplicaLastModified: {replica 91 ldap://C.example.com:7389}
>   00000000
> nsruvReplicaLastModified: {replica 86 ldap://D.example.com:7389}
>   00000000
>
> Please advise. Thanks.
>
> --Gelen
>
>
>
>
>
>
> ------------------------------------------------------------------------
> *From:* Gelen James 
> *To:* Rob Crittenden ; Dmitri Pal 
> *Cc:* "Freeipa-users at redhat.com" 
> *Sent:* Sunday, May 20, 2012 12:08 AM
> *Subject:* Re: [Freeipa-users] Please help: How to restore IPA 
> Master/Replicas from daily IPA Replica setup???
>
> Hi Dmitri, Rob and all.
>
>  Thanks for your instructions. I've performed your steps on case#1: 
> replacing failed IPA master.  The results, and my confusion and 
> questions, are all detailed below. In general, please setup your own 
> real test environment, and write down the detailed steps one by one 
> clearly.
>

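To read an RUV entry like the one quoted above without counting hex digits by hand, here is an added example (not code from this thread or from the 389-ds project). It unfolds the LDIF, splits each 20-digit CSN into the 389-ds fields (8 hex digits of Unix time, 4 of sequence number, 4 of replica id, 4 of sub-sequence number), and reports replicas whose CSNs do not carry their own id, whose range is inverted, or that have no last-modified time recorded. The sample entry is constructed from the RUV quoted above, folding included; reading an all-zero nsruvReplicaLastModified as "no update recorded from this replica yet" is my interpretation, not something the thread states.

```python
"""Decode a 389-ds / IPA RUV tombstone entry into per-replica state.

Added example, not code from the thread or from 389-ds.
"""
import re
from datetime import datetime, timezone

# Constructed from the RUV entry quoted in the thread. LDIF folding (a
# continuation line starts with one space) is kept so unfolding is exercised.
SAMPLE_RUV = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4fb8187f000000600000
nsds50ruv: {replica 97 ldap://B.example.com:7389} 4fb81886000000
 610000 4fb8a7ca000100610000
nsds50ruv: {replica 1091 ldap://A.example.com:7389} 4fb8a7c60001044
 30000 4fb8a8a9000104430000
nsds50ruv: {replica 91 ldap://C.example.com:7389} 4fb81f54000000
 5b0000 4fb84db60000005b0000
nsds50ruv: {replica 86 ldap://D.example.com:7389} 4fb821a6000000
 560000 4fb84ba7000000560000
o: ipaca
nsruvReplicaLastModified: {replica 97 ldap://B.example.com:7389}
  4fb8a7c7
nsruvReplicaLastModified: {replica 1091 ldap://A.example.com:7389}
  4fb8a8a6
nsruvReplicaLastModified: {replica 91 ldap://C.example.com:7389}
  00000000
nsruvReplicaLastModified: {replica 86 ldap://D.example.com:7389}
  00000000
"""

CSN_RE = re.compile(r"^[0-9a-f]{20}$")
GEN_RE = re.compile(r"^\{replicageneration\} (?P<csn>[0-9a-f]{20})$")
RUV_RE = re.compile(r"^\{replica (?P<rid>\d+) (?P<url>[^}]+)\} "
                    r"(?P<min>[0-9a-f]{20}) (?P<max>[0-9a-f]{20})$")
LASTMOD_RE = re.compile(r"^\{replica (?P<rid>\d+) (?P<url>[^}]+)\} (?P<ts>[0-9a-f]{8})$")


def decode_csn(csn):
    """Split a CSN: time (8 hex), seq (4), replica id (4), sub-seq (4)."""
    if not CSN_RE.match(csn):
        raise ValueError(f"not a CSN: {csn!r}")
    return {"time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
            "seq": int(csn[8:12], 16),
            "rid": int(csn[12:16], 16),
            "subseq": int(csn[16:20], 16)}


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ruv(ldif_text):
    """Return {'generation': csn-dict, 'replicas': {rid: {...}}}."""
    ruv = {"generation": None, "replicas": {}}
    for line in unfold_ldif(ldif_text):
        attr, sep, value = line.partition(": ")
        if not sep:
            continue
        if attr == "nsds50ruv":
            m = GEN_RE.match(value)
            if m:
                ruv["generation"] = decode_csn(m["csn"])
                continue
            m = RUV_RE.match(value)
            if m:
                ruv["replicas"][int(m["rid"])] = {
                    "url": m["url"], "min": decode_csn(m["min"]),
                    "max": decode_csn(m["max"]), "last_modified": None}
        elif attr == "nsruvReplicaLastModified":
            m = LASTMOD_RE.match(value)
            if m:
                entry = ruv["replicas"].setdefault(
                    int(m["rid"]), {"url": m["url"], "min": None, "max": None,
                                    "last_modified": None})
                secs = int(m["ts"], 16)
                # Assumption: an all-zero stamp means no update from this
                # replica has been recorded since the RUV was created.
                entry["last_modified"] = (
                    datetime.fromtimestamp(secs, tz=timezone.utc) if secs else None)
    return ruv


def check_ruv(ruv):
    """Consistency findings, one string per problem, ordered by replica id."""
    findings = []
    for rid, r in sorted(ruv["replicas"].items()):
        if r["min"] is None:
            findings.append(f"replica {rid}: last-modified stamp but no CSN range")
            continue
        if r["min"]["rid"] != rid or r["max"]["rid"] != rid:
            findings.append(f"replica {rid}: CSNs carry replica id "
                            f"{r['max']['rid']}, element is mislabelled")
        if r["max"]["time"] < r["min"]["time"]:
            findings.append(f"replica {rid}: max CSN is older than min CSN")
        if r["last_modified"] is None:
            findings.append(f"replica {rid} ({r['url']}): no update recorded yet")
    return findings


if __name__ == "__main__":
    ruv = parse_ruv(SAMPLE_RUV)
    for rid, r in sorted(ruv["replicas"].items()):
        print(rid, r["url"], r["min"]["time"], "->", r["max"]["time"], r["last_modified"])
    print(check_ruv(ruv))
```

On the quoted entry the check confirms that 1091 is simply A's replica id (0x0443, the third field of every CSN A issued) and that the element is internally consistent; the only findings are for C and D, which the rebuilt A has not yet recorded an update from.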

From Steven.Jones at vuw.ac.nz  Sun May 20 20:47:52 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 20 May 2012 20:47:52 +0000
Subject: [Freeipa-users] DNS portion of IPA Server randomly crashing
In-Reply-To: 
References: 
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC961EE@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Yes I have problems with DNS as well... but right now I have worse issues... just don't upgrade IPA to 6.3/6.3beta versions.

:/


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Charlie Derwent [shelltoesuperstar at gmail.com]
Sent: Sunday, 20 May 2012 9:46 p.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] DNS portion of IPA Server randomly crashing

Hi

I'm running IPA server 2.1.3 on RHEL 6.2 and have been experiencing random DNS failures on my Master and Replica servers. I thought it may have been down to the version of bind I was running and updated it it to bind-9.7.3-8.P3.el6_2.2.x86_64 yet the error still occurs it looks like there is an automated process to reload zones as the log files show it working the day before at the exact same time.

I've included the log files below. If anyone can help me get to the bottom of the problem it would be greatly appreciated.

Thanks,
Charlie.

***Working zone reload***
--------------------------------------
May 17 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
May 17 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
May 17 03:46:01 ipa named[6938]: using default UDP/IPv4 port range: [1024, 65535]
May 17 03:46:01 ipa named[6938]: using default UDP/IPv6 port range: [1024, 65535]
May 17 03:46:01 ipa named[6938]: no IPv6 interfaces found
May 17 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen; disabling forwarding
May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen; disabling forwarding
May 17 03:46:01 ipa named[6938]: none:0: open: /etc/rndc.key: file not found
May 17 03:46:01 ipa named[6938]: couldn't add command channel 127.0.0.1#953: file not found
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
May 17 03:46:01 ipa named[6938]: zone [REMOVED]/IN: (master) removed
May 17 03:46:01 ipa named[6938]: reloading configuration succeeded
May 17 03:46:01 ipa named[6938]: reloading zones succeeded
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED]/IN: sending notifies (serial[REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
--------------------------------------


***Failed zone reload***
--------------------------------------
May 18 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
May 18 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
May 18 03:46:01 ipa named[6938]: using default UDP/IPv4 port range: [1024, 65535]
May 18 03:46:01 ipa named[6938]: using default UDP/IPv6 port range: [1024, 65535]
May 18 03:46:01 ipa named[6938]: no IPv6 interfaces found
May 18 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
May 18 03:46:01 ipa named[6938]: GSSAPI Error: The referenced context has expired (Unknown error)
May 18 03:46:01 ipa named[6938]: bind to LDAP server failed: Local error
May 18 03:46:01 ipa named[6938]: reloading configuration failed: failure
May 18 03:46:01 ipa named[6938]: rbt.c:694: REQUIRE((((rbt) != ((void *)0)) && (((const isc__magic_t *)(rbt))->magic == ((('R') << 24 | ('B') << 16 | ('T') << 8 | ('+')))))) failed, back trace
May 18 03:46:01 ipa named[6938]: #0 0x7f18f791632f in ??
May 18 03:46:01 ipa named[6938]: #1 0x7f18f62e373a in ??
May 18 03:46:01 ipa named[6938]: #2 0x7f18f71af880 in ??
May 18 03:46:01 ipa named[6938]: #3 0x7f18f71afbf3 in ??
May 18 03:46:01 ipa named[6938]: #4 0x7f18f11621fc in ??
May 18 03:46:01 ipa named[6938]: #5 0x7f18f1164379 in ??
May 18 03:46:01 ipa named[6938]: #6 0x7f18f791d597 in ??
May 18 03:46:01 ipa named[6938]: #7 0x7f18f792119a in ??
May 18 03:46:01 ipa named[6938]: #8 0x7f18f790d129 in ??
May 18 03:46:01 ipa named[6938]: #9 0x7f18f6301fe8 in ??
May 18 03:46:01 ipa named[6938]: #10 0x7f18f5ebc7f1 in ??
May 18 03:46:01 ipa named[6938]: #11 0x7f18f540e70d in ??
May 18 03:46:01 ipa named[6938]: exiting (due to assertion failure)




From pspacek at redhat.com  Mon May 21 08:44:53 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 21 May 2012 10:44:53 +0200
Subject: [Freeipa-users] DNS portion of IPA Server randomly crashing
In-Reply-To: 
References: 
Message-ID: <4FBA0085.9010401@redhat.com>

Hello,

please provide your version of the bind-dyndb-ldap package. It is the interface 
between BIND and the LDAP database. Latest version is 0.2.0-7.el6.
# rpm -q bind-dyndb-ldap

If you reload BIND manually, does it crash also? Every time?
# rndc reload

How long is log rotation period?

What is Kerberos ticket lifetime?
# ipa krbtpolicy-show

If you can reproduce it (in the worst case wait a day ...), please install debug 
information:
# debuginfo-install bind bind-dyndb-ldap

and then send logs again.


Thanks for your time.

Petr^2 Spacek

On 05/20/2012 11:46 AM, Charlie Derwent wrote:
> Hi
> I'm running IPA server 2.1.3 on RHEL 6.2 and have been experiencing random DNS
> failures on my Master and Replica servers. I thought it may have been down to
> the version of bind I was running and updated it to
> bind-9.7.3-8.P3.el6_2.2.x86_64, yet the error still occurs. It looks like there
> is an automated process to reload zones, as the log files show it working the
> day before at the exact same time.
> I've included the log files below. If anyone can help me get to the bottom of
> the problem it would be greatly appreciated.
> Thanks,
> Charlie.
> ***Working zone reload***
> --------------------------------------
> May 17 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
> May 17 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
> May 17 03:46:01 ipa named[6938]: using default UDP/IPv4 port range: [1024, 65535]
> May 17 03:46:01 ipa named[6938]: using default UDP/IPv6 port range: [1024, 65535]
> May 17 03:46:01 ipa named[6938]: no IPv6 interfaces found
> May 17 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
> May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen;
> disabling forwarding
> May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen;
> disabling forwarding
> May 17 03:46:01 ipa named[6938]: none:0: open: /etc/rndc.key: file not found
> May 17 03:46:01 ipa named[6938]: couldn't add command channel 127.0.0.1#953:
> file not found
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED]/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: reloading configuration succeeded
> May 17 03:46:01 ipa named[6938]: reloading zones succeeded
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
> notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
> notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
> notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
> notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
> notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED]/IN: sending notifies
> (serial[REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
> notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
> notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
> notifies (serial [REMOVED])
> --------------------------------------
> ***Failed zone reload***
> --------------------------------------
> May 18 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
> May 18 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
> May 18 03:46:01 ipa named[6938]: using default UDP/IPv4 port range: [1024, 65535]
> May 18 03:46:01 ipa named[6938]: using default UDP/IPv6 port range: [1024, 65535]
> May 18 03:46:01 ipa named[6938]: no IPv6 interfaces found
> May 18 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
> May 18 03:46:01 ipa named[6938]: GSSAPI Error: The referenced context has
> expired (Unknown error)
> May 18 03:46:01 ipa named[6938]: bind to LDAP server failed: Local error
> May 18 03:46:01 ipa named[6938]: reloading configuration failed: failure
> May 18 03:46:01 ipa named[6938]: rbt.c:694: REQUIRE((((rbt) != ((void *)0)) &&
> (((const isc__magic_t *)(rbt))->magic == ((('R') << 24 | ('B') << 16 | ('T')
> << 8 | ('+')))))) failed, back trace
> May 18 03:46:01 ipa named[6938]: #0 0x7f18f791632f in ??
> May 18 03:46:01 ipa named[6938]: #1 0x7f18f62e373a in ??
> May 18 03:46:01 ipa named[6938]: #2 0x7f18f71af880 in ??
> May 18 03:46:01 ipa named[6938]: #3 0x7f18f71afbf3 in ??
> May 18 03:46:01 ipa named[6938]: #4 0x7f18f11621fc in ??
> May 18 03:46:01 ipa named[6938]: #5 0x7f18f1164379 in ??
> May 18 03:46:01 ipa named[6938]: #6 0x7f18f791d597 in ??
> May 18 03:46:01 ipa named[6938]: #7 0x7f18f792119a in ??
> May 18 03:46:01 ipa named[6938]: #8 0x7f18f790d129 in ??
> May 18 03:46:01 ipa named[6938]: #9 0x7f18f6301fe8 in ??
> May 18 03:46:01 ipa named[6938]: #10 0x7f18f5ebc7f1 in ??
> May 18 03:46:01 ipa named[6938]: #11 0x7f18f540e70d in ??
> May 18 03:46:01 ipa named[6938]: exiting (due to assertion failure)
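
The two reloads quoted above show the pattern a monitor should alert on: logrotate runs at 03:46:01 each morning and named receives a SIGHUP in the same second; on the failing day the reload's LDAP bind fails because the GSSAPI (Kerberos) context has expired, the configuration reload fails, and named exits on an assertion. The following Python is an added example, not code from this thread, from BIND or from bind-dyndb-ldap. It walks syslog lines, groups named's output into one record per SIGHUP, marks attempts that failed or crashed, and notes whether a logrotate run landed in the same second. The log lines in SAMPLE_LOG are constructed, modelled on the quoted ones.

```python
"""Flag BIND zone reloads that failed or crashed named, from syslog lines.

Added example for this thread; not code from BIND, bind-dyndb-ldap or FreeIPA.
SAMPLE_LOG is constructed, modelled on the lines quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "May 18 03:46:01 ipa named[6938]: <message>"   (no pid on the logrotate line)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


@dataclass
class ReloadAttempt:
    started: str                       # timestamp of the SIGHUP line
    host: str
    pid: Optional[str]
    config_ok: Optional[bool] = None   # None: no "reloading configuration ..." line seen
    gssapi_expired: bool = False       # Kerberos context expired before the LDAP bind
    ldap_bind_failed: bool = False
    crashed: bool = False              # named exited on an assertion failure
    logrotate_same_second: bool = False
    messages: List[str] = field(default_factory=list)


def parse_reload_attempts(lines) -> List[ReloadAttempt]:
    """Group named's syslog output into reload attempts, one per SIGHUP."""
    attempts: List[ReloadAttempt] = []
    current: Optional[ReloadAttempt] = None
    logrotate_seconds = set()
    for raw in lines:
        m = SYSLOG_RE.match(raw.strip())
        if not m:
            continue
        ts, host, prog, pid, msg = m.group("ts", "host", "prog", "pid", "msg")
        if prog == "logrotate":
            logrotate_seconds.add(ts)        # logrotate is what sends the SIGHUP
            continue
        if prog != "named":
            continue
        if "received SIGHUP signal to reload zones" in msg:
            current = ReloadAttempt(started=ts, host=host, pid=pid)
            attempts.append(current)
            continue
        if current is None:
            continue                         # named chatter outside a reload window
        current.messages.append(msg)
        if msg.startswith("reloading configuration succeeded"):
            current.config_ok = True
        elif msg.startswith("reloading configuration failed"):
            current.config_ok = False
        elif msg.startswith("GSSAPI Error") and "expired" in msg:
            current.gssapi_expired = True
        elif msg.startswith("bind to LDAP server failed"):
            current.ldap_bind_failed = True
        elif msg.startswith("exiting"):
            current.crashed = True
            current = None                   # the process is gone after this line
    for a in attempts:
        a.logrotate_same_second = a.started in logrotate_seconds
    return attempts


def failed_reloads(lines) -> List[ReloadAttempt]:
    """Attempts worth an alert: the config reload failed or named exited."""
    return [a for a in parse_reload_attempts(lines) if a.config_ok is False or a.crashed]


# Constructed sample, modelled on the two reloads quoted in the thread.
SAMPLE_LOG = """\
May 17 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
May 17 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
May 17 03:46:01 ipa named[6938]: no IPv6 interfaces found
May 17 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen; disabling forwarding
May 17 03:46:01 ipa named[6938]: reloading configuration succeeded
May 17 03:46:01 ipa named[6938]: reloading zones succeeded
May 18 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
May 18 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
May 18 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
May 18 03:46:01 ipa named[6938]: GSSAPI Error: The referenced context has expired (Unknown error)
May 18 03:46:01 ipa named[6938]: bind to LDAP server failed: Local error
May 18 03:46:01 ipa named[6938]: reloading configuration failed: failure
May 18 03:46:01 ipa named[6938]: exiting (due to assertion failure)
""".splitlines()


if __name__ == "__main__":
    for a in failed_reloads(SAMPLE_LOG):
        cause = "GSSAPI context expired -> LDAP bind failed" if a.gssapi_expired else "unknown"
        print(f"{a.started} {a.host} named[{a.pid}]: reload failed, crashed={a.crashed}, "
              f"logrotate in same second={a.logrotate_same_second}, cause: {cause}")
```

Feeding `/var/log/messages` to `failed_reloads` gives one record per bad reload with the timestamp, pid and whether logrotate ran in the same second, which is the correlation Petr's questions about log rotation and ticket lifetime are after.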



From jhrozek at redhat.com  Mon May 21 08:51:51 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 21 May 2012 10:51:51 +0200
Subject: [Freeipa-users] sudo rules in IPA infrastructure
In-Reply-To: <1337465504.61171.YahooMailNeo@web125705.mail.ne1.yahoo.com>
References: <1337376918.9323.YahooMailNeo@web160704.mail.bf1.yahoo.com>
	<20120519171639.GD9477@hendrix.redhat.com>
	<1337465504.61171.YahooMailNeo@web125705.mail.ne1.yahoo.com>
Message-ID: <20120521085151.GA11350@zeppelin.brq.redhat.com>

On Sat, May 19, 2012 at 03:11:44PM -0700, David Copperfield wrote:
>    Hi Jakub and Rich,
>    Got it.
>    Thanks a lot on the HBAC and sudoers maps access. I think I got confused
>    with the graph in the powerpoint
>    presentation http://www.redhat.com/summit/2011/presentations/summit/whats_next/friday/pal_crittenden_f_1100_ipa_overview_rev3.pdf.
>    The graph 'Under the hood' claimed that user/group/netgroup/HBAC will go
>    through sssd, while other maps (sudo, autofs?) would go through
>    nss_ldap.

There's no hard rule; we've historically developed support for the most
important name-service-switch libc maps, such as groups and passwd, then
gradually added support for other maps like netgroups depending on demand
for them.

In some special cases, we even add application-specific responders such
as the ones for sudo and autofs in 1.8. These communicate with the app
using their own protocol via a unix pipe, not through the name service
switch maps (even though both sudo and autofs are configured in the
nsswitch.conf file).



From pviktori at redhat.com  Mon May 21 12:01:10 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 21 May 2012 14:01:10 +0200
Subject: [Freeipa-users] Any ways for IPA users to reset expired
 passwords by themselves over web?
In-Reply-To: <1337374672.71120.YahooMailNeo@web125701.mail.ne1.yahoo.com>
References: <1337374672.71120.YahooMailNeo@web125701.mail.ne1.yahoo.com>
Message-ID: <4FBA2E86.3060507@redhat.com>

On 05/18/2012 10:57 PM, David Copperfield wrote:
> Hi all,
>
> Are there any Web interfaces for IPA users to reset their expired
> password over the web? Currently we let test users ssh/login to a
> particular Linux server, and sssd will let the users authenticate
> with their old expired password and then reset to a newer password.
>
> The IPA web UI could be a choice, but it cannot log out (2.1.3-9
> version on Redhat 6.2), and the users may see too many other unrelated
> things, which poses challenges to them and opens a door for mis-operations.
>
>
> Thanks.
>
> --David
>

Hello,
This is planned for 3.0; the ticket is at 
https://fedorahosted.org/freeipa/ticket/2276. It's planned to be a part 
of the Web UI.


-- 
Petr³



From danieljamesscott at gmail.com  Mon May 21 13:13:52 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Mon, 21 May 2012 09:13:52 -0400
Subject: [Freeipa-users] Replication status
In-Reply-To: <4FB65CB2.5000800@redhat.com>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
	
	<4FB65CB2.5000800@redhat.com>
Message-ID: 

On Fri, May 18, 2012 at 10:29 AM, Rich Megginson  wrote:
> On 05/18/2012 08:13 AM, Dan Scott wrote:
>>
>> Hi,
>>
>> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden
>> wrote:
>>>
>>> Rich Megginson wrote:
>>>>
>>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>>>
>>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>>
>>>>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>>>>> to a less privileged account; i.e., an account solely designed to
>>>>>>> check replication status?
>>>>>>
>>>>>> You also need to expose the RUV tombstone entry at the base of each
>>>>>> suffix.
>>>>>
>>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>>>>> any pointers?
>>>>>
>>>>> Cheers,
>>>>> Ian
>>>>>
>>>>
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>>
>>>
>>> We already have some delegated permissions for replication but none
>>> granting
>>> only read access. Off the cuff, something like this might work:
>>>
>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>> changetype: modify
>>> add: aci
>>> aci:
>>>
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>> 3.0; aci "permission:Read Replication Agreements"; allow (read, search,
>>> compare) groupdn = "ldap:///cn=Read Replication
>>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>>
>>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>>> changetype: add
>>> objectClass: top
>>> objectClass: groupofnames
>>> objectClass: ipapermission
>>> cn: Read Replication Agreements
>>> ipapermissiontype: SYSTEM
>>>
>>> Note that you'll need to replace $SUFFIX with your base dn
>>> (dc=example,dc=com).
>>>
>>> This is untested so YMMV. If you find that it works and is useful please
>>> let
>>> us know, maybe we can add this for everyone to enjoy :-)
>>
>> Is it safe to allow anonymous access to read this attribute? I added
>> the following ACI:
>>
>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>> changetype: modify
>> add: aci
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>> 3.0; aci "permission:Read Replication Agreements"; allow (read,
>> search, compare) groupdn = "ldap:///anyone";)
>
>
> It would be better to restrict the list of attributes to only those needed
> by the app e.g. (targetattr="foo || bar || baz || ...")
>
>
>>
>> And I can now get the replication status using an anonymous bind. I
>> also modified the nagios perl script to make an anonymous bind and
>> check the replication status - it's working OK.
>>
>> I don't know if the aci should be a standard feature, option to
>> enable, or just to provide the ldif for anyone who wants it.
>
>
> Sure.  If you think it should be a standard feature, just file a ticket.

OK, done.

https://fedorahosted.org/freeipa/ticket/2770

I've modified the nagios perl script that I got from:

http://directory.fedoraproject.org/wiki/Howto:ReplicationMonitoring

to do anonymous binds and to allow an additional parameter with the
port number. Should I send it to someone?

Dan
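
Rich's point above, that an anonymous bind rule should come with an explicit attribute list rather than `targetattr=*`, is the kind of thing worth checking mechanically before an ACI goes into `cn=config`. The Python below is an added example, not code from FreeIPA, 389-ds or the Nagios script discussed here. It parses a version 3.0 ACI string (wrapped LDIF lines included), reports anonymous rules that expose every attribute or grant more than read/search/compare, and rewrites the `targetattr` clause to an allowlist. `BROAD_ACI` is the rule Dan posted; `STATUS_ATTRS` is an assumed list of the agreement attributes a replication-status check reads, to be adjusted to whatever the monitoring script actually queries.

```python
"""Lint 389-ds/IPA ACIs for over-broad anonymous read access.

Added example for this thread, not code from FreeIPA or 389-ds.  BROAD_ACI is
the rule proposed in the thread; STATUS_ATTRS is an assumed allowlist of the
replication-agreement attributes a status monitor reads.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

ANONYMOUS = "ldap:///anyone"

# Assumption: the attributes a replication-status check needs.  Adjust to taste.
STATUS_ATTRS = (
    "nsds5replicaLastUpdateStatus",
    "nsds5replicaLastUpdateStart",
    "nsds5replicaLastUpdateEnd",
    "nsds5replicaUpdateInProgress",
    "nsDS5ReplicaHost",
    "nsDS5ReplicaPort",
)

# The anonymous-read ACI from the thread, as one string (LDIF wrapping removed).
BROAD_ACI = (
    '(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)'
    '(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; '
    'aci "permission:Read Replication Agreements"; allow (read, search, compare) '
    'groupdn = "ldap:///anyone";)'
)

_TARGETATTR = re.compile(r'\(targetattr\s*=\s*"?([^")]+)"?\)', re.I)
_TARGETFILTER = re.compile(r'\(targetfilter\s*=\s*"([^"]*)"\)', re.I)
_PERMISSION = re.compile(
    r'\(version\s+3\.0\s*;\s*aci\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)'
    r'\s*(.*?)\s*;\s*\)\s*$',
    re.I | re.S,
)


@dataclass
class Aci:
    name: str
    targetattr: List[str]        # ["*"] means every attribute
    targetfilter: Optional[str]
    effect: str                  # "allow" or "deny"
    rights: List[str]            # lower-cased, e.g. ["read", "search", "compare"]
    bind_rule: str               # e.g. 'groupdn = "ldap:///anyone"'


def parse_aci(text: str) -> Aci:
    """Parse one ACI value; continuation lines from LDIF are joined first."""
    text = " ".join(text.split())
    m = _PERMISSION.search(text)
    if not m:
        raise ValueError("no (version 3.0; aci ...; allow|deny (...) ...;) clause found")
    name, effect, rights, bind_rule = m.groups()
    ta = _TARGETATTR.search(text)
    # A missing (or "!=") targetattr is treated like "*": the conservative reading.
    attrs = [a.strip() for a in ta.group(1).split("||")] if ta else ["*"]
    tf = _TARGETFILTER.search(text)
    return Aci(name, attrs, tf.group(1) if tf else None, effect.lower(),
               [r.strip().lower() for r in rights.split(",")], bind_rule.strip())


def audit_aci(aci: Aci, needed: Sequence[str]) -> List[str]:
    """Findings for an anonymous rule that grants more than a monitor needs."""
    findings: List[str] = []
    if aci.effect != "allow":
        return findings
    anonymous = ANONYMOUS in aci.bind_rule.lower()
    wildcard = "*" in aci.targetattr
    needed_lc = {n.lower() for n in needed}
    if anonymous and wildcard:
        findings.append(f"{aci.name}: anonymous bind rule with targetattr=* exposes every "
                        "attribute of the matched entries, not only the status fields")
    elif anonymous:
        extra = [a for a in aci.targetattr if a.lower() not in needed_lc]
        if extra:
            findings.append(f"{aci.name}: anonymous access to attributes the monitor "
                            "does not need: " + ", ".join(extra))
    more_than_read = set(aci.rights) - {"read", "search", "compare"}
    if anonymous and more_than_read:
        findings.append(f"{aci.name}: anonymous rule grants more than read/search/compare: "
                        + ", ".join(sorted(more_than_read)))
    if aci.targetfilter is None:
        findings.append(f"{aci.name}: no targetfilter, so the rule applies to every "
                        "entry under the target")
    return findings


def narrow_targetattr(aci_text: str, needed: Sequence[str]) -> str:
    """Return the ACI with targetattr replaced by an explicit allowlist."""
    text = " ".join(aci_text.split())
    replacement = '(targetattr="' + " || ".join(needed) + '")'
    if _TARGETATTR.search(text):
        return _TARGETATTR.sub(lambda _m: replacement, text, count=1)
    return replacement + text


if __name__ == "__main__":
    for finding in audit_aci(parse_aci(BROAD_ACI), STATUS_ATTRS):
        print("FINDING:", finding)
    print("proposed:", narrow_targetattr(BROAD_ACI, STATUS_ATTRS))
```

Run against the posted rule it reports the wildcard; run against the narrowed rule it is silent, and the narrowed text can be pasted back into the `aci:` line of the LDIF (the `$SUFFIX` substitution still applies).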



From rmeggins at redhat.com  Mon May 21 13:21:31 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 21 May 2012 07:21:31 -0600
Subject: [Freeipa-users] Replication status
In-Reply-To: 
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
	
	<4FB65CB2.5000800@redhat.com>
	
Message-ID: <4FBA415B.2090902@redhat.com>

On 05/21/2012 07:13 AM, Dan Scott wrote:
> On Fri, May 18, 2012 at 10:29 AM, Rich Megginson  wrote:
>> On 05/18/2012 08:13 AM, Dan Scott wrote:
>>> Hi,
>>>
>>> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden
>>>   wrote:
>>>> Rich Megginson wrote:
>>>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>>>
>>>>>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>>>>>> to a less privileged account; i.e., an account solely designed to
>>>>>>>> check replication status?
>>>>>>> You also need to expose the RUV tombstone entry at the base of each
>>>>>>> suffix.
>>>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>>>>>> any pointers?
>>>>>>
>>>>>> Cheers,
>>>>>> Ian
>>>>>>
>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>>>
>>>> We already have some delegated permissions for replication but none
>>>> granting
>>>> only read access. Off the cuff, something like this might work:
>>>>
>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>> changetype: modify
>>>> add: aci
>>>> aci:
>>>>
>>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>>> 3.0; aci "permission:Read Replication Agreements"; allow (read, search,
>>>> compare) groupdn = "ldap:///cn=Read Replication
>>>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>>>
>>>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>>>> changetype: add
>>>> objectClass: top
>>>> objectClass: groupofnames
>>>> objectClass: ipapermission
>>>> cn: Read Replication Agreements
>>>> ipapermissiontype: SYSTEM
>>>>
>>>> Note that you'll need to replace $SUFFIX with your base dn
>>>> (dc=example,dc=com).
>>>>
>>>> This is untested so YMMV. If you find that it works and is useful please
>>>> let
>>>> us know, maybe we can add this for everyone to enjoy :-)
>>> Is it safe to allow anonymous access to read this attribute? I added
>>> the following ACI:
>>>
>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>> changetype: modify
>>> add: aci
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>>> 3.0; aci "permission:Read Replication Agreements"; allow (read,
>>> search, compare) groupdn = "ldap:///anyone";)
>>
>> It would be better to restrict the list of attributes to only those needed
>> by the app e.g. (targetattr="foo || bar || baz || ...")
>>
>>
>>> And I can now get the replication status using an anonymous bind. I
>>> also modified the nagios perl script to make an anonymous bind and
>>> check the replication status - it's working OK.
>>>
>>> I don't know if the aci should be a standard feature, option to
>>> enable, or just to provide the ldif for anyone who wants it.
>>
>> Sure.  If you think it should be a standard feature, just file a ticket.
> OK, done.
>
> https://fedorahosted.org/freeipa/ticket/2770
>
> I've modified the nagios perl script that I got from:
>
> http://directory.fedoraproject.org/wiki/Howto:ReplicationMonitoring
>
> to do anonymous binds and to allow an additional parameter with the
> port number. Should I send it to someone?
I don't know who maintains that nagios script.
>
> Dan



From natxo.asenjo at gmail.com  Mon May 21 13:51:58 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Mon, 21 May 2012 15:51:58 +0200
Subject: [Freeipa-users] Replication status
In-Reply-To: <4FBA415B.2090902@redhat.com>
References: <28FD1FA9-4DE7-4BA0-B0CF-8C136A2BEF0A@crystal.harvard.edu>
	<4FA1ADA3.70209@redhat.com>
	<7535BDA3-AF10-408A-B84F-DFAE6645497A@crystal.harvard.edu>
	<4FA1B9C2.2020500@redhat.com>
	
	<4FA1E241.3040606@redhat.com> <4FA1F7D1.50703@redhat.com>
	
	<4FB65CB2.5000800@redhat.com>
	
	<4FBA415B.2090902@redhat.com>
Message-ID: 

On Mon, May 21, 2012 at 3:21 PM, Rich Megginson  wrote:

> On 05/21/2012 07:13 AM, Dan Scott wrote:
>
>>
>>

> https://fedorahosted.org/freeipa/ticket/2770
>>
>> I've modified the nagios perl script that I got from:
>>
>> http://directory.fedoraproject.org/wiki/Howto:ReplicationMonitoring
>>
>> to do anonymous binds and to allow an additional parameter with the
>> port number. Should I send it to someone?
>>
> I don't know who maintains that nagios script.
>

you can always post it to the nagios exchange site (
http://exchange.nagios.org/) so others can benefit from it.

-- 
natxo

From cevich at redhat.com  Mon May 21 13:53:31 2012
From: cevich at redhat.com (Chris Evich)
Date: Mon, 21 May 2012 09:53:31 -0400
Subject: [Freeipa-users] Doc. mixup
Message-ID: <4FBA48DB.2010706@redhat.com>

Hi,

Not sure if this is the right place or not, but I noticed that the 
freeipa.org documentation link for 2.0 goes to 
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html 
which is for version 2.1.3.

FreeIPA 2.1.x is also what you get with Fedora 16; however, the Fedora 16 
docs at 
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/index.html 
show the version as 2.2, and as I've learned (the hard way) there are new 
features not supported in 2.1 :D

Are there plans to rebase FreeIPA to 2.2 in Fedora 16?

If not, then should I open a bug to fix up the Fedora 16 FreeIPA docs to 
point at the version which actually ships with it?

Thanks



From rcritten at redhat.com  Mon May 21 14:10:16 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 May 2012 10:10:16 -0400
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas
 from daily IPA Replica setup???
In-Reply-To: <1337497719.65988.YahooMailNeo@web160703.mail.bf1.yahoo.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com>
	<4FB28B0D.5080201@redhat.com>
	<1337497719.65988.YahooMailNeo@web160703.mail.bf1.yahoo.com>
Message-ID: <4FBA4CC8.6040302@redhat.com>

Gelen James wrote:
> Hi Dmitri, Rob and all.
>
> Thanks for your instructions. I've performed your steps on case #1:
> replacing the failed IPA master. The results, and my confusion and
> questions, are all detailed below. In general, please set up your own
> real test environment, and write down the detailed steps one by one clearly.
>
> It took me more than one week and still no clues. Frankly, your steps in
> the former email are kind of over-simplified for normal IPA users, and
> do not cover how the CA LDAP backend will be handled.
>
> The problem is the CA backend. All the replicas are still trying to sync to
> the old failed IPA master, even after a reboot.
>
> Could it be that 'ipa-replica-manage' only manages the user data
> replication, and 'ipa-csreplica-manage' only handles CA-end replication?
> In other words, when building, or tearing down, IPA replication between two
> servers, do we need to deal with both replication types with
> 'ipa-replica-manage' AND 'ipa-csreplica-manage'? If so, then which
> should run first?

Yes, the replication agreements are managed separately, which is why 
there are separate tools. This allows you to have a different 
replication topology for the CA than for IPA user data.

The order the commands are executed doesn't matter.

>
> The error messages in /var/log/dirsrv/slapd-PKI-IPA/errors are attached,
> same from B,C,D replicas.
>
> [19/May/2012:19:40:48 -0700] - 389-Directory/1.2.9.16 B2012.023.214
> starting up
> [19/May/2012:19:40:48 -0700] - slapd started. Listening on All
> Interfaces port 7389 for LDAP requests
> [19/May/2012:19:40:48 -0700] - Listening on All Interfaces port 7390 for
> LDAPS requests
> [19/May/2012:19:40:50 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:40:50 -0700] NSMMReplicationPlugin -
> agmt="cn=cloneAgreement1-B.example.com-pki-ca" (:7389): Replication
> bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server)
> ((null))
> [19/May/2012:19:40:57 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:41:03 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:41:15 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:41:39 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:42:27 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:44:03 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:47:15 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [root@ ~]#
>
> After seeing the above messages, I tried to run similar commands for CA
> replication, and it shows that the replication agreement (which replication
> agreement? User data, or CA data??) exists already.
>
> on B,
> ipa-csreplica-manage connect C
> ipa-csreplica-manage connect D
> ipa-csreplica-manage del A --force
> ipactl restart
>
> on C,
> ipa-csreplica-manage del A --force
> ipactl restart
>
> on D,
> ipa-csreplica-manage del A --force
> ipactl restart
>
>
> [root at B ~]# ipa-csreplica-manage --password=xxxxxxx connect C.example.com
> This replication agreement already exists.
> [root at B ~]#
>
> [root at B ~]# ipa-csreplica-manage --password=xxxxxxx connect D.example.com
> This replication agreement already exists.
> [root at B ~]#
>
> [root at B ~]# ipa-csreplica-manage --password=xxxxxxx del C.example.com
> --force
> Unable to connect to replica A.example.com, forcing removal
> Failed to get data from 'A.example.com': Can't contact LDAP server
> Forcing removal on 'B.example.com'
> [root at B ~]#
>
> ....
>
> After restarting IPA services on B, C, D, the error messages
> finally went away from the CA errors log file.
>
> But we still cannot find the CA replication setups. Please see the
> difference in output from 'ipa-replica-manage' and 'ipa-csreplica-manage':
>
> [root at B ~] ipa-replica-manage list
> B.example.com
> C.example.com
> D.example.com
>
> [root at B ~] ipa-csreplica-manage list
> B.example.com
> C.example.com
> D.example.com
>
> [root at B ~] ipa-replica-manage list B.example.com
> C.example.com
> D.example.com
>
> [root at B ~] ipa-csreplica-manage list B.example.com
> ## Nothing at all!
>
> Please check and give the correct commands and sequences for us IPA
> users. It is such a pain to spend so much time and still not get
> restoration to work as expected. Even worse, I have no idea how
> 'ipa-replica-manage' and 'ipa-csreplica-manage' work together behind the
> scenes.
>
> Thanks a lot.
>
> --Gelen
>
>
>
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden 
> *To:* Robinson Tiemuqinke 
> *Cc:* "Freeipa-users at redhat.com" ; Rich
> Megginson ; Dmitri Pal 
> *Sent:* Tuesday, May 15, 2012 9:57 AM
> *Subject:* Re: [Freeipa-users] Please help: How to restore IPA
> Master/Replicas from daily IPA Replica setup???
>
> Robinson Tiemuqinke wrote:
>  > Hi Dmitri, Rich and all,
>  >
>  > I am a newbie to Redhat IPA. It looks pretty cool compared with
>  > other solutions I've tried before. Thanks a lot for this great
> product! :)
>  >
>  > But there are still some things I need your help with. My main question is:
>  > How to restore the IPA setup with a daily machine-level IPA Replica
> backup?
>  >
>  > Please let me explain my IPA setup background and the backup/restore goals
>  > I'm trying to reach:
>  >
>  > I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is set up
>  > with the Dogtag CA system. It is installed first. Then two IPA replicas are
>  > installed -- with '--setup-ca' options -- for load balancing and
>  > failover purposes.
>  >
>  > To describe my problems/objectives, I'll name the IPA Master as machine
>  > A, the IPA replicas as B and C, and now I've one more extra IPA replica 'D'
>  > (virtual machine) set up ONLY for backup purposes.
>  > The setup looks like the following: A is the configuration hub; B, C, D
>  > are siblings.
>  >
>  > A
>  > / | \
>  > B C D
>  >
>  > The following are the steps I use to back up IPA setups and LDAP backends daily
>  > -- it is a whole machine-level backup (through virtual machine D).
>  >
>  > 1, First, IPA replica D is backed up daily. The backup happens like this:
>  >
>  > 1.1 on IPA replica D, run 'service IPA stop'. Then run 'shutdown -h '.
>  > On the Hypervisor which holds virtual machine D, do a daily backup of
>  > the whole virtual disk that D is on.
>  > 1.2 turn on the IPA replica D again.
>  > 1.3 after virtual machine D is up, on D optionally run
>  > 'ipa-replica-manage --force-sync --from ' to sync the IPA databases
>  > forcibly.
>  >
>  > Now comes the restore part, which is pretty confusing to me. I've tried
>  > several times, and every time it comes to this or that kind of issue, and
>  > so I am wondering what the correct steps/interaction of IPA Master/replicas
>  > are :(
>  >
>  > 2, case #1, A is broken, like disc failure, and then re-imaged after
>  > several days.
>  >
>  > 2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the
>  > daily backup from IPA replica D?
>
> The first thing you'll need to do is to connect your other replicas
> together, either by picking a new hub or adding links to each one. Then
> you'll need to delete the replication agreement to A. You should be left
> with a set of servers that continues to replicate.
>
> So, for arguments sake, we promote B to be the new hub:
>
> On B:
>
> # ipa-replica-manage connect C
> # ipa-replica-manage connect D
> # ipa-replica-manage del --force A
> # ipactl restart
>
> On C:
>
> # ipa-replica-manage del --force A
> # ipactl restart
>
> On D:
>
> # ipa-replica-manage del --force A
> # ipactl restart
>
> It is unclear what you mean by re-imaged. Are you restoring from backup
> or installing it fresh? I'll assume it is a new install. You'll need to
> prepare a replica file for A and install it as a replica. Then if you
> want to keep A as the primary you'll need to change the replication
> agreements back so that it is the hub (using ipa-replica-manage connect and
> disconnect).
>
> When you install the new A server it should get all the changes needed, and
> you should be done.
>
> You'll want to check the documentation on promoting a master to verify
> that only one server is the CRL generator (at this point there may be none).
>
>  > 2.2 do I have to check some files on A into subversion immediately after
>  > A was initially installed?
>
> The only thing you really need to save is the cacert.p12 file. This is
> your root CA.
>
>  > 2.3 Please describe the steps. I'll follow exactly and report the
> results.
>  >
>  > 3, case #2, A is working, but either B, or C is broken.
>  >
>  > 3.1 It looks that I don't need the daily backup of D to kick in, is that
>  > right?
>
> No, D is unrelated.
>
>  > 3.2 What are the correct steps on A; and B after it is re-imaged?
>
> On A:
> # ipa-replica-manage del B
> # ipactl restart
> # ipa-replica-prepare B
>
> On B
> # ipa-replica-install B
>
> You'll probably need/want to clean RUV,
> http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
>
>  > 3.3 Please describe the steps. I'll follow exactly and report the
> results.
>  >
>  > 4, case #3, If some unexpected IPA changes happen on A -- like all
>  > users being deleted by human mistake -- and, even worse, all the changes
>  > are propagated to B and C in minutes.
>  >
>  > 4.1 How can I recover the IPA setup from daily backup from D?
>
> We have not yet documented how to recover from tombstones or an offline
> replica.
>
>  > 4.2 which IPA master/replicas I should recover first? IPA master A, or
>  > IPA replicas B/C? and then how to recover others left one by one?
>
> If the entries are re-added on any of the replicas it will be propagated
> out.
>
>  > 4.3 Do I have to disconnect replication agreement of B,C,D from A first?
>
> Depends on how 4.1 gets answered which we are still investigating.
>
>  > 4.4 Please describe the steps. I'll follow exactly and report the
> results.
>  >
>  > I've heard something about tombstone records too; not sure whether the
>  > problem still exists in 2.1.3, or 2.2.0 (on 6.3 Beta)? If so, how can I
>  > avoid it with the correct recovery steps/interactions?
>
> It is RUV that is the problem. This 389-ds wiki page describes how to
> clean up: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
>
> The 389-ds team is working to make this less manual.
>
> rob
>
>

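
The CA errors log quoted above is the symptom to look for after a master is lost: each replica keeps retrying the agreement that points at the dead host, and the two replication topologies (user data and CA) have to be cleaned up separately. The Python below is an added example, not code from FreeIPA or 389-ds. It summarizes replication-bind failures per agreement from a 389-ds errors log and compares each agreement's peer host against the list `ipa-csreplica-manage list` returns, so the stale agreement is identified before anything is removed. The log lines, agreement names and host names are constructed, modelled on the quoted ones; where the log leaves the peer host blank, as it does in the quote, the agreement is reported as unknown-peer rather than assumed healthy.

```python
"""Summarize replication-bind failures from a 389-ds errors log.

Added example for this thread, not part of FreeIPA or 389-ds.  SAMPLE_ERRORS_LOG
and LIVE_CA_REPLICAS are constructed, modelled on the CA instance log and the
'ipa-csreplica-manage list' output quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# "[19/May/2012:19:40:50 -0700] <body>"
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<body>.*)$")
# agmt="cn=..." (peerhost:port): <message>   -- the peer host may be blank
AGMT_FAIL = re.compile(
    r'agmt="(?P<agmt>[^"]+)"\s+\((?P<host>[^:)]*):(?P<port>\d+)\):\s+(?P<msg>.*)$'
)


@dataclass
class AgreementFailures:
    agreement: str
    peer_host: str                    # "" when the log omits it
    peer_port: int
    count: int = 0
    first_seen: Optional[str] = None
    last_seen: Optional[str] = None
    errors: List[str] = field(default_factory=list)   # distinct error texts


def summarize_bind_failures(lines) -> Dict[str, AgreementFailures]:
    """One record per replication agreement that failed to bind, in log order."""
    out: Dict[str, AgreementFailures] = {}
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        ts, body = m.group("ts"), m.group("body")
        # Only the replication plugin's bind failures; startTLS noise is skipped.
        if "NSMMReplicationPlugin" not in body or "bind" not in body.lower():
            continue
        a = AGMT_FAIL.search(body)
        if not a:
            continue
        key = a.group("agmt")
        rec = out.get(key)
        if rec is None:
            rec = AgreementFailures(key, a.group("host"), int(a.group("port")))
            out[key] = rec
        rec.count += 1
        rec.first_seen = rec.first_seen or ts
        rec.last_seen = ts
        if a.group("msg") not in rec.errors:
            rec.errors.append(a.group("msg"))
    return out


def stale_agreements(failures: Dict[str, AgreementFailures],
                     live_hosts: Set[str]) -> List[AgreementFailures]:
    """Failing agreements whose peer is not a current replica, or is unknown.

    A blank peer host (as in the quoted log) cannot be matched, so it is
    returned too: an operator must look at the agreement entry, not ignore it.
    """
    live = {h.lower() for h in live_hosts}
    return [f for f in failures.values() if f.peer_host.lower() not in live]


# Constructed sample, modelled on /var/log/dirsrv/slapd-PKI-IPA/errors above.
SAMPLE_ERRORS_LOG = """\
[19/May/2012:19:40:48 -0700] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[19/May/2012:19:40:50 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:40:50 -0700] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-B.example.com-pki-ca" (A.example.com:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/May/2012:19:40:57 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:40:57 -0700] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-B.example.com-pki-ca" (A.example.com:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/May/2012:19:41:03 -0700] NSMMReplicationPlugin - agmt="cn=cloneAgreement2-B.example.com-pki-ca" (C.example.com:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
""".splitlines()

# Constructed: what 'ipa-csreplica-manage list' reports after A is gone.
LIVE_CA_REPLICAS = {"B.example.com", "C.example.com", "D.example.com"}


if __name__ == "__main__":
    summary = summarize_bind_failures(SAMPLE_ERRORS_LOG)
    for f in summary.values():
        print(f"{f.agreement}: {f.count} failures, {f.first_seen} .. {f.last_seen}")
    for f in stale_agreements(summary, LIVE_CA_REPLICAS):
        print(f"STALE peer {f.peer_host or '<unknown>'}:{f.peer_port} via {f.agreement}")
```

In the sample the agreement toward `A.example.com` is the stale one (A is no longer in the CA replica list), while the failure toward `C.example.com` is a live peer that is merely unreachable at the moment and needs a different response.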


From rcritten at redhat.com  Mon May 21 14:12:53 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 May 2012 10:12:53 -0400
Subject: [Freeipa-users] Doc. mixup
In-Reply-To: <4FBA48DB.2010706@redhat.com>
References: <4FBA48DB.2010706@redhat.com>
Message-ID: <4FBA4D65.7030700@redhat.com>

Chris Evich wrote:
> Hi,
>
> Not sure if this is the right place or not, but I noticed that the
> freeipa.org documentation link for 2.0 goes to
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html
> which is for version 2.1.3.

Ok, I'll take a look. We should probably change the name of the link, at 
one time it pointed to the 2.0 docs.

> Freeipa 2.1.x is also what you get with Fedora 16, however the fedora 16
> docs at
> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/index.html
> show the version as 2.2 and as I've learned (the hard way) there are new
> features not supported in 2.1 :D
>
> Are there plans to rebase FreeIPA to 2.2 in Fedora 16?

No. It can be possible to run a 2.2 server on F-16 but there are some 
things missing.

> If not, then should I open a bug to fix up the Fedora 16 FreeIPA docs to
> point at the version which actually ships with it?

That would be great, thanks.

rob



From shelltoesuperstar at gmail.com  Mon May 21 17:17:30 2012
From: shelltoesuperstar at gmail.com (Charlie Derwent)
Date: Mon, 21 May 2012 18:17:30 +0100
Subject: [Freeipa-users] DNS portion of IPA Server randomly crashing
In-Reply-To: <4FBA0085.9010401@redhat.com>
References: 
	<4FBA0085.9010401@redhat.com>
Message-ID: 

Hi Petr
I'm running bind-dyndb-ldap-0.2.0-7el6.x86_64

rndc reload doesn't work as "neither /etc/rndc.conf nor /etc/rndc.key was
found"

Logrotate is weekly

Kerberos ticket lifetime is
Max life: 86400
Max renew: 604800

Looking at the time between errors it's very infrequent but of course it's
quite serious
ipa1 - Apr 1st then Apr 5th
ipa2 - Apr 13th then Apr 26th
ipa3 - Mar 26th then May 18th

Worst of all I can't reproduce it. It just works, until it doesn't

Regards
Charlie



On Mon, May 21, 2012 at 9:44 AM, Petr Spacek  wrote:

> Hello,
>
> please provide your version of the bind-dyndb-ldap package. It is the interface
> between BIND and the LDAP database. The latest version is 0.2.0-7.el6.
> # rpm -q bind-dyndb-ldap
>
> If you reload BIND manually, does it crash as well? Every time?
> # rndc reload
>
> How long is log rotation period?
>
> What is Kerberos ticket lifetime?
> # ipa krbtpolicy-show
>
> If you can reproduce it (in the worst case wait a day ...), please install
> debug information:
> # debuginfo-install bind bind-dyndb-ldap
>
> and then send logs again.
>
>
> Thanks for your time.
>
> Petr^2 Spacek
>
>
> On 05/20/2012 11:46 AM, Charlie Derwent wrote:
>
>> Hi
>> I'm running IPA server 2.1.3 on RHEL 6.2 and have been experiencing
>> random DNS
>> failures on my Master and Replica servers. I thought it may have been
>> down to
>> the version of bind I was running and updated it it to
>> bind-9.7.3-8.P3.el6_2.2.x86_64 yet the error still occurs it looks like
>> there
>> is an automated process to reload zones as the log files show it working
>> the
>> day before at the exact same time.
>> I've included the log files below. If anyone can help me get to the
>> bottom of
>> the problem it would be greatly appreciated.
>> Thanks,
>> Charlie.
>> ***Working zone reload***
>> --------------------------------------
>> May 17 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
>> May 17 03:46:01 ipa named[6938]: loading configuration from
>> '/etc/named.conf'
>> May 17 03:46:01 ipa named[6938]: using default UDP/IPv4 port range:
>> [1024, 65535]
>> May 17 03:46:01 ipa named[6938]: using default UDP/IPv6 port range:
>> [1024, 65535]
>> May 17 03:46:01 ipa named[6938]: no IPv6 interfaces found
>> May 17 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
>> May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen;
>> disabling forwarding
>> May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen;
>> disabling forwarding
>> May 17 03:46:01 ipa named[6938]: none:0: open: /etc/rndc.key: file not
>> found
>> May 17 03:46:01 ipa named[6938]: couldn't add command channel
>> 127.0.0.1#953:
>> file not found
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
>> removed
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
>> removed
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
>> removed
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
>> removed
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
>> removed
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
>> removed
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
>> removed
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master)
>> removed
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED]/IN: (master) removed
>> May 17 03:46:01 ipa named[6938]: reloading configuration succeeded
>> May 17 03:46:01 ipa named[6938]: reloading zones succeeded
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
>> notifies (serial [REMOVED])
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
>> notifies (serial [REMOVED])
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
>> notifies (serial [REMOVED])
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
>> notifies (serial [REMOVED])
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
>> notifies (serial [REMOVED])
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED]/IN: sending notifies
>> (serial[REMOVED])
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
>> notifies (serial [REMOVED])
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
>> notifies (serial [REMOVED])
>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending
>> notifies (serial [REMOVED])
>> --------------------------------------
>> ***Failed zone reload***
>> --------------------------------------
>> May 18 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
>> May 18 03:46:01 ipa named[6938]: loading configuration from
>> '/etc/named.conf'
>> May 18 03:46:01 ipa named[6938]: using default UDP/IPv4 port range:
>> [1024, 65535]
>> May 18 03:46:01 ipa named[6938]: using default UDP/IPv6 port range:
>> [1024, 65535]
>> May 18 03:46:01 ipa named[6938]: no IPv6 interfaces found
>> May 18 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
>> May 18 03:46:01 ipa named[6938]: GSSAPI Error: The referenced context has
>> expired (Unknown error)
>> May 18 03:46:01 ipa named[6938]: bind to LDAP server failed: Local error
>> May 18 03:46:01 ipa named[6938]: reloading configuration failed: failure
>> May 18 03:46:01 ipa named[6938]: rbt.c:694: REQUIRE((((rbt) != ((void
>> *)0)) &&
>> (((const isc__magic_t *)(rbt))->magic == ((('R') << 24 | ('B') << 16 |
>> ('T')
>> << 8 | ('+')))))) failed, back trace
>> May 18 03:46:01 ipa named[6938]: #0 0x7f18f791632f in ??
>> May 18 03:46:01 ipa named[6938]: #1 0x7f18f62e373a in ??
>> May 18 03:46:01 ipa named[6938]: #2 0x7f18f71af880 in ??
>> May 18 03:46:01 ipa named[6938]: #3 0x7f18f71afbf3 in ??
>> May 18 03:46:01 ipa named[6938]: #4 0x7f18f11621fc in ??
>> May 18 03:46:01 ipa named[6938]: #5 0x7f18f1164379 in ??
>> May 18 03:46:01 ipa named[6938]: #6 0x7f18f791d597 in ??
>> May 18 03:46:01 ipa named[6938]: #7 0x7f18f792119a in ??
>> May 18 03:46:01 ipa named[6938]: #8 0x7f18f790d129 in ??
>> May 18 03:46:01 ipa named[6938]: #9 0x7f18f6301fe8 in ??
>> May 18 03:46:01 ipa named[6938]: #10 0x7f18f5ebc7f1 in ??
>> May 18 03:46:01 ipa named[6938]: #11 0x7f18f540e70d in ??
>> May 18 03:46:01 ipa named[6938]: exiting (due to assertion failure)
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From pspacek at redhat.com  Mon May 21 17:28:47 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 21 May 2012 19:28:47 +0200
Subject: [Freeipa-users] DNS portion of IPA Server randomly crashing
In-Reply-To: 
References: 
	<4FBA0085.9010401@redhat.com>
	
Message-ID: <4FBA7B4F.2080408@redhat.com>

On 05/21/2012 07:17 PM, Charlie Derwent wrote:
> Hi Petr
> I'm running bind-dyndb-ldap-0.2.0-7el6.x86_64
> rndc reload doesn't work as "neither /etc/rndc.conf nor /etc/rndc.key was found"
You can fix it with
# rndc-confgen -a

(It probably doesn't help to reproduce it, unfortunately.)

> Logrotate is weekly
> Kerberos ticket lifetime is
> Max life: 86400
> Max renew: 604800
> Looking at the time between errors it's very infrequent but of course it's
> quite serious
> ipa1 - Apr 1st then Apr 5th
How is that possible if logrotate is weekly? Was it reloaded manually? Can you 
explore the logs? Are there any other "symptoms"?

> ipa2 - Apr 13th then Apr 26th
> ipa3 - Mar 26th then May 18th
> Worst of all I can't reproduce it. It just works, until it doesn't
In that case, please install the debug info on all machines. If possible, 
please install ABRT as well - it can catch some useful information after a crash. I 
will look into it ...

Good night from Europe.

Petr^2 Spacek

> Regards
> Charlie



From hahaha_30k at yahoo.com  Mon May 21 17:25:21 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Mon, 21 May 2012 10:25:21 -0700 (PDT)
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas
	from daily IPA Replica setup???
In-Reply-To: <1337497719.65988.YahooMailNeo@web160703.mail.bf1.yahoo.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com>
	<4FB28B0D.5080201@redhat.com>
	<1337497719.65988.YahooMailNeo@web160703.mail.bf1.yahoo.com>
Message-ID: <1337621121.23884.YahooMailNeo@web160701.mail.bf1.yahoo.com>

Hi Rob,

Just wondering whether you guys have abandoned IPA 2.1.3 users on Redhat 6.2 or not. :(

The IPA replication/restoration procedure/document request has been submitted for more than a week, but I can not see any meaningful work has been done for customers, although IPA replication and restoration is so vital to users' production IPA reliability!?

Even after I've done a lot of investigation work and asked for help/suggestions, there is still not much attention paid by you guys. Am I, or any other users here, just non-paid IPA Q/A team staff who can be ignored for no reason :)

I've mentioned this again and again, urging the IPA team to set up a typical user setup, because only this way can you see what problems IPA administrators/users are facing and scared of. But unfortunately, we don't have the feeling that you have done so.

Thanks.

--Gelen


________________________________
 From: Gelen James 
To: Rob Crittenden ; Dmitri Pal  
Cc: "Freeipa-users at redhat.com"  
Sent: Sunday, May 20, 2012 12:08 AM
Subject: Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
 

Hi Dmitri, Rob and all.

Thanks for your instructions. I've performed your steps on case#1: replacing a failed IPA master. The results, and my confusion and questions, are all detailed below. In general, please set up your own real test environment, and write down the detailed steps one by one clearly.

It took me more than one week and still no clues. Frankly, your steps in the former email are kind of over-simplified for normal IPA users, and do not cover how the CA LDAP backend will be handled.

The problem is the CA backend. All the replicas are still trying to sync to the old failed IPA master, even after reboot.

Could it be that 'ipa-replica-manage' only manages the user data replication, and 'ipa-csreplica-manage' only handles CA-end replication? In other words, when building, or tearing down, IPA replication between two servers, do we need to deal with both replication types with 'ipa-replica-manage' AND 'ipa-csreplica-manage'? If so, then which should run first?

The error messages in /var/log/dirsrv/slapd-PKI-IPA/errors are attached, the same from the B, C, D replicas.

[19/May/2012:19:40:48 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[19/May/2012:19:40:48 -0700] - slapd started. ?Listening on All Interfaces port 7389 for LDAP requests
[19/May/2012:19:40:48 -0700] - Listening on All Interfaces port 7390 for LDAPS requests
[19/May/2012:19:40:50 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:40:50 -0700] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-B.example.com-pki-ca" (:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/May/2012:19:40:57 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:03 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:15 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:39 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:42:27 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:44:03 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:47:15 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[root@ ~]#

After seeing the above messages, I tried to run similar commands for CA replication, it shows that replication agreement (which replication agreement? User data, or CA data ?? ) exists already.

on B,

ipa-csreplica-manage connect C
ipa-csreplica-manage connect D
ipa-csreplica-manage del A --force
ipactl restart

on C,
ipa-csreplica-manage del A --force
ipactl restart

on D,
ipa-csreplica-manage del A --force
ipactl restart


[root at B ~]# ipa-csreplica-manage --password=xxxxxxx connect C.example.com
This replication agreement already exists.
[root at B ~]#

[root at B ~]# ipa-csreplica-manage --password=xxxxxxx connect D.example.com
This replication agreement already exists.
[root at B ~]#

[root at B ~]# ipa-csreplica-manage --password=xxxxxxx del C.example.com --force
Unable to connect to replica A.example.com, forcing removal
Failed to get data from 'A.example.com': Can't contact LDAP server
Forcing removal on 'B.example.com'
[root at B ~]#

....

After restarting IPA services on B, C, D, the error messages finally went away from the CA errors log file.

But we still can not find the CA replication setups. Please see the difference of output from 'ipa-replica-manage' and 'ipa-csreplica-manage':

[root at B ~] ipa-replica-manage list
B.example.com
C.example.com
D.example.com

[root at B ~] ipa-csreplica-manage list
B.example.com
C.example.com
D.example.com

[root at B ~] ipa-replica-manage list B.example.com
C.example.com
D.example.com

[root at B ~] ipa-csreplica-manage list B.example.com
## Nothing at all!

Please have a check and give the correct commands and sequences for us IPA users. It is such a pain to spend so much time and still not get restoration to work as expected. Even worse, I have no idea how 'ipa-replica-manage' and 'ipa-csreplica-manage' work together behind the scenes.

Thanks a lot.

--Gelen





________________________________
 From: Rob Crittenden 
To: Robinson Tiemuqinke  
Cc: "Freeipa-users at redhat.com" ; Rich Megginson ; Dmitri Pal  
Sent: Tuesday, May 15, 2012 9:57 AM
Subject: Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
 
Robinson Tiemuqinke wrote:
> Hi Dmitri, Rich and all,
>
> I am a newbie to Redhat IPA, It looks like pretty cool compared with
> other solutions I've tried before. Thanks a lot for this great product! :)
>
> But there are still some things I needs your help. My main question is:
> How to restore the IPA setup with a daily machine-level IPA Replica backup?
>
> Please let me explain my IPA setup background and backup/restore goals
> trying to reach:
>
> I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is setup
> with Dogtag CA system. It is installed first. Then two IPA replicas are
> installed -- with '--setup-ca' options -- for load balancing and
> failover purposes.
>
> To describe my problems/objectives, I'll name the IPA Master as machine
> A, IPA replicas as B and C. and now I've one more extra IPA replica 'D'
> (virtual machine) setup ONLY for backup purposes.
> The setup looks like the following, A is the configuration Hub. B,C,D
> are siblings.
>
> A
> / | \
> B C D
>
> The following are the steps I backup IPA setups and LDAP backends daily
> -- it is a whole machine-level backup (through virtual machine D).
>
> 1, First, IPA replica D is backed up daily. The backup happens like this:
>
> 1.1 on IP replica D, run 'service IPA stop'. Then run 'shutdown -h '.
> On the Hypervisor which holds virtual machine D, do a daily backup of
> the whole virtual disk that D is on.
> 1.2 turn on the IP replica D again.
> 1.3 after virtual machine D is up, on D optionally run a
> 'ipa-replica-manage --force-sync --from ' to sync the IPA databases
> forcibly.
>
> Now comes the restore part, which is pretty confusing to me. I've tried
> several times, and every time it comes to this or that kind of issue and
> so I am wondering that the correct steps/interaction of IPA Master/replicas
> are the king :(
>
> 2, case #1, A is broken, like disc failure, and then re-imaged after
> several days.
>
> 2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the
> daily backup from IPA replica D?

The first thing you'll need to do is to connect your other replicas 
together, either by picking a new hub or adding links to each one. Then 
you'll need to delete the replication agreement to A. You should be left 
with a set of servers that continues to replicate.

So, for arguments sake, we promote B to be the new hub:

On B:

# ipa-replica-manage connect C
# ipa-replica-manage connect D
# ipa-replica-manage del --force A
# ipactl restart

On C:

# ipa-replica-manage del --force A
# ipactl restart

On D:

# ipa-replica-manage del --force A
# ipactl restart

It is unclear what you mean by re-imaged. Are you restoring from backup 
or installing it fresh? I'll assume it is a new install. You'll need to 
prepare a replica file for A and install it as a replica. Then if you 
want to keep A as the primary you'll need to change the replication 
agreements back so that it is the hub (using ipa-replica-manage connect and 
disconnect).

When you install the new A server it should get all the changes needed, 
you should be done.

You'll want to check the documentation on promoting a master to verify 
that only one server is the CRL generator (at this point there may be none).

> 2.2 do I have to check some files on A into subversion immediately after
> A was initially installed?

The only thing you really need to save is the cacert.p12 file. This is 
your root CA.

> 2.3 Please describe the steps. I'll follow exactly and report the results.
>
> 3, case #2, A is working, but either B, or C is broken.
>
> 3.1 It looks that I don't need the daily backup of D to kick in, is that
> right?

No, D is unrelated.

> 3.2 What are the correct steps on A; and B after it is re-imaged?

On A:
# ipa-replica-manage del B
# ipactl restart
# ipa-replica-prepare B

On B
# ipa-replica-install B

You'll probably need/want to clean RUV, 
http://directory.fedoraproject.org/wiki/Howto:CLEANRUV

> 3.3 Please describe the steps. I'll follow exactly and report the results.
>
> 4, case #3, If some un-expected IPA changes happens on A -- like all
> users are deleted by human mistakes --, and even worse, all the changes
> are propagated to B and C in minutes.
>
> 4.1 How can I recover the IPA setup from daily backup from D?

We have not yet documented how to recover from tombstones or an offline 
replica.

> 4.2 which IPA master/replicas I should recover first? IPA master A, or
> IPA replicas B/C? and then how to recover others left one by one?

If the entries are re-added on any of the replicas it will be propagated 
out.

> 4.3 Do I have to disconnect replication agreement of B,C,D from A first?

Depends on how 4.1 gets answered which we are still investigating.

> 4.4 Please describe the steps. I'll follow exactly and report the results.
>
> I've heard something about tombstone records too, Not sure whether the
> problem still exists in 2.1.3, or 2.2.0(on 6.3Beta)? If so, How can I
> avoid it with correct recovery steps/interactions.

It is RUV that is the problem. This 389-ds wiki page describes how to 
clean up: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV

The 389-ds team is working to make this less manual.

rob




From cevich at redhat.com  Mon May 21 19:35:15 2012
From: cevich at redhat.com (Chris Evich)
Date: Mon, 21 May 2012 15:35:15 -0400
Subject: [Freeipa-users] Doc. mixup
In-Reply-To: <4FBA4D65.7030700@redhat.com>
References: <4FBA48DB.2010706@redhat.com> <4FBA4D65.7030700@redhat.com>
Message-ID: <4FBA98F3.1030406@redhat.com>

On 05/21/2012 10:12 AM, Rob Crittenden wrote:
> Chris Evich wrote:
>> Are there plans to rebase FreeIPA to 2.2 in Fedora 16?
>
> No. It can be possible to run a 2.2 server on F-16 but there are some
> things missing.
>
>> If not, then should I open a bug to fix up the Fedora 16 FreeIPA docs to
>> point at the version which actually ships with it?
>
> That would be great, thanks.
>
> rob
>

Thanks for the info.  I opened a fedora docs bug here: 
https://bugzilla.redhat.com/show_bug.cgi?id=823654 w/ keywords 
Documentation & EasyFix.

-- 
Chris Evich, RHCA, RHCE, RHCDS, RHCSS
Quality Assurance Engineer
e-mail: cevich + `@' + redhat.com o: 1-888-RED-HAT1 x44214



From TChow at eexchange.com  Mon May 21 19:55:46 2012
From: TChow at eexchange.com (TChow at eexchange.com)
Date: Mon, 21 May 2012 12:55:46 -0700
Subject: Message removed by Red Hat, Inc. adminstrators
Message-ID: <201205211955.q4LJtWrB025483@mx1.redhat.com>


From ben13ho at hotmail.com  Mon May 21 20:26:25 2012
From: ben13ho at hotmail.com (Ben Ho)
Date: Mon, 21 May 2012 16:26:25 -0400
Subject: [Freeipa-users] Help with ipa-replica-manage
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC93A72@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: , ,
	<4FB2AB62.6080002@redhat.com>, ,
	,
	<833D8E48405E064EBC54C84EC6B36E404CC93A72@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: 


Sorry for the late reply Steven - No, there is no firewall.
-Ben

From: Steven.Jones at vuw.ac.nz
CC: freeipa-users at redhat.com
Date: Tue, 15 May 2012 21:04:04 +0000
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

firewall?

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Ben Ho [ben13ho at hotmail.com]
Sent: Wednesday, 16 May 2012 8:49 a.m.
To: rmeggins at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

This is the information I retrieved about my server.

ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks again.

-Ben

Date: Tue, 15 May 2012 13:15:46 -0600
From: rmeggins at redhat.com
To: ben13ho at hotmail.com
CC: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello,
  I am pretty new to IPA.  Right now I have three servers that are running IPA.  I am trying to replicate one server to two other servers.  I use this command:

ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.  However, on the second server I get this message in my log files.  The errors get printed out once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1

  Again, I am pretty new to this, so any help or tips would be appreciated.

What platform and what version of 389-ds-base and ipa-server for all of your servers?

  Thanks!

-Ben


From cao2dan at yahoo.com  Mon May 21 20:30:30 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 21 May 2012 13:30:30 -0700 (PDT)
Subject: [Freeipa-users] 2.1.3 and 2.2.0: how to do IPA replica promotion?
Message-ID: <1337632230.67472.YahooMailNeo@web125701.mail.ne1.yahoo.com>

Hi all,

Has anyone successfully done an IPA replica promotion when the IPA master (hub) failed, by following the IPA replica document for 2.1.3 and 2.2.0?

I've tried on my side and found that all the steps involved are very confusing and may be out of date. My IPA master is installed with Dogtag, and all replicas are installed with Dogtag too through '--setup-ca'.

In case ipamaster is not reachable, how can I promote ipareplica01?

The master.ca.agent.host/port are not set up on either ipareplica01 or ipareplica02 to forward to the IPA master at the beginning. Does that mean all three IPA servers' Dogtag instances run independently?

And what is the value of 'IssuingPointId' in steps 3.e and 3.f?

Is it possible for the document http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki, or a wiki/email, to give a SOLID use case instead of a descriptive statement, which is ambiguous and not easy to follow?


[root at ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | egrep 'ca.certStatusUpdateInterval|ca.listenToCloneModifications|master.ca.agent'"; done
ipamaster
ipareplica01
ipareplica02

[root at ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | grep ca.crl | grep enableCRL"; done
ipamaster
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica01
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica02
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
[root at ipamaster ~]#

Thanks.

--David
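
The CS.cfg output above shows every CA clone with CRL generation enabled. As an added example (not from this post or the IPA project), the script below parses the `ca.crl.MasterCRL.*` keys that the loop greps out of each server's CS.cfg and reports whether exactly one server is the CRL generator, which is the state the promotion document asks for. The CS.cfg excerpts are constructed sample data; the assumption that `enableCRLCache` and `enableCRLUpdates` are always set together comes from the promotion procedure the post links to.

```python
"""Check which IPA CA clones are configured as the CRL generator.

Added example: parse the ``ca.crl.MasterCRL.enableCRLUpdates`` and
``ca.crl.MasterCRL.enableCRLCache`` keys of each server's
/var/lib/pki-ca/conf/CS.cfg and report whether exactly one server
generates CRLs.  The excerpts below are constructed sample data.
"""
from typing import Dict, List

# Constructed sample: the three hosts from the post, but in the state the
# promotion document describes (one CRL generator, clones switched off).
SAMPLE_CS_CFG: Dict[str, str] = {
    "ipamaster": """\
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.listenToCloneModifications=true
""",
    "ipareplica01": """\
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
ca.listenToCloneModifications=false
""",
    "ipareplica02": """\
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
""",
}


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg key=value lines into a dict; blank and '#' lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def is_true(settings: Dict[str, str], key: str) -> bool:
    """Dogtag booleans are the strings 'true'/'false'; a missing key counts as false."""
    return settings.get(key, "false").lower() == "true"


def crl_generators(configs: Dict[str, str]) -> List[str]:
    """Return the hosts whose CS.cfg has CRL generation (enableCRLUpdates) on."""
    return sorted(
        host for host, text in configs.items()
        if is_true(parse_cs_cfg(text), "ca.crl.MasterCRL.enableCRLUpdates")
    )


def check_crl_topology(configs: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the topology is sane."""
    findings: List[str] = []
    gens = crl_generators(configs)
    if not gens:
        findings.append("no server generates CRLs (enableCRLUpdates is true nowhere)")
    elif len(gens) > 1:
        findings.append("more than one CRL generator: " + ", ".join(gens))
    # Assumption from the promotion procedure: the cache flag follows the
    # updates flag on every clone, so a mismatch points at a half-done edit.
    for host, text in sorted(configs.items()):
        settings = parse_cs_cfg(text)
        cache = is_true(settings, "ca.crl.MasterCRL.enableCRLCache")
        updates = is_true(settings, "ca.crl.MasterCRL.enableCRLUpdates")
        if cache != updates:
            findings.append(
                f"{host}: enableCRLCache={cache} but enableCRLUpdates={updates}")
    return findings


if __name__ == "__main__":
    # The state shown in the post: every clone has both flags set to true.
    as_posted = {
        host: "ca.crl.MasterCRL.enableCRLCache=true\n"
              "ca.crl.MasterCRL.enableCRLUpdates=true\n"
        for host in ("ipamaster", "ipareplica01", "ipareplica02")
    }
    for label, cfg in (("as posted", as_posted), ("after promotion", SAMPLE_CS_CFG)):
        print(label + ":", check_crl_topology(cfg) or ["ok"])
```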

From janfrode at tanso.net  Mon May 21 21:00:59 2012
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Mon, 21 May 2012 23:00:59 +0200
Subject: [Freeipa-users] IPA dogtag as CA for puppet ?
Message-ID: <20120521210059.GA2325@dibs.tanso.net>


If joining a machine to IPA automatically gives it an SSL keyset, it 
seems silly to also join the puppetca for config management. 

Has anybody looked into using IPA-dogtag as CA for puppet and func?


  -jf



From sigbjorn at nixtra.com  Mon May 21 21:10:37 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 21 May 2012 23:10:37 +0200
Subject: [Freeipa-users] Slight confusion about groups, netgroups,
 sudo rules etc.
In-Reply-To: 
References: 
Message-ID: <4FBAAF4D.9060307@nixtra.com>

On 03/13/2012 11:27 AM, Eivind Olsen wrote:
> Hello.
>
> I'm currently looking at implementing IPA in a mixed environment,
> consisting of RHEL6, RHEL5 and Solaris 10 systems. The IPA server(s) is
> the most recent one bundled with RHEL 6.2.
>
> I have some general rules I'll need to follow as best as I can, but I'm
> not really sure how to do this in IPA without it seeming like a huge
> work-around. This seems easy enough had it been for a pure RHEL6
> environment, but with Solaris there's no SSSD, I apparently might need to
> downgrade the encryption types for "older" Solaris 10, etc. All of this is
> making my head dizzy, and I'd appreciate any help and pointers to clear my
> mind :)
>
> Examples of the basic rules are (there's more of them, it's not only for
> the DNS servers for example, but the other cases can be solved in the same
> way):
> - all sysadmins should be allowed to log into every system in the realm
> - all sysadmins should be allowed to run certain commands (or to make it
> easy, any command) through the use of "sudo", on all systems
> - some users will be part of certain groups, giving them permission to log
> into certain servers and run a set of commands through "sudo", for
> example: members of the dns-managers group should be allowed to ssh into
> the DNS servers (which consist of both RHEL6 and Solaris 10), and run
> certain commands through "sudo"
> - certain other users will be allowed to log into some systems, but
> without any additional access through "sudo" (the fact that they're
> allowed to log into system X doesn't mean they should be allowed to become
> root, etc).
>
> I've read a suggestion about making a host group for the Red Hat systems,
> a netgroup for the Solaris systems, and creating a user group which is
> added as a member of both the host group and netgroup. But, will I still
> need to worry about the old issue of Solaris apparently not coping well
> with users that have >16 additional groups to their name?
>
> I have also read about having to add / change compatibility plugins,
> having to downgrade the algorithm for the Solaris 10 encryption type for
> older Solaris 10 releases, etc. And there's probably a few more things I
> need to watch out for and that aren't directly mentioned in the IPA
> documentation.
>
> Oh, in case it matters - there's no common NFS home directories, so I'll
> also need to automatically create the home directories (I've got this bit
> sorted on RHEL6 with help from oddjob-mkhomedir). For Solaris, I've read
> suggestions about using executable autofs maps to create home directories
> in /export/home and have them loopback-mounted to /home so they match the
> homeDirectory attribute.
>
>

Hi,

I have implemented Solaris 10 with IPA with success. AES256 did not come 
to Solaris 10 until around update 7 or 8. There is still a bug where the 
required crypto provider is not enabled.

Check with:
# cryptoadm list
You should have "pkcs11_softtoken_extra.so" listed for aes256 support. 
If not, use the cryptoadm command to install and enable the provider. We 
have deployed the Kerberos keytabs retrieved with ipa-getkeytab without 
any limitations on encryption types for all Solaris 10 clients as soon 
as this provider was enabled.

For access restrictions on Solaris 10, adding a user group to 
AllowGroups in /etc/ssh/sshd_config is probably your best bet for 
locking down Solaris machines. We've used the netgroup way of 
controlling access to services with NIS, but I could not get the same 
working properly for LDAP.

There is also an nscd bug we recently discovered which keeps nscd 
stalling at random intervals, preventing user logins. Search at 
support.oracle.com, I don't have the patch number available just now.

More than 16 groups: NFS and AUTH_SYS with the Solaris NFS server still 
have an issue with more than 16 groups, as per the IETF standard. 
Solaris can still see all the groups with "# groups username". Using 
NFS4+Krb5 solves that issue. I have not met the 16 group issue anywhere 
else.

If you want to lock down your Directory Server to not serve anonymous 
users, you need a fairly recent patched Solaris ldapclient that supports 
"-D bindDN" and "-w bindPassword" options. "-a proxyDN" and "-a 
proxyPassword" are not enough, as the Solaris ldapclient expects nisDomain 
in the directory root to be available anonymously.

I opened request https://bugzilla.redhat.com/show_bug.cgi?id=815515 for 
an updated DUAConfigProfile supporting more nss databases.

I also opened https://bugzilla.redhat.com/show_bug.cgi?id=815533 for 
updating the Solaris 10 IPA Client documentation.

Hope this helps.


Regards,
Siggi




From erinn.looneytriggs at gmail.com  Mon May 21 21:16:54 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Mon, 21 May 2012 13:16:54 -0800
Subject: [Freeipa-users] IPA dogtag as CA for puppet ?
In-Reply-To: <20120521210059.GA2325@dibs.tanso.net>
References: <20120521210059.GA2325@dibs.tanso.net>
Message-ID: <4FBAB0C6.2040305@gmail.com>

On 05/21/2012 01:00 PM, Jan-Frode Myklebust wrote:
> 
> If joining a machine to IPA automatically gives it an SSL keyset, it 
> seems silly to also join the puppetca for config management. 
> 
> Has anybody looked into using IPA-dogtag as CA for puppet and func?
> 
> 
>   -jf
> 

This has been something of a project for me, but it has been on the back
burner whilst I deal with other things (the usual story right).

There shouldn't be any technical reason why this can't be done; it is
just a matter of getting the certs in the right format. I expect a
bridge between puppet, func, and certmonger is in order, and then you
would be good to go.

In my mind there are too many CAs running around and I like one to rule
them all. I, like you I suspect, run func and puppet as well as IPA
giving me three CAs. Now func can rely on puppet as the CA if you
configure it to, but I want just one :).

Anyway just my thoughts, no real progress in that direction though yet,

-Erinn



From ben13ho at hotmail.com  Mon May 21 21:57:54 2012
From: ben13ho at hotmail.com (Ben Ho)
Date: Mon, 21 May 2012 17:57:54 -0400
Subject: [Freeipa-users] Help with ipa-replica-manage
In-Reply-To: <4FB2F5DE.5030308@redhat.com>
References: ,
	<4FB2AB62.6080002@redhat.com>
	,
	<4FB2F5DE.5030308@redhat.com>
Message-ID: 


Hi Rich,
  Yes, replication is working otherwise on these two servers:

Server1 and Server2:
freeipa-server-selinux-2.1.4-7.fc16.x86_64
freeipa-client-2.1.4-7.fc16.x86_64
freeipa-server-2.1.4-7.fc16.x86_64
Fedora release 16
389-ds-base-1.2.10.6-1.fc16.x86_64

Date: Tue, 15 May 2012 18:33:34 -0600
From: rmeggins at redhat.com
To: ben13ho at hotmail.com
CC: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 02:49 PM, Ben Ho wrote:

    This is the information I retrieved about my server.

    ipa-server-selinux-2.1.3-9.el6.x86_64
    ipa-client-2.1.3-9.el6.x86_64
    ipa-server-2.1.3-9.el6.x86_64
    CentOS release 6.2
    389-ds-base-1.2.9.14-1.el6_2.2.x86_64

    Thanks again.

Is replication otherwise working?

    -Ben

    Date: Tue, 15 May 2012 13:15:46 -0600
    From: rmeggins at redhat.com
    To: ben13ho at hotmail.com
    CC: freeipa-users at redhat.com
    Subject: Re: [Freeipa-users] Help with ipa-replica-manage

    On 05/15/2012 01:00 PM, Ben Ho wrote:

        Hello,
          I am pretty new to IPA.  Right now I have three servers that are running IPA.  I am trying to replicate one server to two other servers.  I use this command:

        ipa-replica-manage re-initialize --from example2.edu

          On the first server I need to replicate, it works fine.  However, on the second server I get this message in my log files.  The errors get printed out once every 1 to 5 minutes.

        [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
        [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
        [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
        [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1

          Again, I am pretty new to this, so any help or tips would be appreciated.

    What platform and what version of 389-ds-base and ipa-server for all of your servers?

        Thanks!

        -Ben


From eivind at aminor.no  Mon May 21 22:17:06 2012
From: eivind at aminor.no (Eivind Olsen)
Date: Tue, 22 May 2012 00:17:06 +0200
Subject: [Freeipa-users] Slight confusion about groups, netgroups,
	sudo rules etc.
In-Reply-To: <4FBAAF4D.9060307@nixtra.com>
References: 
	<4FBAAF4D.9060307@nixtra.com>
Message-ID: 

Sigbjorn Lie wrote:

> I have implemented Solaris 10 with IPA with success. AES256 did not come
> to Solaris 10 until around update 7 or 8. There is still a bug where the
> required crypto provider is not enabled.

[etc.. lots of useful information]

Thanks! I've postponed using FreeIPA with Solaris so far, due to a lack of
time to really dig into these issues. Your answer really helps me get this
back on track! :)

Regards
Eivind Olsen




From rmeggins at redhat.com  Mon May 21 22:24:45 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 21 May 2012 16:24:45 -0600
Subject: [Freeipa-users] Help with ipa-replica-manage
In-Reply-To: 
References: ,
	<4FB2AB62.6080002@redhat.com>
	,
	<4FB2F5DE.5030308@redhat.com>
	
Message-ID: <4FBAC0AD.1060800@redhat.com>

On 05/21/2012 03:57 PM, Ben Ho wrote:
> Hi Rich,
>   Yes, replication is working otherwise on these two servers:
>
> *Server1 and Server2:*
> freeipa-server-selinux-2.1.4-7.fc16.x86_64
> freeipa-client-2.1.4-7.fc16.x86_64
> freeipa-server-2.1.4-7.fc16.x86_64
> Fedora release 16
> 389-ds-base-1.2.10.6-1.fc16.x86_64

Ok.  I'm not sure what's going on.  But as long as replication is 
working otherwise, you can ignore this.

>
> ------------------------------------------------------------------------
> Date: Tue, 15 May 2012 18:33:34 -0600
> From: rmeggins at redhat.com
> To: ben13ho at hotmail.com
> CC: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
> On 05/15/2012 02:49 PM, Ben Ho wrote:
>
>     This is the information I retrieved about my server.
>
>     *ipa-server-selinux-2.1.3-9.el6.x86_64*
>     *ipa-client-2.1.3-9.el6.x86_64*
>     *ipa-server-2.1.3-9.el6.x86_64*
>     *CentOS release 6.2*
>     *389-ds-base-1.2.9.14-1.el6_2.2.x86_64*
>
>     Thanks again.
>
>
> Is replication otherwise working?
>
>
>     -Ben
>
>     ------------------------------------------------------------------------
>     Date: Tue, 15 May 2012 13:15:46 -0600
>     From: rmeggins at redhat.com 
>     To: ben13ho at hotmail.com 
>     CC: freeipa-users at redhat.com 
>     Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
>     On 05/15/2012 01:00 PM, Ben Ho wrote:
>
>         Hello,
>           I am pretty new to IPA.  Right now I have three servers that
>         are running IPA.  I am trying to replicate one server to two
>         other servers.  I use this command:
>
>         ipa-replica-manage re-initialize --from example2.edu
>
>           On the first server I need to replicate, it works fine.
>          However, on the second server I get this message in my log
>         files.  The errors get printed out once every 1 to 5 minutes.
>
>         [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
>         agmt="cn=meToexample1.edu" (example1:389): Schema replication
>         update failed: Type or value exists
>         [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
>         agmt="cn=meToexample1.edu" (example1:389): Warning: unable to
>         replicate schema: rc=1
>         [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
>         agmt="cn=meToexample2.edu" (example2:389): Schema replication
>         update failed: Type or value exists
>         [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
>         agmt="cn=meToexample2.edu" (example2:389): Warning: unable to
>         replicate schema: rc=1
>
>
>           Again, I am pretty new to this, so any help or tips would be
>         appreciated.
>
>
>     What platform and what version of 389-ds-base and ipa-server for
>     all of your servers?
>
>
>           Thanks!
>
>         -Ben
>
>
>
>         _______________________________________________
>         Freeipa-users mailing list
>         Freeipa-users at redhat.com  
>         https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>


From dpal at redhat.com  Mon May 21 23:01:20 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 21 May 2012 19:01:20 -0400
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas
 from daily IPA Replica setup???
In-Reply-To: <1337621121.23884.YahooMailNeo@web160701.mail.bf1.yahoo.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com>
	<4FB28B0D.5080201@redhat.com>
	<1337497719.65988.YahooMailNeo@web160703.mail.bf1.yahoo.com>
	<1337621121.23884.YahooMailNeo@web160701.mail.bf1.yahoo.com>
Message-ID: <4FBAC940.9060906@redhat.com>

On 05/21/2012 01:25 PM, Gelen James wrote:
> Hi Rob,
>
> Just wondering whether you guys have abandoned IPA 2.1.3 users on Red Hat
> 6.2 or not. :(
>
> The IPA replication/restoration procedure/document request has been
> submitted for more than a week, but I cannot see that any meaningful work
> has been done for customers, although IPA replication and restoration is so
> vital to users' production IPA reliability!
>
> Even after I've done a lot of investigation work and asked for
> help/suggestions, there is still not much attention paid by you
> guys. Am I, or any other users here, just unpaid QA IPA team
> staff who can be ignored for no reason? :)
>
> I've mentioned this again and again, urging the IPA team to set up a
> typical user setup, because only this way can you see what
> problems IPA administrators/users are facing and scared of. But
> unfortunately, we don't have the feeling that you have done so.
>
> Thanks.
>
> --Gelen
>

Hello Gelen,

We have not done so because we are pretty busy preparing the next release
and were hoping that our replies were sufficient to help you figure
out the best procedure that works for you. JR has a running environment,
so his guidance is first hand. We tried to provide as much help as we can.

We also have not gone down the path of setting up the environment because
we are not sure what your typical environment is and what the main
concerns are. Your input is very valuable, but it is one of the first clearly
spelled-out data points. We need to get a bit more info to make sure that we
are addressing the right use case and problem.
We apologize for the delays, but the turnaround would not be fast. It
will take us at least several weeks to come up with something we are
comfortable with upstream and downstream. I hear your frustration and
feel the urgency, but we can't move faster than we can, sorry. Please do
not feel abandoned; we are working hard too.

Also, it seems that setting up the environment and crafting the guidelines
should be combined with an attempt to automate the process. I already
contacted Foreman project developers in an attempt to integrate the replica
provisioning for scalability and disaster recovery cases. We will have a
conversation with them later this week. This might help with doing
automatic provisioning of replicas rather than manually performing a
couple dozen steps. Would such integration help?

Also, if you need some immediate help, opening a support ticket might be a
better avenue to get the situation prioritized accordingly.

Sorry for the delays,
Thanks
Dmitri


> ------------------------------------------------------------------------
> *From:* Gelen James 
> *To:* Rob Crittenden ; Dmitri Pal 
> *Cc:* "Freeipa-users at redhat.com" 
> *Sent:* Sunday, May 20, 2012 12:08 AM
> *Subject:* Re: [Freeipa-users] Please help: How to restore IPA
> Master/Replicas from daily IPA Replica setup???
>
> Hi Dmitri, Rob and all.
>
>  Thanks for your instructions. I've performed your steps on case #1:
> replacing the failed IPA master.  The results, and my confusion and
> questions, are all detailed below. In general, please set up your own
> real test environment, and write down the detailed steps one by one
> clearly.
>
>  It took me more than one week and still no clues. Frankly, your steps
> in the former email are kind of over-simplified for normal IPA users,
> and do not cover how the CA LDAP backend will be handled.
>
> The problem is the CA backend. All the replicas are still trying to sync
> to the old failed IPA master, even after reboot.
>
> Could it be that 'ipa-replica-manage' only manages the user data
> replication, and 'ipa-csreplica-manage' only handles CA-end
> replication? In other words, when building, or tearing down, IPA replication
> between two servers, do we need to deal with both replication types
> with 'ipa-replica-manage' AND 'ipa-csreplica-manage'? If so, then
> which should run first?
>
> The error messages in /var/log/dirsrv/slapd-PKI-IPA/errors are
> attached, the same from the B, C, D replicas.
>
> [19/May/2012:19:40:48 -0700] - 389-Directory/1.2.9.16 B2012.023.214
> starting up
> [19/May/2012:19:40:48 -0700] - slapd started.  Listening on All
> Interfaces port 7389 for LDAP requests
> [19/May/2012:19:40:48 -0700] - Listening on All Interfaces port 7390
> for LDAPS requests
> [19/May/2012:19:40:50 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:40:50 -0700] NSMMReplicationPlugin -
> agmt="cn=cloneAgreement1-B.example.com-pki-ca" (:7389): Replication
> bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP
> server) ((null))
> [19/May/2012:19:40:57 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:41:03 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:41:15 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:41:39 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:42:27 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:44:03 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:47:15 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server)
> [root@ ~]#  
>
> After seeing the above messages, I tried to run similar commands for
> CA replication; it shows that the replication agreement (which replication
> agreement? User data, or CA data?) already exists.
>
> on B,
>  
> ipa-csreplica-manage connect C
> ipa-csreplica-manage connect D
> ipa-csreplica-manage del A --force
> ipactl restart 
>
> on C, 
> ipa-csreplica-manage del A --force
> ipactl restart 
>
> on D,
> ipa-csreplica-manage del A --force
> ipactl restart 
>
>
> [root at B ~]# ipa-csreplica-manage --password=xxxxxxx connect
> C.example.com 
> This replication agreement already exists.
> [root at B ~]# 
>
> [root at B ~]# ipa-csreplica-manage --password=xxxxxxx connect
> D.example.com 
> This replication agreement already exists.
> [root at B ~]# 
>
> [root at B ~]# ipa-csreplica-manage --password=xxxxxxx del C.example.com
> --force
> Unable to connect to replica A.example.com ,
> forcing removal
> Failed to get data from 'A.example.com': Can't contact LDAP server
> Forcing removal on 'B.example.com '
> [root at B ~]# 
>
> ....
>
> After restarting IPA services on B, C, D, the error messages
> finally went away from the CA errors log file.
>
> But we still cannot find the CA replication setups. Please see the
> difference in output from 'ipa-replica-manage' and 'ipa-csreplica-manage':
>
> [root at B ~] ipa-replica-manage list
> B.example.com
> C.example.com
> D.example.com
>
> [root at B ~] ipa-csreplica-manage list
> B.example.com
> C.example.com
> D.example.com
>
> [root at B ~] ipa-replica-manage list B.example.com
> C.example.com
> D.example.com
>
> [root at B ~] ipa-csreplica-manage list B.example.com
> ## Nothing at all!
>
> Please have a check and give the correct commands and sequence for us IPA
> users. It is such a pain to spend so much time and still not get
> restoration to work as expected.  Even worse, I have no idea how
> 'ipa-replica-manage' and 'ipa-csreplica-manage' work together behind
> the scenes.
>
> Thanks a lot.
>
> --Gelen
>
>
>
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden 
> *To:* Robinson Tiemuqinke 
> *Cc:* "Freeipa-users at redhat.com" ; Rich
> Megginson ; Dmitri Pal 
> *Sent:* Tuesday, May 15, 2012 9:57 AM
> *Subject:* Re: [Freeipa-users] Please help: How to restore IPA
> Master/Replicas from daily IPA Replica setup???
>
> Robinson Tiemuqinke wrote:
> > Hi Dmitri, Rich and all,
> >
> > I am a newbie to Red Hat IPA. It looks pretty cool compared with
> > other solutions I've tried before. Thanks a lot for this great
> product! :)
> >
> > But there are still some things I need your help with. My main question is:
> > How to restore the IPA setup with a daily machine-level IPA Replica
> backup?
> >
> > Please let me explain my IPA setup background and the backup/restore goals
> > I'm trying to reach:
> >
> > I'm running IPA 2.1.3 on Red Hat Enterprise 6.2. The IPA master is set up
> > with the Dogtag CA system. It is installed first. Then two IPA replicas are
> > installed -- with '--setup-ca' options -- for load balancing and
> > failover purposes.
> >
> > To describe my problems/objectives, I'll name the IPA Master as machine
> > A, the IPA replicas as B and C, and now I've got one more extra IPA replica 'D'
> > (virtual machine) set up ONLY for backup purposes.
> > The setup looks like the following: A is the configuration hub. B, C, D
> > are siblings.
> >
> > A
> > / | \
> > B C D
> >
> > The following are the steps I use to back up IPA setups and LDAP backends daily
> > -- it is a whole machine-level backup (through virtual machine D).
> >
> > 1, First, IPA replica D is backed up daily. The backup happens like
> this:
> >
> > 1.1 on IPA replica D, run 'service IPA stop'. Then run 'shutdown -h '.
> > On the hypervisor which holds virtual machine D, do a daily backup of
> > the whole virtual disk that D is on.
> > 1.2 turn on the IPA replica D again.
> > 1.3 after virtual machine D is up, on D optionally run
> > 'ipa-replica-manage --force-sync --from ' to sync the IPA databases
> > forcibly.
> >
> > Now comes the restore part, which is pretty confusing to me. I've tried
> > several times, and every time it comes to this or that kind of issue, and
> > so I am wondering what the correct steps/interaction of IPA Master/replicas
> > are :(
> >
> > 2, case #1, A is broken, like a disk failure, and is then re-imaged after
> > several days.
> >
> > 2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the
> > daily backup from IPA replica D?
>
> The first thing you'll need to do is to connect your other replicas
> together, either by picking a new hub or adding links to each one. Then
> you'll need to delete the replication agreement to A. You should be left
> with a set of servers that continues to replicate.
>
> So, for argument's sake, we promote B to be the new hub:
>
> On B:
>
> # ipa-replica-manage connect C
> # ipa-replica-manage connect D
> # ipa-replica-manage del --force A
> # ipactl restart
>
> On C:
>
> # ipa-replica-manage del --force A
> # ipactl restart
>
> On D:
>
> # ipa-replica-manage del --force A
> # ipactl restart
>
> It is unclear what you mean by re-imaged. Are you restoring from backup
> or installing it fresh? I'll assume it is a new install. You'll need to
> prepare a replica file for A and install it as a replica. Then if you
> want to keep A as the primary you'll need to change the replication
> agreements back so that it is the hub (using ipa-replica-manage connect and
> disconnect).
>
> When you install the new A server it should get all the changes needed,
> and you should be done.
>
> You'll want to check the documentation on promoting a master to verify
> that only one server is the CRL generator (at this point there may be
> none).
>
> > 2.2 do I have to check some files on A into subversion immediately after
> > A was initially installed?
>
> The only thing you really need to save is the cacert.p12 file. This is
> your root CA.
>
> > 2.3 Please describe the steps. I'll follow exactly and report the
> results.
> >
> > 3, case #2, A is working, but either B, or C is broken.
> >
> > 3.1 It looks that I don't need the daily backup of D to kick in, is that
> > right?
>
> No, D is unrelated.
>
> > 3.2 What are the correct steps on A; and B after it is re-imaged?
>
> On A:
> # ipa-replica-manage del B
> # ipactl restart
> # ipa-replica-prepare B
>
> On B
> # ipa-replica-install B
>
> You'll probably need/want to clean RUV,
> http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
>
> > 3.3 Please describe the steps. I'll follow exactly and report the
> results.
> >
> > 4, case #3, if some unexpected IPA change happens on A -- like all
> > users being deleted by human mistake -- and, even worse, all the changes
> > are propagated to B and C in minutes.
> >
> > 4.1 How can I recover the IPA setup from daily backup from D?
>
> We have not yet documented how to recover from tombstones or an offline
> replica.
>
> > 4.2 which IPA master/replicas I should recover first? IPA master A, or
> > IPA replicas B/C? and then how to recover others left one by one?
>
> If the entries are re-added on any of the replicas it will be propagated
> out.
>
> > 4.3 Do I have to disconnect replication agreement of B,C,D from A first?
>
> Depends on how 4.1 gets answered which we are still investigating.
>
> > 4.4 Please describe the steps. I'll follow exactly and report the
> results.
> >
> > I've heard something about tombstone records too. Not sure whether the
> > problem still exists in 2.1.3, or 2.2.0 (on 6.3 Beta)? If so, how can I
> > avoid it with the correct recovery steps/interactions?
>
> It is RUV that is the problem. This 389-ds wiki page describes how to
> clean up: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
>
> The 389-ds team is working to make this less manual.
>
> rob
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com 
> https://www.redhat.com/mailman/listinfo/freeipa-users
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.



From ops at 100percentit.com  Tue May 22 09:18:33 2012
From: ops at 100percentit.com (Matt)
Date: Tue, 22 May 2012 10:18:33 +0100
Subject: [Freeipa-users] FreeIPA & Windows AD Replication
Message-ID: <4FBB59E9.6060209@100percentit.com>

Hi,

I am attempting to run replication between Windows AD (2008R2) and a 
FreeIPA (2.2.0) server (fc-17) in a test setup.

I have bound FreeIPA to the AD server 'successfully'

[root at ipa2 cacerts]# ipa-replica-manage connect --winsync --binddn 
"CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw  
--passsync  --cacert /etc/openldap/cacerts/AD.cer -v 
ipa.100it.net -p 
Added CA certificate /etc/openldap/cacerts/AD.cer to certificate 
database for ipa2.100it.net
ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - System 
error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipa2.100it.net] reports: Update failed! Status: [-11  - System error]
Failed to start replication



The server now shows in the replica list:

[root at ipa2 ~]# ipa-replica-manage list -p 
ipa.100it.net: winsync
ipa2.100it.net: master


But any attempts to re-initialise the connection result in the same 
"[-11  - System error]" message:

[root at ipa2 ~]# ipa-replica-manage re-initialize --from ipa.100it.net -p 

[ipa2.100it.net] reports: Update failed! Status: [-11  - System error]


There are no messages that relate to the connection in event viewer and 
nothing other than "[-11  - System error]" in any of the freeIPA log files.

Thanks
Matt



From dpal at redhat.com  Tue May 22 10:05:55 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 22 May 2012 06:05:55 -0400
Subject: [Freeipa-users] Request for community input: Support of RADIUS
 authentication via SSSD
Message-ID: <4FBB6503.1040002@redhat.com>

Hello,

As SSSD (the System Security Services Daemon) is gaining ground as a
bridge between applications running on a machine and central
authentication sources such as Active Directory and FreeIPA, questions
about support for other authentication protocols start to come up. One
such protocol is RADIUS (Remote Authentication Dial In User Service).
RADIUS is a popular authentication protocol for enterprise deployments,
notably for VPN (virtual private network) and WPA (Wi-Fi Protected
Access) access.

Some enterprise deployments today also rely on RADIUS for the
authentication of system users. This is most often accomplished through
the use of the pam_radius_auth[1] module for PAM (Pluggable
Authentication Modules).

From a design standpoint, a RADIUS authentication module would be a
simple fit. SSSD would acquire user identities from an LDAP directory
server, but would perform authentication against a RADIUS server, rather
than via LDAP simple-bind or Kerberos TGT acquisition. From a
completeness perspective, it seems sensible for SSSD to implement a
RADIUS authentication provider.

The question we need to ask is whether support of RADIUS in SSSD adds any
additional benefits. For this, we need to reach out to our community for
their experience and advice. Do you have (or know of) any specific
use-cases where the availability of a RADIUS authentication provider
would be beneficial? Similarly, do you feel that implementation of such
a provider would be best served by SSSD (and by extension, with offline
cached-credentials capability), or should we recommend continued use of
pam_radius_auth and simply ensure that SSSD gets out of its way?

Please provide as much justification and reasoning to back your
recommendations, so we can use this information to best identify our
path forward on this.

[1] http://freeradius.org/pam_radius_auth/

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


From dpal at redhat.com  Tue May 22 11:00:11 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 22 May 2012 07:00:11 -0400
Subject: [Freeipa-users] IPA dogtag as CA for puppet ?
In-Reply-To: <4FBAB0C6.2040305@gmail.com>
References: <20120521210059.GA2325@dibs.tanso.net> <4FBAB0C6.2040305@gmail.com>
Message-ID: <4FBB71BB.2030204@redhat.com>

On 05/21/2012 05:16 PM, Erinn Looney-Triggs wrote:
> On 05/21/2012 01:00 PM, Jan-Frode Myklebust wrote:
>> If joining a machine to IPA automatically gives it a SSL keyset, it 
>> seems silly to also join the puppetca for config management. 
>>
>> Has anybody looked into using IPA-dogtag as CA for puppet and func?
>>
>>
>>   -jf
>>
> This has been something of a project for me, but it has been on the back
> burner whilst I deal with other things (the usual story right).
>
> There shouldn't be any technical reason why this can't be done, it is
> just a matter of getting the certs in the right format, I expect a
> bridge between puppet, func, and certmonger is on order and then you
> would be good to go.
>
> In my mind there are too many CAs running around and I like one to rule
> them all. I, like you I suspect, run func and puppet as well as IPA
> giving me three CAs. Now func can rely on puppet as the CA if you
> configure it to, but I want just one :).
>
> Anyway just my thoughts, no real progress in that direction though yet,
>
> -Erinn
>
Most likely we will be working with Foreman community [1] to try to
solve this and other problems.
It might make sense to consolidate the effort.

[1] http://theforeman.org/projects/foreman 

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


From dpal at redhat.com  Tue May 22 11:11:56 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 22 May 2012 07:11:56 -0400
Subject: [Freeipa-users] 2.1.3 and 2.2.0: how to do IPA replica
	promotion?
In-Reply-To: <1337632230.67472.YahooMailNeo@web125701.mail.ne1.yahoo.com>
References: <1337632230.67472.YahooMailNeo@web125701.mail.ne1.yahoo.com>
Message-ID: <4FBB747C.2080606@redhat.com>

On 05/21/2012 04:30 PM, David Copperfield wrote:
> Hi all,
>
>  Has anyone successfully done an IPA replica promotion when the IPA
> master (Hub) failed, by following the IPA replica document for 2.1.3
> and 2.2.0? 
>
> I've tried at my side and see that all the steps involved are very
> confusing and may be out of date. My IPA master is installed with
> Dogtag, and all replicas are installed with Dogtag too through
> '--setup-ca'.
>
> In case ipamaster is not reachable, how can I promote ipareplica01? 
>
> The master.ca.agent.host/port are not set up on either ipareplica01 or
> ipareplica02 to forward to the IPA master at the beginning. Does that mean
> all three IPA servers' Dogtag instances run independently?
>
> And what is the value of 'IssuingPointId' in step 3.e and 3.f? 
>
> Is it possible for the document
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
> or a wiki/email, to give a SOLID use case instead of a descriptive
> statement, which is ambiguous and not easy to follow?


This procedure is in fact a bit confusing and we have a bug to clean it up.
https://bugzilla.redhat.com/show_bug.cgi?id=813880

The purpose of this procedure however is simple: to define which of the
CA instances has to be the authoritative source for the CRLs. Only one
CA can be an authoritative source at a time so if you lost a replica
that was responsible for this (and by default this is the first master
you install) you need to go to some other replica that has CA and follow
this procedure to make it be the source for the CRLs.
This is the goal of the "promotion". There is nothing else to it.

HTH.

>
>
> [root at ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i};
> ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | egrep
> 'ca.certStatusUpdateInterval|ca.listenToCloneModifications|master.ca.agent'";
> done
> ipamaster
> ipareplica01
> ipareplica02
>
> [root at ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i};
> ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | grep ca.crl | grep
> enableCRL"; done
> ipamaster
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> ipareplica01
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> ipareplica02
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> [root at ipamaster ~]# 
>
> Thanks.
>
> --David
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.



From grimme at atix.de  Tue May 22 12:08:07 2012
From: grimme at atix.de (Marc Grimme)
Date: Tue, 22 May 2012 14:08:07 +0200 (CEST)
Subject: [Freeipa-users] Howto solve database inconsistency
In-Reply-To: <32598853.378203.1337685501730.JavaMail.root@webmail2.atix.de>
Message-ID: <35691758.378598.1337688487440.JavaMail.root@webmail2.atix.de>

Hello,
During troubleshooting of why the creation of a replica crashes, I realized that there are database inconsistencies in my master server.
During ipa-replica-install the process terminated in step 21/29.
The master log showed the following error messages:
[18/May/2012:22:38:50 +0200] NSMMReplicationPlugin - agmt="cn=meTomethusalix2.cl.atix" (methusalix2:389): Replication bind with SIMPLE auth resumed
[18/May/2012:22:38:52 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTomethusalix2.cl.atix" (methusalix2:389)".
[18/May/2012:22:38:53 +0200] _entry_set_tombstone_rdn - Failed to convert DN idnsname=axref05-1 to RDN
[18/May/2012:22:38:53 +0200] id2entry - str2entry returned NULL for id 299, string="rdn"
[18/May/2012:22:38:53 +0200] _entry_set_tombstone_rdn - Failed to convert DN idnsName=axref05-1 to RDN
[18/May/2012:22:38:53 +0200] id2entry - str2entry returned NULL for id 306, string="rdn"
[18/May/2012:22:38:53 +0200] _entry_set_tombstone_rdn - Failed to convert DN idnsName=axref05-1 to RDN
[18/May/2012:22:38:53 +0200] id2entry - str2entry returned NULL for id 307, string="rdn"

Then the ipa-replica-install process just terminates.

When I then do a reindex on the database I can see the following:
[root at axinfra01-1 scripts-CL-ATIX]# ./db2index
[18/May/2012:22:22:50 +0200] - /etc/dirsrv/slapd-CL-ATIX/dse.ldif: nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.
[18/May/2012:22:22:50 +0200] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.
[18/May/2012:22:22:50 +0200] - check_and_set_import_cache: pagesize: 4096, pages: 513771, procpages: 53984
[18/May/2012:22:22:50 +0200] - Import allocates 822032KB import cache.
[18/May/2012:22:22:50 +0200] - Backing up file 0 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/cn.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 1 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/member.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 2 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/displayname.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 3 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/sn.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 4 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/id2entry.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 5 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/ancestorid.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 6 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/krbPrincipalName.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 7 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/uid.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 8 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/mail.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 9 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/aci.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 10 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/memberOf.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 11 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/nsuniqueid.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 12 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/memberUser.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 13 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/uidnumber.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 14 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/givenName.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 15 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/parentid.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 16 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/nscpEntryDN.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 17 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/gidnumber.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 18 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/entryusn.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 19 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/entryrdn.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 20 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/DBVERSION)
[18/May/2012:22:22:50 +0200] - Backing up file 21 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/numsubordinates.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 22 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/memberHost.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 23 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/ou.db4)
[18/May/2012:22:22:50 +0200] - Backing up file 24 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/objectclass.db4)
[18/May/2012:22:22:50 +0200] upgrade DB - userRoot: Start upgradedb.
[18/May/2012:22:22:50 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[18/May/2012:22:22:50 +0200] - reindex userRoot: Index buffering enabled with bucket size 100
[18/May/2012:22:22:51 +0200] ldif2dbm - import_get_and_add_parent_rdns: Failed to position at ID 297
[18/May/2012:22:22:51 +0200] - ldbm2index: Failed to compose dn for (rdn: nsuniqueid=fef36002-4da911e1-b813f830-2eedd06a,idnsname=axref05-1, ID: 299)
[18/May/2012:22:22:51 +0200] ldif2dbm - import_get_and_add_parent_rdns: Failed to position at ID 304
[18/May/2012:22:22:51 +0200] - ldbm2index: Failed to compose dn for (rdn: nsuniqueid=c1911a01-50aa11e1-b813f830-2eedd06a,idnsName=axref05-1, ID: 306)
[18/May/2012:22:22:51 +0200] ldif2dbm - import_get_and_add_parent_rdns: Failed to position at ID 304
[18/May/2012:22:22:51 +0200] - ldbm2index: Failed to compose dn for (rdn: nsuniqueid=927ba801-50ac11e1-b813f830-2eedd06a,idnsName=axref05-1, ID: 307)
[18/May/2012:22:22:51 +0200] - reindex userRoot: WARNING: Skipping entry "nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff" which has no parent, ending at line 239 of file "id2entry.db4"
..

The question is now:
* Are those messages related to the terminating ipa-replica-install?
* How can I resolve those inconsistencies in the db?

Thanks for your help
Marc.


______________________________________________________________________________

Marc Grimme

E-Mail: grimme at atix.de
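As an added example (not code from the thread or from 389-ds), the script below pairs up the two kinds of error line Marc posted: db2index logs the parent ID it cannot position at immediately before the child entry whose DN it then cannot compose, and the running server logs the same children as "str2entry returned NULL" during the replica initialisation. The regular expressions and the parent/child pairing order are my reading of those log lines, not documented 389-ds behaviour; the sample input is the set of lines quoted in the thread.

```python
"""Summarise the orphaned / unreadable entries behind db2index errors.

Added example, not code from the thread or from 389-ds. It cross-references
the db2index output (missing parent -> child whose DN cannot be composed)
with the server error log (entries id2entry cannot load) and lists the
entry IDs and the parent IDs that are missing from the database.
"""
import re

# Log formats as they appear in the thread (assumed stable for this release).
RE_PARENT = re.compile(r"import_get_and_add_parent_rdns: Failed to position at ID (\d+)")
RE_COMPOSE = re.compile(r"ldbm2index: Failed to compose dn for \(rdn: (?P<rdn>.+?), ID: (?P<id>\d+)\)")
RE_STR2ENTRY = re.compile(r"id2entry - str2entry returned NULL for id (\d+)")


def split_tombstone_rdn(rdn):
    """Tombstone RDNs look like 'nsuniqueid=<uuid>,<original rdn>'.
    Returns (nsuniqueid or None, original rdn)."""
    first, sep, rest = rdn.partition(",")
    key, _, value = first.partition("=")
    if key.strip().lower() == "nsuniqueid" and sep:
        return value.strip(), rest.strip()
    return None, rdn.strip()


def parse_reindex_log(lines):
    """Pair each missing-parent message with the compose failure that follows it.
    Returns a list of dicts: id, parent_id, nsuniqueid, original_rdn."""
    orphans = []
    pending_parent = None
    for line in lines:
        m = RE_PARENT.search(line)
        if m:
            pending_parent = int(m.group(1))
            continue
        m = RE_COMPOSE.search(line)
        if m:
            uid, orig = split_tombstone_rdn(m.group("rdn"))
            orphans.append({
                "id": int(m.group("id")),
                "parent_id": pending_parent,  # None if no position failure preceded it
                "nsuniqueid": uid,
                "original_rdn": orig,
            })
            pending_parent = None
    return orphans


def unreadable_ids(lines):
    """Entry IDs the live server failed to load (from the replication attempt)."""
    return sorted({int(m.group(1)) for m in map(RE_STR2ENTRY.search, lines) if m})


def summarise(reindex_lines, server_lines):
    """Cross-reference both logs. Returns (orphans, sorted missing parent IDs)."""
    orphans = parse_reindex_log(reindex_lines)
    bad = set(unreadable_ids(server_lines))
    for o in orphans:
        o["seen_by_server"] = o["id"] in bad
    parents = sorted({o["parent_id"] for o in orphans if o["parent_id"] is not None})
    return orphans, parents


# Sample input: the lines quoted in the thread from the db2index run ...
REINDEX_LOG = """\
[18/May/2012:22:22:51 +0200] ldif2dbm - import_get_and_add_parent_rdns: Failed to position at ID 297
[18/May/2012:22:22:51 +0200] - ldbm2index: Failed to compose dn for (rdn: nsuniqueid=fef36002-4da911e1-b813f830-2eedd06a,idnsname=axref05-1, ID: 299)
[18/May/2012:22:22:51 +0200] ldif2dbm - import_get_and_add_parent_rdns: Failed to position at ID 304
[18/May/2012:22:22:51 +0200] - ldbm2index: Failed to compose dn for (rdn: nsuniqueid=c1911a01-50aa11e1-b813f830-2eedd06a,idnsName=axref05-1, ID: 306)
[18/May/2012:22:22:51 +0200] ldif2dbm - import_get_and_add_parent_rdns: Failed to position at ID 304
[18/May/2012:22:22:51 +0200] - ldbm2index: Failed to compose dn for (rdn: nsuniqueid=927ba801-50ac11e1-b813f830-2eedd06a,idnsName=axref05-1, ID: 307)
""".splitlines()

# ... and from the master's error log during ipa-replica-install.
SERVER_LOG = """\
[18/May/2012:22:38:53 +0200] _entry_set_tombstone_rdn - Failed to convert DN idnsname=axref05-1 to RDN
[18/May/2012:22:38:53 +0200] id2entry - str2entry returned NULL for id 299, string="rdn"
[18/May/2012:22:38:53 +0200] id2entry - str2entry returned NULL for id 306, string="rdn"
[18/May/2012:22:38:53 +0200] id2entry - str2entry returned NULL for id 307, string="rdn"
""".splitlines()

if __name__ == "__main__":
    orphans, parents = summarise(REINDEX_LOG, SERVER_LOG)
    print("missing parent IDs:", parents)
    for o in orphans:
        print("entry %(id)d (%(original_rdn)s, nsuniqueid=%(nsuniqueid)s) "
              "lacks parent %(parent_id)s; server hit it too: %(seen_by_server)s" % o)
```

Run against a real instance's error log, the same entry IDs appearing in both lists is the signal that the replica initialisation and the reindex are failing on the same orphaned tombstones rather than on two separate problems.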



From rcritten at redhat.com  Tue May 22 13:40:26 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 22 May 2012 09:40:26 -0400
Subject: Message removed by Red Hat, Inc. administrators
In-Reply-To: <201205211955.q4LJtWrB025483@mx1.redhat.com>
References: <201205211955.q4LJtWrB025483@mx1.redhat.com>
Message-ID: <4FBB974A.30604@redhat.com>

Message removed by Red Hat, Inc. administrators


From rcritten at redhat.com  Tue May 22 13:46:07 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 22 May 2012 09:46:07 -0400
Subject: [Freeipa-users] 2.1.3 and 2.2.0: how to do IPA replica
	promotion?
In-Reply-To: <1337632230.67472.YahooMailNeo@web125701.mail.ne1.yahoo.com>
References: <1337632230.67472.YahooMailNeo@web125701.mail.ne1.yahoo.com>
Message-ID: <4FBB989F.90206@redhat.com>

David Copperfield wrote:
> Hi all,
>
> Has anyone successfully done an IPA replica promotion when the IPA master (Hub)
> failed, by following the IPA replica document for 2.1.3 and 2.2.0?
>
> I've tried at my side and see that all the steps involved are very
> confusing and may be out of date. My IPA master is installed with
> Dogtag, and all replicas are installed with Dogtag too through '--setup-ca'.
>
> In case ipamaster is not reachable, how can I promote ipareplica01?
>
> The master.ca.agent.host/port are not set up on either ipareplica01 or
> ipareplica02 to forward to the IPA master at the beginning. Does that mean
> all three IPA servers' Dogtag instances run independently?
>
> And what is the value of 'IssuingPointId' in step 3.e and 3.f?
>
> Is it possible for the document
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
> or a wiki/email, to give a SOLID use case instead of a descriptive statement,
> which is ambiguous and not easy to follow?
>
>
> [root at ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i};
> ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | egrep
> 'ca.certStatusUpdateInterval|ca.listenToCloneModifications|master.ca.agent'";
> done
> ipamaster
> ipareplica01
> ipareplica02
>
> [root at ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i};
> ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | grep ca.crl | grep
> enableCRL"; done
> ipamaster
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> ipareplica01
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> ipareplica02
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> [root at ipamaster ~]#

I'll see if I can get one of the dogtag guys to take a look at this.

In general, this is not really a big problem. All we are doing here is 
deciding which of the CAs will generate the CRL. You want just one 
because other operations are happening at the same time, potentially on 
other CAs, and if they are all generating a CRL at more or less the same 
time then resulting CRLs could be different by a cert or two. For 
consistency's sake it is better to do this on one machine and publish it.

Other than that there is no "master" promotion required. All of the 
servers, particularly those with a CA installed, are equals.

rob
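Dmitri's and Rob's replies both reduce "promotion" to one question: which CA instance is the single authoritative CRL generator. As an added example (not code from the thread, from FreeIPA or from Dogtag), the script below parses the CS.cfg key=value format David grepped and checks that exactly one host has ca.crl.MasterCRL.enableCRLUpdates=true; reading that key as the "generates CRLs" switch is my assumption based on David's output, and the hostnames and config texts are constructed to mirror what he posted (all three hosts generating).

```python
"""Audit which IPA/Dogtag CA instances are configured to generate the CRL.

Added example, not code from the thread or from FreeIPA/Dogtag. It applies
the rule stated in the replies (exactly one CA should be the CRL source) to
CS.cfg fragments collected from each CA host.
"""


def parse_cs_cfg(text):
    """Parse Dogtag CS.cfg: one key=value per line; '#' lines and blanks ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # lines without '=' are not settings
            cfg[key.strip()] = value.strip()
    return cfg


def is_true(cfg, key):
    """Dogtag booleans are the literal strings 'true'/'false'; absent means false."""
    return cfg.get(key, "false").strip().lower() == "true"


def crl_role(cfg):
    """Assumption: a CA with enableCRLUpdates=true generates CRLs (the 'master'
    of the promotion procedure); any other CA is treated as a clone here."""
    if is_true(cfg, "ca.crl.MasterCRL.enableCRLUpdates"):
        return "master"
    return "clone"


def audit_crl_masters(configs):
    """configs maps hostname -> CS.cfg text. Returns (roles, problems) where
    roles maps hostname -> 'master'/'clone' and problems lists findings."""
    roles = {host: crl_role(parse_cs_cfg(text)) for host, text in configs.items()}
    masters = sorted(h for h, r in roles.items() if r == "master")
    problems = []
    if not masters:
        problems.append("no CA has enableCRLUpdates=true; no CRL will be generated")
    elif len(masters) > 1:
        problems.append(
            "%d CAs generate CRLs (%s); only one should be the authoritative source"
            % (len(masters), ", ".join(masters))
        )
    return roles, problems


# Constructed sample 1: the state David's grep loop showed on every host.
ALL_GENERATE = {
    "ipamaster": "ca.crl.MasterCRL.enableCRLCache=true\n"
                 "ca.crl.MasterCRL.enableCRLUpdates=true\n",
    "ipareplica01": "ca.crl.MasterCRL.enableCRLCache=true\n"
                    "ca.crl.MasterCRL.enableCRLUpdates=true\n",
    "ipareplica02": "ca.crl.MasterCRL.enableCRLCache=true\n"
                    "ca.crl.MasterCRL.enableCRLUpdates=true\n",
}

# Constructed sample 2: ipamaster is unreachable and ipareplica01 has been
# made the single CRL source; the remaining clone no longer generates.
ONE_MASTER = {
    "ipareplica01": "# promoted after ipamaster became unreachable\n"
                    "ca.crl.MasterCRL.enableCRLCache=true\n"
                    "ca.crl.MasterCRL.enableCRLUpdates=true\n",
    "ipareplica02": "ca.crl.MasterCRL.enableCRLCache=false\n"
                    "ca.crl.MasterCRL.enableCRLUpdates=false\n",
}

if __name__ == "__main__":
    for label, sample in (("as posted", ALL_GENERATE), ("after promotion", ONE_MASTER)):
        roles, problems = audit_crl_masters(sample)
        print(label, roles, problems or ["OK: exactly one CRL master"])
```

In practice the config texts would come from the same ssh loop David used, one CS.cfg per CA host, so the check can be re-run after a promotion to confirm that exactly one generator remains.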



From rmeggins at redhat.com  Tue May 22 15:29:21 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 22 May 2012 09:29:21 -0600
Subject: [Freeipa-users] Howto solve database inconsistency
In-Reply-To: <35691758.378598.1337688487440.JavaMail.root@webmail2.atix.de>
References: <35691758.378598.1337688487440.JavaMail.root@webmail2.atix.de>
Message-ID: <4FBBB0D1.3020407@redhat.com>

On 05/22/2012 06:08 AM, Marc Grimme wrote:
> Hello,
> During troubleshooting of why the creation of a replica crashes, I realized that there are database inconsistencies in my master server.
> During ipa-replica-install the process terminated in step 21/29.
> The master log showed the following error messages:
> [18/May/2012:22:38:50 +0200] NSMMReplicationPlugin - agmt="cn=meTomethusalix2.cl.atix" (methusalix2:389): Replication bind with SIMPLE auth resumed
> [18/May/2012:22:38:52 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTomethusalix2.cl.atix" (methusalix2:389)".
> [18/May/2012:22:38:53 +0200] _entry_set_tombstone_rdn - Failed to convert DN idnsname=axref05-1 to RDN
> [18/May/2012:22:38:53 +0200] id2entry - str2entry returned NULL for id 299, string="rdn"
> [18/May/2012:22:38:53 +0200] _entry_set_tombstone_rdn - Failed to convert DN idnsName=axref05-1 to RDN
> [18/May/2012:22:38:53 +0200] id2entry - str2entry returned NULL for id 306, string="rdn"
> [18/May/2012:22:38:53 +0200] _entry_set_tombstone_rdn - Failed to convert DN idnsName=axref05-1 to RDN
> [18/May/2012:22:38:53 +0200] id2entry - str2entry returned NULL for id 307, string="rdn"
>
> Then the ipa-replica-install process just terminates.
>
> When I then do a reindex on the database I can see the following:
> [root at axinfra01-1 scripts-CL-ATIX]# ./db2index
> [18/May/2012:22:22:50 +0200] - /etc/dirsrv/slapd-CL-ATIX/dse.ldif: nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.
> [18/May/2012:22:22:50 +0200] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.
> [18/May/2012:22:22:50 +0200] - check_and_set_import_cache: pagesize: 4096, pages: 513771, procpages: 53984
> [18/May/2012:22:22:50 +0200] - Import allocates 822032KB import cache.
> [18/May/2012:22:22:50 +0200] - Backing up file 0 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/cn.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 1 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/member.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 2 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/displayname.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 3 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/sn.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 4 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/id2entry.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 5 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/ancestorid.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 6 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/krbPrincipalName.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 7 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/uid.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 8 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/mail.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 9 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/aci.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 10 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/memberOf.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 11 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/nsuniqueid.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 12 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/memberUser.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 13 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/uidnumber.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 14 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/givenName.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 15 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/parentid.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 16 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/nscpEntryDN.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 17 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/gidnumber.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 18 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/entryusn.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 19 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/entryrdn.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 20 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/DBVERSION)
> [18/May/2012:22:22:50 +0200] - Backing up file 21 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/numsubordinates.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 22 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/memberHost.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 23 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/ou.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 24 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/objectclass.db4)
> [18/May/2012:22:22:50 +0200] upgrade DB - userRoot: Start upgradedb.
> [18/May/2012:22:22:50 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [18/May/2012:22:22:50 +0200] - reindex userRoot: Index buffering enabled with bucket size 100
> [18/May/2012:22:22:51 +0200] ldif2dbm - import_get_and_add_parent_rdns: Failed to position at ID 297
> [18/May/2012:22:22:51 +0200] - ldbm2index: Failed to compose dn for (rdn: nsuniqueid=fef36002-4da911e1-b813f830-2eedd06a,idnsname=axref05-1, ID: 299)
> [18/May/2012:22:22:51 +0200] ldif2dbm - import_get_and_add_parent_rdns: Failed to position at ID 304
> [18/May/2012:22:22:51 +0200] - ldbm2index: Failed to compose dn for (rdn: nsuniqueid=c1911a01-50aa11e1-b813f830-2eedd06a,idnsName=axref05-1, ID: 306)
> [18/May/2012:22:22:51 +0200] ldif2dbm - import_get_and_add_parent_rdns: Failed to position at ID 304
> [18/May/2012:22:22:51 +0200] - ldbm2index: Failed to compose dn for (rdn: nsuniqueid=927ba801-50ac11e1-b813f830-2eedd06a,idnsName=axref05-1, ID: 307)
> [18/May/2012:22:22:51 +0200] - reindex userRoot: WARNING: Skipping entry "nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff" which has no parent, ending at line 239 of file "id2entry.db4"
> ..
>
> The question is now:
> * Are those messages related to the terminating ipa-replica-install?
> * How can I resolve those inconsistencies in the db?

First - what is your platform and 389-ds-base version?  Was this a 
fresh install or an upgrade from a previous version?  If an upgrade, 
what was the version you upgraded from?

>
> Thanks for your help
> Marc.
>
>
> ______________________________________________________________________________
>
> Marc Grimme
>
> E-Mail: grimme at atix.de
>



From grimme at atix.de  Tue May 22 15:38:27 2012
From: grimme at atix.de (Marc Grimme)
Date: Tue, 22 May 2012 17:38:27 +0200 (CEST)
Subject: [Freeipa-users] Howto solve database inconsistency
In-Reply-To: <4FBBB0D1.3020407@redhat.com>
Message-ID: <196527244.379512.1337701107664.JavaMail.root@webmail2.atix.de>

I'm on plain RHEL6.1; my relevant package versions are as follows:
# rpm -qa ipa* 389*
ipa-server-2.1.3-9.el6.x86_64
389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-admintools-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
389-ds-base-1.2.9.14-1.el6_2.2.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.2 (Santiago)

Thanks, Marc.

----- Original Message -----
From: "Rich Megginson" 
To: "Marc Grimme" 
Cc: freeipa-users at redhat.com
Sent: Tuesday, May 22, 2012 5:29:21 PM
Subject: Re: [Freeipa-users] Howto solve database inconsistency

On 05/22/2012 06:08 AM, Marc Grimme wrote:
> Hello,
> During troubleshooting of why the creation of a replica crashes, I realized that there are database inconsistencies in my master server.
> During ipa-replica-install the process terminated in step 21/29.
> The master log showed the following error messages:
> [18/May/2012:22:38:50 +0200] NSMMReplicationPlugin - agmt="cn=meTomethusalix2.cl.atix" (methusalix2:389): Replication bind with SIMPLE auth resumed
> [18/May/2012:22:38:52 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTomethusalix2.cl.atix" (methusalix2:389)".
> [18/May/2012:22:38:53 +0200] _entry_set_tombstone_rdn - Failed to convert DN idnsname=axref05-1 to RDN
> [18/May/2012:22:38:53 +0200] id2entry - str2entry returned NULL for id 299, string="rdn"
> [18/May/2012:22:38:53 +0200] _entry_set_tombstone_rdn - Failed to convert DN idnsName=axref05-1 to RDN
> [18/May/2012:22:38:53 +0200] id2entry - str2entry returned NULL for id 306, string="rdn"
> [18/May/2012:22:38:53 +0200] _entry_set_tombstone_rdn - Failed to convert DN idnsName=axref05-1 to RDN
> [18/May/2012:22:38:53 +0200] id2entry - str2entry returned NULL for id 307, string="rdn"
>
> Then the ipa-replica-install process just terminates.
>
> When I then do a reindex on the database I can see the following:
> [root at axinfra01-1 scripts-CL-ATIX]# ./db2index
> [18/May/2012:22:22:50 +0200] - /etc/dirsrv/slapd-CL-ATIX/dse.ldif: nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.
> [18/May/2012:22:22:50 +0200] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.
> [18/May/2012:22:22:50 +0200] - check_and_set_import_cache: pagesize: 4096, pages: 513771, procpages: 53984
> [18/May/2012:22:22:50 +0200] - Import allocates 822032KB import cache.
> [18/May/2012:22:22:50 +0200] - Backing up file 0 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/cn.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 1 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/member.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 2 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/displayname.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 3 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/sn.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 4 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/id2entry.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 5 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/ancestorid.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 6 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/krbPrincipalName.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 7 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/uid.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 8 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/mail.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 9 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/aci.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 10 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/memberOf.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 11 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/nsuniqueid.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 12 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/memberUser.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 13 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/uidnumber.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 14 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/givenName.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 15 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/parentid.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 16 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/nscpEntryDN.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 17 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/gidnumber.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 18 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/entryusn.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 19 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/entryrdn.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 20 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/DBVERSION)
> [18/May/2012:22:22:50 +0200] - Backing up file 21 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/numsubordinates.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 22 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/memberHost.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 23 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/ou.db4)
> [18/May/2012:22:22:50 +0200] - Backing up file 24 (/var/lib/dirsrv/slapd-CL-ATIX/bak/reindex_2012_05_18_22_22_50/userRoot/objectclass.db4)
> [18/May/2012:22:22:50 +0200] upgrade DB - userRoot: Start upgradedb.
> [18/May/2012:22:22:50 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [18/May/2012:22:22:50 +0200] - reindex userRoot: Index buffering enabled with bucket size 100
> [18/May/2012:22:22:51 +0200] ldif2dbm - import_get_and_add_parent_rdns: Failed to position at ID 297
> [18/May/2012:22:22:51 +0200] - ldbm2index: Failed to compose dn for (rdn: nsuniqueid=fef36002-4da911e1-b813f830-2eedd06a,idnsname=axref05-1, ID: 299)
> [18/May/2012:22:22:51 +0200] ldif2dbm - import_get_and_add_parent_rdns: Failed to position at ID 304
> [18/May/2012:22:22:51 +0200] - ldbm2index: Failed to compose dn for (rdn: nsuniqueid=c1911a01-50aa11e1-b813f830-2eedd06a,idnsName=axref05-1, ID: 306)
> [18/May/2012:22:22:51 +0200] ldif2dbm - import_get_and_add_parent_rdns: Failed to position at ID 304
> [18/May/2012:22:22:51 +0200] - ldbm2index: Failed to compose dn for (rdn: nsuniqueid=927ba801-50ac11e1-b813f830-2eedd06a,idnsName=axref05-1, ID: 307)
> [18/May/2012:22:22:51 +0200] - reindex userRoot: WARNING: Skipping entry "nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff" which has no parent, ending at line 239 of file "id2entry.db4"
> ..
>
> The question is now:
> * Are those messages related to the terminating ipa-replica-install?
> * How can I resolve those inconsistencies in the db?

First - what is your platform and 389-ds-base version?  Was this a 
fresh install or an upgrade from a previous version?  If an upgrade, 
what was the version you upgraded from?

>
> Thanks for your help
> Marc.
>
>
> ______________________________________________________________________________
>
> Marc Grimme
>
> E-Mail: grimme at atix.de
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



From dale at themacartneyclan.com  Tue May 22 16:06:43 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Tue, 22 May 2012 17:06:43 +0100
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas
 from daily IPA Replica setup???
In-Reply-To: <4FBBA4F2.2070001@redhat.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com>
	<4FB28B0D.5080201@redhat.com>
	<1337497719.65988.YahooMailNeo@web160703.mail.bf1.yahoo.com>
	<1337621121.23884.YahooMailNeo@web160701.mail.bf1.yahoo.com>
	<4FBAC940.9060906@redhat.com>
	<4FBB4E25.3090409@themacartneyclan.com>
	<4FBB6C91.7010601@redhat.com> <4FBB9E66.7090602@redhat.com>
	<4FBBA454.9030603@redhat.com> <4FBBA4F2.2070001@redhat.com>
Message-ID: <4FBBB993.9020608@themacartneyclan.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

cc'ing group list back in for other opinions.

On 05/22/2012 03:38 PM, Rich Megginson wrote:
> On 05/22/2012 08:36 AM, Dmitri Pal wrote:
>> On 05/22/2012 10:10 AM, Rich Megginson wrote:
>>> On 05/22/2012 04:38 AM, Dmitri Pal wrote:
>>>> On 05/22/2012 04:28 AM, Dale Macartney wrote:
>>>>> Dmitri, Rob
>>>>>
>>>>> I thought I might reply to you both directly, just in case others on
>>>>> the list vent frustrations on the ongoing discussion of this topic.
>>>>>
>>>>> I've been reading through the archives of the list for hot backup
>>>>> solutions, and this email thread really stood out. I am seeing a
>>>>> general consensus of backing up everything, and in some cases, even
>>>>> backing up a virtualized guest disk image to maintain a backup. I
>>>>> personally feel this is the wrong message people should be getting
>>>>> into their heads about a DR solution for restoring IPA.
>>>>>
>>>>> I was wondering, and feel free to correct me here if you see fit, if
>>>>> it would be beneficial to have a similar method of backing up IPA (and
>>>>> replicas), in a similar fashion to how Microsoft recommend their
>>>>> Domain Controllers to be backed up. A "system state backup" of sorts.
>>>>> Where a backup is performed on all Domain Controllers (or in our case,
>>>>> IPA servers). Basically, resulting in an individual restore point for
>>>>> each replica. From here, you have an entire backup, which will only
>>>>> ever be used for that ONE server it was intended for. Essentially a
>>>>> complete dump and load approach.
>>>>>
>>>>> It is best practice in a Windows environment to perform these backups
>>>>> several times a week in small non-changing environments. So my
>>>>> thinking is, if we have a "daily backup" solution which could be used
>>>>> to run on each replica or master, then this should suffice in an
>>>>> adequate procedure to give to customers.
>>>>>
>>>>> In short, I'm more than happy to put my hand up on this one to help
>>>>> free up your time. I can easily take this on with a few of the lads
>>>>> here in the UK and get some customer feedback from mates within my
>>>>> former employment who are quite well versed in the realms of IPA.
>>>>>
>>>>> Would this be of any help to you? Do you see this as the right
>>>>> direction to take on this matter? I'd love to hear your thoughts
>>>>>
>>>>> Rhys, Gav, cc'ing you in on this one. I'd like to throw this onto our
>>>>> running list of IPA integration projects.
>>>>>
>>>>> Regards
>>>>>
>>>>> Dale
>>>> First of all thank you for the offer!
>>>>
>>>> It seems that there are two main use cases:
>>>> 1) Catastrophic failure
>>>> 2) Data deletion
>>>>
>>>> In the case of the catastrophic failure you want to have all
>>>> data+configuration+keys backed up to be able to effectively start over
>>>> and re-install/recover from the backup.
could we not have the ability of restoring only specific data? Like most
backup solutions?

for example
having a utility where you can run "ipa backup all" could cover the
data+config+keys, however depending on a catastrophic failure or data
deletion, maybe have something along the lines of "ipa restore data" if
we simply wanted to restore the data element of the backup.

Thoughts? IMO, I think we should look for a KISS method which is
specific to the application stack at hand.
>>>> In this case IMO having a VM approach like the one JR uses is a viable
>>>> solution. Rob, Simo, Rich do you agree?
>>> We would need to test this to make sure VM snapshots don't cause
>>> problems with replication and/or kerberos since those are sensitive to
>>> time. All of the testing we have ever done for RHDS/389 for
>>> backup/restore is based on simple database binary and ldif backups.
>>> We've never had to take into account restoring to a filesystem time in
>>> the past or a VM state that is in the past.
>> Why in the past?
>> If you take snapshots regularly say every other day when you restart a
>> VM it should act as if the connection to it was lost for couple days.
>
> Ok. Maybe it will work just fine. All I'm saying is that we better test
this well with a number of replication scenarios.
Should we really be considering snapshots as an "IPA" method of
recovery? That puts a prerequisite on the customer using either SAN
snapshotting or virtualization technologies.
If I use RHEV 2.2 as an example here, RHEV was not adopted by many
customers because there was a prerequisite of Windows. If we have a
reliance on other technologies for such key recovery principles this
will undoubtedly (possibly more in the short than long term) have a
knock on effect of adoption.

Yes it might work, but should we be sending this message across? In the
short term, if it works then great, however I think this should give us
insight into a more robust method in the future.

>
>> I do not see how the Kerberos and time are related here.
>>
>>>> In the case of data deletion one needs to keep LDAP data around and
>>>> not necessarily all the configuration and keys. And not even all the
>>>> data needs to be backed up.
>>>>
>>>> So there should probably be two different procedures.
>>>>
>>>> I also think that creating a VM snapshot and recovering from such
>>>> snapshot can be automated. We should probably provide some kind of
>>>> script or command to do so.
>>>> We stayed a bit shy from either procedure because the set of the config
>>>> files IPA touches changes all the time and until we get it stable it
>>>> would be hard to commit to a flawless backup. We feel we will miss
>>>> something and will get bugs that we will have to address. Yeah in the
>>>> current state there is a bit of hand-waving... Maybe it is time to
>>>> identify the set of all things we touch on the system and try to have
>>>> a more solid set of procedures and recommendations and bite the bullet
>>>> if we miss something.
>>>>
>>>> Now back to your offer, first of all which of the two use cases you
>>>> think you would be able to contribute to?
>>>> Do you think it makes sense to script something for either of the cases?
>>>> What? Would you be able to help?
>>>>
>>>> JR offered help too. He is waiting for the blessing to describe a VM
>>>> based approach. So first we should decide if it is the right way to go.
>>>> For the first case IMO it is but I want other opinions.
>>>>
>>>> And one more thing. Maybe we should continue this thread on the list so
>>>> please reply there.
>>>>
>>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----


From rcritten at redhat.com  Tue May 22 17:26:59 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 22 May 2012 13:26:59 -0400
Subject: [Freeipa-users] Please help: How to restore IPA Master/Replicas
 from daily IPA Replica setup???
In-Reply-To: <4FBBB993.9020608@themacartneyclan.com>
References: <1337024908.7149.YahooMailNeo@web160701.mail.bf1.yahoo.com>
	<4FB28B0D.5080201@redhat.com>
	<1337497719.65988.YahooMailNeo@web160703.mail.bf1.yahoo.com>
	<1337621121.23884.YahooMailNeo@web160701.mail.bf1.yahoo.com>
	<4FBAC940.9060906@redhat.com>
	<4FBB4E25.3090409@themacartneyclan.com>
	<4FBB6C91.7010601@redhat.com> <4FBB9E66.7090602@redhat.com>
	<4FBBA454.9030603@redhat.com> <4FBBA4F2.2070001@redhat.com>
	<4FBBB993.9020608@themacartneyclan.com>
Message-ID: <4FBBCC63.8060008@redhat.com>

Dale Macartney wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> cc'ing group list back in for other opinions.
>
> On 05/22/2012 03:38 PM, Rich Megginson wrote:
>> On 05/22/2012 08:36 AM, Dmitri Pal wrote:
>>> On 05/22/2012 10:10 AM, Rich Megginson wrote:
>>>> On 05/22/2012 04:38 AM, Dmitri Pal wrote:
>>>>> On 05/22/2012 04:28 AM, Dale Macartney wrote:
>>>>>> Dmitri, Rob
>>>>>>
>>>>>> I thought I might reply to you both directly, just in case others on
>>>>>> the list vent frustrations on the ongoing discussion of this topic.
>>>>>>
>>>>>> I've been reading through the archives of the list for hot backup
>>>>>> solutions, and this email thread really stood out. I am seeing a
>>>>>> general consensus of backing up everything, and in some cases, even
>>>>>> backing up a virtualized guest disk image to maintain a backup. I
>>>>>> personally feel this is the wrong message people should be getting
>>>>>> into their heads about a DR solution for restoring IPA.
>>>>>>
>>>>>> I was wondering, and feel free to correct me here if you see fit, if
>>>>>> it would be beneficial to have a similar method of backing up IPA (and
>>>>>> replicas), in a similar fashion to how Microsoft recommend their
>>>>>> Domain Controllers to be backed up. A "system state backup" of sorts.
>>>>>> Where a backup is performed on all Domain Controllers (or in our case,
>>>>>> IPA servers). Basically, resulting in an individual restore point for
>>>>>> each replica. From here, you have an entire backup, which will only
>>>>>> ever be used for that ONE server it was intended for. Essentially a
>>>>>> complete dump and load approach.
>>>>>>
>>>>>> It is best practice in a Windows environment to perform these backups
>>>>>> several times a week in small non-changing environments. So my
>>>>>> thinking is, if we have a "daily backup" solution which could be used
>>>>>> to run on each replica or master, then this should suffice in an
>>>>>> adequate procedure to give to customers.
>>>>>>
>>>>>> In short, I'm more than happy to put my hand up on this one to help
>>>>>> free up your time. I can easily take this on with a few of the lads
>>>>>> here in the UK and get some customer feedback from mates within my
>>>>>> former employment who are quite well versed in the realms of IPA.
>>>>>>
>>>>>> Would this be of any help to you? Do you see this as the right
>>>>>> direction to take on this matter? I'd love to hear your thoughts
>>>>>>
>>>>>> Rhys, Gav, cc'ing you in on this one. I'd like to throw this onto our
>>>>>> running list of IPA integration projects.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Dale
>>>>> First of all thank you for the offer!
>>>>>
>>>>> It seems that there are two main use cases:
>>>>> 1) Catastrophic failure
>>>>> 2) Data deletion
>>>>>
>>>>> In the case of the catastrophic failure you want to have all
>>>>> data+configuration+keys backed up to be able to effectively start over
>>>>> and re-install/recover from the backup.
> could we not have the ability of restoring only specific data? Like most
> backup solutions?
>
> for example
> having a utility where you can run "ipa backup all" could cover the
> data+config+keys, however depending on a catastrophic failure or data
> deletion, maybe have something along the lines of "ipa restore data" if
> we simply wanted to restore the data element of the backup.
>
> Thoughts? IMO, I think we should look for a KISS method which is
> specific to the application stack at hand.

Yes, this is the approach we're taking, as they are really separate 
problems.

We aren't too keen on trying to back up individual files because IPA 
touches so many things, in so many different configurations, that the 
possibility that some important file is missed is rather high. The 
impact could mean a restored server that doesn't work.

At this point we're recommending full backups and restores for 
system-level backups.

As for data we're still working on it. Being able to identify and 
restore certain users/groups, etc is something we want but haven't yet 
worked out the details.

>>>>> In this case IMO having a VM approach like the one JR uses is a viable
>>>>> solution. Rob, Simo, Rich do you agree?
>>>> We would need to test this to make sure VM snapshots don't cause
>>>> problems with replication and/or kerberos since those are sensitive to
>>>> time. All of the testing we have ever done for RHDS/389 for
>>>> backup/restore is based on simple database binary and ldif backups.
>>>> We've never had to take into account restoring to a filesystem time in
>>>> the past or a VM state that is in the past.
>>> Why in the past?
>>> If you take snapshots regularly say every other day when you restart a
>>> VM it should act as if the connection to it was lost for couple days.
>>
>> Ok. Maybe it will work just fine. All I'm saying is that we better test
> this well with a number of replication scenarios.
> Should we really be considering snapshots as an "IPA" method of
> recovery? That puts a prerequisite on the customer using either SAN
> snapshotting or virtualization technologies.
> If I use RHEV 2.2 as an example here, RHEV was not adopted by many
> customers because there was a prerequisite of Windows. If we have a
> reliance on other technologies for such key recovery principles this
> will undoubtedly (possibly more in the short than long term) have a
> knock on effect of adoption.
>
> Yes it might work, but should we be sending this message across? In the
> short term, if it works then great, however I think this should give us
> insight into a more robust method in the future.
>
>>
>>> I do not see how the Kerberos and time are related here.
>>>
>>>>> In the case of data deletion one needs to keep LDAP data around and
>>>>> not necessarily all the configuration and keys. And not even all the
>>>>> data needs to be backed up.
>>>>>
>>>>> So there should probably be two different procedures.
>>>>>
>>>>> I also think that creating a VM snapshot and recovering from such
>>>>> snapshot can be automated. We should probably provide some kind of
>>>>> script or command to do so.
>>>>> We stayed a bit shy from either procedure because the set of the config
>>>>> files IPA touches changes all the time and until we get it stable it
>>>>> would be hard to commit to a flawless backup. We feel we will miss
>>>>> something and will get bugs that we will have to address. Yeah in the
>>>>> current state there is a bit of hand-waving... Maybe it is time to
>>>>> identify the set of all things we touch on the system and try to have
>>>>> a more solid set of procedures and recommendations and bite the bullet
>>>>> if we miss something.
>>>>>
>>>>> Now back to your offer, first of all which of the two use cases you
>>>>> think you would be able to contribute to?
>>>>> Do you think it makes sense to script something for either of the cases?
>>>>> What? Would you be able to help?
>>>>>
>>>>> JR offered help too. He is waiting for the blessing to describe a VM
>>>>> based approach. So first we should decide if it is the right way to go.
>>>>> For the first case IMO it is but I want other opinions.
>>>>>
>>>>> And one more thing. Maybe we should continue this thread on the list so
>>>>> please reply there.
>>>>>
>>>
>>



From sgallagh at redhat.com  Tue May 22 17:41:27 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 22 May 2012 13:41:27 -0400
Subject: [Freeipa-users] New mailing list: sssd-users
Message-ID: <1337708487.4193.30.camel@sgallagh520.sgallagh.bos.redhat.com>

For quite some time, we have used the sssd-devel mailing list for
development and user configuration issue discussions. As the project has
grown, it becomes more and more clear that we need to separate these
topics into their own lists.

So as of today, we now have a new mailing list for user questions. You
can subscribe at https://fedorahosted.org/mailman/listinfo/sssd-users

This list will be considerably less noisy for our users as they will not
be bombarded with patch review emails and other development-centric
issues.

From Steven.Jones at vuw.ac.nz  Tue May 22 20:11:37 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 22 May 2012 20:11:37 +0000
Subject: [Freeipa-users] How to restore IPA Master/Replicas
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC97859@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

My master is it seems dead and has been for a week, RH support cannot recover it.....so I need to move on and rebuild it.....first it looks like I need to promote my replica to be the master.

Do we have any good docs/procedures for the above?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



From Steven.Jones at vuw.ac.nz  Tue May 22 21:04:57 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 22 May 2012 21:04:57 +0000
Subject: [Freeipa-users] How to restore IPA Master/Replicas
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC97859@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC97859@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC97A90@STAWINCOX10MBX1.staff.vuw.ac.nz>

From the 18.8.2 section point 2,

"[root at ipaserver ~]# pk12util -o /path/to/cacert.p12 -n "EXAMPLE.COM IPA CA" -d /etc/dirsrv/slapd-EXAMPLE-COM"

the -o option is the one below?  

[root at vuwunicoipam001 ~]# find /etc/ -name cacert*
/etc/httpd/alias/cacert.p12

?

I think an explanation of what I'm meant to be looking for might help...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




From Steven.Jones at vuw.ac.nz  Tue May 22 21:11:20 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 22 May 2012 21:11:20 +0000
Subject: [Freeipa-users] How to restore IPA Master/Replicas
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC97A90@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC97859@STAWINCOX10MBX1.staff.vuw.ac.nz>,
	<833D8E48405E064EBC54C84EC6B36E404CC97A90@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC97AA1@STAWINCOX10MBX1.staff.vuw.ac.nz>

[root at vuwunicoipam001 ~]# pk12util -o /etc/httpd/alias/cacert.p12 -n "ODS.VUW.AC.NZ IPA CA" -d /etc/dirsrv/slapd-ODS-VUW-AC-NZ/
Enter Password or Pin for "NSS Certificate DB":

I tried the directory manager password and the admin password and a blank.....

keeps asking...no idea what it is...

:/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




From TChow at eexchange.com  Tue May 22 21:26:06 2012
From: TChow at eexchange.com (TChow at eexchange.com)
Date: Tue, 22 May 2012 14:26:06 -0700
Subject: Message removed by Red Hat, Inc. administrators
In-Reply-To: <4FBB974A.30604@redhat.com>
References: <201205211955.q4LJtWrB025483@mx1.redhat.com>
	<4FBB974A.30604@redhat.com>
Message-ID: <201205222125.q4MLPsxi021523@mx1.redhat.com>

Message removed by Red Hat, Inc. administrators


From rcritten at redhat.com  Tue May 22 21:43:58 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 22 May 2012 17:43:58 -0400
Subject: [Freeipa-users] How to restore IPA Master/Replicas
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC97A90@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC97859@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<833D8E48405E064EBC54C84EC6B36E404CC97A90@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FBC089E.3090103@redhat.com>

Steven Jones wrote:
> From the 18.8.2 section point 2,
>
> "[root at ipaserver ~]# pk12util -o /path/to/cacert.p12 -n "EXAMPLE.COM IPA CA" -d /etc/dirsrv/slapd-EXAMPLE-COM"
>
> the -o option is the one below?
>
> [root at vuwunicoipam001 ~]# find /etc/ -name cacert*
> /etc/httpd/alias/cacert.p12
>
> ?
>
> I think an explanation of what I'm meant to be looking for might help...

You're using a self-signed CA?

The -o is what you defined as /path/to/cacert.p12. It is wherever you 
want to store the file.

This documentation is incorrect though, I thought I had filed a bug on 
this already. In a self-signed CA the root certificate is in 
/etc/httpd/alias and not in a 389-ds instance at all. So for step 2 
you'd replace /etc/dirsrv/slapd-EXAMPLE-COM with /etc/httpd/alias.

What this is doing is creating a file to transport the self-signed CA 
private keys and certificate securely from one location to another.

This is assuming the original master is around. If it is then you can do 
this. If not then you saved /root/cacert.p12 from the initial install, 
right?

rob

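Rob's correction above (a self-signed IPA CA lives in the httpd NSS database under /etc/httpd/alias, and -o is simply the output path you choose) can be turned into a small export script. What follows is an added example written for this thread; it is not a FreeIPA tool and was not posted by anyone above. It assumes a self-signed CA, that the NSS database password is stored in /etc/httpd/alias/pwdfile.txt (the password file FreeIPA keeps beside that database; treat the path as an assumption and adjust if yours differs), and that the realm is passed on the command line. The "Enter Password or Pin for NSS Certificate DB" prompt Steven hit is the NSS database's own token password, not the Directory Manager or admin password, which is why supplying it via -k avoids the prompt entirely.

```shell
#!/bin/sh
# Added example for this thread, not FreeIPA's own tooling.
# Export the self-signed IPA CA certificate and private key to a PKCS#12
# file from /etc/httpd/alias and verify the result.
# Assumptions: self-signed CA; NSS DB password in /etc/httpd/alias/pwdfile.txt;
# usage: ./export-ca.sh REALM /path/to/cacert.p12
set -eu

# FreeIPA derives these names from the Kerberos realm, as seen in the thread:
# ODS.VUW.AC.NZ -> slapd-ODS-VUW-AC-NZ and nickname "ODS.VUW.AC.NZ IPA CA".
realm_to_instance() {
    printf 'slapd-%s\n' "$(printf '%s' "$1" | tr '.' '-')"
}

ca_nickname() {
    printf '%s IPA CA\n' "$1"
}

# A self-signed CA is in the httpd NSS database, not the 389-ds instance dir.
ca_nssdb_dir() {
    printf '/etc/httpd/alias\n'
}

# Returns 0 when the exported file lists both a certificate and a key.
# pk12util -l prints a human-readable listing; no key material is echoed here.
p12_has_cert_and_key() {
    listing=$(pk12util -l "$1" -w "$2")
    printf '%s\n' "$listing" | grep -q 'Certificate' &&
        printf '%s\n' "$listing" | grep -q 'Key('
}

export_ca_p12() {
    realm=$1
    out=$2
    nssdb=$(ca_nssdb_dir)
    pwfile="$nssdb/pwdfile.txt"   # assumption: NSS DB password file location
    nick=$(ca_nickname "$realm")

    # Fail early if the nickname is not in this database, rather than being
    # prompted for the password of a database that does not hold the CA.
    if ! certutil -L -d "$nssdb" -n "$nick" >/dev/null 2>&1; then
        echo "no certificate '$nick' in $nssdb" >&2
        echo "(the docs' /etc/dirsrv/$(realm_to_instance "$realm") is not where a self-signed CA is kept)" >&2
        return 1
    fi

    # The output holds the CA private key: create it readable by root only.
    umask 077
    # -k: NSS DB password file (no interactive prompt)
    # -w: password file protecting the .p12 itself (same file here; use a
    #     separate one if the archive will leave this host)
    pk12util -o "$out" -n "$nick" -d "$nssdb" -k "$pwfile" -w "$pwfile"
    p12_has_cert_and_key "$out" "$pwfile"
}

if [ $# -ge 2 ]; then
    export_ca_p12 "$1" "$2"
fi
```

Keep the resulting .p12 with the same care as /root/cacert.p12 from the initial install: it is everything needed to issue certificates trusted by the whole realm, so it belongs in an access-controlled backup location, not a world-readable repository checkout.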



From Steven.Jones at vuw.ac.nz  Tue May 22 21:55:04 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 22 May 2012 21:55:04 +0000
Subject: [Freeipa-users] How to restore IPA Master/Replicas
In-Reply-To: <4FBC089E.3090103@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC97859@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<833D8E48405E064EBC54C84EC6B36E404CC97A90@STAWINCOX10MBX1.staff.vuw.ac.nz>,
	<4FBC089E.3090103@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC97B1F@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Yes I think they are what I put in subversion, basically between satellite and the files below in subversion I should be able to build a complete basic IPA server RHEL6.2 machine....the "interesting" bit is getting my master IPA instance back.


=========
[root at vuwunicoipam001 scripts]# pwd
/home/jonesst1/subversion/vuwunicoipam001-ods/scripts
[root at vuwunicoipam001 scripts]# ls -l
total 32
-rw-rw-r--. 1 jonesst1 jonesst1 1696 Mar 19 16:04 cacert.p12
drwxrwxr-x. 3 jonesst1 jonesst1 4096 Mar 19 16:04 etc
-rw-rw-r--. 1 jonesst1 jonesst1  206 Mar 19 16:04 nat-fw-down
-rw-rw-r--. 1 jonesst1 jonesst1 7171 Mar 19 16:07 nat-fw-up
drwxrwxr-x. 3 jonesst1 jonesst1 4096 Mar 20 13:39 packages
-rw-rw-r--. 1 jonesst1 jonesst1   40 Mar 19 16:04 pwdfile.txt
-rwxrwxr-x. 1 jonesst1 jonesst1 3524 Mar 19 16:04 zzbuild
[root at vuwunicoipam001 scripts]# 
=========

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 23 May 2012 9:43 a.m.
To: Steven Jones
Cc: ; Deon Lackey
Subject: Re: [Freeipa-users] How to restore IPA Master/Replicas

Steven Jones wrote:
>> From the 18.8.2 section point 2,
>
> "[root at ipaserver ~]# pk12util -o /path/to/cacert.p12 -n "EXAMPLE.COM IPA CA" -d /etc/
> dirsrv/slapd-EXAMPLE-COM"
>
> the -o option is the one below?
>
> [root at vuwunicoipam001 ~]# find /etc/ -name cacert*
> /etc/httpd/alias/cacert.p12
>
> ?
>
> I think an explanation of what Im meant to be looking for might help...

You're using a self-signed CA?

The -o is what you defined as /path/to/cacert.p12. It is wherever you
want to store the file.

This documentation is incorrect though, I thought I had filed a bug on
this already. In a self-signed CA the root certificate is in
/etc/httpd/alias and not in a 389-ds instance at all. So for step 2
you'd replace /etc/dirsrv/slapd-EXAMPLE-COM with /etc/httpd/alias.

What this is doing is creating a file to transport the self-signed CA
private keys and certificate securely from one location to another.

This is assuming the original master is around. If it is then you can do
this. If not then you saved /root/cacert.p12 from the initial install,
right?

rob

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Wednesday, 23 May 2012 8:11 a.m.
> Cc:
> Subject: [Freeipa-users] How to restore IPA Master/Replicas
>
> Hi,
>
> My master, it seems, is dead and has been for a week; RH support cannot recover it.....so I need to move on and rebuild it.....first it looks like I need to promote my replica to be the master.
>
> Do we have any good docs/procedures for the above?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




From rcritten at redhat.com  Wed May 23 03:25:32 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 22 May 2012 23:25:32 -0400
Subject: Message removed by Red Hat, Inc. administrators
In-Reply-To: <201205222125.q4MLPsxi021523@mx1.redhat.com>
References: <201205211955.q4LJtWrB025483@mx1.redhat.com>
	<4FBB974A.30604@redhat.com>
	<201205222125.q4MLPsxi021523@mx1.redhat.com>
Message-ID: <4FBC58AC.2040004@redhat.com>

Message removed by Red Hat, Inc. administrators


From rcritten at redhat.com  Wed May 23 03:38:38 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 22 May 2012 23:38:38 -0400
Subject: [Freeipa-users] How to restore IPA Master/Replicas
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC97B1F@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC97859@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<833D8E48405E064EBC54C84EC6B36E404CC97A90@STAWINCOX10MBX1.staff.vuw.ac.nz>,
	<4FBC089E.3090103@redhat.com>
	<833D8E48405E064EBC54C84EC6B36E404CC97B1F@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FBC5BBE.8090308@redhat.com>

Steven Jones wrote:
> Hi,
>
> Yes, I think they are what I put in subversion; basically, between satellite and the files below in subversion I should be able to build a complete basic IPA server RHEL6.2 machine.... the "interesting" bit is getting my master IPA instance back.
>
>
> =========
> [root at vuwunicoipam001 scripts]# pwd
> /home/jonesst1/subversion/vuwunicoipam001-ods/scripts
> [root at vuwunicoipam001 scripts]# ls -l
> total 32
> -rw-rw-r--. 1 jonesst1 jonesst1 1696 Mar 19 16:04 cacert.p12
> drwxrwxr-x. 3 jonesst1 jonesst1 4096 Mar 19 16:04 etc
> -rw-rw-r--. 1 jonesst1 jonesst1  206 Mar 19 16:04 nat-fw-down
> -rw-rw-r--. 1 jonesst1 jonesst1 7171 Mar 19 16:07 nat-fw-up
> drwxrwxr-x. 3 jonesst1 jonesst1 4096 Mar 20 13:39 packages
> -rw-rw-r--. 1 jonesst1 jonesst1   40 Mar 19 16:04 pwdfile.txt
> -rwxrwxr-x. 1 jonesst1 jonesst1 3524 Mar 19 16:04 zzbuild
> [root at vuwunicoipam001 scripts]#

That should be all you need then, that cacert.p12. The token password 
should be the same as the Apache db password.

You can import it using pk12util -i ... as documented.

Then you'll need to create a serial number file. If you don't have the 
old one you can create a new one, you just want to be sure to set the 
starting value at something that hasn't already been issued. Re-issuing 
certs with duplicate serial numbers is not very nice. We start at 1000, 
you can pick any number sufficiently higher. To get a ballpark figure 
you might try something like (this should work in 2.1.x, I tested it in 
2.2.0):

ipa service-find --sizelimit=10000 |grep -i serial
ipa host-find --sizelimit=10000 | grep -i serial

That should show the serial numbers in use, assuming you have fewer than 
10k hosts and services. It should put you in the ballpark in any case.

The format looks like:

[selfsign]
nextreplica = 500000
replicainterval = 500000
lastvalue = 1022

Only lastvalue is used, BTW.

For permissions, /var/lib/ipa/ca_serialno should be root:apache mode 
0664. You should probably run restorecon on it too.

To see if things are working you'll want to try to issue a cert.

rob

> =========
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 23 May 2012 9:43 a.m.
> To: Steven Jones
> Cc:; Deon Lackey
> Subject: Re: [Freeipa-users] How to restore IPA Master/Replicas
>
> Steven Jones wrote:
>>>  From the 18.8.2 section point 2,
>>
>> "[root at ipaserver ~]# pk12util -o /path/to/cacert.p12 -n "EXAMPLE.COM IPA CA" -d /etc/
>> dirsrv/slapd-EXAMPLE-COM"
>>
>> the -o option is the one below?
>>
>> [root at vuwunicoipam001 ~]# find /etc/ -name cacert*
>> /etc/httpd/alias/cacert.p12
>>
>> ?
>>
>> I think an explanation of what I'm meant to be looking for might help...
>
> You're using a self-signed CA?
>
> The -o is what you defined as /path/to/cacert.p12. It is wherever you
> want to store the file.
>
> This documentation is incorrect though, I thought I had filed a bug on
> this already. In a self-signed CA the root certificate is in
> /etc/httpd/alias and not in a 389-ds instance at all. So for step 2
> you'd replace /etc/dirsrv/slapd-EXAMPLE-COM with /etc/httpd/alias.
>
> What this is doing is creating a file to transport the self-signed CA
> private keys and certificate securely from one location to another.
>
> This is assuming the original master is around. If it is then you can do
> this. If not then you saved /root/cacert.p12 from the initial install,
> right?
>
> rob
>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Wednesday, 23 May 2012 8:11 a.m.
>> Cc:
>> Subject: [Freeipa-users] How to restore IPA Master/Replicas
>>
>> Hi,
>>
>> My master, it seems, is dead and has been for a week; RH support cannot recover it.....so I need to move on and rebuild it.....first it looks like I need to promote my replica to be the master.
>>
>> Do we have any good docs/procedures for the above?
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
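Rob's ballpark procedure above, as an added Python example (not FreeIPA code): it parses the "Serial Number:" lines that the two find commands print, picks a lastvalue above the highest one, writes the [selfsign] file in the format shown and checks the 0664 mode. The sample find output, the 1000-serial headroom and the temporary file path are this example's own assumptions; on a real server the live find output and /var/lib/ipa/ca_serialno would be used, and chown root:apache plus restorecon remain a root-only step.

```python
"""Pick a safe starting serial for a self-signed IPA CA's ca_serialno file.

Added example, not FreeIPA code. It parses the "Serial Number:" lines that
`ipa service-find --sizelimit=10000 | grep -i serial` (and the host-find
equivalent) print, chooses a lastvalue above every serial already issued,
renders the [selfsign] file and checks the 0664 mode. MARGIN is this
example's choice; ownership (root:apache) and restorecon need root and are
left to the operator.
"""
import configparser
import os
import re
import stat
import tempfile

CA_SERIALNO = "/var/lib/ipa/ca_serialno"  # path named in the thread
DEFAULT_START = 1000                      # where IPA itself starts numbering
MARGIN = 1000                             # assumed headroom above the highest issued serial

# Constructed sample of the grepped find output; these serials are made up.
SAMPLE_OUTPUT = """\
  Serial Number: 1001
  Serial Number: 1007
  Serial Number: 1019
  Serial Number: 1022
"""

SERIAL_RE = re.compile(r"^\s*Serial Number:\s*(\d+)\s*$", re.IGNORECASE)


def parse_serials(output):
    """Return every decimal serial number found in the grepped output."""
    serials = []
    for line in output.splitlines():
        match = SERIAL_RE.match(line)
        if match:
            serials.append(int(match.group(1)))
    return serials


def next_lastvalue(serials, start=DEFAULT_START, margin=MARGIN):
    """Choose a lastvalue above every issued serial, with headroom.

    The --sizelimit cap means the listing may be incomplete, so headroom is
    added; an empty listing still lands above IPA's default start value.
    """
    highest = max(serials, default=start)
    return max(highest, start) + margin


def render_ca_serialno(lastvalue):
    """Render the [selfsign] file; IPA only consumes lastvalue."""
    return ("[selfsign]\n"
            "nextreplica = 500000\n"
            "replicainterval = 500000\n"
            "lastvalue = %d\n" % lastvalue)


def write_ca_serialno(path, lastvalue):
    """Write the file and set mode 0664 (chown root:apache and restorecon
    are a separate, root-only step)."""
    with open(path, "w") as fh:
        fh.write(render_ca_serialno(lastvalue))
    os.chmod(path, 0o664)


def check_ca_serialno(path, issued_serials):
    """Report what a practitioner would want flagged before issuing a cert."""
    problems = []
    cfg = configparser.ConfigParser()
    if not cfg.read(path) or not cfg.has_option("selfsign", "lastvalue"):
        return ["no [selfsign] lastvalue in %s" % path]
    lastvalue = cfg.getint("selfsign", "lastvalue")
    if issued_serials and lastvalue <= max(issued_serials):
        problems.append("lastvalue %d is not above the highest issued serial %d"
                        % (lastvalue, max(issued_serials)))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o664:
        problems.append("mode is %04o, expected 0664" % mode)
    return problems


def demo(output=SAMPLE_OUTPUT):
    """End-to-end run against a temporary file; returns (lastvalue, problems)."""
    serials = parse_serials(output)
    lastvalue = next_lastvalue(serials)
    path = os.path.join(tempfile.mkdtemp(), "ca_serialno")
    write_ca_serialno(path, lastvalue)
    return lastvalue, check_ca_serialno(path, serials)


if __name__ == "__main__":
    print(demo())  # on a real server: use CA_SERIALNO and the live find output
```

The check function is the part worth keeping around: run it against the real file after the copy is in place and it flags the two things that go wrong in practice, a lastvalue that is not above what has already been issued and a mode other than 0664.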



From Greg.Lehmann at csiro.au  Tue May 22 21:47:57 2012
From: Greg.Lehmann at csiro.au (Greg.Lehmann at csiro.au)
Date: Wed, 23 May 2012 07:47:57 +1000
Subject: [Freeipa-users] [SSSD] New mailing list: sssd-users
In-Reply-To: <1337708487.4193.30.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <1337708487.4193.30.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <0A6C5E0FAF257A47BFC5303E9BCA4F3A9143935DFA@EXNSW-MBX03.nexus.csiro.au>

Hi All,
	Thanks for the new list. I hope the user list will still get to see some of the design decisions. It would be nice to have input as a user into what is going to be added feature-wise to sssd.

Cheers,

Greg

> -----Original Message-----
> From: sssd-devel-bounces at lists.fedorahosted.org [mailto:sssd-devel-
> bounces at lists.fedorahosted.org] On Behalf Of Stephen Gallagher
> Sent: Wednesday, 23 May 2012 3:41 AM
> To: Development of the System Security Services Daemon; freeipa-
> users at redhat.com; freeipa-interest at redhat.com
> Subject: [SSSD] New mailing list: sssd-users
> 
> For quite some time, we have used the sssd-devel mailing list for
> development and user configuration issue discussions. As the project
> has
> grown, it becomes more and more clear that we need to separate these
> topics into their own lists.
> 
> So as of today, we now have a new mailing list for user questions. You
> can subscribe at https://fedorahosted.org/mailman/listinfo/sssd-users
> 
> This list will be considerably less noisy for our users as they will
> not
> be bombarded with patch review emails and other development-centric
> issues.



From ondrejv at s3group.com  Wed May 23 13:06:19 2012
From: ondrejv at s3group.com (Ondrej Valousek)
Date: Wed, 23 May 2012 15:06:19 +0200
Subject: [Freeipa-users] [SSSD] New mailing list: sssd-users
In-Reply-To: <0A6C5E0FAF257A47BFC5303E9BCA4F3A9143935DFA@EXNSW-MBX03.nexus.csiro.au>
References: <1337708487.4193.30.camel@sgallagh520.sgallagh.bos.redhat.com>
	<0A6C5E0FAF257A47BFC5303E9BCA4F3A9143935DFA@EXNSW-MBX03.nexus.csiro.au>
Message-ID: <4FBCE0CB.2040307@s3group.cz>

+1

On 05/22/2012 11:47 PM, Greg.Lehmann at csiro.au wrote:
> Hi All,
> 	Thanks for the new list. I hope the user list will still get to see some of the design decisions. It would be nice to have input as a user into what is going to be added feature-wise to sssd.
>
> Cheers,
>
> Greg
>
>> -----Original Message-----
>> From: sssd-devel-bounces at lists.fedorahosted.org [mailto:sssd-devel-
>> bounces at lists.fedorahosted.org] On Behalf Of Stephen Gallagher
>> Sent: Wednesday, 23 May 2012 3:41 AM
>> To: Development of the System Security Services Daemon; freeipa-
>> users at redhat.com; freeipa-interest at redhat.com
>> Subject: [SSSD] New mailing list: sssd-users
>>
>> For quite some time, we have used the sssd-devel mailing list for
>> development and user configuration issue discussions. As the project
>> has
>> grown, it becomes more and more clear that we need to separate these
>> topics into their own lists.
>>
>> So as of today, we now have a new mailing list for user questions. You
>> can subscribe at https://fedorahosted.org/mailman/listinfo/sssd-users
>>
>> This list will be considerably less noisy for our users as they will
>> not
>> be bombarded with patch review emails and other development-centric
>> issues.
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


From james.hogarth at gmail.com  Wed May 23 15:59:56 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Wed, 23 May 2012 16:59:56 +0100
Subject: [Freeipa-users] PKI Subsystem Type: CA Clone convert to Root
Message-ID: 

> I'll see if I can get one of the dogtag guys to take a look at this.
>
> In general, this is not really a big problem. All we are doing here is deciding which of the CAs will generate the CRL. You want just one because other operations are happening at the same time, potentially on other CAs, and if they are all generating a CRL at more or less the same time then the resulting CRLs could be different by a cert or two. For consistency's sake it is better to do this on one machine and publish it.
>
> Other than that there is no "master" promotion required. All of the servers, particularly those with a CA installed, are equals.

Just joined the list following looking in the archives - so apologies
for the random quote from a post yesterday....

This has left me quite confused compared to my infrastructure and
directly impacts me as I need to take the first IPA install offline
indefinitely....

On the first system a service pki-cad status shows:
PKI Instance Name:   pki-ca
PKI Subsystem Type:  Root CA (Security Domain)

On the three systems built subsequently (with dns and CA replica
install options) the following is shown:

PKI Instance Name:   pki-ca
PKI Subsystem Type:  CA Clone (Security Domain)

The section 18.8.1 of the Identity Guide on the docs.redhat.com site
refers to entries such as:
ca.listenToCloneModifications=true
master.ca.agent.host=hostname
master.ca.agent.port=port number

However on none of my four IPA instances do these lines appear in CS.cfg ....

So far as I can see from ipa-csmanage-replica list the initial system
has a replica agreement with each of the other three but no agreements
exist between those other three themselves (ie all replication has to
go through the initial system).

This is a fully updated CentOS 6 system... IPA/PKI packages in the rpmdb:
ipa-server-selinux-2.1.3-9.el6.x86_64
libipa_hbac-1.5.1-66.el6_2.3.x86_64
libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-2.1.3-9.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
pki-java-tools-9.0.3-21.el6_2.noarch
pki-common-9.0.3-21.el6_2.noarch
pki-symkey-9.0.3-21.el6_2.x86_64
pki-util-9.0.3-21.el6_2.noarch
pki-ca-9.0.3-21.el6_2.noarch
pki-setup-9.0.3-21.el6_2.noarch
pki-silent-9.0.3-21.el6_2.noarch
pki-native-tools-9.0.3-21.el6_2.x86_64
pki-selinux-9.0.3-21.el6_2.noarch
krb5-pkinit-openssl-1.9-22.el6_2.1.x86_64

I can't quite reconcile all the above with the discussions on the
mailing list of how no promoting is needed in a dogtag (as opposed to
self signed) IPA replication topology....

So far as I can see at a minimum when the first server gets switched
off the other three will no longer exchange certificate information
and there might be CRL issues too?

Is there any tested procedure to go from a 'Clone' to a 'Root'
instance for the CAs (and sort out the replication agreements in the
process) in IPA 2.1/2.2?

Kind regards,

James Hogarth



From awnuk at redhat.com  Wed May 23 17:23:10 2012
From: awnuk at redhat.com (Andrew Wnuk)
Date: Wed, 23 May 2012 10:23:10 -0700
Subject: [Freeipa-users] PKI Subsystem Type: CA Clone convert to Root
In-Reply-To: 
References: 
Message-ID: <4FBD1CFE.600@redhat.com>

On 05/23/2012 08:59 AM, James Hogarth wrote:
>> I'll see if I can get one of the dogtag guys to take a look at this.
>>
>> In general, this is not really a big problem. All we are doing here is deciding which of the CAs will generate the CRL. You want just one because other operations are happening at the same time, potentially on other CAs, and if they are all generating a CRL at more or less the same time then the resulting CRLs could be different by a cert or two. For consistency's sake it is better to do this on one machine and publish it.
>>
>> Other than that there is no "master" promotion required. All of the servers, particularly those with a CA installed, are equals.
>
> Just joined the list following looking in the archives - so apologies
> for the random quote from a post yesterday....
>
> This has left me quite confused compared to my infrastructure and
> directly impacts me as I need to take the first IPA install offline
> indefinitely....
>
> On the first system a service pki-cad status shows:
> PKI Instance Name:   pki-ca
> PKI Subsystem Type:  Root CA (Security Domain)
>
> On the three systems built subsequently (with dns and CA replica
> install options) the following is shown:
>
> PKI Instance Name:   pki-ca
> PKI Subsystem Type:  CA Clone (Security Domain)
>
> The section 18.8.1 of the Identity Guide on the docs.redhat.com site
> refers to entries such as:
> ca.listenToCloneModifications=true
> master.ca.agent.host=hostname
> master.ca.agent.port=port number
>
> However on none of my four IPA instances do these lines appear in CS.cfg ....
>
> So far as I can see from ipa-csmanage-replica list the initial system
> has a replica agreement with each of the other three but no agreements
> exist between those other three themselves (ie all replication has to
> go through the initial system).
>
> This is a fully updated CentOS 6 system... IPA/PKI packages in the rpmdb:
> ipa-server-selinux-2.1.3-9.el6.x86_64
> libipa_hbac-1.5.1-66.el6_2.3.x86_64
> libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-admintools-2.1.3-9.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> pki-java-tools-9.0.3-21.el6_2.noarch
> pki-common-9.0.3-21.el6_2.noarch
> pki-symkey-9.0.3-21.el6_2.x86_64
> pki-util-9.0.3-21.el6_2.noarch
> pki-ca-9.0.3-21.el6_2.noarch
> pki-setup-9.0.3-21.el6_2.noarch
> pki-silent-9.0.3-21.el6_2.noarch
> pki-native-tools-9.0.3-21.el6_2.x86_64
> pki-selinux-9.0.3-21.el6_2.noarch
> krb5-pkinit-openssl-1.9-22.el6_2.1.x86_64
>
> I can't quite reconcile all the above with the discussions on the
> mailing list of how no promoting is needed in a dogtag (as opposed to
> self signed) IPA replication topology....
>
> So far as I can see at a minimum when the first server gets switched
> off the other three will no longer exchange certificate information
> and there might be CRL issues too?
>
> Is there any tested procedure to go from a 'Clone' to a 'Root'
> instance for the CAs (and sort out the replication agreements in the
> process) in IPA 2.1/2.2?
>
> Kind regards,
>
> James Hogarth
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

They are identical CAs, so calling one of them 'Root' and the others 'Clone' 
is quite misleading.

One of the Dogtag CAs is selected to produce CRLs to have a consistent source 
of revocation information.

CRL generation is one of many Dogtag CA options, and enabling or 
disabling this option does not make the selected CA 'Root' or 'Clone'.


Here is some information on Dogtag CA configuration which should help to 
clear up the confusion.


General information about related Dogtag CA default configuration:

  * CRL generation is by default enabled.
        ca.crl..enableCRLUpdates=true
    Absence of the above line is equivalent to CRL generation being
    enabled.

  * CRL cache is by default enabled.
        ca.crl..enableCRLCache=true
    Absence of the above line is equivalent to CRL cache being enabled.

  * CA's database maintenance thread is controlled by setting its interval.
    Its default value is 10 minutes, set by the following line:
        ca.certStatusUpdateInterval=600
    Absence of the above line is equivalent to setting the database
    maintenance thread interval to 10 minutes.
    CA's database maintenance thread can be disabled by setting its
    interval to zero:
        ca.certStatusUpdateInterval=0

  * Monitoring of database replications for the purpose of updating CRL
    cache is by default disabled.
        ca.listenToCloneModifications=false
    Absence of the above line is equivalent to disabled monitoring
    of database replications.

  * Redirection of CRL generation requests is by default disabled.
        master.ca.agent.host=
        master.ca.agent.port=
    Absence of the above lines is equivalent to redirection of CRL
    generation requests being disabled.


1. Installation of the first IPA should configure Dogtag CA generating CRLs:

    Default CA installation includes a CRL issuing point generating CRLs.
    Monitoring of database replications for the purpose of updating CRL
    cache can be added, assuming that the CA will be cloned, by setting
        ca.listenToCloneModifications=true


2. Installation of IPA's clone should configure Dogtag CA with CRL 
generation disabled:

    CRL generation can be disabled by setting
        ca.crl..enableCRLUpdates=false

    Redirection of CRL generation requests can be enabled by setting
        master.ca.agent.host=<hostname>
        master.ca.agent.port=<port>
    This step can be optional if IPA will not issue "manual" CRL
    generation requests.

    CA's database maintenance thread can be disabled by setting
        ca.certStatusUpdateInterval=0
    This step can be optional if each clone can verify certificate
    expiration independently.


3. Transferring CRL generation to another clone:

    CRL generation can be transferred from one CA clone to another
    by disabling CRL generation in the CA currently issuing CRLs,
    using the differences from the default configuration provided in (2),
    and enabling CRL generation in the new CA by applying the
    differences from the default configuration provided in (1).


Thank you,
Andrew
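Andrew's defaults and the three steps above, as an added Python example that is neither Dogtag's nor FreeIPA's code: it reads CS.cfg key=value lines, resolves each option with the "absent means default" rule, reports whether a CA is the CRL generator or a clone (with the optional settings worth a second look), and applies the step 3 transfer to a pair of constructed files. The issuing-point name MasterCRL, the host names and the port in the samples are assumptions for the example; the issuing-point name is otherwise read from whatever sits between "ca.crl." and ".enableCRLUpdates".

```python
"""Read a Dogtag CS.cfg and say whether the CA is the CRL generator or a clone,
using the 'absent key means default' rules listed above.

Added example, not Dogtag or FreeIPA code. The issuing-point name is taken
from the key itself; MasterCRL is only assumed when a file has no such key and
one has to be written. Host names and the port in the samples are constructed.
"""
import re

DEFAULT_ISSUING_POINT = "MasterCRL"  # assumption, used only when the key is absent
CRL_KEY_RE = re.compile(
    r"^ca\.crl\.(?P<ip>[^.]*)\.(?P<opt>enableCRLUpdates|enableCRLCache)$")

# Constructed samples: the first IPA's CA (step 1) and a clone's CA (step 2).
FIRST_CA = """\
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableCRLCache=true
ca.certStatusUpdateInterval=600
ca.listenToCloneModifications=true
"""
CLONE_CA = """\
ca.crl.MasterCRL.enableCRLUpdates=false
ca.certStatusUpdateInterval=0
master.ca.agent.host=ipa1.example.test
master.ca.agent.port=9443
"""


def parse_cs_cfg(text):
    """key=value lines into an insertion-ordered dict; blanks and # comments skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def render_cs_cfg(cfg):
    """Back to key=value lines (order preserved, new keys appended)."""
    return "".join("%s=%s\n" % kv for kv in cfg.items())


def issuing_points(cfg):
    """Issuing-point names seen in the file, or the assumed default."""
    names = set()
    for key in cfg:
        m = CRL_KEY_RE.match(key)
        if m:
            names.add(m.group("ip"))
    return sorted(names) or [DEFAULT_ISSUING_POINT]


def effective(cfg):
    """Resolve each option, applying Andrew's defaults for absent keys."""
    updates, caches = [], []
    for key, value in cfg.items():
        m = CRL_KEY_RE.match(key)
        if m:
            bucket = updates if m.group("opt") == "enableCRLUpdates" else caches
            bucket.append(value.lower() == "true")
    return {
        "crl_generation": any(updates) if updates else True,   # absent => enabled
        "crl_cache": any(caches) if caches else True,          # absent => enabled
        "db_maintenance_interval": int(cfg.get("ca.certStatusUpdateInterval", 600)),
        "listen_to_clone_modifications":
            cfg.get("ca.listenToCloneModifications", "false").lower() == "true",
        "redirect_crl_requests":
            bool(cfg.get("master.ca.agent.host")) and bool(cfg.get("master.ca.agent.port")),
    }


def crl_role(cfg):
    """'crl-generator' or 'clone', plus the optional settings worth a look."""
    s = effective(cfg)
    notes = []
    if s["crl_generation"]:
        role = "crl-generator"
        if not s["listen_to_clone_modifications"]:
            notes.append("ca.listenToCloneModifications is off: replicated changes "
                         "are not monitored for the CRL cache (wanted once clones exist)")
    else:
        role = "clone"
        if not s["redirect_crl_requests"]:
            notes.append("no master.ca.agent.host/port: manual CRL generation "
                         "requests are not redirected (optional)")
        if s["db_maintenance_interval"] != 0:
            notes.append("ca.certStatusUpdateInterval is not 0: the maintenance "
                         "thread still runs on this clone (optional)")
    s.update(role=role, notes=notes)
    return s


def transfer_crl_generation(current_text, new_text, new_host, new_port):
    """Step 3: apply the step-2 deltas to the current generator and the
    step-1 deltas to the new one. Returns both files' new contents."""
    current = parse_cs_cfg(current_text)
    for ip in issuing_points(current):
        current["ca.crl.%s.enableCRLUpdates" % ip] = "false"
    current["master.ca.agent.host"] = new_host
    current["master.ca.agent.port"] = str(new_port)
    current["ca.certStatusUpdateInterval"] = "0"

    new = parse_cs_cfg(new_text)
    for ip in issuing_points(new):
        new["ca.crl.%s.enableCRLUpdates" % ip] = "true"
    new["ca.listenToCloneModifications"] = "true"
    new.pop("master.ca.agent.host", None)         # back to default: no redirection
    new.pop("master.ca.agent.port", None)
    new.pop("ca.certStatusUpdateInterval", None)  # back to the 10-minute default
    return render_cs_cfg(current), render_cs_cfg(new)


if __name__ == "__main__":
    for name, text in (("first", FIRST_CA), ("clone", CLONE_CA)):
        print(name, crl_role(parse_cs_cfg(text))["role"])
    demoted, promoted = transfer_crl_generation(FIRST_CA, CLONE_CA, "ipa2.example.test", 9443)
    print(crl_role(parse_cs_cfg(demoted))["role"], crl_role(parse_cs_cfg(promoted))["role"])
```

Pointing crl_role at each instance's CS.cfg answers James's question directly: more than one "crl-generator" in the topology (or none) is the misconfiguration to look for, and the "Root CA"/"CA Clone" label from pki-cad status is not what decides it.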




From hahaha_30k at yahoo.com  Wed May 23 19:08:42 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Wed, 23 May 2012 12:08:42 -0700 (PDT)
Subject: [Freeipa-users] I've done it by myself and it works -- Re: Feature
	request: Web UI for IPA users to reset their own expired passwords
In-Reply-To: <1337505737.89279.YahooMailNeo@web160703.mail.bf1.yahoo.com>
References: <1337505737.89279.YahooMailNeo@web160703.mail.bf1.yahoo.com>
Message-ID: <1337800122.16282.YahooMailNeo@web160706.mail.bf1.yahoo.com>

I've coded it with python-kerberos and it works. Pretty rough though.

--Gelen.


________________________________
 From: Gelen James 
To: "freeipa-devel at redhat.com"  
Sent: Sunday, May 20, 2012 2:22 AM
Subject: Feature request:  Web UI for IPA users to reset their own expired passwords
 

The current assumption is that all IPA users can log in to Unix/Linux machines to change their IPA password, or reset their expired password.

But this is not available all the time, so a more general alternative -- web UI -- will be more appreciated. The basic requirements are:

1, The web UI accepts the user's password; an expired one is also accepted.

2, the authentication is based on IPA Kerberos.

3, an authenticated regular IPA user can reset only his/her own password.

4, (bonus) authenticated admin users can alter other users' passwords as well.


Thanks.

--Gelen

From rcritten at redhat.com  Wed May 23 19:14:10 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 23 May 2012 15:14:10 -0400
Subject: [Freeipa-users] [Freeipa-devel] I've done it by myself and it
 works -- Re: Feature request: Web UI for IPA users to reset their own
 expired passwords
In-Reply-To: <1337800122.16282.YahooMailNeo@web160706.mail.bf1.yahoo.com>
References: <1337505737.89279.YahooMailNeo@web160703.mail.bf1.yahoo.com>
	<1337800122.16282.YahooMailNeo@web160706.mail.bf1.yahoo.com>
Message-ID: <4FBD3702.9000702@redhat.com>

Gelen James wrote:
> I've coded it with python-kerberos and it works. Pretty rough though.

Is this something you'd be interested in contributing?

rob

>
> --Gelen.
>
> ------------------------------------------------------------------------
> *From:* Gelen James 
> *To:* "freeipa-devel at redhat.com" 
> *Sent:* Sunday, May 20, 2012 2:22 AM
> *Subject:* Feature request: Web UI for IPA users to reset their own
> expired passwords
>
> The current assumption is that all IPA users can log in to Unix/Linux
> machines to change their IPA password, or reset their expired password.
>
> But this is not available all the time, so a more general alternative --
> web UI -- will be more appreciated. The basic requirements are:
>
> 1, The web UI accepts the user's password; an expired one is also accepted.
> 2, the authentication is based on IPA Kerberos.
>
> 3, an authenticated regular IPA user can reset only his/her own password.
>
> 4, (bonus) authenticated admin users can alter other users' passwords as
> well.
>
>
> Thanks.
>
> --Gelen
>
>
>
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel



From hahaha_30k at yahoo.com  Wed May 23 19:43:34 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Wed, 23 May 2012 12:43:34 -0700 (PDT)
Subject: [Freeipa-users] [Freeipa-devel] I've done it by myself and it
	works -- Re: Feature request: Web UI for IPA users to reset
	their own expired passwords
In-Reply-To: <4FBD3702.9000702@redhat.com>
References: <1337505737.89279.YahooMailNeo@web160703.mail.bf1.yahoo.com>
	<1337800122.16282.YahooMailNeo@web160706.mail.bf1.yahoo.com>
	<4FBD3702.9000702@redhat.com>
Message-ID: <1337802214.62693.YahooMailNeo@web160703.mail.bf1.yahoo.com>

No problem.

The code is attached. It is just one python script, with configuration items on the top.

Please be reminded that this code is pretty rough and not well-tested, as I cannot find appropriate documents on how to use the python kerberos module.

Disclaimer: this piece of code just works as a prototype; it is not well-tested, nor DoS-attack-proof at all, so it could potentially harm or totally destroy someone's authentication system. :(

Thanks.

--Gelen



________________________________
 From: Rob Crittenden 
To: Gelen James  
Cc: "freeipa-devel at redhat.com" ; "freeipa-users at redhat.com"  
Sent: Wednesday, May 23, 2012 12:14 PM
Subject: Re: [Freeipa-devel] I've done it by myself and it works -- Re: Feature request: Web UI for IPA users to reset their own expired passwords
 
Gelen James wrote:
> I've coded it with python-kerberos and it works. Pretty rough though.

Is this something you'd be interested in contributing?

rob

>
> --Gelen.
>
> ------------------------------------------------------------------------
> *From:* Gelen James 
> *To:* "freeipa-devel at redhat.com" 
> *Sent:* Sunday, May 20, 2012 2:22 AM
> *Subject:* Feature request: Web UI for IPA users to reset their own
> expired passwords
>
> The current assumption is that all IPA users can log in to Unix/Linux
> machines to change their IPA password, or reset their expired password.
>
> But this is not available all the time, so a more general alternative --
> web UI -- will be more appreciated. The basic requirements are:
>
> 1, The web UI accepts the user's password; an expired one is also accepted.
> 2, the authentication is based on IPA Kerberos.
>
> 3, an authenticated regular IPA user can reset only his/her own password.
>
> 4, (bonus) authenticated admin users can alter other users' passwords as
> well.
>
>
> Thanks.
>
> --Gelen
>
>
>
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kchange.py
Type: application/octet-stream
Size: 8598 bytes
Desc: not available
URL: 

From janfrode at tanso.net  Wed May 23 21:40:30 2012
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Wed, 23 May 2012 23:40:30 +0200
Subject: [Freeipa-users] ipa ports
Message-ID: <20120523214030.GA20501@dibs.tanso.net>

We have quite strict firewalls, so I need to specify the IPA network
ports accurately. So, we have now opened:

	80/tcp, 88/tcp, 389/tcp, 443/tcp, 464/tcp, 636/tcp
	88/udp, 464/udp

in to our first IPA server. Now I'm in the process of configuring the
first replica. Are there any other ports that need to be opened between
the ipa master and replica?

We don't serve NTP or DNS from IPA, so I guess these shouldn't be
relevant, but I think we want dogtag replicated, so there are maybe some
ports for that that need opening?

Or, to put it another way, which of these ports:

	http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Preparing_for_an_IPA_Installation.html#prereq-ports

need to be opened between ipa servers, which for all clients, which for
replicas and which for administrative clients?

	HTTP/HTTPS	-- open for all
	LDAP/LDAPS	-- open for all
	Kerberos	-- open for all
	OCSP responder  -- open for all if we use certs

	dogtag 9443 (agents)	-- ?
	dogtag 9444 (users, SSL)	-- ?
	dogtag 9445 (administrators)	-- ?
	dogtag 9446 (users, client authentication)	-- ?
	dogtag 9701 (Tomcat)	-- ?
	dogtag 7389 (internal LDAP database) -- ?


  -jf



From TChow at eexchange.com  Wed May 23 21:57:27 2012
From: TChow at eexchange.com (TChow at eexchange.com)
Date: Wed, 23 May 2012 14:57:27 -0700
Subject: Message removed by Red Hat, Inc. administrators
In-Reply-To: <4FBC58AC.2040004@redhat.com>
References: <201205211955.q4LJtWrB025483@mx1.redhat.com>
	<4FBB974A.30604@redhat.com>
	<201205222125.q4MLPsxi021523@mx1.redhat.com>
	<4FBC58AC.2040004@redhat.com>
Message-ID: <201205232157.q4NLvHNl018576@mx1.redhat.com>

Message removed by Red Hat, Inc. administrators


From dpal at redhat.com  Wed May 23 23:27:11 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 23 May 2012 19:27:11 -0400
Subject: [Freeipa-users] ipa ports
In-Reply-To: <20120523214030.GA20501@dibs.tanso.net>
References: <20120523214030.GA20501@dibs.tanso.net>
Message-ID: <4FBD724F.4090608@redhat.com>

On 05/23/2012 05:40 PM, Jan-Frode Myklebust wrote:
> We have quite strict firewalls, so I need to specify the IPA network
> ports accurately. So, we have now opened:
>
> 	80/tcp, 88/tcp, 389/tcp, 443/tcp, 464/tcp, 636/tcp
> 	88/udp, 464/udp
>
> in to our first IPA server. Now I'm in the process of configuring the
> first replica. Are there any other ports that need to be opened between
> the ipa master and replica?
>
> We don't serve NTP or DNS from IPA, so I guess these shouldn't be
> relevant, but I think we want dogtag replicated, so there are maybe some
> ports for that that need opening?
>
> Or, to put it another way, which of these ports:
>
> 	http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Preparing_for_an_IPA_Installation.html#prereq-ports
>
> need to be opened between ipa servers, which for all clients, which for
> replicas and which for administrative clients?
>
> 	HTTP/HTTPS	-- open for all
> 	LDAP/LDAPS	-- open for all
> 	Kerberos	-- open for all
> 	OCSP responder  -- open for all if we use certs
>
> 	dogtag 9443 (agents)	-- ?
> 	dogtag 9444 (users, SSL)	-- ?
> 	dogtag 9445 (administrators)	-- ?
> 	dogtag 9446 (users, client authentication)	-- ?
> 	dogtag 9701 (Tomcat)	-- ?
> 	dogtag 7389 (internal LDAP database) -- ?
>
>

Dogtag ports are now proxied via HTTP:
https://fedorahosted.org/freeipa/ticket/1334
I guess we need a doc bug to correct the documentation.
Opened: https://bugzilla.redhat.com/show_bug.cgi?id=824666

A replica can check its connectivity to the master it is created from using
the ipa-replica-conncheck utility on the replica.
It seems that this is not documented.
Opened: https://bugzilla.redhat.com/show_bug.cgi?id=824667

>   -jf
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





From hahaha_30k at yahoo.com  Thu May 24 00:13:35 2012
From: hahaha_30k at yahoo.com (Gelen James)
Date: Wed, 23 May 2012 17:13:35 -0700 (PDT)
Subject: [Freeipa-users] freeIPA 2.2.0 on Fedora core 16?
Message-ID: <1337818415.47911.YahooMailNeo@web160702.mail.bf1.yahoo.com>

Hi all,

Could FreeIPA 2.2.0 be installed on FC16? The FreeIPA site said that FC16 has some underlying dependencies.

Thanks.

--Gelen

From Steven.Jones at vuw.ac.nz  Thu May 24 04:26:10 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 24 May 2012 04:26:10 +0000
Subject: [Freeipa-users] RHEL6.3 documentation error...
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC99D42@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Page 381 section 18.7.2 says,

ipa replica-manage connect srv2.example.com srv4.example.com

when in fact there needs to be a "-" in there, e.g.,

vuwunicoipam001.ods.vuw.ac.nz: master
[root at vuwunicoipam001 ~]# ipa replica-manage

ipa: ERROR: unknown command 'replica-manage'
[root at vuwunicoipam001 ~]#
[root at vuwunicoipam001 ~]# ipa replica-manage help
ipa: ERROR: unknown command 'replica-manage'
[root at vuwunicoipam001 ~]# ipa-replica-manage help
Usage: ipa-replica-manage [options]

ipa-replica-manage: error: must provide a command [force-sync | disconnect | list | del | connect | re-initialize]
[root at vuwunicoipam001 ~]#

[root at vuwunicoipam001 ~]# ipa-replica-manage list
Directory Manager password:
vuwunicoipam001.ods.vuw.ac.nz: master
[root at vuwunicoipam001 ~]#


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From Steven.Jones at vuw.ac.nz  Thu May 24 05:50:53 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 24 May 2012 05:50:53 +0000
Subject: [Freeipa-users] two way changes
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC99DEB@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Just wondering, but I thought that whether I did changes on the original master or on the replica, the changes would flow to the other both ways? Or do changes only flow from the original master to the replica?




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From mkosek at redhat.com  Thu May 24 08:40:17 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 24 May 2012 10:40:17 +0200
Subject: [Freeipa-users] RHEL6.3 documentation error...
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC99D42@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC99D42@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1337848817.12656.2.camel@balmora.brq.redhat.com>

Hi Steven,

thanks for reporting this, I created a Bugzilla for the doc:
https://bugzilla.redhat.com/show_bug.cgi?id=824768

Martin

On Thu, 2012-05-24 at 04:26 +0000, Steven Jones wrote:
> Hi,
> 
> Page 381 section 18.7.2 says,
> 
> ipa replica-manage connect srv2.example.com srv4.example.com
> 
> when in fact there needs to be a "-" in there, e.g.,
> 
> vuwunicoipam001.ods.vuw.ac.nz: master
> [root at vuwunicoipam001 ~]# ipa replica-manage
> 
> ipa: ERROR: unknown command 'replica-manage'
> [root at vuwunicoipam001 ~]# 
> [root at vuwunicoipam001 ~]# ipa replica-manage help
> ipa: ERROR: unknown command 'replica-manage'
> [root at vuwunicoipam001 ~]# ipa-replica-manage help
> Usage: ipa-replica-manage [options]
> 
> ipa-replica-manage: error: must provide a command [force-sync |
> disconnect | list | del | connect | re-initialize]
> [root at vuwunicoipam001 ~]# 
> 
> [root at vuwunicoipam001 ~]# ipa-replica-manage list 
> Directory Manager password: 
> vuwunicoipam001.ods.vuw.ac.nz: master 
> [root at vuwunicoipam001 ~]# 
> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




From mkosek at redhat.com  Thu May 24 08:43:54 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 24 May 2012 10:43:54 +0200
Subject: [Freeipa-users] two way changes
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC99DEB@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC99DEB@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1337849034.12656.5.camel@balmora.brq.redhat.com>

On Thu, 2012-05-24 at 05:50 +0000, Steven Jones wrote:
> Hi,
> 
> Just wondering, but I thought that whether I did changes on the
> original master or on the replica, the changes would flow to the
> other both ways? Or do changes only flow from the original master to the replica?
> 
> 

Since we use multi-master replication, the LDAP changes should "flow"
both ways, i.e. when you change data either on master or replica - of
course, if the attribute or the tree itself is replicated.

If the replication is not working properly for you, I would check the dirsrv
error log; it may contain some relevant error messages.

Martin




From mkosek at redhat.com  Thu May 24 08:50:23 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 24 May 2012 10:50:23 +0200
Subject: [Freeipa-users] ipa ports
In-Reply-To: <4FBD724F.4090608@redhat.com>
References: <20120523214030.GA20501@dibs.tanso.net>
	<4FBD724F.4090608@redhat.com>
Message-ID: <1337849423.12656.9.camel@balmora.brq.redhat.com>

On Wed, 2012-05-23 at 19:27 -0400, Dmitri Pal wrote:
> On 05/23/2012 05:40 PM, Jan-Frode Myklebust wrote:
> > We have quite strict firewalls, so I need to specify the IPA network
> > ports accurately. So, we have now opening for:
> >
> > 	80/tcp, 88/tcp, 389/tcp, 443/tcp, 464/tcp, 636/tcp
> > 	88/udp, 464/udp
> >
> > in to our first IPA server. Now I'm in the process of configuring the
> > first replica. Is there any other ports that needs to be opened between
> > ipa master and replica?
> >
> > We don't serve NTP or DNS from IPA, so I guess these shouldn't be
> > relevant, but I think we want dogtag replicated, so there's maybe some
> > ports for that that needs opening ?
> >
> > Or, to put it another way, which of these ports:
> >
> > 	http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Preparing_for_an_IPA_Installation.html#prereq-ports
> >
> > needs to be opened between ipa server, which for all clients, which for
> > replica and which for administrative clients ?
> >
> > 	HTTP/HTTPS	-- open for all
> > 	LDAP/LDAPS	-- open for all
> > 	Kerberos	-- open for all
> > 	OCSP responder  -- open for all if we use certs
> >
> > 	dogtag 9443 (agents)	-- ?
> > 	dogtag 9444 (users, SSL)	-- ?
> > 	dogtag 9445 (administrators)	-- ?
> > 	dogtag 9446 (users, client authentication)	-- ?
> > 	dogtag 9701 (Tomcat)	-- ?
> > 	dogtag 7389 (internal LDAP database) -- ?
> >
> >
> 
> Dogtag ports are now proxied vial HTTP

Exactly. So in your case, between replicas, you would need to open the ports
you specified:

> 	80/tcp, 88/tcp, 389/tcp, 443/tcp, 464/tcp, 636/tcp
> > 	88/udp, 464/udp

+ the proxy port: 7389/tcp

I suppose you don't need to open 7389/tcp for all clients unless you
want them to be able to run LDAP searches against the dogtag backend LDAP
database.

Martin
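
The port split Martin confirms above (client ports for everyone, 7389/tcp only between IPA servers), turned into a small firewall helper. This is an added example, not code from the thread or from FreeIPA: the client subnet, the replica addresses and the iptables rule text are assumptions made for illustration, and the port list assumes IPA serves neither DNS nor NTP, as in Jan-Frode's setup.

```python
"""Added example (not from the thread): derive the firewall opening an IPA 2.x
server needs from the port list confirmed in the thread, keeping the Dogtag
backend LDAP port (7389/tcp) reachable from the other IPA servers only.
The client network, replica addresses and the iptables rule text are
assumptions made for illustration; check them against your own setup."""
import ipaddress

# Ports every IPA client needs (no DNS/NTP served by IPA, as in the thread).
CLIENT_TCP = (80, 88, 389, 443, 464, 636)
CLIENT_UDP = (88, 464)
# Dogtag's backend LDAP instance: other IPA servers only (CA replication).
REPLICA_ONLY_TCP = (7389,)


def expected_ports(peer="client"):
    """Ports a peer of the given kind ('client' or 'replica') must reach."""
    if peer not in ("client", "replica"):
        raise ValueError(f"unknown peer type: {peer}")
    tcp = list(CLIENT_TCP)
    if peer == "replica":
        tcp += REPLICA_ONLY_TCP
    return {"tcp": sorted(tcp), "udp": sorted(CLIENT_UDP)}


def missing_ports(open_tcp, open_udp, peer="client"):
    """Which of the expected ports are not yet opened for that peer kind."""
    want = expected_ports(peer)
    return {"tcp": [p for p in want["tcp"] if p not in set(open_tcp)],
            "udp": [p for p in want["udp"] if p not in set(open_udp)]}


def iptables_rules(client_nets, replica_addrs):
    """Build iptables INPUT rules (as strings, one per line) for one server.

    client_nets:   CIDR prefixes that hold IPA clients.
    replica_addrs: addresses of the other IPA servers; they need the client
                   ports too, plus 7389/tcp.
    """
    rules = []

    def accept(src, proto, port):
        rules.append(f"-A INPUT -s {src} -p {proto} --dport {port} -j ACCEPT")

    for net in client_nets:
        src = str(ipaddress.ip_network(net, strict=False))  # validates input
        for port in CLIENT_TCP:
            accept(src, "tcp", port)
        for port in CLIENT_UDP:
            accept(src, "udp", port)
    for addr in replica_addrs:
        src = str(ipaddress.ip_address(addr))
        for port in CLIENT_TCP + REPLICA_ONLY_TCP:
            accept(src, "tcp", port)
        for port in CLIENT_UDP:
            accept(src, "udp", port)
    return rules


if __name__ == "__main__":
    # Constructed sample: one client subnet and two other IPA servers.
    print("\n".join(iptables_rules(["10.0.0.0/24"], ["10.0.1.5", "10.0.1.6"])))
    # Jan-Frode's opening, checked against what a replica peer needs.
    print(missing_ports({80, 88, 389, 443, 464, 636}, {88, 464}, "replica"))
```

Feed the rule lines to iptables-restore (or translate them to your firewall of choice); `missing_ports` is the offline counterpart of running ipa-replica-conncheck from the new replica.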



From james.hogarth at gmail.com  Thu May 24 09:23:29 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Thu, 24 May 2012 10:23:29 +0100
Subject: [Freeipa-users] PKI Subsystem Type: CA Clone convert to Root
In-Reply-To: <4FBD1CFE.600@redhat.com>
References: 
	<4FBD1CFE.600@redhat.com>
Message-ID: 

>
> They are identical CAs so calling one of them 'Root' and others 'Clone' is
> quite misleading.
>
> One of Dogtag CAs is selected to produce CRLs to have consistent source of
> revocation information.
>
> CRL generation is one of many Dogtag CA options and enabling or disabling
> this option
> does not make selected CA 'Root' or 'Clone'.
>
>

Andrew, I understand what you are trying to say about what should be
the case... I'm describing what I'm actually seeing on my systems and
attempting to work out why there are discrepancies, how these can be
resolved and what the actual effect of switching off the server first
built will be (given that the replication agreements apparently all go
through that according to ipa-csreplica-manage and I get errors trying
to arrange other agreements... plus the service pki-cad status stating
quite clearly the first is 'Root' and the other three 'Clone'
regardless of what the documentation in place on the Red Hat/Fedora
sites implies).

Here's the output of service pki-cad status on each system:
[root at first ~]# service pki-cad status
pki-ca (pid 6754) is running...                            [  OK  ]
    Unsecure Port       = http://first.ipa.system.built:9180/ca/ee/ca
    Secure Agent Port   = https://first.ipa.system.built:9443/ca/agent/ca
    Secure EE Port      = https://first.ipa.system.built:9444/ca/ee/ca
    Secure Admin Port   = https://first.ipa.system.built:9445/ca/services
    EE Client Auth Port = https://first.ipa.system.built:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://first.ipa.system.built:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://first.ipa.system.built:443
    ==========================================================================

[root at second ~]# service pki-cad status
pki-ca (pid 11580) is running...                           [  OK  ]
    Unsecure Port       = http://second.ipa.system.built:9180/ca/ee/ca
    Secure Agent Port   = https://second.ipa.system.built:9443/ca/agent/ca
    Secure EE Port      = https://second.ipa.system.built:9444/ca/ee/ca
    Secure Admin Port   = https://second.ipa.system.built:9445/ca/services
    EE Client Auth Port = https://second.ipa.system.built:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://second.ipa.system.built:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  CA Clone (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://second.ipa.system.built:443
    ==========================================================================

[root at third ~]# service pki-cad status
pki-ca (pid 24039) is running...                           [  OK  ]
    Unsecure Port       = http://third.ipa.system.built:9180/ca/ee/ca
    Secure Agent Port   = https://third.ipa.system.built:9443/ca/agent/ca
    Secure EE Port      = https://third.ipa.system.built:9444/ca/ee/ca
    Secure Admin Port   = https://third.ipa.system.built:9445/ca/services
    EE Client Auth Port = https://third.ipa.system.built:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://third.ipa.system.built:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  CA Clone (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://third.ipa.system.built:443
    ==========================================================================

[root at fourth ~]# service pki-cad status
pki-ca (pid 19349) is running...                           [  OK  ]
    Unsecure Port       = http://fourth.ipa.system.built:9180/ca/ee/ca
    Secure Agent Port   = https://fourth.ipa.system.built:9443/ca/agent/ca
    Secure EE Port      = https://fourth.ipa.system.built:9444/ca/ee/ca
    Secure Admin Port   = https://fourth.ipa.system.built:9445/ca/services
    EE Client Auth Port = https://fourth.ipa.system.built:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://fourth.ipa.system.built:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  CA Clone (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://fourth.ipa.system.built:443
    ==========================================================================

Next here's the csreplica list output:

[root at first ~]# ipa-csreplica-manage list `uname -n`
Directory Manager password:

second.ipa.system.built
third.ipa.system.built
fourth.ipa.system.built


[root at second ~]# ipa-csreplica-manage list `uname -n`
Directory Manager password:

first.ipa.system.built

[root at third ~]# ipa-csreplica-manage list `uname -n`
Directory Manager password:

first.ipa.system.built

[root at fourth ~]# ipa-csreplica-manage list `uname -n`
Directory Manager password:

first.ipa.system.built

An attempt to add a replication agreement between third and fourth results in:
[root at third ~]# ipa-csreplica-manage connect `uname -n` fourth.ipa.system.built
Directory Manager password:

This replication agreement already exists.

Attached are the sanitized (so far as I can see) CS.cfg files for
first and third - second and fourth are the same as the third -
barring hostnames of course.

These are full IPA systems with DNS and Dogtag integration enabled
across the board....

There is a clear discrepancy between the expected and the actual -
so something must be going weird here.....

Kind regards,

James
-------------- next part --------------
A non-text attachment was scrubbed...
Name: first-CS.cfg
Type: application/octet-stream
Size: 65293 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: third-CS.cfg
Type: application/octet-stream
Size: 65797 bytes
Desc: not available
URL: 

From janfrode at tanso.net  Thu May 24 09:34:10 2012
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Thu, 24 May 2012 11:34:10 +0200
Subject: [Freeipa-users] ipa ports
In-Reply-To: <1337849423.12656.9.camel@balmora.brq.redhat.com>
References: <20120523214030.GA20501@dibs.tanso.net>
	<4FBD724F.4090608@redhat.com>
	<1337849423.12656.9.camel@balmora.brq.redhat.com>
Message-ID: <20120524093409.GA4554@dibs.tanso.net>

On Thu, May 24, 2012 at 10:50:23AM +0200, Martin Kosek wrote:
> 
> I suppose you don't need to open 7389/tcp for all clients unless you
> want them to be able to run LDAP search against dogtag backend LDAP
> database.

I don't see why I would want that, so I'll just open it between the
ipa-servers for now. The ipa-replica-conncheck utility looks great,
thanks!


  -jf



From rcritten at redhat.com  Thu May 24 13:05:15 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 24 May 2012 09:05:15 -0400
Subject: [Freeipa-users] freeIPA 2.2.0 on Fedora core 16?
In-Reply-To: <1337818415.47911.YahooMailNeo@web160702.mail.bf1.yahoo.com>
References: <1337818415.47911.YahooMailNeo@web160702.mail.bf1.yahoo.com>
Message-ID: <4FBE320B.2000207@redhat.com>

Gelen James wrote:
> Hi all,
>
> Could FC16 installed FreeIPA 2.2.0? the freeIPA site said that FC16 has
> some underlying dependencies.

It is possible to build it and install in F-16 but you'll have SELinux 
problems.

rob



From dpal at redhat.com  Thu May 24 17:03:24 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 24 May 2012 13:03:24 -0400
Subject: [Freeipa-users] Custom ACI entries
In-Reply-To: <4FB50F7E.9060301@sesda2.com>
References: <4FB43344.4020501@sesda2.com> <4FB4FE67.9020204@redhat.com>
	<4FB50F7E.9060301@sesda2.com>
Message-ID: <4FBE69DC.9000501@redhat.com>

On 05/17/2012 10:47 AM, Lucas Yamanishi wrote:
> On 05/17/2012 09:34 AM, Rob Crittenden wrote:
>> Lucas Yamanishi wrote:
>>> Hi everybody,
>>>
>>> I've added some custom schema to my directory, but it's useless to me
>>> if I can't control read permissions on it.  This is obviously a little
>>> tricky since (Free)IPA allows everybody to read everything by default.
>>>   With that, what's the best way to restrict access to user attributes?
>>> Is there anything like this in the roadmap?
>> Right now there are no plans to support deny ACIs natively in the
>> permission plugin. That isn't set in stone, we just need some convincing.
> Then let me make the case:
>
> I know IPA is aimed mainly at authentication and authorization, but it
> provides enough base schema and tree structure to do basic asset and
> personnel management.  More importantly, it's easier to setup than a
> pure 389 Directory.  This makes it ideal for small to medium sized
> organizations that don't need the extra utility a separate directory
> provides.  Additionally, the well-designed webui makes it easy to
> delegate tasks to non-technical personnel.  The requirements to achieve
> this end are two: add native support for a restricted set of schema
> extensions and fine-grained access controls to those attributes.
>
> For schema extensions, support could (and should) be limited only to
> additional attributes on a restricted set of existing objects.  For
> example, additions to users and hosts.  This would satisfy requirements
> for a majority of small to medium sized organizations, I'd think.


Building a generic mechanism is really a lot of work.
It might be simpler to do it differently, i.e. incrementally add support
for additional attributes.
Do you have the schema that you added handy?
What is the application that uses it? Is it popular? Is it open source?
If it is, it might make sense to just support these attributes out of the box
if the schema is loaded.
 

>> The best way to do this is what you've done, manually creating ACIs. The
>> problem with deny ACIs is they can get very hard to unwind when trying
>> to figure out why things aren't working.
> How do you mean?
>
>>> For the interim I've crafted some custom aci entries.  Where should I
>>> put them?  Will they work?  Here they are:
>>>
>>>> aci: (targetattr =
>>>>    "attribute1 ||
>>>>    attribute2 ||
>>>>    attribute3")
>>>>   (version 3.0; acl "custom attributes base"; deny (all)
>>>>    (userdn = "ldap:///anyone" and
>>>>    userdn != "ldap:///self" and
>>>>    groupdn != "ldap:///cn=Read custom
>>>> attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>>>>
>>>> aci: (targetattr =
>>>>    "attribute1 ||
>>>>    attribute2 ||
>>>>    attribute3")
>>>>   (version 3.0; acl "custom attributes update"; allow (add, read,
>>>> write, search, delete)
>>>>    (userdn = "ldap:///self" or
>>>>    groupdn = "ldap:///cn=Manage custom
>>>> attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>>>
>> We put all ACIs into the basedn, so for you dc=sesda2,dc=com.
>>
>> This is going to be tricky since you want to delegate these but you
>> can't create them natively. This means you need to create both the aci
>> and the permission entry.
>>
>> A sample permission would look like:
>>
>> dn: cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: ipapermission
>> cn: Read custom attributes
> Can't I add these via "ipa permission-add" or the webui?
>
>> The ACIs need a little bit of work. The name of the aci needs to match
>> the name of the ACI that permission is being granted to, with a prefix
>> of permission:. So it should look more like:
>>
>> aci: (targetattr =  "attribute1 ||  attribute2 ||  attribute3")
>>  (version 3.0; acl "permission:Read custom attributes"; deny (all)
>>   (userdn = "ldap:///anyone" and
>>   userdn != "ldap:///self" and
>>   groupdn != "ldap:///cn=Read custom
>> attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>>
>> For the second ACI you don't need add and delete, those are entry-level
>> permissions. You might want to add compare though.
>>
>> We also tend to separate things you can do to your own entry from things
>> you can do to others. So we would break this out into some selfservice
>> ACIs and permission ACIs. Not saying what you're doing won't work.
>>
>> rob
>
> Thanks!
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
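
The permission entry and ACIs in the shape Rob describes, generated rather than hand-typed so the one thing IPA keys on (the acl name being "permission:" plus the cn of the permission group the bind rule references) cannot drift. This is an added example, not code from the thread or from FreeIPA. The base DN, permission names and attribute names are the thread's; the helper names, the deny wording (taken from Rob's corrected version), and the "selfservice:" prefix for the self-service ACI (IPA's own convention for those, to my knowledge, but an assumption here) are mine.

```python
"""Added example (not from the thread): generate the permission entry and
ACIs as Rob outlines: acl name "permission:<name>" matching the permission
group in the bind rule, attribute-level rights only (read/search/compare/
write, no add/delete), self-service split into its own ACI. Base DN and
names come from the thread; helper names and the "selfservice:" prefix are
assumptions for illustration."""
import re

BASEDN = "dc=sesda2,dc=com"
ATTR_RIGHTS = ("read", "search", "compare", "write")  # add/delete are entry-level


def permission_dn(name, basedn=BASEDN):
    return f"cn={name},cn=permissions,cn=pbac,{basedn}"


def permission_entry(name, basedn=BASEDN):
    """LDIF for the permission group the ACI is tied to (objectclasses as in the thread)."""
    return "\n".join([
        f"dn: {permission_dn(name, basedn)}",
        "objectClass: top",
        "objectClass: groupofnames",
        "objectClass: ipapermission",
        f"cn: {name}",
    ]) + "\n"


def build_aci(attrs, acl_name, verb, rights, bind_rule):
    """One 389-ds v3 ACI targeting the given attributes."""
    target = " || ".join(attrs)
    rights_s = ",".join(rights)
    return (f'(targetattr = "{target}")'
            f'(version 3.0; acl "{acl_name}"; {verb} ({rights_s}) '
            f'({bind_rule});)')


def read_deny_aci(attrs, name, basedn=BASEDN):
    """Rob's corrected first ACI: hide the attributes from everyone except the
    entry itself and members of the Read permission group."""
    rule = ('userdn = "ldap:///anyone" and userdn != "ldap:///self" and '
            f'groupdn != "ldap:///{permission_dn(name, basedn)}"')
    return build_aci(attrs, f"permission:{name}", "deny", ("all",), rule)


def manage_allow_aci(attrs, name, basedn=BASEDN):
    """Second ACI with add/delete dropped and compare added, for the Manage group."""
    rule = f'groupdn = "ldap:///{permission_dn(name, basedn)}"'
    return build_aci(attrs, f"permission:{name}", "allow", ATTR_RIGHTS, rule)


def selfservice_aci(attrs, name):
    """What a user may do to their own entry, kept apart from the permission ACIs."""
    return build_aci(attrs, f"selfservice:{name}", "allow", ATTR_RIGHTS,
                     'userdn = "ldap:///self"')


ACL_NAME_RE = re.compile(r'acl "([^"]+)"')
PERM_GROUP_RE = re.compile(r'groupdn\s*!?=\s*"ldap:///cn=([^,]+),cn=permissions,')


def acl_name(aci):
    m = ACL_NAME_RE.search(aci)
    return m.group(1) if m else None


def permission_name_consistent(aci):
    """True when the acl name is 'permission:<X>' and <X> is exactly the cn of
    the permission group in the bind rule; otherwise IPA has nothing to tie
    the ACI to (the naming pitfall Rob points out)."""
    name = acl_name(aci)
    if not name or not name.startswith("permission:"):
        return False
    m = PERM_GROUP_RE.search(aci)
    return bool(m) and m.group(1) == name[len("permission:"):]


def modify_ldif(acis, basedn=BASEDN):
    """ldapmodify input adding the ACIs to the base entry, where IPA keeps them."""
    lines = [f"dn: {basedn}", "changetype: modify", "add: aci"]
    lines += [f"aci: {a}" for a in acis]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    attrs = ["attribute1", "attribute2", "attribute3"]
    print(permission_entry("Read custom attributes"))
    print(permission_entry("Manage custom attributes"))
    acis = [read_deny_aci(attrs, "Read custom attributes"),
            manage_allow_aci(attrs, "Manage custom attributes"),
            selfservice_aci(attrs, "Edit own custom attributes")]
    for a in acis:
        print(acl_name(a), permission_name_consistent(a))
    print(modify_ldif(acis))
```

Load the permission entries first (ldapadd as Directory Manager), then the modify LDIF; run `permission_name_consistent` over any ACI you edit by hand before loading it. The self-service ACI deliberately fails that check, since it is not a permission ACI.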





From dpal at redhat.com  Thu May 24 17:21:54 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 24 May 2012 13:21:54 -0400
Subject: [Freeipa-users] Please help: What the purposes of '--usercat'
 and '--hostcat' options to IPA net groups?
In-Reply-To: <20120516102046.GH2338@localhost.localdomain>
References: <1337050626.69719.YahooMailNeo@web125704.mail.ne1.yahoo.com>	<20120515084850.GE2338@localhost.localdomain>	<1337097943.10734.YahooMailNeo@web160704.mail.bf1.yahoo.com>
	<20120516102046.GH2338@localhost.localdomain>
Message-ID: <4FBE6E32.1010707@redhat.com>

On 05/16/2012 06:20 AM, Sumit Bose wrote:
> On Tue, May 15, 2012 at 09:05:43AM -0700, Gelen James wrote:
>> Hi Sumit, 
>>
>>
>>  Thanks for your quick reply.
>>  
>>  In the chapter http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/migrating-from-nis.html#nis-import-netgroups, the Netgroup migration script sets the '--usercat' and '--hostcat' options on IPA netgroups through the 'ipa netgroup-mod' command.
>>
>> More specifically, when IPA imports host-based netgroups with triples like (hostA,-,-), (hostB,-,-), the new IPA netgroups are set up with the option '--usercat=all'. Does that mean that if this IPA netgroup is used in an HBAC rule, then the rule will apply to all users on hostA and hostB? Am I right? :)
> yes, this is my understanding, too.
>
>> BTW, do I have to turn on the '--usercat' option for NIS netgroup migration? The HBAC rules are defined inside hosts/hostgroups, and no NIS groups are involved, right? I maybe completely wrong here.
> yes, HBAC rules use hosts/hostgroups and not netgroups. In general
> netgroups were added to support applications which still need them or to
> make migrations from environments where netgroups were used easier. But
> we recommend using hostgroups with IPA if possible.
>
> HTH
>
> bye,
> Sumit
>
>> Thanks.
>>
>> --Gelen
>>
>>
>>
>>
>>
>>
>>
>> ________________________________
>>  From: Sumit Bose 
>> To: freeipa-users at redhat.com 
>> Sent: Tuesday, May 15, 2012 1:48 AM
>> Subject: Re: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?
>>  
>> On Mon, May 14, 2012 at 07:57:06PM -0700, David Copperfield wrote:
>>> Hi all,
>>>
>>>  The online manual says that the '--usercat' means 'User category the rule applies to';  '--hostcat' has the similar explanation. But I still don't understand how that could be used in real life and when/where to use the options.
>>>
>>>  Could anyone please shed a light on this? Thanks a lot.
>> iirc these options were introduced with the host based access control
>> (HBAC) and are used to identify categories/classes of users and hosts
>> in a more general way than using groups or ip-address ranges. I think
>> currently only the keyword 'all' can be used here, which e.g. means that
>> an HBAC rule will match for all users or all hosts. In future it is
>> planned to support other categories, e.g. something like 'local' and
>> 'remote' which would catch all users/hosts of the local IPA domain or
>> all users/groups which are coming from remote domains, respectively.
>>
>> HTH
>>
>> bye,
>> Sumit
>>


Finally got time to read and reply.
IPA introduced an object class called Association. It allows a
many-to-many relationship between users and hosts.
Users can be expressed as a list of users, a list of groups, or a category of
users. We currently support only one category, "all".
The same is true for hosts.
Several different objects in IPA derive from the association object.
HBAC and netgroups are among those.
This is why the notion of the category is in both cases. But it also
makes sense. There was no other way for HBAC and netgroups to express
"all". We made an architectural decision that absence of something
should not be treated as "all" but rather denote "none". So if nothing
is defined in the HBAC rule to express users, such a rule should be treated
as not applying to any user and effectively be ignored as an
incomplete/broken rule. If that is not the case, it is probably a bug.

 

>>> --David
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
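
The category semantics Dmitri lays out above, written down as a small evaluator so the "absence means none, not all" decision can be exercised. This is an added example, not code from the thread or from FreeIPA (which stores rules in LDAP and evaluates them in SSSD). The rule layout, the sample rules and the group memberships are constructed for illustration; it goes slightly beyond the thread by treating the service side of an HBAC rule with the same logic as users and hosts.

```python
"""Added example (not from the thread): evaluator for the category semantics
Dmitri describes. Each side of a rule (users, hosts, and services) matches
when its category is "all" or when the candidate, or a group it belongs to,
is listed explicitly; a side with nothing set matches nobody, so the rule is
incomplete and ignored. Rule layout, sample rules and memberships are
constructed for illustration."""


def side_matches(category, names, groups, candidate, membership):
    """One side of a rule. membership maps a name to the set of groups it is in."""
    if category == "all":
        return True
    if candidate in names:
        return True
    return bool(set(groups) & membership.get(candidate, set()))


def side_defined(category, names, groups):
    """An empty side is not a wildcard: it denotes 'none'."""
    return category == "all" or bool(names) or bool(groups)


SIDES = (
    # (category key, explicit names key, groups key, request/membership kind)
    ("usercat", "users", "usergroups", "users"),
    ("hostcat", "hosts", "hostgroups", "hosts"),
    ("servicecat", "services", "servicegroups", "services"),
)


def is_complete(rule):
    """False when any side is undefined; such a rule applies to nothing."""
    return all(side_defined(rule.get(cat), rule.get(names, ()), rule.get(groups, ()))
               for cat, names, groups, _ in SIDES)


def rule_applies(rule, request, membership):
    """request: {'users': 'alice', 'hosts': 'srv1', 'services': 'sshd'}.
    membership: {'users': {name: groups}, 'hosts': {...}, 'services': {...}}."""
    if not rule.get("enabled", True) or not is_complete(rule):
        return False
    return all(side_matches(rule.get(cat), rule.get(names, ()), rule.get(groups, ()),
                            request[kind], membership.get(kind, {}))
               for cat, names, groups, kind in SIDES)


def hbac_allowed(rules, request, membership):
    """HBAC rules are allow rules: access is granted if any rule applies."""
    return any(rule_applies(r, request, membership) for r in rules)


# Constructed sample data
MEMBERSHIP = {
    "users": {"alice": {"admins"}, "bob": set()},
    "hosts": {"srv1": {"servers"}, "hostA": set(), "hostB": set()},
    "services": {"sshd": {"login"}, "login": {"login"}},
}

RULES = [
    # "any user on hostA": the shape a migrated host-only netgroup gets (usercat=all)
    {"name": "anyone_on_hostA", "usercat": "all", "hosts": {"hostA"},
     "servicecat": "all"},
    {"name": "admins_ssh_servers", "usergroups": {"admins"},
     "hostgroups": {"servers"}, "services": {"sshd"}},
    # no user side at all: applies to no user, i.e. ignored as incomplete
    {"name": "broken_no_users", "hosts": {"hostB"}, "servicecat": "all"},
]

if __name__ == "__main__":
    for user, host in (("bob", "hostA"), ("bob", "hostB"), ("alice", "srv1"), ("bob", "srv1")):
        req = {"users": user, "hosts": host, "services": "sshd"}
        print(user, host, hbac_allowed(RULES, req, MEMBERSHIP))
```

Run `is_complete` over exported rules to spot the "nothing set on one side" case Dmitri calls a broken rule before it silently grants nobody access.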





From mareynol at redhat.com  Fri May 25 20:54:42 2012
From: mareynol at redhat.com (Mark Reynolds)
Date: Fri, 25 May 2012 16:54:42 -0400
Subject: [Freeipa-users] regarding: backup/restore IPA servers with
	db2ldap.pl, ldap2db.pl
Message-ID: <4FBFF192.5090902@redhat.com>

David,

I cannot reproduce this issue.  This is what I've done using just 389 DS:

[1] Create two instances:  master and dedicated consumer
[2] Setup replication and initialize consumer
[3] Create 4 users on the master: a, b, c, d
[4] do a "db2ldif -r" on the consumer
[5] On master: delete 'c'
[6] On consumer: delete 'd'
[7] do a ldif2db on consumer -> now the consumer has entries: a,b,c,d
[8] Either wait a few minutes, or update entry 'a' on master.
[9] Both master and consumer have entries: a, b

This was in a test environment, and there was no replication load.  I've 
tried both (db2ldif/db2ldif.pl & ldif2db/ldif2db.pl)

Am I missing any steps?  What version of DS were you using?

Thanks,
Mark



From tomasz at napierala.org  Sat May 26 20:04:47 2012
From: tomasz at napierala.org (=?utf-8?Q?Tomasz_=27Zen=27_Napiera=C5=82a?=)
Date: Sat, 26 May 2012 22:04:47 +0200
Subject: [Freeipa-users] Cannot create replica after previous broken replica
	install
Message-ID: 

Hi,

I'm trying to install a replica server that previously failed to initialize.
Host ldap-s1 - first server
Host ldap-s2 - reinstalled server

After ipa-replica-install on ldap-s2, I got:
Connection check OK
The host ldap-s2.xxx already exists on the master server. Depending on your configuration, you may perform the following:

Remove the replication agreement, if any:
    % ipa-replica-manage del ldap-s2.xxx
Remove the host entry:
    % ipa host-del ldap-s2.xxx

So I tried to do that, but:
ipa-replica-manage del ldap-s2.xxx
Unable to delete replica ldap-s2.xxx: {'desc': "Can't contact LDAP server"}

ldap-s1 tried to connect to ldap-s2 but obviously failed. 
Then I did:
ipa host-del ldap-s2.xxx
---------------------------------
Deleted host "ldap-s2.xxx"
---------------------------------

I prepared the replica file again, scp'ed it to ldap-s2 and ran ipa-replica-install again:
[...]
  [16/29]: configuring ssl for ds instance
  [17/29]: configuring certmap.conf
  [18/29]: configure autobind for root
  [19/29]: configure new location for managed entries
  [20/29]: restarting directory server
  [21/29]: setting up initial replication
Starting replication, please wait until this has completed.
[ldap-s1.xxx] reports: Update failed! Status: [-2  - System error]
creation of replica failed: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

During the attempt I got this on ldap-s1
[26/May/2012:19:24:04 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[26/May/2012:19:24:07 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/ldap-s2.xxx at XXX not found in Kerberos database)) errno 2 (No such file or directory)

and 
[root at ldap-s1 ~]# ipa-replica-manage del ldap-s2.xxx
Unable to delete replica ldap-s2.xxx: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/ldap-s2.xxx at XXX not found in Kerberos database)', 'desc': 'Local error'}

Does anyone have any ideas how to fix that?

Regards,
-- 
Tomasz 'Zen' Napierała
tomasz at napierala.org







From tomasz at napierala.org  Sat May 26 20:08:49 2012
From: tomasz at napierala.org (=?utf-8?Q?Tomasz_=27Zen=27_Napiera=C5=82a?=)
Date: Sat, 26 May 2012 22:08:49 +0200
Subject: [Freeipa-users] Cannot create replica after previous broken
	replica install
In-Reply-To: 
References: 
Message-ID: 


On May 26, 2012, at 10:04 PM, Tomasz 'Zen' Napierała wrote:

> Hi,
> 
> I'm trying to install a replica server that previously failed to initialize.
> Host ldap-s1 - first server
> Host ldap-s2 - reinstalled server
> 
> After ipa-replica-install on ldap-s2, I got:
> Connection check OK
> The host ldap-s2.xxx already exists on the master server. Depending on your configuration, you may perform the following:
> 
> Remove the replication agreement, if any:
>    % ipa-replica-manage del ldap-s2.xxx
> Remove the host entry:
>    % ipa host-del ldap-s2.xxx
> 
> So I tried to do that, but:
> ipa-replica-manage del ldap-s2.xxx
> Unable to delete replica ldap-s2.xxx: {'desc': "Can't contact LDAP server"}


Ok, fixed that myself ;)
I just --force replica deletion, restarted dirsrv on master, recreated replica file, and did replica install again. All went fine.

Regards,
-- 
Tomasz 'Zen' Napierała
tomasz at napierala.org







From rcritten at redhat.com  Sat May 26 23:27:50 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 26 May 2012 19:27:50 -0400
Subject: [Freeipa-users] Cannot create replica after previous broken
 replica install
In-Reply-To: 
References: 
Message-ID: <4FC166F6.3010704@redhat.com>

Tomasz 'Zen' Napierała wrote:
> Hi,
>
> I'm trying to install a replica server that previously failed to initialize.
> Host ldap-s1 - first server
> Host ldap-s2 - reinstalled server
>
> After ipa-replica-install on ldap-s2, I got:
> Connection check OK
> The host ldap-s2.xxx already exists on the master server. Depending on your configuration, you may perform the following:
>
> Remove the replication agreement, if any:
>      % ipa-replica-manage del ldap-s2.xxx
> Remove the host entry:
>      % ipa host-del ldap-s2.xxx
>
> So I tried to do that, but:
> ipa-replica-manage del ldap-s2.xxx
> Unable to delete replica ldap-s2.xxx: {'desc': "Can't contact LDAP server"}
>
> ldap-s1 tried to connect to ldap-s2 but obviously failed.
> Then I did:
> ipa host-del ldap-s2.xxx
> ---------------------------------
> Deleted host "ldap-s2.xxx"
> ---------------------------------
>
> I prepared the replica file again, scp'ed it to ldap-s2 and ran ipa-replica-install again:
> [...]
>    [16/29]: configuring ssl for ds instance
>    [17/29]: configuring certmap.conf
>    [18/29]: configure autobind for root
>    [19/29]: configure new location for managed entries
>    [20/29]: restarting directory server
>    [21/29]: setting up initial replication
> Starting replication, please wait until this has completed.
> [ldap-s1.xxx] reports: Update failed! Status: [-2  - System error]
> creation of replica failed: Failed to start replication
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> During the attempt I got this on ldap-s1
> [26/May/2012:19:24:04 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [26/May/2012:19:24:07 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/ldap-s2.xxx at XXX not found in Kerberos database)) errno 2 (No such file or directory)
>
> and
> [root at ldap-s1 ~]# ipa-replica-manage del ldap-s2.xxx
> Unable to delete replica ldap-s2.xxx: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/ldap-s2.xxx at XXX not found in Kerberos database)', 'desc': 'Local error'}
>
> Anyone has any ideas how to fix that??
>
> Regards,

ipa-replica-manage del --force ldap-s2.xxx

You'll want to restart the dirsrv service on ldap-s1 before attempting to 
re-install ldap-s2.

rob



From tomasz at napierala.org  Sat May 26 23:54:02 2012
From: tomasz at napierala.org (Tomasz 'Zen' Napierała)
Date: Sun, 27 May 2012 01:54:02 +0200
Subject: [Freeipa-users] Cannot create replica after previous broken
	replica install
In-Reply-To: <4FC166F6.3010704@redhat.com>
References: 
	<4FC166F6.3010704@redhat.com>
Message-ID: <3190B4F8-C05B-45A3-B7C9-997DA313B870@napierala.org>


On May 27, 2012, at 1:27 AM, Rob Crittenden wrote:

> Tomasz 'Zen' Napierała wrote:
>> Hi,
>> 
>> I'm trying to install a replica server that previously failed to initialize.
>> Host ldap-s1 - first server
>> Host ldap-s2 - reinstalled server
>> 
>> After ipa-replica-install on ldap-s2, I got:
>> Connection check OK
>> The host ldap-s2.xxx already exists on the master server. Depending on your configuration, you may perform the following:
>> 
>> Remove the replication agreement, if any:
>>     % ipa-replica-manage del ldap-s2.xxx
>> Remove the host entry:
>>     % ipa host-del ldap-s2.xxx
>> 
>> So I tried to do that, but:
>> ipa-replica-manage del ldap-s2.xxx
>> Unable to delete replica ldap-s2.xxx: {'desc': "Can't contact LDAP server"}
>> 
>> ldap-s1 tried to connect to ldap-s2 but obviously failed.
>> Then I did:
>> ipa host-del ldap-s2.xxx
>> ---------------------------------
>> Deleted host "ldap-s2.xxx"
>> ---------------------------------
>> 
>> I prepared the replica file again, scp'ed it to ldap-s2 and ran ipa-replica-install again:
>> [...]
>>   [16/29]: configuring ssl for ds instance
>>   [17/29]: configuring certmap.conf
>>   [18/29]: configure autobind for root
>>   [19/29]: configure new location for managed entries
>>   [20/29]: restarting directory server
>>   [21/29]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [ldap-s1.xxx] reports: Update failed! Status: [-2  - System error]
>> creation of replica failed: Failed to start replication
>> 
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> 
>> During the attempt I got this on ldap-s1
>> [26/May/2012:19:24:04 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [26/May/2012:19:24:07 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/ldap-s2.xxx at XXX not found in Kerberos database)) errno 2 (No such file or directory)
>> 
>> and
>> [root at ldap-s1 ~]# ipa-replica-manage del ldap-s2.xxx
>> Unable to delete replica ldap-s2.xxx: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/ldap-s2.xxx at XXX not found in Kerberos database)', 'desc': 'Local error'}
>> 
>> Anyone has any ideas how to fix that??
>> 
>> Regards,
> 
> ipa-replica-manage del --force ldap-s2.xxx
> 
> You'll want to restart the dirsrv service on ldap-s1 before attempting to re-install ldap-s2.


Thanks, I think you didn't notice my next email. I just did that exactly after reading ipa-replica-manage manage ;)

Regards,
-- 
Tomasz 'Zen' Napierała
tomasz at napierala.org







From freeipa at noboost.org  Mon May 28 06:21:20 2012
From: freeipa at noboost.org (freeipa at noboost.org)
Date: Mon, 28 May 2012 10:21:20 +0400
Subject: [Freeipa-users] ipa-client-install hangs on ipa-getkeytab
Message-ID: <20120528062120.GA21730@noboost.org>

Hi All,

This one has me stumped!
For some reason my Centos 5.8 x64 Linux server hangs during
"ipa-client-install"

Server:
* ipa-admintools-2.1.3-9.el6.x86_64
* ipa-client-2.1.3-9.el6.x86_64
* ipa-pki-ca-theme-9.0.3-7.el6.noarch
* ipa-pki-common-theme-9.0.3-7.el6.noarch
* ipa-python-2.1.3-9.el6.x86_64
* ipa-server-2.1.3-9.el6.x86_64
* ipa-server-selinux-2.1.3-9.el6.x86_64

Client:
CentOS release 5.8 (Final) (x86_64)
* ipa-client-2.1.3-2.el5_8
* sssd-client-1.5.1-49.el5_8.1

Questions:
* Is there a better way to diagnose the ipa-getkeytab command? Perhaps I
  can run a native kerberos command? 
* Any tips welcome, I've tried straces and tcpdump to work this one out,
  hmm..


Error:
"ipa-client-install" runs fine and then hangs (without reason):
[below is the chopped version]

-------------------------------------------------------------------
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM


Password for admin at EXAMPLE.COM: 
root        : DEBUG    args=kinit admin at EXAMPLE.COM
root        : DEBUG    stdout=Password for admin at EXAMPLE.COM: 

root        : DEBUG    stderr=
-------------------------------------------------------------------

`ps -ef` on the client side, shows that the install is getting stuck on
"ipa-getkeytab" for some reasons.

root     15842 15814  0 15:09 pts/1    00:00:00 /usr/bin/python -E
/usr/sbin/ipa-client-install -d

root     15852 15842  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-join -s
ipa-server.example.com -b dc=example,dc=com -d

root     15853 15852  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-getkeytab
-s ipa-server.example.com -p
host/client.example.com at EXAMPLE.COM -k /etc/krb5.keytab


cya

Craig



From ops at 100percentit.com  Mon May 28 14:04:00 2012
From: ops at 100percentit.com (Matt)
Date: Mon, 28 May 2012 15:04:00 +0100
Subject: [Freeipa-users] FreeIPA & Windows AD Replication
In-Reply-To: <4FBB59E9.6060209@100percentit.com>
References: <4FBB59E9.6060209@100percentit.com>
Message-ID: <4FC385D0.2000404@100percentit.com>

Hi,

Any ideas on where to look for more information? I have been unable to 
make any progress on this.

Thanks

On 22/05/2012 10:18, Matt wrote:
> Hi,
>
> I am attempting to run replication between Windows AD (2008R2) and a 
> FreeIPA (2.2.0) server (fc-17) in a test setup.
>
> I have bound FreeIPA to the AD server 'successfully'
>
> [root at ipa2 cacerts]# ipa-replica-manage connect --winsync --binddn 
> "CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw  
> --passsync  --cacert /etc/openldap/cacerts/AD.cer -v 
> ipa.100it.net -p 
> Added CA certificate /etc/openldap/cacerts/AD.cer to certificate 
> database for ipa2.100it.net
> ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
> The user for the Windows PassSync service is 
> uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11  - 
> System error: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [ipa2.100it.net] reports: Update failed! Status: [-11  - System error]
> Failed to start replication
>
>
>
> The server now shows in the replica list:
>
> [root at ipa2 ~]# ipa-replica-manage list -p 
> ipa.100it.net: winsync
> ipa2.100it.net: master
>
>
> But any attempts to re-initialise the connection result in the same 
> "[-11  - System error]" message:
>
> [root at ipa2 ~]# ipa-replica-manage re-initialize --from ipa.100it.net 
> -p 
> [ipa2.100it.net] reports: Update failed! Status: [-11  - System error]
>
>
> There are no messages that relate to the connection in event viewer 
> and nothing other than "[-11  - System error]" in any of the freeIPA 
> log files.
>
> Thanks
> Matt



From mkosek at redhat.com  Tue May 29 07:00:43 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 29 May 2012 09:00:43 +0200
Subject: [Freeipa-users] ipa-client-install hangs on ipa-getkeytab
In-Reply-To: <20120528062120.GA21730@noboost.org>
References: <20120528062120.GA21730@noboost.org>
Message-ID: <1338274843.30643.6.camel@balmora.brq.redhat.com>

On Mon, 2012-05-28 at 10:21 +0400, freeipa at noboost.org wrote:
> Hi All,
> 
> This one has me stumped!
> For some reason my Centos 5.8 x64 Linux server hangs during
> "ipa-client-install"
> 
> Server:
> * ipa-admintools-2.1.3-9.el6.x86_64
> * ipa-client-2.1.3-9.el6.x86_64
> * ipa-pki-ca-theme-9.0.3-7.el6.noarch
> * ipa-pki-common-theme-9.0.3-7.el6.noarch
> * ipa-python-2.1.3-9.el6.x86_64
> * ipa-server-2.1.3-9.el6.x86_64
> * ipa-server-selinux-2.1.3-9.el6.x86_64
> 
> Client:
> CentOS release 5.8 (Final) (x86_64)
> * ipa-client-2.1.3-2.el5_8
> * sssd-client-1.5.1-49.el5_8.1
> 
> Questions:
> * Is there a better way to diagnose the ipa-getkeytab command? Perhaps I
>   can run a native kerberos command? 
> * Any tips welcome, I've tried straces and tcpdump to work this one out,
>   hmm..
> 
> 
> Error:
> "ipa-client-install" runs fine and then hangs (without reason):
> [below is the chopped version]
> 
> -------------------------------------------------------------------
> [libdefaults]
>   default_realm = EXAMPLE.COM
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
> 
> [realms]
>   EXAMPLE.COM = {
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
> 
> [domain_realm]
>   .example.com = EXAMPLE.COM
>   example.com = EXAMPLE.COM
> 
> 
> Password for admin at EXAMPLE.COM: 
> root        : DEBUG    args=kinit admin at EXAMPLE.COM
> root        : DEBUG    stdout=Password for admin at EXAMPLE.COM: 
> 
> root        : DEBUG    stderr=
> -------------------------------------------------------------------
> 
> `ps -ef` on the client side, shows that the install is getting stuck on
> "ipa-getkeytab" for some reasons.
> 
> root     15842 15814  0 15:09 pts/1    00:00:00 /usr/bin/python -E
> /usr/sbin/ipa-client-install -d
> 
> root     15852 15842  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-join -s
> ipa-server.example.com -b dc=example,dc=com -d
> 
> root     15853 15852  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-getkeytab
> -s ipa-server.example.com -p
> host/client.example.com at EXAMPLE.COM -k /etc/krb5.keytab
> 
> 
> cya
> 
> Craig
> 

Hello Craig,

I think that in this case, strace may be a good choice to find out where
it hangs. I assume you already have the IPA server installed and you are
trying to install IPA client on different machine.

If you run ipa-getkeytab with strace separately from ipa-client-install
you can test where it hangs. You can use any principal existing in IPA
server, including host/client.example.com at EXAMPLE.COM if the host entry
exists.

To authenticate with ipa-getkeytab on a machine where ipa-client-install
was unsuccessful you can either manually configure /etc/krb5.conf to use
the IPA server KDC and run kinit, or you could use the "-D BINDDN -w PASSWORD"
options to authenticate via LDAP bind.

Martin



From rcritten at redhat.com  Tue May 29 17:37:02 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 May 2012 13:37:02 -0400
Subject: [Freeipa-users] FreeIPA & Windows AD Replication
In-Reply-To: <4FC385D0.2000404@100percentit.com>
References: <4FBB59E9.6060209@100percentit.com>
	<4FC385D0.2000404@100percentit.com>
Message-ID: <4FC5093E.3000108@redhat.com>

Matt wrote:
> Hi,
>
> Any ideas on where to look for more information? I have been unable to
> make any progress on this.
>
> Thanks
>
> On 22/05/2012 10:18, Matt wrote:
>> Hi,
>>
>> I am attempting to run replication between Windows AD (2008R2) and a
>> FreeIPA (2.2.0) server (fc-17) in a test setup.
>>
>> I have bound FreeIPA to the AD server 'successfully'
>>
>> [root at ipa2 cacerts]# ipa-replica-manage connect --winsync --binddn
>> "CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw 
>> --passsync  --cacert /etc/openldap/cacerts/AD.cer -v
>> ipa.100it.net -p 
>> Added CA certificate /etc/openldap/cacerts/AD.cer to certificate
>> database for ipa2.100it.net
>> ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
>> The user for the Windows PassSync service is
>> uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
>> Windows PassSync entry exists, not resetting password
>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - System
>> error: start: 0: end: 0
>> ipa: INFO: Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>> Failed to start replication
>>
>>
>>
>> The server now shows in the replica list:
>>
>> [root at ipa2 ~]# ipa-replica-manage list -p 
>> ipa.100it.net: winsync
>> ipa2.100it.net: master
>>
>>
>> But any attempts to re-initialise the connection result in the same
>> "[-11 - System error]" message:
>>
>> [root at ipa2 ~]# ipa-replica-manage re-initialize --from ipa.100it.net
>> -p 
>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>
>>
>> There are no messages that relate to the connection in event viewer
>> and nothing other than "[-11 - System error]" in any of the freeIPA
>> log files.
>>
>> Thanks
>> Matt

This is a new one to me. I think we need to try to gather more 
information on it. Can you enable replication debugging then try to 
re-initialize it again?

$ ldapmodify -x -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192

Then to turn it off do basically the same thing:

$ ldapmodify -x -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 0

The log output should go to the 389-ds error log.

rob



From rcritten at redhat.com  Tue May 29 22:15:03 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 May 2012 18:15:03 -0400
Subject: [Freeipa-users] FreeIPA & Windows AD Replication
In-Reply-To: <4FC5093E.3000108@redhat.com>
References: <4FBB59E9.6060209@100percentit.com>
	<4FC385D0.2000404@100percentit.com> <4FC5093E.3000108@redhat.com>
Message-ID: <4FC54A67.4070906@redhat.com>

Rob Crittenden wrote:
> Matt wrote:
>> Hi,
>>
>> Any ideas on where to look for more information? I have been unable to
>> make any progress on this.
>>
>> Thanks
>>
>> On 22/05/2012 10:18, Matt wrote:
>>> Hi,
>>>
>>> I am attempting to run replication between Windows AD (2008R2) and a
>>> FreeIPA (2.2.0) server (fc-17) in a test setup.
>>>
>>> I have bound FreeIPA to the AD server 'successfully'
>>>
>>> [root at ipa2 cacerts]# ipa-replica-manage connect --winsync --binddn
>>> "CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw 
>>> --passsync  --cacert /etc/openldap/cacerts/AD.cer -v
>>> ipa.100it.net -p 
>>> Added CA certificate /etc/openldap/cacerts/AD.cer to certificate
>>> database for ipa2.100it.net
>>> ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
>>> The user for the Windows PassSync service is
>>> uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
>>> Windows PassSync entry exists, not resetting password
>>> ipa: INFO: Added new sync agreement, waiting for it to become ready .
>>> . .
>>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - System
>>> error: start: 0: end: 0
>>> ipa: INFO: Agreement is ready, starting replication . . .
>>> Starting replication, please wait until this has completed.
>>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>> Failed to start replication
>>>
>>>
>>>
>>> The server now shows in the replica list:
>>>
>>> [root at ipa2 ~]# ipa-replica-manage list -p 
>>> ipa.100it.net: winsync
>>> ipa2.100it.net: master
>>>
>>>
>>> But any attempts to re-initialise the connection result in the same
>>> "[-11 - System error]" message:
>>>
>>> [root at ipa2 ~]# ipa-replica-manage re-initialize --from ipa.100it.net
>>> -p 
>>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>>
>>>
>>> There are no messages that relate to the connection in event viewer
>>> and nothing other than "[-11 - System error]" in any of the freeIPA
>>> log files.
>>>
>>> Thanks
>>> Matt
>
> This is a new one to me. I think we need to try to gather more
> information on it. Can you enable replication debugging then try to
> re-initialize it again?
>
> $ ldapmodify -x -D "cn=directory manager" -W
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 8192
>
> Then to turn it off do basically the same thing:
>
> $ ldapmodify -x -D "cn=directory manager" -W
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 0
>
> The log output should go to the 389-ds error log.
>
> rob

Turns out the code is an LDAP return code which in this case means 
connection error. Still not a lot to go on but it's something.

Can you see if there is a firewall in between? You might also want to to 
try ldapsearch to see if you can connect to the AD server.

We test the connection early on. I'm not sure why it would fail in the 
middle like this.

rob
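The negative status codes seen in this thread (-11) and in the earlier one about the broken replica (-2) are libldap client-side result codes, which is the point Rob makes above: the failure happened on the initiating server before a usable LDAP session to the peer existed. The following Python is an added example written for this page, not FreeIPA or 389-ds code. It decodes the status lines that ipa-replica-manage and the slapd error log print, tells a client-side code from a server-side one, and pulls the Kerberos detail out of a failed GSSAPI bind. The hints table is the editor's; the sample lines are a constructed copy of the ones quoted in the two threads, with the same placeholder host names and realm.

```python
"""Decode replication status codes from ipa-replica-manage and 389-ds output.

Added example, not code from FreeIPA or 389-ds.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Client-side (libldap) result codes from OpenLDAP's ldap.h. They are
# negative so they can never be confused with a result code the remote
# server returned; seeing one means the failure happened on the initiating
# side before a usable LDAP session existed.
LIBLDAP_CODES = {
    -1: "LDAP_SERVER_DOWN",
    -2: "LDAP_LOCAL_ERROR",
    -3: "LDAP_ENCODING_ERROR",
    -4: "LDAP_DECODING_ERROR",
    -5: "LDAP_TIMEOUT",
    -6: "LDAP_AUTH_UNKNOWN",
    -7: "LDAP_FILTER_ERROR",
    -8: "LDAP_USER_CANCELLED",
    -9: "LDAP_PARAM_ERROR",
    -10: "LDAP_NO_MEMORY",
    -11: "LDAP_CONNECT_ERROR",
    -12: "LDAP_NOT_SUPPORTED",
}

# First thing to check for the codes that show up in replication failures.
# These hints are the editor's, not text from FreeIPA or 389-ds.
HINTS = {
    -1: "peer closed the connection or never answered: is dirsrv up and "
        "listening on the peer?",
    -2: "local failure before any LDAP traffic, usually SASL/GSSAPI: the "
        "peer's ldap/<fqdn> principal is missing from the KDC, the local "
        "keytab is stale, or clocks/DNS disagree",
    -5: "network timeout: packet filter dropping traffic or a half-dead peer",
    -11: "TCP or TLS connection could not be established: firewall, wrong "
         "port, or the peer's certificate is not trusted (check the CA cert "
         "you imported)",
}

# Matches "Status: [-2  - System error]" (ipa-replica-manage) and
# "status: -11  - System error: start: 0: end: 0" (ipa: INFO line).
STATUS_RE = re.compile(r"[Ss]tatus:\s*\[?\s*(-?\d+)\s*-\s*([^\]:]+?)\s*(?:\]|:|$)")

# The Kerberos minor-status text slapd prints after a failed GSSAPI bind.
GSS_MINOR_RE = re.compile(r"Minor code may provide more information\s*\(([^()]+)\)")


@dataclass
class ReplStatus:
    code: int
    text: str              # the human text printed next to the code
    origin: str            # "client" (libldap) or "server" (LDAP result code)
    name: Optional[str]    # libldap symbolic name, None for server-side codes
    hint: Optional[str]


def decode_status_line(line: str) -> Optional[ReplStatus]:
    """Return the decoded status from one log/CLI line, or None if it has none."""
    m = STATUS_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1))
    origin = "client" if code < 0 else "server"
    return ReplStatus(code=code, text=m.group(2), origin=origin,
                      name=LIBLDAP_CODES.get(code), hint=HINTS.get(code))


def gssapi_detail(line: str) -> Optional[str]:
    """Pull the Kerberos minor-status text out of a slapd GSSAPI bind error."""
    m = GSS_MINOR_RE.search(line)
    return m.group(1).strip() if m else None


def triage(lines: List[str]) -> List[str]:
    """One finding per informative line, in input order."""
    findings = []
    for line in lines:
        st = decode_status_line(line)
        if st is not None:
            label = st.name or f"server result code {st.code}"
            findings.append(f"{st.code} ({label}, {st.origin} side): {st.hint or st.text}")
        detail = gssapi_detail(line)
        if detail:
            findings.append(f"GSSAPI minor status: {detail}")
    return findings


# Constructed sample mirroring the lines quoted in the two threads; host names
# and realm are the same placeholders the original messages used.
SAMPLE_LINES = [
    "[ldap-s1.xxx] reports: Update failed! Status: [-2  - System error]",
    "[26/May/2012:19:24:07 +0000] slapd_ldap_sasl_interactive_bind - Error: "
    "could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 "
    "(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS "
    "failure.  Minor code may provide more information (Server "
    "ldap/ldap-s2.xxx@XXX not found in Kerberos database)) errno 2",
    "ipa: INFO: Replication Update in progress: FALSE: status: -11  - System error: start: 0: end: 0",
    "[ipa2.100it.net] reports: Update failed! Status: [-11  - System error]",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run as-is it prints four findings: the -2 lines resolve to LDAP_LOCAL_ERROR plus the "not found in Kerberos database" detail, which matches the stale ldap/ldap-s2 principal in the earlier thread, and the -11 lines resolve to LDAP_CONNECT_ERROR, which is why Rob's next step is a firewall check and a plain ldapsearch against the AD server rather than more replication debugging.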



From cao2dan at yahoo.com  Wed May 30 01:02:41 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Tue, 29 May 2012 18:02:41 -0700 (PDT)
Subject: [Freeipa-users] Fixed: time drift issue-- Re: Bug or feature? IPA
	replicas at the beginning can not see other replicas installed later
In-Reply-To: <1337473756.35952.YahooMailNeo@web125705.mail.ne1.yahoo.com>
References: <1337466392.94089.YahooMailNeo@web125701.mail.ne1.yahoo.com>
	<1337473756.35952.YahooMailNeo@web125705.mail.ne1.yahoo.com>
Message-ID: <1338339761.67944.YahooMailNeo@web125706.mail.ne1.yahoo.com>

Hi all,

Sorry, this is a false IPA alarm. I've duplicated the same steps in the initial email and this time it works as expected.

It is not a bug inside IPA, but most probably an issue with time drift/management of VMware Linux guests. After installation of VMware's patching tar ball to deal with time issues, the IPA installation works without a glitch.

This is definitely a lesson on IPA installation: date/time control is a mandatory task.

Thanks.

--David






________________________________
 From: David Copperfield 
To: David Copperfield ; Rich Megginson ; "dpal at redhat.com" ; Rob Crittenden ; "freeipa-users at redhat.com"  
Sent: Saturday, May 19, 2012 5:29 PM
Subject: Re: [Freeipa-users] Bug or feature? IPA replicas at the beginning can not see other replicas installed later
 

Hi all,

I tried another way below to install replicas one by one, and this time it works as expected -- all replicas, installed at the beginning and later, all see everyone.

1, install Master A, restart IPA service.

2, prepare replication file and install Replica B, restart IPA service on B, then A.

3, prepare replication file and install Replica C, restart IPA services on C, then B, then A.

4, prepare replication file and install Replica D, restart IPA services on D, then C, then B, then A.

Now all IPA servers can see all.

The major differences from the steps included in the former emails:

1, create replication info files at different times. This time the file(s) are created at every step, rather than all at the same time before the first replica is installed.

2, restart IPA services after each replica installation. The intention is to sync replication information at IPA services startup.

3, Misc. Before installation of the IPA master and all replicas, I synced the time difference to within one second across all servers, and then rebooted all servers A, B, C and D. Double-checked that the time difference is still within one second.

Not sure whether this is related to the IPA replication info file preparation timing, or the IPA services restarts, or other preparation work, but it will do no harm if someone else can duplicate the steps and see whether we end up with the same results.

BTW, does anyone know how the replication server info is propagated from one replica to another replica via the IPA master hub? How long it takes, etc.

Thanks.

--David

________________________________
 From: David Copperfield 
To: Rich Megginson ; "dpal at redhat.com" ; Rob Crittenden  
Cc: "freeipa-users at redhat.com"  
Sent: Saturday, May 19, 2012 3:26 PM
Subject: [Freeipa-users] Bug or feature? IPA replicas at the beginning can not see other replicas installed later
 

Hi Rich, Rob and all,

I'm trying to test the IPA replica restoration solutions, with a daily IPA replica backup, following your steps in another email. But I got interrupted by another problem that popped up. The problem is here (all IPA masters and replicas are 2.1.3 on Red Hat 6.2).

The same setup is tested: A is the master; B, C, D are replicas. A works as a HUB, and B, C, D are replicated with A directly and only.

    A
  / | \
 B  C  D

The setup procedure is as the following:

1, Install A and restart IPA services (ipactl restart)
2, create replicas information files for B, C, D.
3, install replica B.
4, install replica C.
5, Install replica D.

At here run 'ipa-replica-manage list' on A, B, C, D separately and we found the following odd results:

1, on Master A:
see all A, B, C, D

2, on replica B: (the first installed replica)
see only A, B

3, on replica C: (the second installed replica)
see only A, B, C

4, on the replica D: (the last installed replica)
see all A, B, C, D

Wait for 10 minutes and check again: still no change. Restart IPA services on A, B, C, D: still no changes. Reboot all A, B, C, D: still no changes. Though the 'ipa-csreplica-manage list' command shows ALL A, B, C, D servers on all A, B, C, D servers.

And so the command 'ipa-manage-list D' on replica C reports that 'D is not in the public server list.'

The setup and testing environment takes no more than one hour to duplicate.

Thanks.

--Gelen





_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From freeipa at noboost.org  Wed May 30 04:02:11 2012
From: freeipa at noboost.org (freeipa at noboost.org)
Date: Wed, 30 May 2012 08:02:11 +0400
Subject: [Freeipa-users] ipa-client-install hangs on ipa-getkeytab -
 Fixed!!
In-Reply-To: <1338274843.30643.6.camel@balmora.brq.redhat.com>
References: <20120528062120.GA21730@noboost.org>
	<1338274843.30643.6.camel@balmora.brq.redhat.com>
Message-ID: <20120530040211.GA20108@noboost.org>

On Tue, May 29, 2012 at 09:00:43AM +0200, Martin Kosek wrote:
> On Mon, 2012-05-28 at 10:21 +0400, freeipa at noboost.org wrote:
> > Hi All,
> > 
> > This one has me stumped!
> > For some reason my Centos 5.8 x64 Linux server hangs during
> > "ipa-client-install"
> > 
> > Server:
> > * ipa-admintools-2.1.3-9.el6.x86_64
> > * ipa-client-2.1.3-9.el6.x86_64
> > * ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > * ipa-pki-common-theme-9.0.3-7.el6.noarch
> > * ipa-python-2.1.3-9.el6.x86_64
> > * ipa-server-2.1.3-9.el6.x86_64
> > * ipa-server-selinux-2.1.3-9.el6.x86_64
> > 
> > Client:
> > CentOS release 5.8 (Final) (x86_64)
> > * ipa-client-2.1.3-2.el5_8
> > * sssd-client-1.5.1-49.el5_8.1
> > 
> > Questions:
> > * Is there a better way to diagnose the ipa-getkeytab command? Perhaps I
> >   can run a native kerberos command? 
> > * Any tips welcome, I've tried straces and tcpdump to work this one out,
> >   hmm..
> > 
> > 
> > Error:
> > "ipa-client-install" runs fine and then hangs (without reason):
> > [below is the chopped version]
> > 
> > -------------------------------------------------------------------
> > [libdefaults]
> >   default_realm = EXAMPLE.COM
> >   dns_lookup_realm = true
> >   dns_lookup_kdc = true
> >   rdns = false
> >   ticket_lifetime = 24h
> >   forwardable = yes
> > 
> > [realms]
> >   EXAMPLE.COM = {
> >     pkinit_anchors = FILE:/etc/ipa/ca.crt
> >   }
> > 
> > [domain_realm]
> >   .example.com = EXAMPLE.COM
> >   example.com = EXAMPLE.COM
> > 
> > 
> > Password for admin at EXAMPLE.COM: 
> > root        : DEBUG    args=kinit admin at EXAMPLE.COM
> > root        : DEBUG    stdout=Password for admin at EXAMPLE.COM: 
> > 
> > root        : DEBUG    stderr=
> > -------------------------------------------------------------------
> > 
> > `ps -ef` on the client side, shows that the install is getting stuck on
> > "ipa-getkeytab" for some reasons.
> > 
> > root     15842 15814  0 15:09 pts/1    00:00:00 /usr/bin/python -E
> > /usr/sbin/ipa-client-install -d
> > 
> > root     15852 15842  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-join -s
> > ipa-server.example.com -b dc=example,dc=com -d
> > 
> > root     15853 15852  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-getkeytab
> > -s ipa-server.example.com -p
> > host/client.example.com at EXAMPLE.COM -k /etc/krb5.keytab
> > 
> > 
> > cya
> > 
> > Craig
> > 
> 
> Hello Craig,
> 
> I think that in this case, strace may be a good choice to find out where
> it hangs. I assume you already have the IPA server installed and you are
> trying to install IPA client on different machine.
yes that is correct
> 
> If you run ipa-getkeytab with strace separately from ipa-client-install
> you can test where it hangs. You can use any principal existing in IPA
> server, including host/client.example.com at EXAMPLE.COM if the host entry
> exists.
> 
> To authenticate with ipa-getkeytab on a machine where ipa-client-install
> was unsuccessful you can either manually configure /etc/krb5.conf to use
> the IPA server KDC and run kinit, or you could use the "-D BINDDN -w PASSWORD"
> options to authenticate via LDAP bind.
Here's what I did. I'm not sure which part fixed it, but everything works
fine now!

Steps followed:

1) Found an old policy referring to this client in the kerberos
database, Naturally I deleted this.

2) Fixed up the /etc/krb5.conf on the client & ran the ipa-getkeytab
command (using an existing host principal). To my surprise this worked.

# /usr/sbin/ipa-getkeytab -s sysvm-ipa.example.com -p \
    host/craigpc.example.com@EXAMPLE.COM -k /etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab

3) re-run the ipa-client-install
It worked first time and problem solved. 

Any thoughts on the actual issue? could it have been the old policy
entry?

4) local keytab file
The local keytab file looks fine now, I assume that there is an easy way
to delete the craigpc principal entry? 

$ sudo klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   2 host/craigpc.example.com at EXAMPLE.COM
   2 host/craigpc.example.com at EXAMPLE.COM
   2 host/craigpc.example.com at EXAMPLE.COM
   2 host/craigpc.example.com at EXAMPLE.COM
   2 host/craigpc.example.com at EXAMPLE.COM
   1 host/client.example.com at EXAMPLE.COM
   1 host/client.example.com at EXAMPLE.COM
   1 host/client.example.com at EXAMPLE.COM
   1 host/client.example.com at EXAMPLE.COM
   1 host/client.example.com at EXAMPLE.COM

> 
> Martin
> 

cya

Craig



From mkosek at redhat.com  Wed May 30 05:55:16 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 30 May 2012 07:55:16 +0200
Subject: [Freeipa-users] ipa-client-install hangs on ipa-getkeytab -
 Fixed!!
In-Reply-To: <20120530040211.GA20108@noboost.org>
References: <20120528062120.GA21730@noboost.org>
	<1338274843.30643.6.camel@balmora.brq.redhat.com>
	<20120530040211.GA20108@noboost.org>
Message-ID: <1338357316.3112.8.camel@priserak>

On Wed, 2012-05-30 at 08:02 +0400, freeipa at noboost.org wrote:
> On Tue, May 29, 2012 at 09:00:43AM +0200, Martin Kosek wrote:
> > On Mon, 2012-05-28 at 10:21 +0400, freeipa at noboost.org wrote:
> > > Hi All,
> > > 
> > > This one has me stumped!
> > > For some reason my Centos 5.8 x64 Linux server hangs during
> > > "ipa-client-install"
> > > 
> > > Server:
> > > * ipa-admintools-2.1.3-9.el6.x86_64
> > > * ipa-client-2.1.3-9.el6.x86_64
> > > * ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > > * ipa-pki-common-theme-9.0.3-7.el6.noarch
> > > * ipa-python-2.1.3-9.el6.x86_64
> > > * ipa-server-2.1.3-9.el6.x86_64
> > > * ipa-server-selinux-2.1.3-9.el6.x86_64
> > > 
> > > Client:
> > > CentOS release 5.8 (Final) (x86_64)
> > > * ipa-client-2.1.3-2.el5_8
> > > * sssd-client-1.5.1-49.el5_8.1
> > > 
> > > Questions:
> > > * Is there a better way to diagnose the ipa-getkeytab command? Perhaps I
> > >   can run a native kerberos command? 
> > > * Any tips welcome, I've tried straces and tcpdump to work this one out,
> > >   hmm..
> > > 
> > > 
> > > Error:
> > > "ipa-client-install" runs fine and then hangs (without reason):
> > > [below is the chopped version]
> > > 
> > > -------------------------------------------------------------------
> > > [libdefaults]
> > >   default_realm = EXAMPLE.COM
> > >   dns_lookup_realm = true
> > >   dns_lookup_kdc = true
> > >   rdns = false
> > >   ticket_lifetime = 24h
> > >   forwardable = yes
> > > 
> > > [realms]
> > >   EXAMPLE.COM = {
> > >     pkinit_anchors = FILE:/etc/ipa/ca.crt
> > >   }
> > > 
> > > [domain_realm]
> > >   .example.com = EXAMPLE.COM
> > >   example.com = EXAMPLE.COM
> > > 
> > > 
> > > Password for admin at EXAMPLE.COM: 
> > > root        : DEBUG    args=kinit admin at EXAMPLE.COM
> > > root        : DEBUG    stdout=Password for admin at EXAMPLE.COM: 
> > > 
> > > root        : DEBUG    stderr=
> > > -------------------------------------------------------------------
> > > 
> > > `ps -ef` on the client side, shows that the install is getting stuck on
> > > "ipa-getkeytab" for some reasons.
> > > 
> > > root     15842 15814  0 15:09 pts/1    00:00:00 /usr/bin/python -E
> > > /usr/sbin/ipa-client-install -d
> > > 
> > > root     15852 15842  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-join -s
> > > ipa-server.example.com -b dc=example,dc=com -d
> > > 
> > > root     15853 15852  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-getkeytab
> > > -s ipa-server.example.com -p
> > > host/client.example.com at EXAMPLE.COM -k /etc/krb5.keytab
> > > 
> > > 
> > > cya
> > > 
> > > Craig
> > > 
> > 
> > Hello Craig,
> > 
> > I think that in this case, strace may be a good choice to find out where
> > it hangs. I assume you already have the IPA server installed and you are
> > trying to install IPA client on different machine.
> yes that is correct
> > 
> > If you run ipa-getkeytab with strace separately from ipa-client-install
> > you can test where it hangs. You can use any principal existing in IPA
> > server, including host/client.example.com at EXAMPLE.COM if the host entry
> > exists.
> > 
> > To authenticate with ipa-getkeytab on a machine where ipa-client-install
> > was unsuccessful you can either manually configure /etc/krb5.conf to use
> > the IPA server KDC and run kinit, or you could use the "-D BINDDN -w PASSWORD"
> > options to authenticate via LDAP bind.
> Here's what I did. I'm not sure which part fixed it, but everything works
> fine now!

It's great to hear that.

> 
> Steps followed:
> 
> 1) Found an old policy referring to this client in the kerberos
> database, Naturally I deleted this.
> 
> 2) Fixed up the /etc/krb5.conf on the client & ran the ipa-getkeytab
> command (using an existing host principal). To my surprise this worked.
> 
> # /usr/sbin/ipa-getkeytab -s sysvm-ipa.example.com -p \
>     host/craigpc.example.com@EXAMPLE.COM -k /etc/krb5.keytab
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> 
> 3) re-run the ipa-client-install
> It worked first time and problem solved. 
> 
> Any thoughts on the actual issue? could it have been the old policy
> entry?

I am not a Kerberos guru, but I think it could have been possible. But
we would not know for sure until we have some reproducer for this issue
in our hands.

> 
> 4) local keytab file
> The local keytab file looks fine now, I assume that there is an easy way
> to delete the craigpc principal entry? 

You can use ipa-rmkeytab program to remove the unneeded principal
entries.

> 
> $ sudo klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/craigpc.example.com@EXAMPLE.COM
>    2 host/craigpc.example.com@EXAMPLE.COM
>    2 host/craigpc.example.com@EXAMPLE.COM
>    2 host/craigpc.example.com@EXAMPLE.COM
>    2 host/craigpc.example.com@EXAMPLE.COM
>    1 host/client.example.com@EXAMPLE.COM
>    1 host/client.example.com@EXAMPLE.COM
>    1 host/client.example.com@EXAMPLE.COM
>    1 host/client.example.com@EXAMPLE.COM
>    1 host/client.example.com@EXAMPLE.COM
> 
> > 
> > Martin
> > 
> 
> cya
> 
> Craig

HTH,
Martin
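
The keytab listing in Craig's message shows five lines per principal because `klist -k` prints one line per stored key and a FreeIPA host principal gets one key per enctype; `klist -ke` makes the enctypes visible. The following is an added example, not code from the thread or from FreeIPA: a parser and writer for the MIT keytab file format (version 0x0502) that reproduces that listing from a constructed keytab and then drops the stale `host/craigpc.example.com@EXAMPLE.COM` keys, which is the effect of the `ipa-rmkeytab -p` cleanup Martin points to. The sample entries, their timestamp and their key bytes are made up for the example; nothing here touches `/etc/krb5.keytab`.

```python
"""Parse and prune MIT Kerberos keytab files (format version 0x0502)."""
import struct
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key timestamp")

# Enctype numbers from RFC 3961/3962 and MIT krb5; names are for display only.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
KRB5_NT_PRINCIPAL = 1


def _counted(data):
    """16-bit big-endian length prefix, used for realm, name components and key bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def build_keytab(entries):
    """Serialize KeytabEntry objects into a v0x0502 keytab (every field big-endian)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)           # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # a negative size marks a deleted slot
    return bytes(out)


def parse_keytab(blob):
    """Return the live entries; slots whose size is negative (removed in place) are skipped."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (blob[:2],))
    entries, off = [], 2
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size == 0:
            break
        end = off + abs(size)
        if size < 0:
            off = end
            continue
        (ncomp,) = struct.unpack_from(">H", blob, off)
        realm, p = _read_counted(blob, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(blob, p)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, p)
        (enctype,) = struct.unpack_from(">H", blob, p + 9)
        key, p = _read_counted(blob, p + 11)
        kvno = vno8
        if end - p >= 4:                            # optional 32-bit kvno follows the key
            (vno32,) = struct.unpack_from(">I", blob, p)
            kvno = vno32 or vno8
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, enctype, key, timestamp))
        off = end
    return entries


def klist_lines(entries):
    """What `klist -ke` shows: one line per key, so five enctypes give five lines per principal."""
    return ["%4d %s (%s)" % (e.kvno, e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)))
            for e in entries]


def remove_principal(blob, principal):
    """Keytab without any key for `principal`. ipa-rmkeytab -p does the equivalent through
    libkrb5, which marks each matching slot deleted in place rather than rewriting the file."""
    return build_keytab([e for e in parse_keytab(blob) if e.principal != principal])


def sample_keytab():
    """Constructed keytab mirroring the thread's klist output: two host principals, five
    enctypes each, with dummy key bytes (not real keys)."""
    entries = []
    for principal, kvno in (("host/craigpc.example.com@EXAMPLE.COM", 2),
                            ("host/client.example.com@EXAMPLE.COM", 1)):
        for enctype in (18, 17, 16, 23, 1):
            entries.append(KeytabEntry(principal, kvno, enctype, bytes([enctype]) * 16, 1338364453))
    return build_keytab(entries)


if __name__ == "__main__":
    kt = sample_keytab()
    print("\n".join(klist_lines(parse_keytab(kt))))
    print("--- after removing the stale craigpc principal ---")
    stale = "host/craigpc.example.com@EXAMPLE.COM"
    print("\n".join(klist_lines(parse_keytab(remove_principal(kt, stale)))))
```

Run it as a script and the first listing has ten lines, two principals times five enctypes, exactly the shape of the `klist -k` output above. The stale host principal in a keytab is more than clutter: whoever holds those keys can still impersonate that host name to the KDC until the keys are removed from the keytab and the principal's keys are rotated on the server, so after an install that was retried under a different name, prune the keytab with `ipa-rmkeytab` rather than leaving the old entries in place.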



From ops at 100percentit.com  Wed May 30 09:22:48 2012
From: ops at 100percentit.com (Matt)
Date: Wed, 30 May 2012 10:22:48 +0100
Subject: [Freeipa-users] FreeIPA & Windows AD Replication
In-Reply-To: <4FC54A67.4070906@redhat.com>
References: <4FBB59E9.6060209@100percentit.com>
	<4FC385D0.2000404@100percentit.com>
	<4FC5093E.3000108@redhat.com> <4FC54A67.4070906@redhat.com>
Message-ID: <4FC5E6E8.10104@100percentit.com>

On 29/05/2012 23:15, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Matt wrote:
>>> Hi,
>>>
>>> Any ideas on where to look for more information? I have been unable to
>>> make any progress on this.
>>>
>>> Thanks
>>>
>>> On 22/05/2012 10:18, Matt wrote:
>>>> Hi,
>>>>
>>>> I am attempting to run replication between Windows AD (2008R2) and a
>>>> FreeIPA (2.2.0) server (fc-17) in a test setup.
>>>>
>>>> I have bound FreeIPA to the AD server 'successfully'
>>>>
>>>> [root@ipa2 cacerts]# ipa-replica-manage connect --winsync --binddn
>>>> "CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw 
>>>> --passsync  --cacert /etc/openldap/cacerts/AD.cer -v
>>>> ipa.100it.net -p 
>>>> Added CA certificate /etc/openldap/cacerts/AD.cer to certificate
>>>> database for ipa2.100it.net
>>>> ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
>>>> The user for the Windows PassSync service is
>>>> uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
>>>> Windows PassSync entry exists, not resetting password
>>>> ipa: INFO: Added new sync agreement, waiting for it to become ready .
>>>> . .
>>>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - System
>>>> error: start: 0: end: 0
>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>> Starting replication, please wait until this has completed.
>>>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>>> Failed to start replication
>>>>
>>>>
>>>>
>>>> The server now shows in the replica list:
>>>>
>>>> [root@ipa2 ~]# ipa-replica-manage list -p 
>>>> ipa.100it.net: winsync
>>>> ipa2.100it.net: master
>>>>
>>>>
>>>> But any attempts to re-initialise the connection result in the same
>>>> "[-11 - System error]" message:
>>>>
>>>> [root@ipa2 ~]# ipa-replica-manage re-initialize --from ipa.100it.net
>>>> -p 
>>>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>>>
>>>>
>>>> There are no messages that relate to the connection in event viewer
>>>> and nothing other than "[-11 - System error]" in any of the freeIPA
>>>> log files.
>>>>
>>>> Thanks
>>>> Matt
>>
>> This is a new one to me. I think we need to try to gather more
>> information on it. Can you enable replication debugging then try to
>> re-initialize it again?
>>
>> $ ldapmodify -x -D "cn=directory manager" -W
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-errorlog-level
>> nsslapd-errorlog-level: 8192
>>
>> Then to turn it off do basically the same thing:
>>
>> $ ldapmodify -x -D "cn=directory manager" -W
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-errorlog-level
>> nsslapd-errorlog-level: 0
>>
>> The log output should go to the 389-ds error log.
>>
>> rob
>
> Turns out the code is an LDAP return code which in this case means 
> connection error. Still not a lot to go on but it's something.
>
> Can you see if there is a firewall in between? You might also want to 
> try ldapsearch to see if you can connect to the AD server.
>
> We test the connection early on. I'm not sure why it would fail in the 
> middle like this.
>
> rob

Hi Rob,

Thanks for the info. Once debugging was turned on it was obvious to me.

[30/May/2012:08:54:38 +0100] slapi_ldap_bind - Error: could not send 
startTLS request: error -11 (Connect error) errno 0 (Success)
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - 
agmt="cn=meToipa.100it.net" (ipa:389): Replication bind with SIMPLE auth 
failed: LDAP error -11 (Connect error) (TLS: hostname does not match CN 
in peer certificate)

Connecting to the host with OpenSSL gives CN=WIN-LKC2MQ44IMG.IPA.100it.net

Reconnecting to the correct hostname completed successfully.

[root@ipa2 ~]# ipa-replica-manage connect --winsync --binddn 
"CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw  
--passsync  --cacert /etc/openldap/cacerts/AD.cer -v 
WIN-LKC2MQ44IMG.IPA.100it.net -p 
Added CA certificate /etc/openldap/cacerts/AD.cer to certificate 
database for ipa2.100it.net
ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica 
acquired successfully: Incremental update started: start: 
20120530090434Z: end: 20120530090434Z
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'ipa2.100it.net' to 'WIN-LKC2MQ44IMG.IPA.100it.net'

That's what I get for trying to be quick.

Thanks
Matt
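
Two things in this exchange are worth automating: reading the replication error log for the real reason behind an opaque `-11 - System error` (the bind failed because the name in the agreement did not match the peer certificate's CN), and checking a candidate hostname against a certificate's names before creating the agreement so the fix is a correct FQDN rather than relaxed certificate checking. The following is an added example, not FreeIPA or 389-ds code. Its log excerpt is constructed from the lines quoted in this thread and in the attached debug log, and the certificate CN is the one Matt read out with OpenSSL; in practice you would feed it the real errors log and the names from `openssl s_client`. It also flags a side effect of the debugging Rob suggested: at `nsslapd-errorlog-level: 8192` the server writes the agreement's bind password to the log in its reversible `{DES}` storage form (the server must present the plaintext when binding, so this is not a hash), which is why the level should go back to 0 afterwards and the log file should be treated as a secret.

```python
"""Triage a 389-ds replication bind failure and check the agreement host against
the peer certificate's names."""
import re
from collections import namedtuple

# Constructed excerpt modelled on the errors log attached to this thread.
SAMPLE_ERRORS_LOG = """\
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Trying secure startTLS slapi_ldap_init_ext
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): binddn = CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net,  passwd = {DES}LxIFEAu4i3c=
[30/May/2012:08:54:37 +0100] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS: hostname does not match CN in peer certificate)
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - windows_acquire_replica returned transient_error (105)
"""

BindFailure = namedtuple("BindFailure", "timestamp agreement host port mech code error detail")

BIND_FAIL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<host>[^:)]+):(?P<port>\d+)\): Replication bind with (?P<mech>\S+) auth failed: '
    r'LDAP error (?P<code>-?\d+) \((?P<error>[^)]*)\)(?: \((?P<detail>[^)]*)\))?')

# Debug-level line that carries the agreement credential in its stored ({DES}, {AES}, ...) form.
PASSWD_LEAK_RE = re.compile(r'binddn = .*?,\s+passwd = \{(?P<scheme>[A-Z0-9]+)\}\S+')


def find_bind_failures(log_text):
    """One BindFailure per 'Replication bind ... failed' line in the log."""
    out = []
    for line in log_text.splitlines():
        m = BIND_FAIL_RE.match(line)
        if m:
            out.append(BindFailure(m["ts"], m["agmt"], m["host"], int(m["port"]), m["mech"],
                                   int(m["code"]), m["error"], m["detail"] or ""))
    return out


def leaked_credential_schemes(log_text):
    """Storage schemes of any agreement bind password written to the log (empty if none).
    The value is reversibly encrypted, not hashed, so it is as sensitive as the password."""
    return sorted({m["scheme"] for m in PASSWD_LEAK_RE.finditer(log_text)})


def hostname_matches(hostname, san_dns_names, subject_cn):
    """RFC 6125 style check of the kind the LDAP client library performs before the bind:
    dNSName SANs are authoritative when present, the subject CN counts only when there are
    none, and a wildcard covers exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    candidates = [n.lower().rstrip(".") for n in san_dns_names] or [subject_cn.lower()]
    for cand in candidates:
        if cand.startswith("*."):
            if "." in host and "*" not in host and host.split(".", 1)[1] == cand[2:]:
                return True
        elif cand == host:
            return True
    return False


def diagnose(log_text, peer_cn, peer_san=()):
    """Explain each bind failure; for a TLS name mismatch say what the certificate accepts."""
    findings = []
    for f in find_bind_failures(log_text):
        if "hostname does not match" in f.detail:
            ok = hostname_matches(f.host, peer_san, peer_cn)
            findings.append("%s: agreement targets %r but certificate names are %s%s" % (
                f.agreement, f.host, list(peer_san) or [peer_cn],
                "" if ok else "; recreate the agreement with the certificate's FQDN, "
                              "do not relax name checking"))
        else:
            findings.append("%s: %s auth to %s:%d failed with LDAP %d (%s)" % (
                f.agreement, f.mech, f.host, f.port, f.code, f.error))
    schemes = leaked_credential_schemes(log_text)
    if schemes:
        findings.append("log contains the agreement bind password in %s form; set "
                        "nsslapd-errorlog-level back to 0 and treat this log file as a secret"
                        % ", ".join(schemes))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ERRORS_LOG, peer_cn="WIN-LKC2MQ44IMG.IPA.100it.net"):
        print(finding)
```

The name comparison is case-insensitive and SAN-first on purpose: a certificate issued for the DC's real name `WIN-LKC2MQ44IMG.IPA.100it.net` will never validate an agreement that points at the alias `ipa.100it.net`, and the right remedy is the one Matt applied (use the name on the certificate, or reissue the certificate with the alias as a SAN), not disabling hostname verification on the replication connection, which would leave the bind credential exposed to anyone who can answer for that name.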



From ops at 100percentit.com  Wed May 30 09:22:34 2012
From: ops at 100percentit.com (Matt)
Date: Wed, 30 May 2012 10:22:34 +0100
Subject: [Freeipa-users] FreeIPA & Windows AD Replication
In-Reply-To: <4FC54A67.4070906@redhat.com>
References: <4FBB59E9.6060209@100percentit.com>
	<4FC385D0.2000404@100percentit.com>
	<4FC5093E.3000108@redhat.com> <4FC54A67.4070906@redhat.com>
Message-ID: <4FC5E6DA.5060308@100percentit.com>

-------------- next part --------------
[30/May/2012:08:54:36 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:36 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:36 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): No linger to cancel on the connection
[30/May/2012:08:54:36 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Disconnected from the consumer
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): windows_inc_stop: protocol stopped after 1 seconds
[30/May/2012:08:54:37 +0100] - acquire_replica, supplier RUV:
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - supplier: {replicageneration} 4fba4415000000030000
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa2.100it.net:389} 4fba4415000100030000 4fc5d225000d00030000 4fc5d225
[30/May/2012:08:54:37 +0100] - acquire_replica, consumer RUV:
[30/May/2012:08:54:37 +0100] - acquire_replica, consumer RUV = null
[30/May/2012:08:54:37 +0100] - acquire_replica, supplier RUV is newer
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Trying secure startTLS slapi_ldap_init_ext
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): binddn = CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net,  passwd = {DES}LxIFEAu4i3c=
[30/May/2012:08:54:37 +0100] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS: hostname does not match CN in peer certificate)
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Disconnected from the consumer
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Beginning linger on the connection
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): No linger on the closed conn
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): No linger to cancel on the connection
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Disconnected from the consumer
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: start -> ready_to_acquire_replica
[30/May/2012:08:54:37 +0100] - acquire_replica, supplier RUV:
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - supplier: {replicageneration} 4fba4415000000030000
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa2.100it.net:389} 4fba4415000100030000 4fc5d225000d00030000 4fc5d225
[30/May/2012:08:54:37 +0100] - acquire_replica, consumer RUV:
[30/May/2012:08:54:37 +0100] - acquire_replica, consumer RUV = null
[30/May/2012:08:54:37 +0100] - acquire_replica, supplier RUV is newer
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Trying secure startTLS slapi_ldap_init_ext
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): binddn = CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net,  passwd = {DES}LxIFEAu4i3c=
[30/May/2012:08:54:37 +0100] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS: hostname does not match CN in peer certificate)
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Disconnected from the consumer
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Beginning linger on the connection
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): No linger on the closed conn
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - windows_acquire_replica returned transient_error (105)
[30/May/2012:08:54:37 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: ready_to_acquire_replica -> start_backoff
[30/May/2012:08:54:38 +0100] - _csngen_adjust_local_time: gen state before 4fc5d225000f:1338364453:0:0
[30/May/2012:08:54:38 +0100] - _csngen_adjust_local_time: gen state after 4fc5d23e0000:1338364478:0:0
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000000030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000000030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000100030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=accounts,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000100030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000200030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=users,cn=accounts,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000200030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000300030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=groups,cn=accounts,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000300030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000400030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=services,cn=accounts,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000400030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000500030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=computers,cn=accounts,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000500030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000600030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=hostgroups,cn=accounts,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000600030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000700030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=alt,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000700030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000800030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=ng,cn=alt,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000800030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000900030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=automount,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000900030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: start_backoff -> backoff
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000a00030000 into pending list
[30/May/2012:08:54:38 +0100] - acquire_replica, supplier RUV:
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - supplier: {replicageneration} 4fba4415000000030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa2.100it.net:389} 4fba4415000100030000 4fc5d225000d00030000 4fc5d225
[30/May/2012:08:54:38 +0100] - acquire_replica, consumer RUV:
[30/May/2012:08:54:38 +0100] - acquire_replica, consumer RUV = null
[30/May/2012:08:54:38 +0100] - acquire_replica, supplier RUV is newer
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Trying secure startTLS slapi_ldap_init_ext
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): binddn = CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net,  passwd = {DES}LxIFEAu4i3c=
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=default,cn=automount,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000a00030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000b00030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry automountmapname=auto.master,cn=default,cn=automount,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000b00030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000c00030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry automountmapname=auto.direct,cn=default,cn=automount,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000c00030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000d00030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry description=/- auto.direct,automountmapname=auto.master,cn=default,cn=automount,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000d00030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000e00030000 into pending list
[30/May/2012:08:54:38 +0100] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS: hostname does not match CN in peer certificate)
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Disconnected from the consumer
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Beginning linger on the connection
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): No linger on the closed conn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Replication session backing off for 8 seconds
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=hbac,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000e00030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e000f00030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=hbacservices,cn=hbac,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e000f00030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001000030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=hbacservicegroups,cn=hbac,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e001000030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001100030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=sudo,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e001100030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001200030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=sudocmds,cn=sudo,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e001200030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001300030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=sudocmdgroups,cn=sudo,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e001300030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001400030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=sudorules,cn=sudo,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e001400030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001500030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=etc,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e001500030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001600030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=sysaccounts,cn=etc,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e001600030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001700030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=entitlements,cn=etc,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e001700030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001800030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=ipa,cn=etc,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e001800030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001900030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=masters,cn=ipa,cn=etc,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e001900030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001a00030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=replicas,cn=ipa,cn=etc,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e001a00030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001b00030000 into pending list
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - Purged state information from entry cn=dna,cn=ipa,cn=etc,dc=100it,dc=net up to CSN 4fbc97a5000d00030000
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -  csn=4fc5d23e001b00030000 process postop: canceling operation csn
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23e001c00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f001f00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Remove Hosts,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f001f00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002000030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Hosts,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002000030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002100030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002100030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002200030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add Hostgroups,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002200030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002300030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002300030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002400030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002400030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002500030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002500030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002600030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add Services,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002600030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002700030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Remove Services,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002700030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002800030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Services,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002800030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002900030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add Roles,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002900030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002a00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Remove Roles,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002a00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002b00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Roles,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002b00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002c00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Role membership,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002c00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002d00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify privilege membership,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002d00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002e00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add Automount maps,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002e00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f002f00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Remove Automount maps,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f002f00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003000030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add Automount keys,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003000030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003100030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Remove Automount keys,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003100030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003200030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add netgroups,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003200030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003300030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Remove netgroups,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003300030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003400030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify netgroups,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003400030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003500030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003500030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003600030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Manage host keytab,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003600030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003700030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Manage service keytab,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003700030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003800030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Enroll a host,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003800030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003900030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003900030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003a00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003a00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003b00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003b00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003c00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Register Entitlements,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003c00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003d00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Read Entitlements,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003d00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003e00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Write Entitlements,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003e00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f003f00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=virtual operations,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f003f00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004000030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=retrieve certificate,cn=virtual operations,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004000030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004100030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004100030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004200030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=request certificate,cn=virtual operations,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004200030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004300030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Request Certificate,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004300030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004400030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=request certificate different host,cn=virtual operations,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004400030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004500030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004500030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004600030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=certificate status,cn=virtual operations,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004600030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004700030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004700030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004800030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=revoke certificate,cn=virtual operations,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004800030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004900030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Revoke Certificate,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004900030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004a00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=certificate remove hold,cn=virtual operations,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004a00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004b00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004b00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004c00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Managed Entries,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004c00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004d00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Templates,cn=Managed Entries,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004d00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004e00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Definitions,cn=Managed Entries,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004e00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f004f00030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f004f00030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f005000030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f005000030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f005100030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f005100030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f005200030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f005200030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f005300030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry uid=sudo,cn=sysaccounts,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f005300030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f005400030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=automember,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f005400030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f005500030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Hostgroup,cn=automember,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f005500030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f005600030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Group,cn=automember,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f005600030000 process postop: canceling operation csn
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d23f005700030000 into pending list
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin - Purged state information from entry cn=ipa2.100it.net,cn=masters,cn=ipa,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:39 +0100] NSMMReplicationPlugin -  csn=4fc5d23f005700030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] - _csngen_adjust_local_time: gen state before 4fc5d23f0058:1338364479:0:0
[30/May/2012:08:54:40 +0100] - _csngen_adjust_local_time: gen state after 4fc5d2400000:1338364480:0:0
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000000030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=CA,cn=ipa2.100it.net,cn=masters,cn=ipa,cn=etc,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000000030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000100030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry krbprincipalname=dogtagldap/ipa2.100it.net at 100IT.NET,cn=services,cn=accounts,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000100030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000200030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=kerberos,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000200030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000300030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=100IT.NET,cn=kerberos,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000300030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000400030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=global_policy,cn=100IT.NET,cn=kerberos,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000400030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000500030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry krbPrincipalName=K/M at 100IT.NET,cn=100IT.NET,cn=kerberos,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000500030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000600030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry krbPrincipalName=krbtgt/100IT.NET at 100IT.NET,cn=100IT.NET,cn=kerberos,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000600030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000700030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry krbPrincipalName=kadmin/ipa2.100it.net at 100IT.NET,cn=100IT.NET,cn=kerberos,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000700030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000800030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry krbPrincipalName=kadmin/admin at 100IT.NET,cn=100IT.NET,cn=kerberos,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000800030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000900030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry krbPrincipalName=kadmin/changepw at 100IT.NET,cn=100IT.NET,cn=kerberos,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000900030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000a00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry krbprincipalname=ldap/ipa2.100it.net at 100IT.NET,cn=services,cn=accounts,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000a00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000b00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry fqdn=ipa2.100it.net,cn=computers,cn=accounts,dc=100it,dc=net up to CSN 4fbc97bf001200030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 4fc5d240000b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000c00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=KDC,cn=ipa2.100it.net,cn=masters,cn=ipa,cn=etc,dc=100it,dc=net up to CSN 4fbc97c0000b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000c00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000d00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=KPASSWD,cn=ipa2.100it.net,cn=masters,cn=ipa,cn=etc,dc=100it,dc=net up to CSN 4fbc97c0000b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000d00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000e00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=MEMCACHE,cn=ipa2.100it.net,cn=masters,cn=ipa,cn=etc,dc=100it,dc=net up to CSN 4fbc97c0000b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000e00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240000f00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry krbprincipalname=HTTP/ipa2.100it.net at 100IT.NET,cn=services,cn=accounts,dc=100it,dc=net up to CSN 4fbc97c0000b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240000f00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001000030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=HTTP,cn=ipa2.100it.net,cn=masters,cn=ipa,cn=etc,dc=100it,dc=net up to CSN 4fbc97c0000b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001000030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001100030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry ou=profile,dc=100it,dc=net up to CSN 4fbc97c0000b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001100030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001200030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=anonymous-limits,cn=etc,dc=100it,dc=net up to CSN 4fbc97c0000b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001200030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001300030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=default,ou=profile,dc=100it,dc=net up to CSN 4fbc97c0000b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001300030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001400030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=replication,cn=etc,dc=100it,dc=net up to CSN 4fbc97c0000b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001400030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001500030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Write IPA Configuration,cn=privileges,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0000b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 4fc5d240001500030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001600030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0001500030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001600030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001700030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=HBAC Administrator,cn=privileges,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0001500030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 4fc5d240001700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001800030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add HBAC rule,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0001700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001800030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001900030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0001700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001900030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001a00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0001700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001a00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001b00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0001700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001b00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001c00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add HBAC services,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0001700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001c00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001d00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Delete HBAC services,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0001700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001d00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001e00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0001700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001e00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240001f00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0001700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240001f00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002000030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0001700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002000030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002100030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Sudo Administrator,cn=privileges,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0001700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 4fc5d240002100030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002200030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add Sudo rule,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002100030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002200030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002300030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002100030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002300030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002400030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002100030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002400030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002500030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add Sudo command,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002100030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002500030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002600030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Delete Sudo command,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002100030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002600030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002700030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Sudo command,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002100030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002700030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002800030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add Sudo command group,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002100030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002800030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002900030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002100030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002900030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002a00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002100030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002a00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002b00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002100030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 4fc5d240002b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002c00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002c00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002d00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002d00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002e00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002e00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240002f00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240002f00030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240003000030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240003000030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240003100030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:40 +0100] - acquire_replica, supplier RUV:
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - supplier: {replicageneration} 4fba4415000000030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa2.100it.net:389} 4fba4415000100030000 4fc5d240002b00030000 4fc5d240
[30/May/2012:08:54:40 +0100] - acquire_replica, consumer RUV:
[30/May/2012:08:54:40 +0100] - acquire_replica, consumer RUV = null
[30/May/2012:08:54:40 +0100] - acquire_replica, supplier RUV is newer
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Trying secure startTLS slapi_ldap_init_ext
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): binddn = CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net,  passwd = {DES}LxIFEAu4i3c=
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240003100030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240003200030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240003200030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240003300030000 into pending list
[30/May/2012:08:54:40 +0100] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS: hostname does not match CN in peer certificate)
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Disconnected from the consumer
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Beginning linger on the connection
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): No linger on the closed conn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Replication session backing off for 17 seconds
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=SELinux User Map Administrators,cn=privileges,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0002b00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 4fc5d240003300030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240003400030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0003300030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240003400030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240003500030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0003300030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240003500030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240003600030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0003300030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin -  csn=4fc5d240003600030000 process postop: canceling operation csn
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240003700030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0003300030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 4fc5d240003700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240003800030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=Modify Group membership,cn=privileges,cn=pbac,dc=100it,dc=net up to CSN 4fbc97c0003700030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 4fc5d240003800030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240003900030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=User Administrator,cn=roles,cn=accounts,dc=100it,dc=net up to CSN 4fbc97c0003800030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 4fc5d240003900030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240003a00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=IT Specialist,cn=roles,cn=accounts,dc=100it,dc=net up to CSN 4fbc97c0003900030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 4fc5d240003a00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 4fc5d240003b00030000 into pending list
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - Purged state information from entry cn=IT Security Specialist,cn=roles,cn=accounts,dc=100it,dc=net up to CSN 4fbc97c0003a00030000
[30/May/2012:08:54:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 2485d80 for database /var/lib/dirsrv/slapd-100IT-NET/cldb/80ff9902-a34911e1-a3c8c2cb-49335149_4fba4415000000030000.db4
[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff
[30/May/2012:08:54:46 +0100] - acquire_replica, supplier RUV:
[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - supplier: {replicageneration} 4fba4415000000030000
[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa2.100it.net:389} 4fba4415000100030000 4fc5d241000300030000 4fc5d241
[30/May/2012:08:54:46 +0100] - acquire_replica, consumer RUV:
[30/May/2012:08:54:46 +0100] - acquire_replica, consumer RUV = null
[30/May/2012:08:54:46 +0100] - acquire_replica, supplier RUV is newer
[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Trying secure startTLS slapi_ldap_init_ext
[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): binddn = CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net,  passwd = {DES}LxIFEAu4i3c=
[30/May/2012:08:54:46 +0100] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS: hostname does not match CN in peer certificate)
[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Disconnected from the consumer
[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Beginning linger on the connection
[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): No linger on the closed conn
[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Replication session backing off for 36 seconds

From rcritten at redhat.com  Wed May 30 13:11:14 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 May 2012 09:11:14 -0400
Subject: [Freeipa-users] FreeIPA & Windows AD Replication
In-Reply-To: <4FC5E6E8.10104@100percentit.com>
References: <4FBB59E9.6060209@100percentit.com>
	<4FC385D0.2000404@100percentit.com>
	<4FC5093E.3000108@redhat.com> <4FC54A67.4070906@redhat.com>
	<4FC5E6E8.10104@100percentit.com>
Message-ID: <4FC61C72.9030702@redhat.com>

Matt wrote:
> On 29/05/2012 23:15, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Matt wrote:
>>>> Hi,
>>>>
>>>> Any ideas on where to look for more information? I have been unable to
>>>> make any progress on this.
>>>>
>>>> Thanks
>>>>
>>>> On 22/05/2012 10:18, Matt wrote:
>>>>> Hi,
>>>>>
>>>>> I am attempting to run replication between Windows AD (2008R2) and a
>>>>> FreeIPA (2.2.0) server (fc-17) in a test setup.
>>>>>
>>>>> I have bound FreeIPA to the AD server 'successfully'
>>>>>
>>>>> [root at ipa2 cacerts]# ipa-replica-manage connect --winsync --binddn
>>>>> "CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw 
>>>>> --passsync  --cacert /etc/openldap/cacerts/AD.cer -v
>>>>> ipa.100it.net -p 
>>>>> Added CA certificate /etc/openldap/cacerts/AD.cer to certificate
>>>>> database for ipa2.100it.net
>>>>> ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
>>>>> The user for the Windows PassSync service is
>>>>> uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
>>>>> Windows PassSync entry exists, not resetting password
>>>>> ipa: INFO: Added new sync agreement, waiting for it to become ready .
>>>>> . .
>>>>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - System
>>>>> error: start: 0: end: 0
>>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>>> Starting replication, please wait until this has completed.
>>>>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>>>> Failed to start replication
>>>>>
>>>>>
>>>>>
>>>>> The server now shows in the replica list:
>>>>>
>>>>> [root at ipa2 ~]# ipa-replica-manage list -p 
>>>>> ipa.100it.net: winsync
>>>>> ipa2.100it.net: master
>>>>>
>>>>>
>>>>> But any attempts to re-initialise the connection result in the same
>>>>> "[-11 - System error]" message:
>>>>>
>>>>> [root at ipa2 ~]# ipa-replica-manage re-initialize --from ipa.100it.net
>>>>> -p 
>>>>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>>>>
>>>>>
>>>>> There are no messages that relate to the connection in event viewer
>>>>> and nothing other than "[-11 - System error]" in any of the freeIPA
>>>>> log files.
>>>>>
>>>>> Thanks
>>>>> Matt
>>>
>>> This is a new one to me. I think we need to try to gather more
>>> information on it. Can you enable replication debugging then try to
>>> re-initialize it again?
>>>
>>> $ ldapmodify -x -D "cn=directory manager" -W
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-errorlog-level
>>> nsslapd-errorlog-level: 8192
>>>
>>> Then to turn it off do basically the same thing:
>>>
>>> $ ldapmodify -x -D "cn=directory manager" -W
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-errorlog-level
>>> nsslapd-errorlog-level: 0
>>>
>>> The log output should go to the 389-ds error log.
>>>
>>> rob
>>
>> Turns out the code is an LDAP return code which in this case means
>> connection error. Still not a lot to go on but it's something.
>>
>> Can you see if there is a firewall in between? You might also want to
>> try ldapsearch to see if you can connect to the AD server.
>>
>> We test the connection early on. I'm not sure why it would fail in the
>> middle like this.
>>
>> rob
>
> Hi Rob,
>
> Thanks for the info. Once debugging was turned on it was obvious to me.
>
> [30/May/2012:08:54:38 +0100] slapi_ldap_bind - Error: could not send
> startTLS request: error -11 (Connect error) errno 0 (Success)
> [30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -
> agmt="cn=meToipa.100it.net" (ipa:389): Replication bind with SIMPLE auth
> failed: LDAP error -11 (Connect error) (TLS: hostname does not match CN
> in peer certificate)
>
> Connecting to the host with OpenSSL gives CN=WIN-LKC2MQ44IMG.IPA.100it.net
>
> Reconnecting to the correct hostname completed successfully.
>
> [root at ipa2 ~]# ipa-replica-manage connect --winsync --binddn
> "CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw 
> --passsync  --cacert /etc/openldap/cacerts/AD.cer -v
> WIN-LKC2MQ44IMG.IPA.100it.net -p 
> Added CA certificate /etc/openldap/cacerts/AD.cer to certificate
> database for ipa2.100it.net
> ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
> acquired successfully: Incremental update started: start:
> 20120530090434Z: end: 20120530090434Z
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Update succeeded
> Connected 'ipa2.100it.net' to 'WIN-LKC2MQ44IMG.IPA.100it.net'
>
> That's what I get for trying to be quick.
>
> Thanks
> Matt

Glad you got it working.

I asked the 389-ds team about these System errors and they determined 
that they could actually translate these into proper error messages. 
They filed ticket https://fedorahosted.org/389/ticket/388 to track this.

regards

rob
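An added example for this thread (not code from FreeIPA, 389-ds, or either poster): a small triage pass over replication debug output of the kind quoted above. It decodes the CSNs in the supplier RUV line and maps the bare `-11` to its OpenLDAP client-library name, which is the translation ticket 388 asks for; the sample log lines are constructed to mirror the ones in this thread, and the `LDAP_CLIENT_CODES` table is a hand-picked subset of the OpenLDAP client result codes.

```python
"""Triage 389-ds replication debug output (nsslapd-errorlog-level 8192).

Added example for this thread, not code from FreeIPA or 389-ds. Parses the
NSMMReplicationPlugin lines quoted above, decodes RUV CSNs, and names the
OpenLDAP client code so the TLS hostname mismatch is visible at a glance.
"""
import re
from datetime import datetime, timezone

# Negative codes come from the OpenLDAP client library, not from the remote
# server (RFC 4511 result codes are all >= 0). Subset, chosen for this example.
LDAP_CLIENT_CODES = {
    -1: "LDAP_SERVER_DOWN",
    -2: "LDAP_LOCAL_ERROR",
    -5: "LDAP_TIMEOUT",
    -11: "LDAP_CONNECT_ERROR",
    -12: "LDAP_NOT_SUPPORTED",
}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<body>.*)$")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:]+):(?P<port>\d+)\)')
STATE_RE = re.compile(r"State: (?P<frm>\S+) -> (?P<to>\S+)")
BIND_FAIL_RE = re.compile(
    r"Replication bind with (?P<auth>\S+) auth failed: LDAP error (?P<code>-?\d+) "
    r"\((?P<msg>[^)]*)\)(?: \((?P<detail>[^)]*)\))?"
)
RUV_RE = re.compile(
    r"\{replica (?P<rid>\d+) (?P<url>[^}]+)\} (?P<mincsn>[0-9a-f]{20}) (?P<maxcsn>[0-9a-f]{20})"
)

# Constructed sample, modelled on the supplier-side log quoted in this thread.
SAMPLE_LINES = [
    '[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): State: backoff -> backoff',
    '[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa2.100it.net:389} 4fba4415000100030000 4fc5d241000300030000 4fc5d241',
    '[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS: hostname does not match CN in peer certificate)',
    '[30/May/2012:08:54:46 +0100] NSMMReplicationPlugin - agmt="cn=meToipa.100it.net" (ipa:389): Replication session backing off for 36 seconds',
]


def decode_csn(csn):
    """Split a 20-hex-digit 389-ds CSN: 8 digits Unix time, 4 sequence number,
    4 replica id, 4 sub-sequence. The time field is where clock skew between
    replicas shows up; the replica id must agree with the RUV element."""
    if len(csn) != 20:
        raise ValueError(f"CSN must be 20 hex digits, got {csn!r}")
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def triage(lines):
    """Collect agreement states, bind failures and RUV elements from log lines."""
    report = {"agreements": {}, "bind_failures": [], "ruv": []}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, body = m.group("ts"), m.group("body")
        a = AGMT_RE.search(body)
        agmt = a.group("agmt") if a else None
        if a:
            entry = report["agreements"].setdefault(
                agmt, {"consumer": f"{a.group('host')}:{a.group('port')}", "states": []})
            s = STATE_RE.search(body)
            if s:
                entry["states"].append(s.group("to"))
        b = BIND_FAIL_RE.search(body)
        if b:
            code = int(b.group("code"))
            detail = b.group("detail") or ""
            report["bind_failures"].append({
                "time": ts, "agmt": agmt, "auth": b.group("auth"), "code": code,
                "name": LDAP_CLIENT_CODES.get(code, "unknown"),
                "message": b.group("msg"), "detail": detail,
                "hostname_mismatch": "hostname does not match" in detail,
            })
        r = RUV_RE.search(body)
        if r:
            report["ruv"].append({
                "rid": int(r.group("rid")), "url": r.group("url"),
                "min": decode_csn(r.group("mincsn")), "max": decode_csn(r.group("maxcsn")),
            })
    return report


def summarize(report):
    """Turn the parsed report into one-line findings."""
    findings = []
    for agmt, info in report["agreements"].items():
        if info["states"] and set(info["states"]) == {"backoff"}:
            findings.append(f"{agmt}: agreement never leaves 'backoff' towards {info['consumer']}")
    for f in report["bind_failures"]:
        if f["hostname_mismatch"]:
            findings.append(f"{f['agmt']} at {f['time']}: {f['name']} ({f['code']}) from the TLS "
                            "name check; the consumer was addressed by a name not in its certificate")
        else:
            findings.append(f"{f['agmt']} at {f['time']}: {f['name']} ({f['code']}): {f['message']}")
    return findings
```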



From rcritten at redhat.com  Wed May 30 15:58:04 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 May 2012 11:58:04 -0400
Subject: [Freeipa-users] Fixed: time drift issue-- Re: Bug or feature?
 IPA replicas at the beginning can not see other replicas installed later
In-Reply-To: <1338339761.67944.YahooMailNeo@web125706.mail.ne1.yahoo.com>
References: <1337466392.94089.YahooMailNeo@web125701.mail.ne1.yahoo.com>
	<1337473756.35952.YahooMailNeo@web125705.mail.ne1.yahoo.com>
	<1338339761.67944.YahooMailNeo@web125706.mail.ne1.yahoo.com>
Message-ID: <4FC6438C.9080708@redhat.com>

David Copperfield wrote:
> Hi all,
>
> Sorry, this is a false IPA alarm. I've duplicated the same steps in the
> initial email and this time it works as expected.
>
> It is not a bug inside IPA; but most probably an issue with time
> drift/management of VMware Linux guests. After installation of VMware's
> patching tar ball to deal with time issues, the IPA installation works
> without a glitch.
>
> This is definitely a lesson on IPA installation: date/time control is
> the mandatory task.

Yes, time is very important for both replication and Kerberos.

Glad to hear you are back in business. Thanks for following up.

regards

rob

>
> Thanks.
>
> --David
>
>
>
>
>
> ------------------------------------------------------------------------
> *From:* David Copperfield 
> *To:* David Copperfield ; Rich Megginson
> ; "dpal at redhat.com" ; Rob
> Crittenden ; "freeipa-users at redhat.com"
> 
> *Sent:* Saturday, May 19, 2012 5:29 PM
> *Subject:* Re: [Freeipa-users] Bug or feature? IPA replicas at the
> beginning can not see other replicas installed later
>
> Hi all,
>
> I tried another way below to install replicas one by one, and this time
> it works as expected -- all replicas, installed at the beginning and
> later, all see everyone.
>
> 1, install Master A, restart IPA service.
>
> 2, prepare replication file and install Replica B, restart IPA service
> on B, then A.
>
> 3, prepare replication file and install Replica C, restart IPA services
> on C, then B, then A.
>
> 4, prepare replication file and install Replica D, restart IPA services
> on D, then C, then B, then A.
>
> Now all IPA servers can see all.
>
> The major differences from the steps included in the former emails:
>
> 1, create replication info files at different times. This time the
> file(s) are created at every step, as opposed to all at the same time
> before the first replica is installed.
>
> 2, restart IPA services after each replica installation. The intention
> is to sync replication information at IPA services startup.
>
> 3, Misc. Before installation of the IPA master and all replicas, I synced
> the time difference to within one second across them, and then rebooted
> all servers A, B, C and D. Double-checked that the time difference is
> still within one second.
>
> Not sure whether this is related to the IPA replication info file
> preparation timing, the IPA services restarts, or other preparation work,
> but it will do no harm if someone else can duplicate the steps and see
> whether we end up with the same results.
>
> BTW, does anyone know how the replication servers info is propagated from
> one replica to another replica via the IPA master hub? How long it takes, etc.
>
> Thanks.
>
> --David
> ------------------------------------------------------------------------
> *From:* David Copperfield 
> *To:* Rich Megginson ; "dpal at redhat.com"
> ; Rob Crittenden 
> *Cc:* "freeipa-users at redhat.com" 
> *Sent:* Saturday, May 19, 2012 3:26 PM
> *Subject:* [Freeipa-users] Bug or feature? IPA replicas at the beginning
> can not see other replicas installed later
>
> Hi Rich, Rob and all,
>
> I'm trying to test the IPA replica restoration solutions, with a daily
> IPA replica backup, following your steps in another email. But I got
> interrupted by another problem that popped up. The problem is here (all IPA
> masters and replicas are 2.1.3 on Red Hat 6.2):
>
> The same setup is tested: A is the master, B, C, D are replicas. A works
> as a HUB, and B, C, D replicate with A directly and only.
>
> A
> / | \
> B C D
>
> The setup procedure is as the following:
>
> 1, Install A and restart IPA services (ipactl restart)
> 2, create replicas information files for B, C, D.
> 3, install replica B.
> 4, install replica C.
> 5, Install replica D.
>
> At this point, run 'ipa-replica-manage list' on A, B, C, D separately and
> we found the following odd results:
>
> 1, on Master A:
> see all A, B, C, D
>
> 2, on replica B: (the first installed replica)
> see only A, B
>
> 3, on replica C: (the second installed replica)
> see only A, B, C
>
> 4, on the replica D: (the last installed replica)
> see all A, B, C, D
> Wait for 10 minutes and check again: still no change; restart IPA
> services on A, B, C, D: still no change; reboot all A, B, C, D: still
> no change. Though the 'ipa-csreplica-manage list' command shows ALL
> A, B, C, D servers on all A, B, C, D servers.
>
> And so the command 'ipa-manage-list D' on replica C reports that 'D is
> not in the public server list.'
>
> The setup and testing environment takes no more than one hour to duplicate.
>
> Thanks.
>
> --Gelen
>
>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com 
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>



From rcritten at redhat.com  Wed May 30 16:01:21 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 May 2012 12:01:21 -0400
Subject: [Freeipa-users] ipa-client-install hangs on ipa-getkeytab -
	Fixed!!
In-Reply-To: <20120530040211.GA20108@noboost.org>
References: <20120528062120.GA21730@noboost.org>
	<1338274843.30643.6.camel@balmora.brq.redhat.com>
	<20120530040211.GA20108@noboost.org>
Message-ID: <4FC64451.5070201@redhat.com>

freeipa at noboost.org wrote:
> On Tue, May 29, 2012 at 09:00:43AM +0200, Martin Kosek wrote:
>> On Mon, 2012-05-28 at 10:21 +0400, freeipa at noboost.org wrote:
>>> Hi All,
>>>
>>> This one has me stumped!
>>> For some reason my Centos 5.8 x64 Linux server hangs during
>>> "ipa-client-install"
>>>
>>> Server:
>>> * ipa-admintools-2.1.3-9.el6.x86_64
>>> * ipa-client-2.1.3-9.el6.x86_64
>>> * ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> * ipa-pki-common-theme-9.0.3-7.el6.noarch
>>> * ipa-python-2.1.3-9.el6.x86_64
>>> * ipa-server-2.1.3-9.el6.x86_64
>>> * ipa-server-selinux-2.1.3-9.el6.x86_64
>>>
>>> Client:
>>> CentOS release 5.8 (Final) (x86_64)
>>> * ipa-client-2.1.3-2.el5_8
>>> * sssd-client-1.5.1-49.el5_8.1
>>>
>>> Questions:
>>> * Is there a better way to diagnose the ipa-getkeytab command? Perhaps I
>>>    can run a native kerberos command?
>>> * Any tips welcome, I've tried straces and tcpdump to work this one out,
>>>    hmm..
>>>
>>>
>>> Error:
>>> "ipa-client-install" runs fine and then hangs (without reason):
>>> [below is the chopped version]
>>>
>>> -------------------------------------------------------------------
>>> [libdefaults]
>>>    default_realm = EXAMPLE.COM
>>>    dns_lookup_realm = true
>>>    dns_lookup_kdc = true
>>>    rdns = false
>>>    ticket_lifetime = 24h
>>>    forwardable = yes
>>>
>>> [realms]
>>>    EXAMPLE.COM = {
>>>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>    }
>>>
>>> [domain_realm]
>>>    .example.com = EXAMPLE.COM
>>>    example.com = EXAMPLE.COM
>>>
>>>
>>> Password for admin at EXAMPLE.COM:
>>> root        : DEBUG    args=kinit admin at EXAMPLE.COM
>>> root        : DEBUG    stdout=Password for admin at EXAMPLE.COM:
>>>
>>> root        : DEBUG    stderr=
>>> -------------------------------------------------------------------
>>>
>>> `ps -ef` on the client side, shows that the install is getting stuck on
>>> "ipa-getkeytab" for some reason.
>>>
>>> root     15842 15814  0 15:09 pts/1    00:00:00 /usr/bin/python -E
>>> /usr/sbin/ipa-client-install -d
>>>
>>> root     15852 15842  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-join -s
>>> ipa-server.example.com -b dc=example,dc=com -d
>>>
>>> root     15853 15852  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-getkeytab
>>> -s ipa-server.example.com -p
>>> host/client.example.com at EXAMPLE.COM -k /etc/krb5.keytab
>>>
>>>
>>> cya
>>>
>>> Craig
>>>
>>
>> Hello Craig,
>>
>> I think that in this case, strace may be a good choice to find out where
>> it hangs. I assume you already have the IPA server installed and you are
>> trying to install IPA client on different machine.
> yes that is correct
>>
>> If you run ipa-getkeytab with strace separately from ipa-client-install
>> you can test where it hangs. You can use any principal existing in IPA
>> server, including host/client.example.com at EXAMPLE.COM if the host entry
>> exists.
>>
>> To authenticate with ipa-getkeytab on a machine where ipa-client-install
>> was unsuccessful you can either manually configure /etc/krb5.conf to use
>> IPA server KDC and run kinit or you could use "-D BINDDN -w PASSWORD"
>> options to authenticate via LDAP bind.
> Here's what I did, I'm not sure which part fixed it. But everything works
> fine now!
>
> Steps followed:
>
> 1) Found an old policy referring to this client in the kerberos
> database, Naturally I deleted this.
>
> 2) Fixed up the /etc/krb5.conf on the client & ran the ipa-getkeytab
> command (using an existing host principal). To my surprise this worked.
>
> # /usr/sbin/ipa-getkeytab -s sysvm-ipa.example.com -p \
> # host/craigpc.example.com at EXAMPLE.COM -k /etc/krb5.keytab
> # Keytab successfully retrieved and stored in: /etc/krb5.keytab
>
> 3) re-run the ipa-client-install
> It worked first time and problem solved.
>
> Any thoughts on the actual issue? could it have been the old policy
> entry?

Can you provide any more information on what this policy was and where 
it was stored?

rob

>
> 4) local keytab file
> The local keytab file looks fine now, I assume that there is an easy way
> to delete the craigpc principal entry?
>
> $ sudo klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>     2 host/craigpc.example.com at EXAMPLE.COM
>     2 host/craigpc.example.com at EXAMPLE.COM
>     2 host/craigpc.example.com at EXAMPLE.COM
>     2 host/craigpc.example.com at EXAMPLE.COM
>     2 host/craigpc.example.com at EXAMPLE.COM
>     1 host/client.example.com at EXAMPLE.COM
>     1 host/client.example.com at EXAMPLE.COM
>     1 host/client.example.com at EXAMPLE.COM
>     1 host/client.example.com at EXAMPLE.COM
>     1 host/client.example.com at EXAMPLE.COM
>
>>
>> Martin
>>
>
> cya
>
> Craig
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
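
An added example, not code from the thread, FreeIPA or MIT Kerberos, for the keytab question Craig raises in point 4 above. The five rows per principal in his klist output are one key per encryption type; the two principals at different KVNOs suggest the machine was enrolled under two hostnames, and every run of ipa-getkeytab generates fresh keys on the server, so only the newest KVNO of the host's real principal is still usable. The script parses `klist -k` output (a constructed copy of Craig's listing), reports which principal has which KVNOs, and builds a ktutil session that deletes the other entries. Assumptions: the host's own principal is host/client.example.com@EXAMPLE.COM, ktutil numbers the loaded slots in the same order klist prints them, and the cleaned keytab is written to /etc/krb5.keytab.new and moved into place afterwards.

```python
"""Spot stale principals in a keytab from `klist -k` output and build a ktutil clean-up script.

Added example, not code from the thread or from FreeIPA/MIT Kerberos.  The listing below is
constructed to match what Craig posted; the host's own principal and the output path are
assumptions.
"""
import re
from collections import defaultdict

# Constructed sample, shaped like `klist -k /etc/krb5.keytab` on Craig's client.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/craigpc.example.com@EXAMPLE.COM
   2 host/craigpc.example.com@EXAMPLE.COM
   2 host/craigpc.example.com@EXAMPLE.COM
   2 host/craigpc.example.com@EXAMPLE.COM
   2 host/craigpc.example.com@EXAMPLE.COM
   1 host/client.example.com@EXAMPLE.COM
   1 host/client.example.com@EXAMPLE.COM
   1 host/client.example.com@EXAMPLE.COM
   1 host/client.example.com@EXAMPLE.COM
   1 host/client.example.com@EXAMPLE.COM
"""

# Assumption: this box really is client.example.com; craigpc is a leftover enrollment name.
OWN_PRINCIPAL = "host/client.example.com@EXAMPLE.COM"

# One keytab row: "<kvno> <principal>"; header and separator lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return [(slot, kvno, principal)] in file order.

    slot is the 1-based index ktutil's `list` shows after `rkt` (assumption: ktutil loads
    entries in the same order klist prints them).
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((len(entries) + 1, int(m.group(1)), m.group(2)))
    return entries


def kvnos_by_principal(entries):
    """principal -> sorted KVNOs; one principal at several KVNOs means old keys are still kept."""
    seen = defaultdict(set)
    for _, kvno, principal in entries:
        seen[principal].add(kvno)
    return {p: sorted(v) for p, v in seen.items()}


def stale_slots(entries, own_principal):
    """Slots this host should not keep: foreign principals, or older KVNOs of its own principal."""
    own_kvnos = [k for _, k, p in entries if p == own_principal]
    current = max(own_kvnos) if own_kvnos else None
    return [slot for slot, kvno, p in entries
            if p != own_principal or (current is not None and kvno < current)]


def ktutil_script(entries, own_principal, src="/etc/krb5.keytab", dst="/etc/krb5.keytab.new"):
    """ktutil commands: delete stale slots highest-first (delent renumbers the slots after it),
    then write to a NEW file, because `wkt` appends to an existing keytab instead of replacing it."""
    lines = ["rkt %s" % src]
    lines += ["delent %d" % s for s in sorted(stale_slots(entries, own_principal), reverse=True)]
    lines += ["wkt %s" % dst, "quit"]
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    print(kvnos_by_principal(entries))
    print(ktutil_script(entries, OWN_PRINCIPAL))
    # then: chmod 600 /etc/krb5.keytab.new && mv /etc/krb5.keytab.new /etc/krb5.keytab
```

Feed the printed session to `ktutil` on stdin, check the result with `klist -k /etc/krb5.keytab.new` and `kinit -k` against the new file before moving it over the old one, and keep the old file until the host has proved it can still authenticate.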



From ben13ho at hotmail.com  Wed May 30 18:33:24 2012
From: ben13ho at hotmail.com (Ben Ho)
Date: Wed, 30 May 2012 14:33:24 -0400
Subject: [Freeipa-users] ipa user-add range error
Message-ID: 


Hello,
  I am trying to add a user to IPA and have been getting into some issues.  Basically, I run this command:
  ipa user-add username --email=example at example.com

  I put in the first and last name (works fine), however, I then get this error message displayed:
  ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.

Looking into my error logs, I see this:
[30/May/2012:13:27:52 -0400] dna-plugin - dna_get_next_value: no more values available!!
[30/May/2012:13:52:07 -0400] dna-plugin - dna_get_next_value: no more values available!!

This is also my LDAP structure and settings:
cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

dnafilter: (|(objectclass=posixAccount)(objectClass=posixGroup))
dnamagicregen: 999
dnamaxvalue: 1100
dnanextvalue: 1101
dnascope: dc=ecg,dc=mit,dc=edu
dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
dnathreshold: 500
dnatype: gidNumber
dnatype: uidNumber


Do I need to increase the dnamaxvalue in order to add in a user?  Or is there another solution to this?
Thanks - any help would be appreciated!
-Ben

From simo at redhat.com  Wed May 30 18:39:32 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 30 May 2012 14:39:32 -0400
Subject: [Freeipa-users] ipa user-add range error
In-Reply-To: 
References: 
Message-ID: <1338403172.8230.42.camel@willson.li.ssimo.org>

On Wed, 2012-05-30 at 14:33 -0400, Ben Ho wrote:
> Hello,
> 
>   I am trying to add a user to IPA and have been getting into some
> issues.  Basically, I run this command:
>   ipa user-add username --email=example at example.com
> 
> 
>   I put in the first and last name (works fine), however, I then get
> this error message displayed:
>   ipa: ERROR: Operations error: Allocation of a new value for range
> cn=posix ids,cn=distributed numeric assignment
> plugin,cn=plugins,cn=config failed! Unable to proceed.
> 
> 
> 
> 
> Looking into my error logs, I see this:
> [30/May/2012:13:27:52 -0400] dna-plugin - dna_get_next_value: no more
> values available!!
> [30/May/2012:13:52:07 -0400] dna-plugin - dna_get_next_value: no more
> values available!!
> 
> 
> 
> 
> This is also my LDAP structure and settings:
> cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> 
> dnafilter: (|(objectclass=posixAccount)(objectClass=posixGroup))
> dnamagicregen: 999
> dnamaxvalue: 1100
> dnanextvalue: 1101
> dnascope: dc=ecg,dc=mit,dc=edu
> dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
> dnathreshold: 500
> dnatype: gidNumber
> dnatype: uidNumber
> 
> 
> 
Did you manually set a very small range at install time ? 
> 
> 
> 
> Do I need to increase the dnamaxvalue in order to add in a user?  Or
> is there another solution to this?


You will need to add a new range.

See 5.4.2. Adding New Ranges here:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> 
> Thanks - any help would be appreciated!
> 


-- 
Simo Sorce * Red Hat, Inc * New York
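
An added example, not code from the thread, FreeIPA or the Red Hat guide Simo points at, showing what the posted entry says and how to pick the follow-on range safely. With dnanextvalue 1101 and dnamaxvalue 1100 the range has zero values left, which is exactly what dna_get_next_value logs. The part worth doing carefully is choosing the new block: it has to sit above every uidNumber/gidNumber already in the tree (including any set by hand outside the range), must not contain the dnamagicregen value, and must not overlap a range another replica or directory owns, otherwise two accounts end up with the same POSIX ID. The entry text is constructed from Ben's post (with a dn line added); the in-use IDs and the other replica's range are invented, and the dnaNextRange attribute in the generated LDIF is an assumption about how the 389-ds DNA plugin is told about the next block.

```python
"""Check an exhausted IPA/389-ds DNA range and propose a non-overlapping follow-on range.

Added example, not code from the thread or from FreeIPA.  The entry text below is
constructed from what Ben posted; the in-use ID set and the other range are invented.
"""

# Constructed: the cn=Posix IDs entry as posted, with a dn line added.
DNA_CONFIG = """dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnafilter: (|(objectclass=posixAccount)(objectClass=posixGroup))
dnamagicregen: 999
dnamaxvalue: 1100
dnanextvalue: 1101
dnascope: dc=ecg,dc=mit,dc=edu
dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
dnathreshold: 500
dnatype: gidNumber
dnatype: uidNumber
"""

# Constructed: uidNumber/gidNumber values already present in the tree, e.g. gathered with
# ldapsearch over (|(objectclass=posixAccount)(objectclass=posixGroup)).  1200 stands for an
# ID someone assigned by hand above the DNA range.
IN_USE_IDS = {1000, 1001, 1002, 1050, 1100, 1200}

# Constructed: a block another replica or directory already owns (hypothetical).
OTHER_RANGES = [(5000, 5999)]


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr-name-lowercase: [values]}; multi-valued attrs keep every value."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def range_status(attrs):
    """Explain why dna_get_next_value reports 'no more values available'."""
    nxt = int(attrs["dnanextvalue"][0])
    mx = int(attrs["dnamaxvalue"][0])
    threshold = int(attrs["dnathreshold"][0])
    remaining = max(0, mx - nxt + 1)
    return {
        "next": nxt,
        "max": mx,
        "remaining": remaining,
        "exhausted": nxt > mx,                 # Ben's case: 1101 > 1100
        "below_threshold": remaining < threshold,
    }


def overlaps(a, b):
    """True if inclusive ranges a=(lo, hi) and b=(lo, hi) share any value."""
    return a[0] <= b[1] and b[0] <= a[1]


def propose_next_range(attrs, in_use_ids, size, other_ranges=()):
    """Choose (low, high) above the current range and every ID already assigned.

    Overlapping ranges hand out uid/gid numbers that already belong to someone, which is an
    ownership problem rather than a mere error, so refuse instead of guessing.
    """
    low = max(int(attrs["dnamaxvalue"][0]), max(in_use_ids, default=0)) + 1
    high = low + size - 1
    magic = int(attrs["dnamagicregen"][0])
    if low <= magic <= high:
        raise ValueError("magic regen value %d would fall inside the new range" % magic)
    for other in other_ranges:
        if overlaps((low, high), other):
            raise ValueError("proposed range %d-%d overlaps %d-%d"
                             % (low, high, other[0], other[1]))
    return low, high


def next_range_ldif(attrs, low, high):
    """LDIF for ldapmodify that attaches the new block as dnaNextRange.

    Assumption: dnaNextRange is the attribute the DNA plugin reads for the range it moves to
    once the current one is used up; check the guide Simo cites for your version.
    """
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "add: dnaNextRange\n"
        "dnaNextRange: %d-%d\n" % (attrs["dn"][0], low, high)
    )


if __name__ == "__main__":
    cfg = parse_ldif_entry(DNA_CONFIG)
    print(range_status(cfg))
    lo, hi = propose_next_range(cfg, IN_USE_IDS, size=1000, other_ranges=OTHER_RANGES)
    print(next_range_ldif(cfg, lo, hi))
```

Run it against the real entry (ldapsearch -b cn=config as Directory Manager) and a real list of IDs in use before applying anything; on a multi-master setup the other replicas' ranges belong in OTHER_RANGES too.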



From rcritten at redhat.com  Wed May 30 19:14:28 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 May 2012 15:14:28 -0400
Subject: [Freeipa-users] IPA 2.2 on Fedora 17
Message-ID: <4FC67194.5080508@redhat.com>

The current 389-ds-base package in Fedora 17 is known to not work with 
IPA. This is any of the 1.2.11.x builds through 1.2.11.4.

The only solution we have right now is to downgrade to 1.2.10.4. This is 
unfortunately not in any yum repositories. To install it you can either 
download the packages manually from 
http://koji.fedoraproject.org/koji/buildinfo?buildID=308732 or use the 
koji tool to retrieve them:

# koji download-build 389-ds-base-1.2.10.4-2.fc17

Then install the right bits for your architecture. You'll want to remove 
any existing 389-ds-base bits:

# rpm -e 389-ds-base 389-ds-base-libs

We're working with the 389-ds team to fix this. We do not currently have 
an ETA.

rob



From dale at themacartneyclan.com  Wed May 30 22:12:28 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 30 May 2012 23:12:28 +0100
Subject: [Freeipa-users] RHEL + IPA + Zimbra = ?
Message-ID: <4FC69B4C.6000702@themacartneyclan.com>



Evening all

Has anyone dabbled with Zimbra integration with IPA as yet? I just had a
brief brainstorm moment of thinking "Now that would be useful".

I'm curious to see if anyone else has tried it? Otherwise I'll give a go
and see what docs I can produce from my endeavours. Pointers, requests
and opinions welcomed.

Night all

Dale


From dpal at redhat.com  Wed May 30 23:13:45 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 30 May 2012 19:13:45 -0400
Subject: [Freeipa-users] RHEL + IPA + Zimbra = ?
In-Reply-To: <4FC69B4C.6000702@themacartneyclan.com>
References: <4FC69B4C.6000702@themacartneyclan.com>
Message-ID: <4FC6A9A9.2050300@redhat.com>

On 05/30/2012 06:12 PM, Dale Macartney wrote:
>
> Evening all
>
> Has anyone dabbled with Zimbra integration with IPA as yet? I just had a
> brief brainstorm moment of thinking "Now that would be useful".
>
> I'm curious to see if anyone else has tried it? Otherwise I'll give a go
> and see what docs I can produce from my endeavours. Pointers, requests
> and opinions welcomed.
>
> Night all
>
> Dale
>

Are you talking about SSO or just using IPA as a back end identity store.
I do not think it was tried but I do not see a lot of issues.
If there are I would like to see tickets.
As for kerberos SSO it might be quite a different situation which needs
to be investigated.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




From freeipa at noboost.org  Thu May 31 05:28:53 2012
From: freeipa at noboost.org (freeipa at noboost.org)
Date: Thu, 31 May 2012 09:28:53 +0400
Subject: [Freeipa-users] ipa-client-install hangs on ipa-getkeytab -
 Fixed!!
In-Reply-To: <4FC64451.5070201@redhat.com>
References: <20120528062120.GA21730@noboost.org>
	<1338274843.30643.6.camel@balmora.brq.redhat.com>
	<20120530040211.GA20108@noboost.org> <4FC64451.5070201@redhat.com>
Message-ID: <20120531052853.GA3854@noboost.org>

On Wed, May 30, 2012 at 12:01:21PM -0400, Rob Crittenden wrote:
> freeipa at noboost.org wrote:
> >On Tue, May 29, 2012 at 09:00:43AM +0200, Martin Kosek wrote:
> >>On Mon, 2012-05-28 at 10:21 +0400, freeipa at noboost.org wrote:
> >>>Hi All,
> >>>
> >>>This one has me stumped!
> >>>For some reason my Centos 5.8 x64 Linux server hangs during
> >>>"ipa-client-install"
> >>>
> >>>Server:
> >>>* ipa-admintools-2.1.3-9.el6.x86_64
> >>>* ipa-client-2.1.3-9.el6.x86_64
> >>>* ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>>* ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>>* ipa-python-2.1.3-9.el6.x86_64
> >>>* ipa-server-2.1.3-9.el6.x86_64
> >>>* ipa-server-selinux-2.1.3-9.el6.x86_64
> >>>
> >>>Client:
> >>>CentOS release 5.8 (Final) (x86_64)
> >>>* ipa-client-2.1.3-2.el5_8
> >>>* sssd-client-1.5.1-49.el5_8.1
> >>>
> >>>Questions:
> >>>* Is there a better way to diagnose the ipa-getkeytab command? Perhaps I
> >>>   can run a native kerberos command?
> >>>* Any tips welcome, I've tried straces and tcpdump to work this one out,
> >>>   hmm..
> >>>
> >>>
> >>>Error:
> >>>"ipa-client-install" runs fine and then hangs (without reason):
> >>>[below is the chopped version]
> >>>
> >>>-------------------------------------------------------------------
> >>>[libdefaults]
> >>>   default_realm = EXAMPLE.COM
> >>>   dns_lookup_realm = true
> >>>   dns_lookup_kdc = true
> >>>   rdns = false
> >>>   ticket_lifetime = 24h
> >>>   forwardable = yes
> >>>
> >>>[realms]
> >>>   EXAMPLE.COM = {
> >>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>>   }
> >>>
> >>>[domain_realm]
> >>>   .example.com = EXAMPLE.COM
> >>>   example.com = EXAMPLE.COM
> >>>
> >>>
> >>>Password for admin at EXAMPLE.COM:
> >>>root        : DEBUG    args=kinit admin at EXAMPLE.COM
> >>>root        : DEBUG    stdout=Password for admin at EXAMPLE.COM:
> >>>
> >>>root        : DEBUG    stderr=
> >>>-------------------------------------------------------------------
> >>>
> >>>`ps -ef` on the client side, shows that the install is getting stuck on
> >>>"ipa-getkeytab" for some reason.
> >>>
> >>>root     15842 15814  0 15:09 pts/1    00:00:00 /usr/bin/python -E
> >>>/usr/sbin/ipa-client-install -d
> >>>
> >>>root     15852 15842  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-join -s
> >>>ipa-server.example.com -b dc=example,dc=com -d
> >>>
> >>>root     15853 15852  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-getkeytab
> >>>-s ipa-server.example.com -p
> >>>host/client.example.com at EXAMPLE.COM -k /etc/krb5.keytab
> >>>
> >>>
> >>>cya
> >>>
> >>>Craig
> >>>
> >>
> >>Hello Craig,
> >>
> >>I think that in this case, strace may be a good choice to find out where
> >>it hangs. I assume you already have the IPA server installed and you are
> >>trying to install IPA client on different machine.
> >yes that is correct
> >>
> >>If you run ipa-getkeytab with strace separately from ipa-client-install
> >>you can test where it hangs. You can use any principal existing in IPA
> >>server, including host/client.example.com at EXAMPLE.COM if the host entry
> >>exists.
> >>
> >>To authenticate with ipa-getkeytab on a machine where ipa-client-install
> >>was unsuccessful you can either manually configure /etc/krb5.conf to use
> >>IPA server KDC and run kinit or you could use "-D BINDDN -w PASSWORD"
> >>options to authenticate via LDAP bind.
> >Here's what I did, I'm not sure which part fixed it. But everything works
> >fine now!
> >
> >Steps followed:
> >
> >1) Found an old policy referring to this client in the kerberos
> >database, Naturally I deleted this.
> >
> >2) Fixed up the /etc/krb5.conf on the client & ran the ipa-getkeytab
> >command (using an existing host principal). To my surprise this worked.
> >
> ># /usr/sbin/ipa-getkeytab -s sysvm-ipa.example.com -p \
> ># host/craigpc.example.com at EXAMPLE.COM -k /etc/krb5.keytab
> ># Keytab successfully retrieved and stored in: /etc/krb5.keytab
> >
> >3) re-run the ipa-client-install
> >It worked first time and problem solved.
> >
> >Any thoughts on the actual issue? could it have been the old policy
> >entry?
> 
> Can you provide any more information on what this policy was and
> where it was stored?
It was just a simple HBAC policy which allowed a couple of users to that
host, on all services and from any client. At this stage I don't have an ldap 
dump to send you. But if I get time, I'll restore it from backup and send it over.

cya

Craig

> 
> rob
> 
> >
> >4) local keytab file
> >The local keytab file looks fine now, I assume that there is an easy way
> >to delete the craigpc principal entry?
> >
> >$ sudo klist -k /etc/krb5.keytab
> >Keytab name: FILE:/etc/krb5.keytab
> >KVNO Principal
> >----
> >--------------------------------------------------------------------------
> >    2 host/craigpc.example.com at EXAMPLE.COM
> >    2 host/craigpc.example.com at EXAMPLE.COM
> >    2 host/craigpc.example.com at EXAMPLE.COM
> >    2 host/craigpc.example.com at EXAMPLE.COM
> >    2 host/craigpc.example.com at EXAMPLE.COM
> >    1 host/client.example.com at EXAMPLE.COM
> >    1 host/client.example.com at EXAMPLE.COM
> >    1 host/client.example.com at EXAMPLE.COM
> >    1 host/client.example.com at EXAMPLE.COM
> >    1 host/client.example.com at EXAMPLE.COM
> >
> >>
> >>Martin
> >>
> >
> >cya
> >
> >Craig
> >
> >_______________________________________________
> >Freeipa-users mailing list
> >Freeipa-users at redhat.com
> >https://www.redhat.com/mailman/listinfo/freeipa-users
> 



From dale at themacartneyclan.com  Thu May 31 06:55:23 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Thu, 31 May 2012 07:55:23 +0100
Subject: [Freeipa-users] RHEL + IPA + Zimbra = ?
In-Reply-To: <4FC6A9A9.2050300@redhat.com>
References: <4FC69B4C.6000702@themacartneyclan.com>
	<4FC6A9A9.2050300@redhat.com>
Message-ID: <4FC715DB.8000503@themacartneyclan.com>





On 31/05/12 00:13, Dmitri Pal wrote:
> On 05/30/2012 06:12 PM, Dale Macartney wrote:
> >
>> Evening all
>>
>> Has anyone dabbled with Zimbra integration with IPA as yet? I just had a
>> brief brainstorm moment of thinking "Now that would be useful".
>>
>> I'm curious to see if anyone else has tried it? Otherwise I'll give a go
>> and see what docs I can produce from my endeavours. Pointers, requests
>> and opinions welcomed.
>>
>> Night all
>>
>> Dale
>>
>
> Are you talking about SSO or just using IPA as a back end identity store.
> I do not think it was tried but I do not see a lot of issues.
> If there are I would like to see tickets.
> As for kerberos SSO it might be quite a different situation which needs
to be investigated.
>
I was thinking as a solution in general to be honest. I'll fire it up
with IPA as a backend store initially just to see it working. The
endgame goal though would be SSO. Like all my projects SSO is what I am
aiming for, but in some cases its not possible.

I've requested an eval key for the enterprise supported release. I'll
try to get them involved in the process as well if push comes to shove.
They will benefit from this as well in the end.

I'll feed back to the list with progress.

Dale

>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>
>

From darran.lofthouse at jboss.com  Thu May 31 09:28:52 2012
From: darran.lofthouse at jboss.com (Darran Lofthouse)
Date: Thu, 31 May 2012 10:28:52 +0100
Subject: [Freeipa-users] Authentication Failure from Java - LoginException
	PREAUTH_FAILED
Message-ID: <4FC739D4.4000907@jboss.com>

My apologies if this has already been discussed somewhere, I have tried 
a number of searches to see if this is either a known issue or common 
error on the client side but so far only found references to Java issues 
that should have been resolved a long time ago.

I have a Red Hat server running in Amazon EC2 with IPA 
ipa-server-2.1.3-9.el6.x86_64 installed - I have an admin user and a 
test_user defined.

 From my local machine using kinit works without error.

I have developed a test Java client to make use of the Krb5LoginModule, 
I am currently debugging further but thought I would mail this in 
parallel in case I am missing something obvious but I keep getting the 
failure that is at the bottom of this message.

This failure is reported when using java-1.7.0-openjdk-1.7.0.3.x86_64 - 
however I have also tried using various Oracle JDKs, both 6 and 7.

I know the password is correct as verified using kinit, also if I use 
jdk1.6.0_30 AND set the system property for Kerberos debugging to true 
on the client it works.

The only difference I currently see between the failure scenario and 
success scenario is that for success rc4-hmac is selected for the 
PA-ENC-TIMESTAMP for the failure scenario here aes256-cts-hmac-sha1-96 
is selected instead.

For the work I am currently using IPA for I could just force the use of 
rc4-hmac but would really like to get to the bottom of the cause of this.

Looking forward to any ideas.

Regards,
Darran Lofthouse.


Exception in thread "main" javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:759)
	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:601)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
	at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
	at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
	at com.darranl.as.sasl.gssapi.KerberosLoginUtil.login(KerberosLoginUtil.java:50)
	at com.darranl.as.sasl.gssapi.KerberosLoginUtil.main(KerberosLoginUtil.java:136)
Caused by: KrbException: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
	at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82)
	at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
	at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:721)
	... 14 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
	at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
	at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
	at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
	... 17 more



From cevich at redhat.com  Thu May 31 13:33:46 2012
From: cevich at redhat.com (Chris Evich)
Date: Thu, 31 May 2012 09:33:46 -0400
Subject: [Freeipa-users] IPA 2.2 on Fedora 17
In-Reply-To: <4FC67194.5080508@redhat.com>
References: <4FC67194.5080508@redhat.com>
Message-ID: <4FC7733A.5060604@redhat.com>

On 05/30/2012 03:14 PM, Rob Crittenden wrote:
> The current 389-ds-base package in Fedora 17 is known to not work with
> IPA. This is any of the 1.2.11.x builds through 1.2.11.4.
>
> The only solution we have right now is to downgrade to 1.2.10.4. This is
> unfortunately not in any yum repositories. To install it you can either
> download the packages manually from
> http://koji.fedoraproject.org/koji/buildinfo?buildID=308732 or use the
> koji tool to retrieve them:
>
> # koji download-build 389-ds-base-1.2.10.4-2.fc17
>
> Then install the right bits for your architecture. You'll want to remove
> any existing 389-ds-base bits:
>
> # rpm -e 389-ds-base 389-ds-base-libs
>
> We're working with the 389-ds team to fix this. We do not currently have
> an ETA.
>
> rob
>

And! remember to add 389-ds-base and 389-ds-base-libs to /etc/yum.conf 
exclude list (temporarily).  Otherwise it's easy to accidentally wreck 
your setup with a casual yum update (not that I would ever casually 
update my systems, nope, never).



From simo at redhat.com  Thu May 31 14:10:07 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 31 May 2012 10:10:07 -0400
Subject: [Freeipa-users] RHEL + IPA + Zimbra = ?
In-Reply-To: <4FC715DB.8000503@themacartneyclan.com>
References: <4FC69B4C.6000702@themacartneyclan.com>
	<4FC6A9A9.2050300@redhat.com> <4FC715DB.8000503@themacartneyclan.com>
Message-ID: <1338473407.8230.68.camel@willson.li.ssimo.org>

On Thu, 2012-05-31 at 07:55 +0100, Dale Macartney wrote:
> 
> 
> 
> 
> On 31/05/12 00:13, Dmitri Pal wrote:
> > On 05/30/2012 06:12 PM, Dale Macartney wrote:
> > >
> >> Evening all
> >>
> >> Has anyone dabbled with Zimbra integration with IPA as yet? I just
> had a
> >> brief brainstorm moment of thinking "Now that would be useful".
> >>
> >> I'm curious to see if anyone else has tried it? Otherwise I'll give
> a go
> >> and see what docs I can produce from my endeavours. Pointers,
> requests
> >> and opinions welcomed.
> >>
> >> Night all
> >>
> >> Dale
> >>
> >
> > Are you talking about SSO or just using IPA as a back end identity
> store.
> > I do not think it was tried but I do not see a lot of issues.
> > If there are I would like to see tickets.
> > As for kerberos SSO it might be quite a different situation which
> needs to be investigated.
> >
> I was thinking as a solution in general to be honest. I'll fire it up
> with IPA as a backend store initially just to see it working. The
> endgame goal though would be SSO. Like all my projects SSO is what I
> am aiming for, but in some cases its not possible.
> 
> I've requested an eval key for the enterprise supported release. I'll
> try to get them involved in the process as well if push comes to
> shove. They will benefit from this as well in the end.
> 
> I'll feed back to the list with progress.

As far as I know Zimbra supports retrieving users from LDAP and using
Kerberos for authentication.
In the very latest code they also fixed using Negotiate auth to login
using Kerberos against the Web interface even when their proxy is being
used, so now all components of Zimbra should be usable with krb auth.
This means a properly configured Browser/MUA should be able to do full
SSO auth against Zimbra.

If you can test their latest release and report any gotchas in
configuration that would be awesome!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From dale at themacartneyclan.com  Thu May 31 14:13:25 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Thu, 31 May 2012 15:13:25 +0100
Subject: [Freeipa-users] RHEL + IPA + Zimbra = ?
In-Reply-To: <1338473407.8230.68.camel@willson.li.ssimo.org>
References: <4FC69B4C.6000702@themacartneyclan.com>
	<4FC6A9A9.2050300@redhat.com>
	<4FC715DB.8000503@themacartneyclan.com>
	<1338473407.8230.68.camel@willson.li.ssimo.org>
Message-ID: <4FC77C85.50501@themacartneyclan.com>





On 31/05/12 15:10, Simo Sorce wrote:
> On Thu, 2012-05-31 at 07:55 +0100, Dale Macartney wrote:
>>
>>
>>
>>
>> On 31/05/12 00:13, Dmitri Pal wrote:
>>> On 05/30/2012 06:12 PM, Dale Macartney wrote:
>>>>
>>>> Evening all
>>>>
>>>> Has anyone dabbled with Zimbra integration with IPA as yet? I just
>> had a
>>>> brief brainstorm moment of thinking "Now that would be useful".
>>>>
>>>> I'm curious to see if anyone else has tried it? Otherwise I'll give
>> a go
>>>> and see what docs I can produce from my endeavours. Pointers,
>> requests
>>>> and opinions welcomed.
>>>>
>>>> Night all
>>>>
>>>> Dale
>>>>
>>>
>>> Are you talking about SSO or just using IPA as a back end identity
>> store.
>>> I do not think it was tried but I do not see a lot of issues.
>>> If there are I would like to see tickets.
>>> As for kerberos SSO it might be quite a different situation which
>> needs to be investigated.
>>>
>> I was thinking as a solution in general to be honest. I'll fire it up
>> with IPA as a backend store initially just to see it working. The
>> endgame goal though would be SSO. Like all my projects SSO is what I
>> am aiming for, but in some cases its not possible.
>>
>> I've requested an eval key for the enterprise supported release. I'll
>> try to get them involved in the process as well if push comes to
>> shove. They will benefit from this as well in the end.
>>
>> I'll feed back to the list with progress.
>
> As far as I know Zimbra supports retrieving users from LDAP and using
> Kerberos for authentication.
> In the very latest code they also fixed using Negotiate auth to login
> using Kerberos against the Web interface even when their proxy is being
> used, so now all components of Zimbra should be usable with krb auth.
> This means a properly configured Browser/MUA should be able to do full
> SSO auth against Zimbra.
>
> If you can test their latest release and report any gotchas in
> configuration that would be awesome!
>
> Simo.
>
I'm definitely up for it. I had a day off today actually, so most of the
day has been spent on my test lab. Will follow up soon. I haven't used
Zimbra before so I'll do it a few times to get things consistent, then I
might ask for some community QA on my steps to be honest.

keep you all posted. I have received a license key and was playing
earlier today with 7.2 (downloaded last night). Hopefully they don't
change that too frequently.

Dale


From simo at redhat.com  Thu May 31 14:17:10 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 31 May 2012 10:17:10 -0400
Subject: [Freeipa-users] Authentication Failure from Java -
 LoginException PREAUTH_FAILED
In-Reply-To: <4FC739D4.4000907@jboss.com>
References: <4FC739D4.4000907@jboss.com>
Message-ID: <1338473830.8230.72.camel@willson.li.ssimo.org>

On Thu, 2012-05-31 at 10:28 +0100, Darran Lofthouse wrote:
> My apologies if this has already been discussed somewhere, I have tried 
> a number of searches to see if this is either a known issue or common 
> error on the client side but so far only found references to Java issues 
> that should have been resolved a long time ago.
> 
> I have a Red Hat server running in Amazon EC2 with IPA 
> ipa-server-2.1.3-9.el6.x86_64 installed - I have an admin user and a 
> test_user defined.
> 
>  From my local machine using kinit works without error.
> 
> I have developed a test Java client to make use of the Krb5LoginModule, 
> I am currently debugging further but thought I would mail this in 
> parallel in case I am missing something obvious but I keep getting the 
> failure that is at the bottom of this message.
> 
> This failure is reported when using java-1.7.0-openjdk-1.7.0.3.x86_64 - 
> however I have also tried using various Oracle JDKs, both 6 and 7.
> 
> I know the password is correct as verified using kinit; also, if I use 
> jdk1.6.0_30 AND set the system property for Kerberos debugging to true 
> on the client, it works.
> 
> The only difference I currently see between the failure scenario and 
> success scenario is that for success rc4-hmac is selected for the 
> PA-ENC-TIMESTAMP; for the failure scenario aes256-cts-hmac-sha1-96 
> is selected instead.
> 
> For the work I am currently using IPA for I could just force the use of 
> rc4-hmac but would really like to get to the bottom of the cause of this.
> 
> Looking forward to any ideas.
> 
> Regards,
> Darran Lofthouse.
> 
> 
> Exception in thread "main" javax.security.auth.login.LoginException: 
> Integrity check on decrypted field failed (31) - PREAUTH_FAILED
> 	at 
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:759)
> 	at 
> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> 	at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:601)
> 	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
> 	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
> 	at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
> 	at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at 
> javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
> 	at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
> 	at 
> com.darranl.as.sasl.gssapi.KerberosLoginUtil.login(KerberosLoginUtil.java:50)
> 	at 
> com.darranl.as.sasl.gssapi.KerberosLoginUtil.main(KerberosLoginUtil.java:136)
> Caused by: KrbException: Integrity check on decrypted field failed (31) 
> - PREAUTH_FAILED
> 	at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82)
> 	at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
> 	at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
> 	at 
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:721)
> 	... 14 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> 	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
> 	at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
> 	at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
> 	at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
> 	... 17 more

Darran,
I think you may need to download "Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files 7"
See here:
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Apparently AES is not fully supported unless you have the JCE which is
not distributed by default due to restrictions on export as far as I can
understand.

If you prefer to restrict yourself to rc4-hmac, see the ipa-getkeytab
man page on how to explicitly request a set of enctypes on a new keytab.
Please remember that running ipa-getkeytab will invalidate your previous
keys.


HTH.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From darran.lofthouse at jboss.com  Thu May 31 14:37:01 2012
From: darran.lofthouse at jboss.com (Darran Lofthouse)
Date: Thu, 31 May 2012 15:37:01 +0100
Subject: [Freeipa-users] Authentication Failure from Java -
 LoginException PREAUTH_FAILED
In-Reply-To: <1338473830.8230.72.camel@willson.li.ssimo.org>
References: <4FC739D4.4000907@jboss.com>
	<1338473830.8230.72.camel@willson.li.ssimo.org>
Message-ID: <4FC7820D.8050805@jboss.com>

On 05/31/2012 03:17 PM, Simo Sorce wrote:
> Darran,
> I think you may need to download "Java Cryptography Extension (JCE)
> Unlimited Strength Jurisdiction Policy Files 7"
> See here:
> http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
>
> Apparently AES is not fully supported unless you have the JCE which is
> not distributed by default due to restrictions on export as far as I can
> understand.

Thank you for your reply Simo, I have actually been testing this both 
with and without the unlimited strength policy - the error message is 
the same in both cases, the only difference is that without the policy 
in place aes128 is selected instead of aes256.

> If you prefer to restrict your self to rc4-hmac, see the ipa-getkeytab
> man page on how to explicitly request a set of enctypes on a new keytab.
> Please remember that running ipa-getkeytab will invalidate your previous
> keys.

Also to clarify at this stage I am supplying a username and password in 
the client - I wanted to get that working first before switching it to a 
keytab.

>
>
> HTH.
>
> Simo.
>
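
The two things this exchange turns on, whether the JVM is allowed to use
256-bit AES at all and which enctype the KDC actually negotiated for the
password login, can both be checked from the client side. The following is
an added example, not code posted by Darran or Simo and not part of the
FreeIPA project: it reports the JCE key-length limit for AES, then performs
a Krb5LoginModule login with a username and password (the scenario Darran
describes) and prints the enctype of the resulting TGT session key. The
realm EXAMPLE.COM, the KDC host ipa.example.com, the principal test_user and
the JAAS entry name KrbClient are placeholders.

```java
import java.util.Collections;
import java.util.Map;

import javax.crypto.Cipher;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from the original thread): password-based Kerberos
 * login through Krb5LoginModule, preceded by a JCE policy check so that an
 * AES-256 problem can be told apart from a genuinely wrong password.
 */
public class KrbPasswordLoginCheck {

    /** True if the installed jurisdiction policy permits 256-bit AES keys. */
    public static boolean unlimitedAesAvailable() throws Exception {
        // Export-limited policy reports 128; the unlimited policy reports Integer.MAX_VALUE.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** JAAS configuration built in code, so no external login.conf is needed. */
    static Configuration krb5Config() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // storeKey keeps the derived key in the Subject; no ticket cache is consulted.
                Map<String, String> opts = Collections.singletonMap("storeKey", "true");
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    /** Answers the module's name and password prompts from fixed values. */
    static CallbackHandler handler(final String user, final char[] password) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }

    /** Authenticates and returns the enctype number of the TGT session key. */
    public static int login(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("KrbClient", null, handler(user, password), krb5Config());
        lc.login();
        Subject subject = lc.getSubject();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            // RFC 3961 numbers: 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts, 23 = rc4-hmac
            return t.getSessionKeyType();
        }
        throw new LoginException("login succeeded but no KerberosTicket was stored");
    }

    public static void main(String[] args) throws Exception {
        // Placeholder realm and KDC; normally these come from krb5.conf instead.
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "ipa.example.com");
        // The Kerberos trace switch mentioned in the thread; useful while diagnosing.
        System.setProperty("sun.security.krb5.debug", "true");

        if (!unlimitedAesAvailable()) {
            System.err.println("Unlimited-strength JCE policy is not installed; "
                + "aes256-cts keys cannot be used by this JVM");
        }
        try {
            int etype = login("test_user", "secret".toCharArray());
            System.out.println("TGT session key enctype: " + etype);
        } catch (LoginException e) {
            // PREAUTH_FAILED is reported both for a wrong password and for an
            // enctype the JVM cannot handle, so check the policy result above first.
            System.err.println("Kerberos login failed: " + e.getMessage());
        }
    }
}
```

Run it once with the default policy and once after installing the unlimited
strength files; if the login only succeeds when the printed limit is below
256, the KDC is handing out keys the JVM's policy will not let it use.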



From simo at redhat.com  Thu May 31 14:53:24 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 31 May 2012 10:53:24 -0400
Subject: [Freeipa-users] RHEL + IPA + Zimbra = ?
In-Reply-To: <4FC77C85.50501@themacartneyclan.com>
References: <4FC69B4C.6000702@themacartneyclan.com>
	<4FC6A9A9.2050300@redhat.com> <4FC715DB.8000503@themacartneyclan.com>
	<1338473407.8230.68.camel@willson.li.ssimo.org>
	<4FC77C85.50501@themacartneyclan.com>
Message-ID: <1338476004.8230.73.camel@willson.li.ssimo.org>

On Thu, 2012-05-31 at 15:13 +0100, Dale Macartney wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> On 31/05/12 15:10, Simo Sorce wrote:
> > On Thu, 2012-05-31 at 07:55 +0100, Dale Macartney wrote:
> >>
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >>
> >>
> >> On 31/05/12 00:13, Dmitri Pal wrote:
> >>> On 05/30/2012 06:12 PM, Dale Macartney wrote:
> >>>>
> >>>> Evening all
> >>>>
> >>>> Has anyone dabbled with Zimbra integration with IPA as yet? I just
> >>>> had a brief brainstorm moment of thinking "Now that would be useful".
> >>>>
> >>>> I'm curious to see if anyone else has tried it? Otherwise I'll give
> >>>> it a go and see what docs I can produce from my endeavours. Pointers,
> >>>> requests and opinions welcomed.
> >>>>
> >>>> Night all
> >>>>
> >>>> Dale
> >>>>
> >>>
> >>> Are you talking about SSO or just using IPA as a back end identity
> >> store.
> >>> I do not think it was tried but I do not see a lot of issues.
> >>> If there are I would like to see tickets.
> >>> As for kerberos SSO it might be quite a different situation which
> >> needs to be investigated.
> >>>
> >> I was thinking as a solution in general to be honest. I'll fire it up
> >> with IPA as a backend store initially just to see it working. The
> >> endgame goal though would be SSO. Like all my projects SSO is what I
> >> am aiming for, but in some cases its not possible.
> >>
> >> I've requested an eval key for the enterprise supported release. I'll
> >> try to get them involved in the process as well if push comes to
> >> shove. They will benefit from this as well in the end.
> >>
> >> I'll feed back to the list with progress.
> >
> > As far as I know Zimbra supports retrieving users from LDAP and using
> > Kerberos for authentication.
> > In the very latest code they also fixed using Negotiate auth to login
> > using Kerberos against the Web interface even when their proxy is being
> > used, so now all components of Zimbra should be usable with krb auth.
> > This means a properly configured Browser/MUA should be able to do full
> > SSO auth against Zimbra.
> >
> > If you can test their latest release and report any gotchas in
> > configuration that would be awesome!
> >
> > Simo.
> >
> I'm definitely up for it. I had a day off today actually, so most of the
> day has been spent on my test lab. Will follow up soon. I haven't used
> Zimbra before so I'll do it a few times to get things consistent, then I
> might ask for some community QA on my steps to be honest.
> 
> Keep you all posted. I have received a license key and was playing
> earlier today with 7.2 (downloaded last night). Hopefully they don't
> change that too frequently.

That version should work if you do not use a proxy; the proxy fix should
be in version 8, but you should have no issues with the eval as the
proxy is used only in advanced configurations for load balancing AFAIK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From g17jimmy at gmail.com  Thu May 31 17:24:56 2012
From: g17jimmy at gmail.com (Jimmy)
Date: Thu, 31 May 2012 13:24:56 -0400
Subject: [Freeipa-users] DNS logs - named.run
Message-ID: 

This message repeats numerous times per minute:

zone myzone.info/IN: zone serial (2012150501) unchanged. zone may fail
to transfer to slaves.

I even went into the admin page and changed the serial manually to see
if I could get past the message but it just changed the message to
this:

zone myzone.info/IN: zone serial (2012150502) unchanged. zone may fail
to transfer to slaves.

Why does IPA report this?

Thanks.



From dale at themacartneyclan.com  Thu May 31 19:03:00 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Thu, 31 May 2012 20:03:00 +0100
Subject: [Freeipa-users] token/swipe pass deployments with IPA
Message-ID: <4FC7C064.6010401@themacartneyclan.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Evening all

http://www.youtube.com/watch?v=uvfkj8V6ylM

This video was floating around Google Plus a few days ago and is
brilliant for showing off RHEV's VDI technologies. I was wondering if anyone
has a similar business case of VDI deployments with swipe passes or
tokens, but using IPA as the backing authentication store?

Has anyone done something similar themselves?

Dale

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPx8BiAAoJEAJsWS61tB+qPhUP/i6XCrl0d0N5p/801C+IOEHr
EDlw3hNOmGrmP6oum5uQoglqVT4QD1Um/bcVvCwD0mnWXX2BKzFbmLIsfQ5sy/XI
2/e808RXME+dyn2plMfed3z31cRgtafBVIkyN1UJmsgXXgUzISlLHwcpLK4EgNlJ
m0jHu2+wKhsDz3aw0AG5LWwtigU2r3k8+UhhfLiA8ew3WH9VNY+IbtVwVGbubmlz
WYbATDI9OOozo/k9l2Ardw9aKMEPSzAlwKz2HXL0fKnw8+y4ceZA1c9Li5Zvc+1k
1gqxMOC3G7T5cB4v/dHiGaFc+p8mP1+BZ3Ugrmok4ozrvAy1MZj/stn5APn30XJP
/oeLyMLk14/aFQ3vTqJc89S8SyT/J5RtXSMdfDvN8RGKkJHCpVX73re9BPq2G42s
TZuCk6c0zlpFQd2FxUQs95Hd1LSMEVTyaQYqi6KwehEi3DYH/kfUgYL9HkpTuBFk
NcgCUrlFseL5vagFCm27iaHemAoEwEVsJOO61NVyqjINkDa5vdY+RPggNF/i0Tha
0V+l7YkB+scKZmE76+CF9czTFOd9mBmVrdMSE/8aH6jw0Dd38zmj7eeDSOCmBCT0
oW5R9W9JSDACAztEYGDtrY/jR6VoXShu3Wy2p1DRLiCDaVHfJ2Oy7eTknAB3KzXC
xXjWpJA+KpBTijGyx8mJ
=6ZvW
-----END PGP SIGNATURE-----


From dpal at redhat.com  Thu May 31 22:54:11 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 31 May 2012 18:54:11 -0400
Subject: [Freeipa-users] token/swipe pass deployments with IPA
In-Reply-To: <4FC7C064.6010401@themacartneyclan.com>
References: <4FC7C064.6010401@themacartneyclan.com>
Message-ID: <4FC7F693.9000909@redhat.com>

On 05/31/2012 03:03 PM, Dale Macartney wrote:
>
> Evening all
>
> http://www.youtube.com/watch?v=uvfkj8V6ylM
>
> This video was floating around Google Plus a few days ago and is
> brilliant for showing off RHEV's VDI technologies. I was wondering if anyone
> has a similar business case of VDI deployments with swipe passes or
> tokens, but using IPA as the backing authentication store?

I am not quite sure what is used as an authentication source in this case.
I can ask.

>
> Has anyone done something similar themselves?
>
> Dale
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


