From natxo.asenjo at gmail.com Sun Sep 2 14:37:33 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sun, 2 Sep 2012 16:37:33 +0200
Subject: [Freeipa-users] openindiana ldap client
Message-ID:

hi,

Recently I have been playing with zfs for its native nfs4 acl capabilities. I have used openindiana for this. For those wondering about openindiana, it is a distribution of the former opensolaris code.

I got the ldap client to work for retrieving user/group info from ipa using the ldapclient command:

# ldapclient manual \
  -a authenticationMethod=none \
  -a defaultSearchBase=dc=ipa,dc=asenjo,dc=nx \
  -a domainName=ipa.asenjo.nx \
  -a defaultServerList=kdc.ipa.asenjo.nx \
  -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \
  -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter]

You need to enable the ldap/client service:

# svcadm enable ldap/client:default [enter]

After which, modify /etc/nsswitch.conf to add the ldap provider for passwd and group:

passwd: files ldap
group:  files ldap

That's it, test it:

# id admin
uid=642800000(admin) gid=642800000(admins) groups=642800000(admins)

# getent passwd admin
admin:x:642800000:642800000:Administrator:/home/admin:/bin/bash

So it works. The kerberos stuff will be next ...

One thing I have not yet gotten to work is that these changes are not persistent across reboots. The ldapclient config stays, but the service ldap/client does not start (stays disabled) and nsswitch.conf misses the ldap entries. So far I am fixing this from cfengine (gotta love it).

So apparently, for solaris 10 and newer versions, the procedure outlined in http://freeipa.com/page/ConfiguringSolarisClients is no longer necessary as far as the ldap client is concerned.

--
Groeten,
natxo


From sigbjorn at nixtra.com Sun Sep 2 16:58:01 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 02 Sep 2012 18:58:01 +0200
Subject: [Freeipa-users] openindiana ldap client
In-Reply-To:
References:
Message-ID: <50439019.8080804@nixtra.com>

On 09/02/2012 04:37 PM, Natxo Asenjo wrote:
> hi,
>
> Recently I have been playing with zfs for its native nfs4 acl
> capabilities. I have used openindiana for this. For those wondering
> about openindiana, it is a distribution of the former opensolaris code.
>
> I got the ldap client to work for retrieving user/group info from ipa
> using the ldapclient command:
>
> # ldapclient manual \
>   -a authenticationMethod=none \
>   -a defaultSearchBase=dc=ipa,dc=asenjo,dc=nx \
>   -a domainName=ipa.asenjo.nx \
>   -a defaultServerList=kdc.ipa.asenjo.nx \
>   -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \
>   -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter]
>
> You need to enable the ldap/client service:
>
> # svcadm enable ldap/client:default [enter]
>
> After which, modify /etc/nsswitch.conf to add the ldap provider for
> passwd and group:
>
> passwd: files ldap
> group:  files ldap
>
> That's it, test it:
>
> # id admin
> uid=642800000(admin) gid=642800000(admins) groups=642800000(admins)
>
> # getent passwd admin
> admin:x:642800000:642800000:Administrator:/home/admin:/bin/bash
>
> So it works. The kerberos stuff will be next ...
>
> One thing I have not yet gotten to work is that these changes are not
> persistent across reboots. The ldapclient config stays, but the
> service ldap/client does not start (stays disabled) and nsswitch.conf
> misses the ldap entries. So far I am fixing this from cfengine (gotta
> love it).
>
> So apparently, for solaris 10 and newer versions, the procedure
> outlined in http://freeipa.com/page/ConfiguringSolarisClients is no
> longer necessary as far as the ldap client is concerned.
>
> --
> Groeten,
> natxo
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Hi,

I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I use a DUAProfile with ldapclient. This stays configured and the ldap/client service is enabled across reboots.

There is a DUAProfile included by default with IPA, but it requires some tweaking to support more than just the basic features. See this bugzilla for a more comprehensive example:

https://bugzilla.redhat.com/show_bug.cgi?id=815515

There is also some more info about configuring Solaris clients in this bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=815533

The ldap/client service is enabled when you run the ldapclient script. There should be no need for doing this manually. When you run ldapclient, run it with the -v flag and look for errors.

After a reboot, what does "svcs -xv ldap/client" output?

Are the services it depends on in online state? "svcs -d ldap/client"

What does /var/svc/log/network-ldap-client:default.log display after a reboot?

What files do you have in /var/ldap?

What is the content of the /var/ldap/ldap_client_file?

Regards,
Siggi


From natxo.asenjo at gmail.com Sun Sep 2 18:21:01 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sun, 2 Sep 2012 20:21:01 +0200
Subject: [Freeipa-users] openindiana ldap client
In-Reply-To: <50439019.8080804@nixtra.com>
References: <50439019.8080804@nixtra.com>
Message-ID:

On Sun, Sep 2, 2012 at 6:58 PM, Sigbjorn Lie wrote:
> On 09/02/2012 04:37 PM, Natxo Asenjo wrote:
>> One thing I have not yet gotten to work is that these changes are not
>> persistent across reboots. The ldapclient config stays, but the service
>> ldap/client does not start (stays disabled) and nsswitch.conf misses the
>> ldap entries. So far I am fixing this from cfengine (gotta love it).
>>
>> So apparently, for solaris 10 and newer versions, the procedure outlined
>> in http://freeipa.com/page/ConfiguringSolarisClients is no longer
>> necessary as far as the ldap client is concerned.
>
> I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I
> use a DUAProfile with ldapclient. This stays configured and the ldap/client
> service is enabled across reboots.
>
> There is a DUAProfile included by default with IPA, but it requires some
> tweaking to support more than just the basic features. See this bugzilla
> for a more comprehensive example:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815515

ok, looks nice. I did not know about this automatic config tool. So if I run

ldapclient init -a profileName=default kdc.ipa.asenjo.nx

it should work. Yes it does, awesome.

Unfortunately, it keeps stopping after a reboot:

[ Sep 2 20:05:19 Enabled. ]
[ Sep 2 20:05:31 Executing start method ("/lib/svc/method/ldap-client start"). ]
[ Sep 2 20:05:38 Method "start" exited with status 0. ]
[ Sep 2 20:05:38 Stopping because service disabled. ]
[ Sep 2 20:05:38 Executing stop method ("/lib/svc/method/ldap-client stop"). ]
[ Sep 2 20:05:38 Method "stop" exited with status 0. ]

> There is also some more info about configuring Solaris clients in this
> bugzilla:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815533
>
> The ldap/client service is enabled when you run the ldapclient script.
> There should be no need for doing this manually. When you run ldapclient,
> run it with the -v flag and look for errors.

I have rerun ldapclient after running ldapclient uninit and saw no errors.

> After a reboot, what does "svcs -xv ldap/client" output?

# svcs -xv ldap/client
svc:/network/ldap/client:default (LDAP client)
 State: disabled since September 2, 2012 08:05:38 PM CEST
Reason: Temporarily disabled by an administrator.
   See: http://illumos.org/msg/SMF-8000-1S
   See: man -M /usr/share/man -s 1M ldap_cachemgr
   See: /var/svc/log/network-ldap-client:default.log
Impact: This service is not running.

But I have not temporarily disabled it (option -t to svcadm, I believe).

> Are the services it depends on in online state? "svcs -d ldap/client"

# svcs -d ldap/client
STATE          STIME    FMRI
online         19:51:58 svc:/system/filesystem/minimal:default
online         19:51:59 svc:/network/initial:default
online         19:52:10 svc:/network/location:default

> What does /var/svc/log/network-ldap-client:default.log display after a
> reboot?

see above.

> What files do you have in /var/ldap?

ls -l /var/ldap/
total 7
-rw-r--r-- 1 root root 2368 2012-09-02 15:28 cachemgr.log
-r-------- 1 root root  100 2012-09-02 11:16 ldap_client_cred
-r-------- 1 root root  371 2012-09-02 11:16 ldap_client_file
drwxr-xr-x 2 root root    4 2012-09-02 11:16 restore

> What is the content of the /var/ldap/ldap_client_file?

#
# Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= kdc.ipa.asenjo.nx
NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=asenjo,dc=nx
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=ipa,dc=asenjo,dc=nx
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount

Thanks for your tips. I think there might just be something broken with the ldap/client service in openindiana. This DUAProfile thing is really nice to use

--
natxo
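As an added example (not code from the thread, OpenIndiana or FreeIPA), here is a small parser for the /var/ldap/ldap_client_file format shown above, with an audit of what NS_LDAP_AUTH=none (the authenticationMethod=none used in both of the configurations in this thread) actually means for the passwd and group lookups: the client binds anonymously and, without a tls: method, talks to the directory in cleartext. The sample file is constructed from the one posted in the thread; the finding codes and the ClientConfig structure are the example's own.

```python
"""Parse /var/ldap/ldap_client_file (the file ldapclient writes on
Solaris/illumos/OpenIndiana) and audit what the native LDAP name service
will do with it. Added example: not code from the thread, OpenIndiana or
FreeIPA. The sample file is constructed from the one posted in the thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_CLIENT_FILE = """\
#
# Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= kdc.ipa.asenjo.nx
NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=asenjo,dc=nx
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=ipa,dc=asenjo,dc=nx
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
"""

# ldapclient writes one "NS_LDAP_KEY= value" pair per line; keys may repeat.
_LINE = re.compile(r"^(NS_LDAP_[A-Z_]+)=\s*(.*?)\s*$")


@dataclass
class ClientConfig:
    servers: List[str] = field(default_factory=list)   # NS_LDAP_SERVERS, comma separated
    auth: List[str] = field(default_factory=list)      # NS_LDAP_AUTH, ';' separated, tried in order
    base_dn: str = ""
    profile: str = ""
    # service -> (search base, scope); scope is None when the SSD has no "?scope" part,
    # in which case the client falls back to NS_LDAP_SEARCH_SCOPE (one, unless set).
    search_desc: Dict[str, Tuple[str, Optional[str]]] = field(default_factory=dict)
    raw: Dict[str, List[str]] = field(default_factory=dict)   # every key, every value


def parse_client_file(text: str) -> ClientConfig:
    cfg = ClientConfig()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"not an ldap_client_file line: {line!r}")
        key, value = m.groups()
        cfg.raw.setdefault(key, []).append(value)
        if key == "NS_LDAP_SERVERS":
            cfg.servers.extend(s.strip() for s in value.split(",") if s.strip())
        elif key == "NS_LDAP_AUTH":
            cfg.auth.extend(a.strip() for a in value.split(";") if a.strip())
        elif key == "NS_LDAP_SEARCH_BASEDN":
            cfg.base_dn = value
        elif key == "NS_LDAP_PROFILE":
            cfg.profile = value
        elif key == "NS_LDAP_SERVICE_SEARCH_DESC":
            service, _, rest = value.partition(":")      # "passwd:base?scope"
            base, sep, scope = rest.partition("?")
            cfg.search_desc[service] = (base, scope if sep else None)
    return cfg


def audit(cfg: ClientConfig) -> List[Tuple[str, str]]:
    """Security-relevant observations as (code, explanation) pairs; an empty list is clean."""
    findings: List[Tuple[str, str]] = []
    if "none" in cfg.auth:
        findings.append(("ANON_BIND",
            "authenticationMethod=none: the client binds anonymously, so passwd/group data is "
            "only what the directory exposes to anonymous readers, and nothing authenticates "
            "the server the client is talking to"))
    # tls:* wraps the connection in TLS; sasl/GSSAPI can negotiate its own integrity/privacy layer.
    if cfg.auth and not any(a.startswith("tls:") or a == "sasl/GSSAPI" for a in cfg.auth):
        findings.append(("NO_TLS",
            "no tls: method: lookups go over plain LDAP to %s and can be read or altered in transit"
            % ", ".join(cfg.servers)))
    if "simple" in cfg.auth:
        findings.append(("CLEARTEXT_CRED",
            "simple without tls: the proxy DN password kept in /var/ldap/ldap_client_cred "
            "is sent to the server in cleartext"))
    return findings


if __name__ == "__main__":
    config = parse_client_file(SAMPLE_CLIENT_FILE)
    print("servers:", config.servers, "auth:", config.auth, "profile:", config.profile)
    for code, why in audit(config):
        print(f"{code}: {why}")
```

Point it at the real file with `parse_client_file(open("/var/ldap/ldap_client_file").read())` (root only; the file is mode 0400). A DUAProfile that sets `authenticationMethod=tls:sasl/GSSAPI` or `tls:simple` with a dedicated proxy DN produces no findings here, which is the configuration to aim for once the Kerberos part of the thread is done.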
From sigbjorn at nixtra.com Sun Sep 2 19:20:22 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 02 Sep 2012 21:20:22 +0200
Subject: [Freeipa-users] openindiana ldap client
In-Reply-To:
References: <50439019.8080804@nixtra.com>
Message-ID: <5043B176.7070808@nixtra.com>

On 09/02/2012 08:21 PM, Natxo Asenjo wrote:
> On Sun, Sep 2, 2012 at 6:58 PM, Sigbjorn Lie wrote:
>
>     On 09/02/2012 04:37 PM, Natxo Asenjo wrote:
>>     One thing I have not yet gotten to work is that these changes are
>>     not persistent across reboots. The ldapclient config stays, but
>>     the service ldap/client does not start (stays disabled) and
>>     nsswitch.conf misses the ldap entries. So far I am fixing this
>>     from cfengine (gotta love it).
>>
>>     So apparently, for solaris 10 and newer versions, the procedure
>>     outlined in http://freeipa.com/page/ConfiguringSolarisClients is
>>     no longer necessary as far as the ldap client is concerned.
>
>     I'm using Nexenta as an IPA client, another derivative of
>     OpenSolaris. I use a DUAProfile with ldapclient. This stays
>     configured and the ldap/client service is enabled across reboots.
>
>     There is a DUAProfile included by default with IPA, but it
>     requires some tweaking to support more than just the basic
>     features. See this bugzilla for a more comprehensive example:
>
>     https://bugzilla.redhat.com/show_bug.cgi?id=815515
>
> ok, looks nice. I did not know about this automatic config tool. So if
> I run ldapclient init -a profileName=default kdc.ipa.asenjo.nx it should
> work. Yes it does, awesome.
>
> Unfortunately, it keeps stopping after a reboot:
>
> [ Sep 2 20:05:19 Enabled. ]
> [ Sep 2 20:05:31 Executing start method ("/lib/svc/method/ldap-client
> start"). ]
> [ Sep 2 20:05:38 Method "start" exited with status 0. ]
> [ Sep 2 20:05:38 Stopping because service disabled. ]
> [ Sep 2 20:05:38 Executing stop method ("/lib/svc/method/ldap-client
> stop"). ]
> [ Sep 2 20:05:38 Method "stop" exited with status 0. ]
>
>     There is also some more info about configuring Solaris clients in
>     this bugzilla:
>
>     https://bugzilla.redhat.com/show_bug.cgi?id=815533
>
>     The ldap/client service is enabled when you run the ldapclient
>     script. There should be no need for doing this manually. When you
>     run ldapclient, run it with the -v flag and look for errors.
>
> I have rerun ldapclient after running ldapclient uninit and saw no errors.
>
>     After a reboot, what does "svcs -xv ldap/client" output?
>
> # svcs -xv ldap/client
> svc:/network/ldap/client:default (LDAP client)
>  State: disabled since September 2, 2012 08:05:38 PM CEST
> Reason: Temporarily disabled by an administrator.
>    See: http://illumos.org/msg/SMF-8000-1S
>    See: man -M /usr/share/man -s 1M ldap_cachemgr
>    See: /var/svc/log/network-ldap-client:default.log
> Impact: This service is not running.
>
> But I have not temporarily disabled it (option -t to svcadm, I believe).
>
>     Are the services it depends on in online state? "svcs -d ldap/client"
>
> # svcs -d ldap/client
> STATE          STIME    FMRI
> online         19:51:58 svc:/system/filesystem/minimal:default
> online         19:51:59 svc:/network/initial:default
> online         19:52:10 svc:/network/location:default
>
>     What does /var/svc/log/network-ldap-client:default.log display
>     after a reboot?
>
> see above.
>
>     What files do you have in /var/ldap?
>
> ls -l /var/ldap/
> total 7
> -rw-r--r-- 1 root root 2368 2012-09-02 15:28 cachemgr.log
> -r-------- 1 root root  100 2012-09-02 11:16 ldap_client_cred
> -r-------- 1 root root  371 2012-09-02 11:16 ldap_client_file
> drwxr-xr-x 2 root root    4 2012-09-02 11:16 restore
>
>     What is the content of the /var/ldap/ldap_client_file?
>
> #
> # Do not edit this file manually; your changes will be lost. Please use
> ldapclient (1M) instead.
> #
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= kdc.ipa.asenjo.nx
> NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=asenjo,dc=nx
> NS_LDAP_AUTH= none
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_TIME= 15
> NS_LDAP_PROFILE= default
> NS_LDAP_SERVICE_SEARCH_DESC=
> passwd:cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx
> NS_LDAP_SERVICE_SEARCH_DESC=
> group:cn=groups,cn=compat,dc=ipa,dc=asenjo,dc=nx
> NS_LDAP_BIND_TIME= 5
> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>
> Thanks for your tips. I think there might just be something broken with
> the ldap/client service in openindiana. This DUAProfile thing is
> really nice to use

Agreed, it sounds like a bug in OpenIndiana.

That's odd. A service becomes temporarily disabled usually when a service it depends on cannot start due to failed dependencies or fails to start. On the SPARC platform you can boot with "boot -v" to get a verbose startup. Adding "-v" to the $kernel line in GRUB manually at startup will display a verbose startup on the X86 platform. Be aware, it will get really verbose.

Are you using a static IP or DHCP?

Rgds,
Siggi


From natxo.asenjo at gmail.com Sun Sep 2 19:57:53 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sun, 2 Sep 2012 21:57:53 +0200
Subject: [Freeipa-users] openindiana ldap client
In-Reply-To: <5043B176.7070808@nixtra.com>
References: <50439019.8080804@nixtra.com> <5043B176.7070808@nixtra.com>
Message-ID:

On Sun, Sep 2, 2012 at 9:20 PM, Sigbjorn Lie wrote:
>> Thanks for your tips. I think there might just be something broken with
>> the ldap/client service in openindiana. This DUAProfile thing is really
>> nice to use
>
> Agreed, it sounds like a bug in OpenIndiana.
>
> That's odd. A service becomes temporarily disabled usually when a service
> it depends on cannot start due to failed dependencies or fails to start. On
> the SPARC platform you can boot with "boot -v" to get a verbose startup.
> Adding "-v" to the $kernel line in GRUB manually at startup will display a
> verbose startup on the X86 platform. Be aware, it will get really verbose.

ok, I'll give that a try, thanks.

> Are you using a static IP or DHCP?

dhcp so far, just testing. I'll try with a fixed ip. This should just work with dhcp too, obviously.

Great tips, Sigbjorn. Much appreciated.

--
natxo


From david at bjorkevik.se Mon Sep 3 12:49:45 2012
From: david at bjorkevik.se (David Björkevik)
Date: Mon, 03 Sep 2012 14:49:45 +0200
Subject: [Freeipa-users] FreeIPA samba integration
Message-ID: <5044A769.9060706@bjorkevik.se>

Hi List

I just recently deployed FreeIPA 2.2 on a CentOS 6 box. Everything went very smooth until I got to the issue of Samba integration.

What I want to accomplish is a "dumb" Windows file sharing server, without domain logons or anything. I just want Windows (and Linux) users to be able to map a share using the user name and password they have in the FreeIPA database. The windows clients do not have kerberos and are not authenticated against the FreeIPA server.

I gathered some ideas from
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
and
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
neither of which work to 100% or go into the smb.conf part of the setup.

Are there any other HowTos on this that I may have missed? Does anyone have a working configuration similar to this?
Regards,
David Björkevik


From george_he7 at yahoo.com Mon Sep 3 22:00:15 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 3 Sep 2012 15:00:15 -0700 (PDT)
Subject: [Freeipa-users] ipa host-del
Message-ID: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com>

Hello all,

I'm trying to reinstall my ipa client so I did ipa-client-install --uninstall on my client, but when I try to do ipa host-del on the server, I got the following error:

ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

What does it mean, and how do I fix this?
ps, both the server and the client are centos 6.3

Thanks,
George


From jdennis at redhat.com Tue Sep 4 12:10:59 2012
From: jdennis at redhat.com (John Dennis)
Date: Tue, 04 Sep 2012 08:10:59 -0400
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com>
Message-ID: <5045EFD3.6010606@redhat.com>

On 09/03/2012 06:00 PM, george he wrote:
> Hello all,
>
> I'm trying to reinstall my ipa client so I did ipa-client-install
> --uninstall on my client, but when I try to do
> ipa host-del on the server, I got the following error:
>
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> What does it mean, and how do I fix this?
> ps, both the server and the client are centos 6.3

I'm guessing the configuration option that specifies where to locate your CA was lost. Check and see if ca_host is defined in any of the .conf files under /etc/ipa, if so is it the correct host? If not then the server will assume it's co-located on the same machine. Is your CA on the same machine as your IPA server?

One other thing to check, is the CA running? Do an ipactl status to verify or an ipactl restart.

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From george_he7 at yahoo.com Tue Sep 4 12:28:31 2012
From: george_he7 at yahoo.com (george he)
Date: Tue, 4 Sep 2012 05:28:31 -0700 (PDT)
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <5045EFD3.6010606@redhat.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com>
Message-ID: <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com>

There's only one conf file in /etc/ipa/, which is default.conf. ca_host is not defined there. But I think my CA is the IPA server.

Everything is reported running:
# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

but when I try # ipactl restart, it reports:
Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker
[Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker

Thanks for your help,
George

> ________________________________
> From: John Dennis
> To: george he
> Cc: "freeipa-users at redhat.com"
> Sent: Tuesday, September 4, 2012 8:10 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> On 09/03/2012 06:00 PM, george he wrote:
>> Hello all,
>>
>> I'm trying to reinstall my ipa client so I did ipa-client-install
>> --uninstall on my client, but when I try to do
>> ipa host-del on the server, I got the following error:
>>
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (Not Found)
>>
>> What does it mean, and how do I fix this?
>> ps, both the server and the client are centos 6.3
>
> I'm guessing the configuration option that specifies where to locate
> your CA was lost. Check and see if ca_host is defined in any of the
> .conf files under /etc/ipa, if so is it the correct host? If not then
> the server will assume it's co-located on the same machine. Is your CA
> on the same machine as your IPA server?
>
> One other thing to check, is the CA running? Do an ipactl status to
> verify or an ipactl restart.
>
> -- 
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/


From jdennis at redhat.com Tue Sep 4 12:53:29 2012
From: jdennis at redhat.com (John Dennis)
Date: Tue, 04 Sep 2012 08:53:29 -0400
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com>
Message-ID: <5045F9C9.7050705@redhat.com>

On 09/04/2012 08:28 AM, george he wrote:
> There's only one conf file in /etc/ipa/, which is default.conf. ca_host
> is not defined there. But I think my CA is the IPA server.
>
> Everything is reported running:
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> but when I try # ipactl restart, it reports:
> Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker
> ajp://localhost:9447/ already used by another worker
> [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already
> used by another worker

ajp worker threads are used by tomcat instances of which the CA is one example. It sounds like your CA has gotten into a funny state. I would do a ipactl stop to shut down all your services and then do a ps to look for any Java processes that are still running (I'm assuming the only Java you're running on this box would be for the CA). If you can identify a running Java process that you believe belongs to the CA then kill it and try starting IPA again (or you could use a big hammer and reboot).

BTW, the ajp threads are the listeners on the CA communication ports, if those threads are not in the right state you could see the CA communication problems you reported.

If that still does not work then my next suggestion would be to add this line to /etc/ipa/default.conf

debug=True

and restart IPA, that will cause verbose logging to be written to /var/log/httpd/error_log which may have more detailed messages indicating where things might be going wrong.

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From rcritten at redhat.com Tue Sep 4 13:02:59 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Sep 2012 09:02:59 -0400
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com>
Message-ID: <5045FC03.2060203@redhat.com>

george he wrote:
> There's only one conf file in /etc/ipa/, which is default.conf. ca_host
> is not defined there. But I think my CA is the IPA server.
>
> Everything is reported running:
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> but when I try # ipactl restart, it reports:
> Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker
> ajp://localhost:9447/ already used by another worker
> [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already
> used by another worker

This can be ignored, it is a known issue in Apache and doesn't mean anything is wrong. We're tracking an upstream fix for this, https://fedorahosted.org/freeipa/ticket/1853

I would set debug = True in /etc/ipa/default.conf and restart Apache. Then try the host-del again and examine /var/log/httpd/error_log. We currently only log CS connection issues when in debug mode (there is a ticket on that too). The CA log in /var/log/pki-ca/debug may have some tips too.

When a host is deleted we try to revoke its certificate. If we can't talk to the CA then the delete fails.

rob


From george_he7 at yahoo.com Tue Sep 4 14:23:01 2012
From: george_he7 at yahoo.com (george he)
Date: Tue, 4 Sep 2012 07:23:01 -0700 (PDT)
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <5045F9C9.7050705@redhat.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com>
Message-ID: <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com>

First of all, I don't see any java process after ipactl stop.

Then I turned on debug and this is what I get on the terminal:
# ipa host-del hnl09.psych.yale.edu
......
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
ipa: DEBUG: Caught fault 4301 from server http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)

So there's a "fault 4301" being caught.
And this is at the end of /var/log/httpd/error_log:
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
[Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: attempt to connect to 127.0.0.1:9447 (localhost) failed
[Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling worker for (localhost)
[Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection to backend: localhost
[Tue Sep 04 10:17:05 2012] [error] ipa: INFO: admin at PSYCH.YALE.EDU: host_del((u'hnl09.psych.yale.edu',), updatedns=False): CertificateOperationError
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection context.ldap2

Thanks,
George

> ________________________________
> From: John Dennis
> To: george he
> Cc: "freeipa-users at redhat.com"
> Sent: Tuesday, September 4, 2012 8:53 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> On 09/04/2012 08:28 AM, george he wrote:
>> There's only one conf file in /etc/ipa/, which is default.conf. ca_host
>> is not defined there. But I think my CA is the IPA server.
>>
>> Everything is reported running:
>> # ipactl status
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>>
>> but when I try # ipactl restart, it reports:
>> Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker
>> ajp://localhost:9447/ already used by another worker
>> [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already
>> used by another worker
>
> ajp worker threads are used by tomcat instances of which the CA is one
> example. It sounds like your CA has gotten into a funny state. I would
> do a ipactl stop to shut down all your services and then do a ps to look
> for any Java processes that are still running (I'm assuming the only
> Java you're running on this box would be for the CA). If you can
> identify a running Java process that you believe belongs to the CA then
> kill it and try starting IPA again (or you could use a big hammer and
> reboot).
>
> BTW, the ajp threads are the listeners on the CA communication ports,
> if those threads are not in the right state you could see the CA
> communication problems you reported.
>
> If that still does not work then my next suggestion would be to add
> this line to /etc/ipa/default.conf
>
> debug=True
>
> and restart IPA, that will cause verbose logging to be written to
> /var/log/httpd/error_log which may have more detailed messages
> indicating where things might be going wrong.
>
> -- 
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/


From rcritten at redhat.com Tue Sep 4 14:26:30 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Sep 2012 10:26:30 -0400
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com>
Message-ID: <50460F96.5070503@redhat.com>

george he wrote:
> First of all, I don't see any java process after ipactl stop.
>
> Then I turned on debug and this is what I get on the terminal:
> # ipa host-del hnl09.psych.yale.edu
> ......
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
> ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
> ipa: DEBUG: Caught fault 4301 from server
> http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be
> completed: Unable to communicate with CMS (Service Temporarily Unavailable)
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Service Temporarily Unavailable)
>
> So there's a "fault 4301" being caught.
> And this is at the end of /var/log/httpd/error_log:
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage =
> SSLServer intended_usage = SSLServer
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for
> "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer
> = 130.132.167.68:443
> [Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP:
> attempt to connect to 127.0.0.1:9447 (localhost) failed
> [Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling
> worker for (localhost)
> [Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection
> to backend: localhost
> [Tue Sep 04 10:17:05 2012] [error] ipa: INFO: admin at PSYCH.YALE.EDU:
> host_del((u'hnl09.psych.yale.edu',), updatedns=False):
> CertificateOperationError
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response:
> CertificateOperationError: Certificate operation cannot be completed:
> Unable to communicate with CMS (Service Temporarily Unavailable)
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection
> context.ldap2

dogtag does not appear to be running. I'd suggest looking at /var/log/pki-ca/catalina.out or debug to see if it has any hints as to what the problem is.

What distribution is this?

rob


From jdennis at redhat.com Tue Sep 4 14:40:29 2012
From: jdennis at redhat.com (John Dennis)
Date: Tue, 04 Sep 2012 10:40:29 -0400
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com>
Message-ID: <504612DD.5010104@redhat.com>

On 09/04/2012 10:23 AM, george he wrote:
> First of all, I don't see any java process after ipactl stop.
>
> Then I turned on debug and this is what I get on the terminal:
> # ipa host-del hnl09.psych.yale.edu
> ......
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
> ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
> ipa: DEBUG: Caught fault 4301 from server
> http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be
> completed: Unable to communicate with CMS (Service Temporarily Unavailable)
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Service Temporarily Unavailable)
>
> So there's a "fault 4301" being caught.
> And this is at the end of /var/log/httpd/error_log:
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage =
> SSLServer intended_usage = SSLServer
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for
> "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer
> = 130.132.167.68:443
> [Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP:
> attempt to connect to 127.0.0.1:9447 (localhost) failed
> [Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling
> worker for (localhost)
> [Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection
> to backend: localhost
> [Tue Sep 04 10:17:05 2012] [error] ipa: INFO: admin at PSYCH.YALE.EDU:
> host_del((u'hnl09.psych.yale.edu',), updatedns=False):
> CertificateOperationError
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response:
> CertificateOperationError: Certificate operation cannot be completed:
> Unable to communicate with CMS (Service Temporarily Unavailable)
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection
> context.ldap2
>
> Thanks,
> George

It appears as if your CA instance is not running (pki-ca). Depending on which OS you're running on, could you verify pki-ca is running via either the service or systemctl command. Do you see any errors in the log files found under /var/log/pki-ca?

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From george_he7 at yahoo.com Tue Sep 4 17:49:46 2012
From: george_he7 at yahoo.com (george he)
Date: Tue, 4 Sep 2012 10:49:46 -0700 (PDT)
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <504612DD.5010104@redhat.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com>
Message-ID: <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com>

I'm running centos 6.3
# uname -r
2.6.32-279.5.2.el6.x86_64

pki-ca: unrecognized service

There are tons of errors in /var/log/pki-ca/*, some of them are:
/var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
/var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
/var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
/var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
/var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server.
Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91) /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException:? Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web application directory ca Thanks, George >________________________________ > From: John Dennis >To: george he >Cc: "freeipa-users at redhat.com" >Sent: Tuesday, September 4, 2012 10:40 AM >Subject: Re: [Freeipa-users] ipa host-del > >On 09/04/2012 10:23 AM, george he wrote: >> First of all, i don't see any java process after ipactl stop. >> >> Then I turned on debug and this is what I get on terminal: >> # ipa host-del hnl09.psych.yale.edu >> ...... >> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer >> ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU" >> ipa: DEBUG: handshake complete, peer = 130.132.167.68:443 >> ipa: DEBUG: Caught fault 4301 from server >> http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be >> completed: Unable to communicate with CMS (Service Temporarily Unavailable) >> ipa: DEBUG: Destroyed connection context.xmlclient >> ipa: ERROR: Certificate operation cannot be completed: Unable to >> communicate with CMS (Service Temporarily Unavailable) >> >> So there's a "fault 4301" being caught. 
>> And this is at the end of /var/log/httpd/error_log: >> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage = >> SSLServer intended_usage = SSLServer >> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for >> "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU" >> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer >> = 130.132.167.68:443 >> [Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: >> attempt to connect to 127.0.0.1:9447 (localhost) failed >> [Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling >> worker for (localhost) >> [Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection >> to backend: localhost >> [Tue Sep 04 10:17:05 2012] [error] ipa: INFO: admin at PSYCH.YALE.EDU: >> host_del((u'hnl09.psych.yale.edu',), updatedns=False): >> CertificateOperationError >> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response: >> CertificateOperationError: Certificate operation cannot be completed: >> Unable to communicate with CMS (Service Temporarily Unavailable) >> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection >> context.ldap2 >> >> Thanks, >> George > >It appears as if your CA instance is not running (pki-ca). Depending on which OS you're running on could you verify pki-ca is running via either the service or systemctl command. Do you see any errors in the log files found under /var/log/pki-ca? > >-- John Dennis > >Looking to carve out IT costs? >www.redhat.com/carveoutcosts/ > > > -------------- next part -------------- An HTML attachment was scrubbed... 
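The pki-ca log lines above show two separate failures: the CA cannot reach its own directory instance on port 7389, and Tomcat cannot load the JSS SSL implementation (org.mozilla.jss.ssl.SSLSocket), after which the /ca web application fails to deploy. Because "service ... restart" prints OK even when the CA dies moments later, a useful habit is to check what is actually listening and what the log says after every restart. The script below is an added example for this thread, not a FreeIPA or dogtag tool and not code from any of the posters. It assumes the pki-cad service name and the ports quoted in the thread (9447 for the AJP connector httpd proxies to, 7389 for the CA's LDAP backend), that the ss command is available, and that catalina.out is the log to scan; the sample log in the demo is constructed from the lines pasted above.

```sh
#!/bin/sh
# Post-restart health check for the dogtag CA behind IPA (pki-ca on a
# CentOS/RHEL 6 box). Added example for this thread, not a FreeIPA tool.
# Ports and log path are the ones quoted in the thread; pki-cad is the
# service name that worked for George. Sample log in demo() is constructed.

CA_AJP_PORT=9447      # httpd proxies /ca to 127.0.0.1:9447 (see error_log above)
CA_LDAP_PORT=7389     # the CA's own 389-ds instance (PKI-IPA)
CA_LOG=/var/log/pki-ca/catalina.out

# pki_log_triage FILE: print one line per distinct fatal condition found in
# a pki-ca log, naming the component to look at. Returns 0 when none of the
# known patterns match, 1 otherwise. Patterns are the ones seen in this thread.
pki_log_triage() {
    log=$1
    rc=0
    if grep -q 'ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket' "$log"; then
        echo "jss: Tomcat cannot load the JSS SSL implementation; the CA's SSL and AJP connectors never come up"
        rc=1
    fi
    if grep -q 'Cannot connect to LDAP server' "$log"; then
        echo "ldap: the CA cannot reach its 389-ds instance on port $CA_LDAP_PORT (check: service dirsrv status)"
        rc=1
    fi
    if grep -Eq 'not a PKCS #11 certificate|CASigningUnit: Object certificate not found' "$log"; then
        echo "nssdb: the CA signing certificate is not loadable from the CA's NSS database"
        rc=1
    fi
    if grep -q 'Error deploying web application directory ca' "$log"; then
        echo "webapp: the /ca web application failed to deploy (follows from the errors above)"
        rc=1
    fi
    return $rc
}

# port_listening PORT: 0 if some process is bound to TCP PORT on this host.
port_listening() {
    ss -ltn 2>/dev/null | grep -q ":$1[[:space:]]"
}

# ca_health: run a few seconds after 'service pki-cad restart'. A zero exit
# means both ports are up and the log shows none of the known fatal patterns.
ca_health() {
    status=0
    if port_listening "$CA_AJP_PORT"; then
        echo "ok: CA listening on AJP port $CA_AJP_PORT"
    else
        echo "FAIL: nothing on 127.0.0.1:$CA_AJP_PORT, httpd will report 'Unable to communicate with CMS'"
        status=1
    fi
    if port_listening "$CA_LDAP_PORT"; then
        echo "ok: CA directory instance listening on $CA_LDAP_PORT"
    else
        echo "FAIL: CA directory instance (PKI-IPA) not listening on $CA_LDAP_PORT"
        status=1
    fi
    if [ -r "$CA_LOG" ]; then
        pki_log_triage "$CA_LOG" || status=1
    fi
    return $status
}

# demo: triage a constructed log made of the catalina lines from the thread.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
SEVERE: Error initializing socket factory
java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
SEVERE: Error deploying web application directory ca
EOF
    if pki_log_triage "$tmp"; then echo "log clean"; else echo "problems found"; fi
    rm -f "$tmp"
}

case "${1:-}" in
    --demo) demo ;;
    --check) ca_health ;;
esac
```

Run it with --check on the CA host after a restart, or with --demo to see the triage on the constructed sample. The triage list covers only the patterns that appear in this thread; extend it from your own catalina.out, and treat the ldap line as the first thing to fix, since the CA cannot come up without its directory instance.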
From george_he7 at yahoo.com Tue Sep 4 17:52:44 2012
From: george_he7 at yahoo.com (george he)
Date: Tue, 4 Sep 2012 10:52:44 -0700 (PDT)
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <50460F96.5070503@redhat.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <50460F96.5070503@redhat.com>
Message-ID: <1346781164.22991.YahooMailNeo@web120001.mail.ne1.yahoo.com>

How do I start dogtag?
It's centos 6.3. Some errors are posted to my other email.

Thanks,
George

From george_he7 at yahoo.com Tue Sep 4 18:02:36 2012
From: george_he7 at yahoo.com (george he)
Date: Tue, 4 Sep 2012 11:02:36 -0700 (PDT)
Subject: [Freeipa-users] cannot logon: system error?
Message-ID: <1346781756.62549.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hi all,

This is another issue I'm having with another ipa client.
Both the server and the client are centos 6.3
The client was configured all right. I was able to log on at a point,
but then after the screen was auto-locked over the night, I cannot log on any more.
If I try on the console, it says "system error" and returns to the locked screen.
If I try ssh myclient, it says "Connection closed by myclient".

This is what is in /var/log/secure
Sep  4 13:57:52 localhost sshd[4208]: Authorized to jhe, krb5 principal jhe at PSYCH.YALE.EDU (krb5_kuserok)
Sep  4 13:57:52 localhost sshd[4208]: pam_sss(sshd:account): Access denied for user jhe: 4 (System error)
Sep  4 13:57:52 localhost sshd[4209]: fatal: Access denied for user jhe by PAM account configuration

What do I do to fix this problem?

Thanks in advance,
George

From jhrozek at redhat.com Tue Sep 4 19:05:39 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 4 Sep 2012 21:05:39 +0200
Subject: [Freeipa-users] cannot logon: system error?
In-Reply-To: <1346781756.62549.YahooMailNeo@web120003.mail.ne1.yahoo.com>
References: <1346781756.62549.YahooMailNeo@web120003.mail.ne1.yahoo.com>
Message-ID: <20120904190539.GS28427@zeppelin.brq.redhat.com>

On Tue, Sep 04, 2012 at 11:02:36AM -0700, george he wrote:
> Hi all,
>
> This is another issue I'm having with another ipa client.
> Both the server and the client are centos 6.3
> The client was configured all right. I was able to log on at a point,
> but then after the screen was auto-locked over the night, I cannot log on any more.
> If I try on the console, it says "system error" and returns to the locked screen.
> If I try ssh myclient, it says "Connection closed by myclient".
>
> This is what is in /var/log/secure
> Sep  4 13:57:52 localhost sshd[4208]: Authorized to jhe, krb5 principal jhe at PSYCH.YALE.EDU (krb5_kuserok)
> Sep  4 13:57:52 localhost sshd[4208]: pam_sss(sshd:account): Access denied for user jhe: 4 (System error)
> Sep  4 13:57:52 localhost sshd[4209]: fatal: Access denied for user jhe by PAM account configuration
>

System Error usually means an internal error in the SSSD.

Please put debug_level = 8 into the [pam] and [domain] sections, restart
the SSSD, re-run the login attempt and attach or copy the relevant
sections of /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_$domain.log

From rcritten at redhat.com Tue Sep 4 20:20:05 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Sep 2012 16:20:05 -0400
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com>
Message-ID: <50466275.2080203@redhat.com>

george he wrote:
> I'm running centos 6.3
> # uname -r
> 2.6.32-279.5.2.el6.x86_64
>
> pki-ca: unrecognized service
>
> There are tons of errors in /var/log/pki-ca/*, some of them are:
> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
>
> /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory
> /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web application directory ca

The problem looks to be that the dogtag 389-ds instance is not started.
I'd try: service dirsrv restart PKI-IPA

Then service pki-cad restart

rob

From george_he7 at yahoo.com Tue Sep 4 21:12:55 2012
From: george_he7 at yahoo.com (george he)
Date: Tue, 4 Sep 2012 14:12:55 -0700 (PDT)
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <50466275.2080203@redhat.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com>
Message-ID: <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Both of the commands "service dirsrv restart" and "service pki-cad restart" reported:
stopping ... OK
starting ... OK
but host-del still has the same error.
More suggestions?
Thanks,
George

From Steven.Jones at vuw.ac.nz Tue Sep 4 21:18:45 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 4 Sep 2012 21:18:45 +0000
Subject: [Freeipa-users] time limiting users
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CDAD88D@STAWINCOX10MBX1.staff.vuw.ac.nz>

Is it possible to limit when users can login?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From natxo.asenjo at gmail.com Tue Sep 4 21:27:10 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Tue, 4 Sep 2012 23:27:10 +0200
Subject: [Freeipa-users] time limiting users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CDAD88D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CDAD88D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

On Tue, Sep 4, 2012 at 11:18 PM, Steven Jones wrote:
> Is it possible to limit when users can login?

Of course, pam + time (see https://www.google.com/search?q=pam%20time; the first result looked good on first sight, if I recall it correctly).

It would be nice to have this functionality in ipa, but using a config management tool (like cfengine) it is quite trivial to distribute it to all the clients in your network if the need arises.

--
natxo
From george_he7 at yahoo.com Tue Sep 4 21:41:04 2012
From: george_he7 at yahoo.com (george he)
Date: Tue, 4 Sep 2012 14:41:04 -0700 (PDT)
Subject: [Freeipa-users] cannot logon: system error?
In-Reply-To: <20120904190539.GS28427@zeppelin.brq.redhat.com>
References: <1346781756.62549.YahooMailNeo@web120003.mail.ne1.yahoo.com> <20120904190539.GS28427@zeppelin.brq.redhat.com>
Message-ID: <1346794864.72726.YahooMailNeo@web120006.mail.ne1.yahoo.com>

I removed the host on the ipa server (ipa host-del, which works for this client but not another one), reinstalled the system, and configured the client; it worked.

Thanks,
George

From simo at redhat.com Tue Sep 4 23:32:20 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 04 Sep 2012 19:32:20 -0400
Subject: [Freeipa-users] time limiting users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CDAD88D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CDAD88D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1346801540.1150.11.camel@willson.li.ssimo.org>

On Tue, 2012-09-04 at 21:18 +0000, Steven Jones wrote:
> Is it possible to limit when users can login?
>

Initially we had plans to do time based rules as part of HBAC. However we
decided to step back and wait on that front.

Time based rules sound simple, but are very complex, both to understand
and implement. Especially as soon as you start considering timezones, how
to express them reasonably and which one to consider (the server's
timezone or the client's timezone ?) and so on ...

So in a nutshell, no, at the moment we do not support time based rules.

Simo.
-- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Wed Sep 5 01:49:14 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 04 Sep 2012 21:49:14 -0400 Subject: [Freeipa-users] ipa host-del In-Reply-To: <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> Message-ID: <5046AF9A.2040407@redhat.com> george he wrote: > both of the commands "service dirsrv restart" and "service pki-cad > restart" reported: > stopping ... OK > starting ... OK > but host-del still has the same error. > More suggestions? Check the logs again. The service starting does not mean it kept running. rob > Thanks, > George > > ------------------------------------------------------------------------ > *From:* Rob Crittenden > *To:* george he > *Cc:* John Dennis ; "freeipa-users at redhat.com" > > *Sent:* Tuesday, September 4, 2012 4:20 PM > *Subject:* Re: [Freeipa-users] ipa host-del > > george he wrote: > > I'm running centos 6.3 > > # uname -r > > 2.6.32-279.5.2.el6.x86_64 > > > > pki-ca: unrecognized service > > > > There are tons of errors in /var/log/pki-ca/*, some of them are: > > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] > [3] [3] > > Cannot build CA chain. 
Error java.security.cert.CertificateException: > > Certificate is not a PKCS #11 certificate > > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] > [13] [3] > > authz instance DirAclAuthz initialization failed and skipped, > > error=Property internaldb.ldapconn.port missing value > > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] > > [3] [3] Cannot build CA chain. Error > > java.security.cert.CertificateException: Certificate is not a > PKCS #11 > > certificate > > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] > > [3] [3] CASigningUnit: Object certificate not found. Error > > org.mozilla.jss.crypto.ObjectNotFoundException > > /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] > [3] In > > Ldap (bound) connection pool to host cushing.psych.yale.edu port > 7389, > > Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: > > failed to connect to server ldap://cushing.psych.yale.edu:7389 (91) > > > > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing > > socket factory > > > /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: > Error > > loading SSL Implementation > > org.apache.tomcat.util.net.jss.JSSImplementation > > :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket > > /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: Protocol > > handler initialization failed: java.lang.ClassNotFoundException: > Error > > loading SSL Implementation > > org.apache.tomcat.util.net.jss.JSSImplementation > > :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket > > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web > > application directory ca > > The problem looks to be that the dogtag 389-ds instance is not started. 
> I'd try: service dirsrv restart PKI-IPA > > Then service pki-cad restart > > rob > > > > From george_he7 at yahoo.com Wed Sep 5 10:00:35 2012 From: george_he7 at yahoo.com (george he) Date: Wed, 5 Sep 2012 03:00:35 -0700 (PDT) Subject: [Freeipa-users] ipa host-del In-Reply-To: <5046AF9A.2040407@redhat.com> References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5046AF9A.2040407@redhat.com> Message-ID: <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com> here are the new errors: # rm /var/log/pki-ca/* # service dirsrv restart # service pki-cad restart # grep -i error /var/log/pki-ca/* /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca] /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:? 
Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket

>________________________________
> From: Rob Crittenden
> To: george he
> Cc: John Dennis ; "freeipa-users at redhat.com"
> Sent: Tuesday, September 4, 2012 9:49 PM
> Subject: Re: [Freeipa-users] ipa host-del
>
> george he wrote:
>> both of the commands "service dirsrv restart" and "service pki-cad
>> restart" reported:
>> stopping ... OK
>> starting ... OK
>> but host-del still has the same error.
>> More suggestions?
>
> Check the logs again. The service starting does not mean it kept running.
>
> rob
>
>> Thanks,
>> George
>>
>> ------------------------------------------------------------------------
>> *From:* Rob Crittenden
>> *To:* george he
>> *Cc:* John Dennis ; "freeipa-users at redhat.com"
>> *Sent:* Tuesday, September 4, 2012 4:20 PM
>> *Subject:* Re: [Freeipa-users] ipa host-del
>>
>> george he wrote:
>> > I'm running centos 6.3
>> > # uname -r
>> > 2.6.32-279.5.2.el6.x86_64
>> >
>> > pki-ca: unrecognized service
>> >
>> > There are tons of errors in /var/log/pki-ca/*, some of them are:
>> > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>> > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
>> > /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
>> >
>> > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory
>> > /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> > /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web application directory ca
>>
>> The problem looks to be that the dogtag 389-ds instance is not started.
>> I'd try: service dirsrv restart PKI-IPA
>>
>> Then service pki-cad restart
>>
>> rob

From dale at themacartneyclan.com Wed Sep 5 11:58:09 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 05 Sep 2012 12:58:09 +0100
Subject: [Freeipa-users] RHEV-M + service accounts in IPA
Message-ID: <50473E51.1050201@themacartneyclan.com>

Afternoon all

I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3 (ipa-server-2.2-16).

I have an api script that handles all my deployments and I am trying to set up a role account for my script to run within a jenkins environment.

I have created an ldap sysaccount, however that doesn't appear in the RHEV users list when I do a search. So it's clear it's looking for specific IPA users.

Is there a way (or on the roadmap) to create service/role accounts in IPA where the password doesn't expire?
I'm trying to avoid scenarios like this: https://access.redhat.com/knowledge/solutions/67562

Any comments / suggestions are welcome

Thanks everyone

Dale
From rcritten at redhat.com Wed Sep 5 12:39:20 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Sep 2012 08:39:20 -0400
Subject: [Freeipa-users] RHEV-M + service accounts in IPA
In-Reply-To: <50473E51.1050201@themacartneyclan.com>
References: <50473E51.1050201@themacartneyclan.com>
Message-ID: <504747F8.7000403@redhat.com>

Dale Macartney wrote:
> Afternoon all
>
> I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3 (
> ipa-server-2.2-16)
>
> I have an api script that handles all my deployments and I am trying to
> set up a role account for my script to run within a jenkins environment.
>
> I have created an ldap sysaccount, however that doesn't appear in the
> RHEV users list when I do a search. So its clear its looking for
> specific IPA users.
>
> Is there a way (or on the roadmap), to create service/role accounts in
> IPA where the password doesn't expire?
>
> I'm trying to avoid scenarios like this
>
> https://access.redhat.com/knowledge/solutions/67562
>
> Any comments / suggestions are welcome
>
> Thanks everyone
>
> Dale

A work-around is to set krbpasswordexpiration of the user somewhere far in the future to prevent expiration.

We have a ticket open on this, https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA 3.3.
rob

From rcritten at redhat.com Wed Sep 5 12:40:35 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Sep 2012 08:40:35 -0400
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5046AF9A.2040407@redhat.com> <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <50474843.7050505@redhat.com>

george he wrote:
> here are the new errors:
> # rm /var/log/pki-ca/*
> # service dirsrv restart
> # service pki-cad restart
> # grep -i error /var/log/pki-ca/*
> /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
> /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket

Hmm. Is there any additional information in the debug log? Any AVCs in /var/log/audit/audit.log?

Have you updated any packages recently? I'm not sure why dogtag would be throwing this exception.

rob
From george_he7 at yahoo.com Wed Sep 5 13:41:40 2012
From: george_he7 at yahoo.com (george he)
Date: Wed, 5 Sep 2012 06:41:40 -0700 (PDT)
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <50474843.7050505@redhat.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5046AF9A.2040407@redhat.com> <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com> <50474843.7050505@redhat.com>
Message-ID: <1346852500.28963.YahooMailNeo@web120005.mail.ne1.yahoo.com>

there are something like these:

type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for  pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for  pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

and some others like these:

type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

And yes, I did yum update recently.
Where else should I look?

Thanks,
George

>________________________________
> From: Rob Crittenden
> To: george he
> Cc: Ade Lee ; "freeipa-users at redhat.com"
> Sent: Wednesday, September 5, 2012 8:40 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> Hmm. Is there any additional information in the debug log? Any AVCs in
> /var/log/audit/audit.log?
>
> Have you updated any packages recently? I'm not sure why dogtag would be
> throwing this exception.
>
> rob
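As an added example (not code from the thread), a small Python parser for the AVC records George posted: it splits each audit.log line into fields and counts the denials per SELinux source domain, so the pki_ca_t denials from the CA's java process can be separated from unrelated ones such as the gdm/xdm_t entries. The sample log below is constructed from the records in this message plus one non-AVC line.

```python
"""Triage SELinux AVC denials from /var/log/audit/audit.log by source domain.

Added example, not code from the thread. It parses AVC records of the kind
posted above and groups the denials hitting a given domain (here the CA's
pki_ca_t) so it is clear what the confined process was refused.
"""
import re
from collections import Counter

# Constructed sample input: the two kinds of records posted in the thread
# (one xdm_t denial, two pki_ca_t denials), plus one non-AVC line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for  pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1346838993.154:2568): arch=c000003e syscall=4 success=no exit=-13 comm="java"
"""

# Header of an AVC record: timestamp:serial, verdict, the { perm ... } set,
# then the remaining key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (comm="java") or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "sdomain": selinux_type(fields.get("scontext", "")),
        "ttype": selinux_type(fields.get("tcontext", "")),
        **fields,
    }


def parse_audit_log(text):
    """Parse every AVC record in an audit log text; other record types are skipped."""
    return [rec for rec in map(parse_avc, text.splitlines()) if rec is not None]


def denials_by_domain(records, domain):
    """Count denials whose source domain is `domain`, keyed by
    (permission, target class, target type, comm)."""
    counts = Counter()
    for rec in records:
        if rec["verdict"] != "denied" or rec["sdomain"] != domain:
            continue
        for perm in rec["perms"]:
            counts[(perm, rec.get("tclass", ""), rec["ttype"], rec.get("comm", ""))] += 1
    return counts


def triage(text, domain="pki_ca_t"):
    """One summary line per distinct denial hitting the given domain."""
    counts = denials_by_domain(parse_audit_log(text), domain)
    lines = []
    for (perm, tclass, ttype, comm), n in sorted(counts.items()):
        lines.append(f"{domain}: {comm} denied '{perm}' on {tclass} labelled {ttype} ({n}x)")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_AUDIT_LOG):
        print(line)
```

Run it against a real audit.log with `triage(open("/var/log/audit/audit.log").read())`; denials from other domains (like the gdm ones here) are left out of the CA summary.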
From dale at themacartneyclan.com Wed Sep 5 14:43:29 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 05 Sep 2012 15:43:29 +0100
Subject: [Freeipa-users] RHEV-M + service accounts in IPA
In-Reply-To: <504747F8.7000403@redhat.com>
References: <50473E51.1050201@themacartneyclan.com> <504747F8.7000403@redhat.com>
Message-ID: <50476511.8030700@themacartneyclan.com>

On 05/09/12 13:39, Rob Crittenden wrote:
> A work-around is to set krbpasswordexpiration of the user somewhere far in the future to prevent expiration.

That'll work. Do I need to do anything fancy though? I tried running the below on a new user called rhev-build but it keeps erroring out. I know I have a current TGT otherwise I wouldn't be able to add the user in the first place.

[root at ds01 ~]# ipa user-mod rhev-build --setattr=krbPasswordExpiration=20131231011529Z
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
[root at ds01 ~]#

> We have a ticket open on this, https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA 3.3.

Good to know it's on its way. This is a demo lab so setting a long password expiry addresses my needs.

> rob
From alee at redhat.com Wed Sep 5 14:46:16 2012
From: alee at redhat.com (Ade Lee)
Date: Wed, 05 Sep 2012 10:46:16 -0400
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <1346852500.28963.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5046AF9A.2040407@redhat.com> <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com> <50474843.7050505@redhat.com> <1346852500.28963.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <1346856377.24731.19.camel@aleeredhat.laptop>

The logs seem to show that the CA cannot find JSS.

What versions of the following are on your system?
pki-ca, pki-common, jss, nss, tomcat6, tomcat, java

Is this a system that was working and now fails to work? Or is this a new instance?
Ade

On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
> there are something like these:
>
> type=AVC msg=audit(1346710042.243:56): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1346710042.243:57): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>
> and some others like these:
> type=AVC msg=audit(1346838993.154:2567): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=AVC msg=audit(1346838993.154:2568): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>
> And yes, I did yum update recently.
> Where else should I look?
> Thanks,
> George
From rcritten at redhat.com Wed Sep 5 14:53:50 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Sep 2012 10:53:50 -0400
Subject: [Freeipa-users] RHEV-M + service accounts in IPA
In-Reply-To: <50476511.8030700@themacartneyclan.com>
References: <50473E51.1050201@themacartneyclan.com> <504747F8.7000403@redhat.com> <50476511.8030700@themacartneyclan.com>
Message-ID: <5047677E.8070902@redhat.com>

Dale Macartney wrote:
> On 05/09/12 13:39, Rob Crittenden wrote:
>> A work-around is to set krbpasswordexpiration of the user somewhere
>> far in the future to prevent expiration.
> That'll work. Do I need to do anything fancy though? I tried running
> the below on a new user called rhev-build but it keeps erroring out. I
> know I have a current TGT otherwise I wouldn't be able to add the user
> in the first place.
>
> [root@ds01 ~]# ipa user-mod rhev-build --setattr=krbPasswordExpiration=20131231011529Z
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
> [root@ds01 ~]#

We don't let admins muck with the expiration date. Please file an RFE ticket if you'd like that capability.

You'll have to resort to ldapmodify:

$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20131231011529Z

modifying entry "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com"

You might want to consider 2037 as the year. 2014 will be here before you know it.

rob

>>
>> We have a ticket open on this, https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA 3.3.
>
> Good to know it's on its way. This is a demo lab so setting a long password expiry addresses my needs.
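Rob's ldapmodify work-around, carried one step further as an added example (not code from the thread or from FreeIPA): it renders the GeneralizedTime value, refuses a past or post-2038 expiry, builds the same LDIF Rob typed interactively, and classifies existing krbPasswordExpiration values for an audit of long-lived role accounts. The DN layout and attribute name are from Rob's reply; the helper names, the 2038 cut-off and the audit thresholds are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Build and sanity-check an LDIF that replaces krbPasswordExpiration.

Added example, not code from the thread or from FreeIPA. Admins cannot
write krbPasswordExpiration through `ipa user-mod` (the ACI error in
Dale's message), so the change goes in as Directory Manager, exactly as
Rob's ldapmodify session does. Helper names and thresholds are this
example's own assumptions.
"""
from __future__ import annotations

import re
import subprocess
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime as IPA stores it: YYYYMMDDHHMMSSZ (UTC, 'Z' suffix).
_GT_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")

# 32-bit time_t rolls over on 2038-01-19; Rob's "use 2037" stays below it.
TIME_T_32_LIMIT = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)


def to_generalized_time(when: datetime) -> str:
    """Render an aware datetime as the 15-character GeneralizedTime IPA expects."""
    if when.tzinfo is None:
        raise ValueError("expiry must be timezone-aware")
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_generalized_time(value: str) -> datetime:
    """Strict inverse of to_generalized_time; accepts only the UTC 'Z' form."""
    m = _GT_RE.match(value)
    if not m:
        raise ValueError(f"not a UTC GeneralizedTime: {value!r}")
    y, mo, d, h, mi, s = (int(x) for x in m.groups())
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def user_dn(uid: str, base_dn: str) -> str:
    """DN of an IPA user entry under the standard users container (from the page)."""
    # Keep LDAP-special characters out of the RDN; uids on the page are plain.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", uid):
        raise ValueError(f"refusing suspicious uid {uid!r}")
    return f"uid={uid},cn=users,cn=accounts,{base_dn}"


def build_expiry_ldif(uid: str, base_dn: str, expires_at: datetime,
                      now: datetime | None = None) -> str:
    """LDIF equivalent of Rob's interactive ldapmodify session, with guards."""
    now = now or datetime.now(timezone.utc)
    if expires_at <= now:
        raise ValueError("expiry is in the past; that would lock the account")
    if expires_at >= TIME_T_32_LIMIT:
        raise ValueError("expiry beyond 2038-01-19 may overflow 32-bit consumers; use 2037")
    return (
        f"dn: {user_dn(uid, base_dn)}\n"
        "changetype: modify\n"
        "replace: krbPasswordExpiration\n"
        f"krbPasswordExpiration: {to_generalized_time(expires_at)}\n"
    )


def classify_expiry(value: str, now: datetime, warn_days: int = 30) -> str:
    """Audit helper: 'expired', 'expiring', 'ok' or 'long-lived' (more than 5 years out)."""
    exp = parse_generalized_time(value)
    if exp <= now:
        return "expired"
    if exp - now <= timedelta(days=warn_days):
        return "expiring"
    if exp - now > timedelta(days=5 * 365):
        return "long-lived"   # role accounts set far out; worth an inventory entry
    return "ok"


def apply_with_ldapmodify(ldif: str, bind_dn: str = "cn=directory manager") -> int:
    """Feed the LDIF to the real ldapmodify (-W prompts for the DM password)."""
    proc = subprocess.run(["ldapmodify", "-x", "-D", bind_dn, "-W"],
                          input=ldif, text=True)
    return proc.returncode


if __name__ == "__main__":
    now = datetime(2012, 9, 5, tzinfo=timezone.utc)        # thread date
    ldif = build_expiry_ldif("rhev-build", "dc=example,dc=com",
                             datetime(2037, 12, 31, tzinfo=timezone.utc), now)
    print(ldif)
    # Constructed sample values: Rob's tuser1 date and a 2037 role account.
    for uid, value in [("tuser1", "20131231011529Z"), ("rhev-build", "20371231000000Z")]:
        print(uid, classify_expiry(value, now))
```

Pipe the printed LDIF into `ldapmodify -x -D 'cn=directory manager' -W`, or call apply_with_ldapmodify(ldif) on a host where the binary is installed.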
From george_he7 at yahoo.com Wed Sep 5 15:21:19 2012
From: george_he7 at yahoo.com (george he)
Date: Wed, 5 Sep 2012 08:21:19 -0700 (PDT)
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <1346856377.24731.19.camel@aleeredhat.laptop>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5046AF9A.2040407@redhat.com> <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com> <50474843.7050505@redhat.com> <1346852500.28963.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1346856377.24731.19.camel@aleeredhat.laptop>
Message-ID: <1346858479.70084.YahooMailNeo@web120005.mail.ne1.yahoo.com>

This is a newly installed system. It does most of the things, but I just cannot del the host that I have uninstalled ipa-client, which prevents me from re-installing ipa-client.
Here are the versions:

pki-ca.noarch                9.0.3-24.el6
pki-common.noarch            9.0.3-24.el6
jss.x86_64                   4.2.6-22.el6
nss.x86_64                   3.13.5-1.el6_3
tomcat6.noarch               6.0.24-45.el6
java-1.5.0-gcj.x86_64        1.5.0.0-29.1.el6
java-1.6.0-openjdk.x86_64    1:1.6.0.0-1.48.1.11.3.el6_2
java_cup.x86_64              1:0.10k-5.el6

Thanks for your help.
George

> From: Ade Lee
> To: george he
> Cc: Rob Crittenden ; "freeipa-users at redhat.com"
> Sent: Wednesday, September 5, 2012 10:46 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> The logs seem to show that the CA cannot find JSS.
>
> What versions of the following are on your system?
> pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
>
> Is this a system that was working and now fails to work? Or is this a new instance?
>
> Ade
>
> On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
>> there are something like these:
>>
>> type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>>
>> and some others like these:
>> type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>> type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>>
>> And yes, I did yum update recently.
>> Where else should I look?
>> Thanks,
>> George
>>
>> From: Rob Crittenden
>> To: george he
>> Cc: Ade Lee ; "freeipa-users at redhat.com"
>> Sent: Wednesday, September 5, 2012 8:40 AM
>> Subject: Re: [Freeipa-users] ipa host-del
>>
>> george he wrote:
>>> here are the new errors:
>>> # rm /var/log/pki-ca/*
>>> # service dirsrv restart
>>> # service pki-cad restart
>>> # grep -i error /var/log/pki-ca/*
>>> /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
>>> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
>>> /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>>> /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>>> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
>>> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
>>> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>>> /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>>> /var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
>>> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
>>> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>>> /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>>
>> Hmm. Is there any additional information in the debug log? Any AVCs in /var/log/audit/audit.log?
>>
>> Have you updated any packages recently? I'm not sure why dogtag would be throwing this exception.
>>
>> rob
>>
>>> From: Rob Crittenden
>>> To: george he
>>> Cc: John Dennis ; "freeipa-users at redhat.com"
>>> Sent: Tuesday, September 4, 2012 9:49 PM
>>> Subject: Re: [Freeipa-users] ipa host-del
>>>
>>> george he wrote:
>>>> both of the commands "service dirsrv restart" and "service pki-cad restart" reported:
>>>> stopping ... OK
>>>> starting ... OK
>>>> but host-del still has the same error.
>>>> More suggestions?
>>>
>>> Check the logs again. The service starting does not mean it kept running.
>>>
>>> rob
>>>
>>>> Thanks,
>>>> George
>>>>
>>>> From: Rob Crittenden
>>>> To: george he
>>>> Cc: John Dennis ; "freeipa-users at redhat.com"
>>>> Sent: Tuesday, September 4, 2012 4:20 PM
>>>> Subject: Re: [Freeipa-users] ipa host-del
>>>>
>>>> george he wrote:
>>>>> I'm running centos 6.3
>>>>> # uname -r
>>>>> 2.6.32-279.5.2.el6.x86_64
>>>>>
>>>>> pki-ca: unrecognized service
>>>>>
>>>>> There are tons of errors in /var/log/pki-ca/*, some of them are:
>>>>> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>>>>> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>>>>> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>>>>> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
>>>>> /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
>>>>
>>>> The problem looks to be that the dogtag 389-ds instance is not started.
>>>> I'd try: service dirsrv restart PKI-IPA
>>>>
>>>> Then service pki-cad restart
>>>>
>>>> rob

From alee at redhat.com Wed Sep 5 15:38:42 2012
From: alee at redhat.com (Ade Lee)
Date: Wed, 05 Sep 2012 11:38:42 -0400
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <1346858479.70084.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5046AF9A.2040407@redhat.com> <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com> <50474843.7050505@redhat.com> <1346852500.28963.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1346856377.24731.19.camel@aleeredhat.laptop> <1346858479.70084.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <1346859522.24731.22.camel@aleeredhat.laptop>

weird. Can you try putting selinux in permissive mode, and then restarting ipa?

On Wed, 2012-09-05 at 08:21 -0700, george he wrote:
> This is a newly installed system. It does most of the things, but I just cannot del the host that I have uninstalled ipa-client, which prevents me from re-installing ipa-client.
From george_he7 at yahoo.com Wed Sep 5 16:00:00 2012
From: george_he7 at yahoo.com (george he)
Date: Wed, 5 Sep 2012 09:00:00 -0700 (PDT)
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <1346859522.24731.22.camel@aleeredhat.laptop>
References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5046AF9A.2040407@redhat.com> <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com> <50474843.7050505@redhat.com> <1346852500.28963.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1346856377.24731.19.camel@aleeredhat.laptop> <1346858479.70084.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1346859522.24731.22.camel@aleeredhat.laptop>
Message-ID: <1346860800.34965.YahooMailNeo@web120003.mail.ne1.yahoo.com>

I did:
# setenforce 0
# ipactl restart
(here still the same error about worker ajp://localhost:9447/ already used by another worker)
# ipa host-del myclient
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)

By the way, I can delete other clients with no problem. The only difference of this client is that I once did ipa-getkeytab on it for nfs client (and it turns out I don't need a keytab to be an nfs client).
Thanks,
George

> From: Ade Lee
> To: george he
> Cc: Rob Crittenden ; "freeipa-users at redhat.com"
> Sent: Wednesday, September 5, 2012 11:38 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> weird.
> Can you try putting selinux in permissive mode, and then restarting ipa?
> /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: >>? ? ? ? Error >>? ? ? ? >? ? ? ? >? ? initializing >>? ? ? ? >? ? ? ? >? ? ? >? ? ? > socket factory >>? ? ? ? >? ? ? ? >? ? ? >? ? ? > >>? ? ? ? >? ? ? ? >? ? ? > >>? ? ? ? >? ? ? ? > >>? ? ? ? > >>? ? ? ? ? /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: >>? ? ? ? >? ? ? ? >? ? ? >? ? Error >>? ? ? ? >? ? ? ? >? ? ? >? ? ? > loading SSL Implementation >>? ? ? ? >? ? ? ? >? ? ? >? ? ? > >>? ? ? ? >? ? ? ? org.apache.tomcat.util.net.jss.JSSImplementation >>? ? ? ? >? ? ? ? >? ? ? >? ? ? > :java.lang.ClassNotFoundException: >>? ? ? ? >? ? ? ? >? ? org.mozilla.jss.ssl.SSLSocket >>? ? ? ? >? ? ? ? >? ? ? >? ? ? > >>? ? ? ? >? ? ? ? > >>? ? ? ? > >>? ? ? ? ? /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: >>? ? ? ? >? ? ? ? Protocol >>? ? ? ? >? ? ? ? >? ? ? >? ? ? > handler initialization failed: >>? ? ? ? >? ? ? ? >? ? java.lang.ClassNotFoundException: >>? ? ? ? >? ? ? ? >? ? ? >? ? Error >>? ? ? ? >? ? ? ? >? ? ? >? ? ? > loading SSL Implementation >>? ? ? ? >? ? ? ? >? ? ? >? ? ? > >>? ? ? ? >? ? ? ? org.apache.tomcat.util.net.jss.JSSImplementation >>? ? ? ? >? ? ? ? >? ? ? >? ? ? > :java.lang.ClassNotFoundException: >>? ? ? ? >? ? ? ? >? ? org.mozilla.jss.ssl.SSLSocket >>? ? ? ? >? ? ? ? >? ? ? > >>? ? ? ? >? ? ? ? > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: >>? ? ? ? Error >>? ? ? ? >? ? ? ? >? ? deploying web >>? ? ? ? >? ? ? ? >? ? ? >? ? ? > application directory ca >>? ? ? ? >? ? ? ? >? ? ? > >>? ? ? ? >? ? ? ? >? ? ? >? ? The problem looks to be that the dogtag >>? ? ? ? 389-ds >>? ? ? ? >? ? ? ? instance is not >>? ? ? ? >? ? ? ? >? ? started. >>? ? ? ? >? ? ? ? >? ? ? >? ? I'd try: service dirsrv restart PKI-IPA >>? ? ? ? >? ? ? ? >? ? ? > >>? ? ? ? >? ? ? ? >? ? ? >? ? Then service pki-cad restart >>? ? ? ? >? ? ? ? >? ? ? > >>? ? ? ? >? ? ? ? >? ? ? >? ? rob >>? ? ? ? >? ? ? ? >? ? ? > >>? ? ? ? >? ? ? ? >? ? ? > >>? ? ? ? >? ? ? ? >? ? ? > >>? ? ? ? >? ? ? ? 
>? ? ? > >>? ? ? ? >? ? ? ? > >>? ? ? ? >? ? ? ? > >>? ? ? ? >? ? ? ? > >>? ? ? ? >? ? ? ? >>? ? ? ? >? ? ? ? >>? ? ? ? >? ? ? ? >>? ? ? ? >? ? ? ? >>? ? ? ? >>? ? ? ? >>? ? ? ? >>? ? ? ? >>? ? ? ? > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jdennis at redhat.com Wed Sep 5 18:04:57 2012 From: jdennis at redhat.com (John Dennis) Date: Wed, 05 Sep 2012 14:04:57 -0400 Subject: [Freeipa-users] ipa host-del In-Reply-To: <1346856377.24731.19.camel@aleeredhat.laptop> References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5046AF9A.2040407@redhat.com> <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com> <50474843.7050505@redhat.com> <1346852500.28963.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1346856377.24731.19.camel@aleeredhat.laptop> Message-ID: <50479449.4080207@redhat.com> On 09/05/2012 10:46 AM, Ade Lee wrote: > The logs seem to show that the CA cannot find JSS. > > What versions of the following are on your system? > pki-ca, pki-common, jss, nss, tomcat6, tomcat, java > > Is this a system that was working and now fails to work? Or is this a > new instance? Let's verify the link to the jss4.jar is in place. Note this is an x86_64 system, Mathew did make some adjustments to where native (i.e. arch specific) jars are located. I think it moved from /usr/lib/java to /usr/lib64/java. pki-create would have been modified to set up links to them on a new install but it's possible the links weren't updated on an existing install. Not sure, guessing at the moment but I think it's worth pursuing. 
Please do this, it will list all the jars which should be visible to the CA tomcat instance, the jss4.jar should have a link under /var/lib/pki-ca/common/lib.

sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib

We want to verify none of the symbolic links listed above are dangling (point to a non-existent file). Pay particular attention to /var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file that's a valid jar? If not can you locate jss4.jar? Is it now under /var/lib64/java? If so adjust the symbolic link under /var/lib/pki-ca/common/lib to point to it. Do things work now after restarting?

John

-- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From natxo.asenjo at gmail.com Wed Sep 5 18:12:35 2012 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Wed, 5 Sep 2012 20:12:35 +0200 Subject: [Freeipa-users] netapp filer AD + ipa: possible? Message-ID: hi, the subject says it all, I guess. I know from another thread that with nexanta it is possible using nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had) this setup working. -- Groeten, natxo -------------- next part -------------- An HTML attachment was scrubbed...
URL: From george_he7 at yahoo.com Wed Sep 5 18:40:10 2012 From: george_he7 at yahoo.com (george he) Date: Wed, 5 Sep 2012 11:40:10 -0700 (PDT) Subject: [Freeipa-users] ipa host-del In-Reply-To: <50479449.4080207@redhat.com> References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5046AF9A.2040407@redhat.com> <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com> <50474843.7050505@redhat.com> <1346852500.28963.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1346856377.24731.19.camel@aleeredhat.laptop> <50479449.4080207@redhat.com> Message-ID: <1346870410.2993.YahooMailNeo@web120005.mail.ne1.yahoo.com> Thanks a lot. It's deleted now! The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing to /usr/lib/..., but when I was struggling, I read on the web there was a post saying they should point to /usr/lib64/..., so I changed them. The weird thing is I THINK they were pointing to existing files, but now they are not. So I changed the links one more time to make them point to /usr/lib/..., restarted ipa, and host-del worked. Thanks again, guys. George >________________________________ > From: John Dennis >To: alee at redhat.com >Cc: george he ; "freeipa-users at redhat.com" >Sent: Wednesday, September 5, 2012 2:04 PM >Subject: Re: [Freeipa-users] ipa host-del > >On 09/05/2012 10:46 AM, Ade Lee wrote: >> The logs seem to show that the CA cannot find JSS. >> >> What versions of the following are on your system? >> pki-ca, pki-common, jss, nss, tomcat6, tomcat, java >> >> Is this a system that was working and now fails to work? Or is this a >> new instance?
> >Let's verify the link to the jss4.jar is in place. Note this is an x86_64 system, Mathew did make some adjustments to where native (i.e. arch specific) jars are located. I think it moved from /usr/lib/java to /usr/lib64/java. pki-create would have been modified to set up links to them on a new install but it's possible the links weren't updated on an existing install. Not sure, guessing at the moment but I think it's worth pursuing. > >Please do this, it will list all the jars which should be visible to the CA tomcat instance, the jss4.jar should have a link under /var/lib/pki-ca/common/lib. > >sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib > >We want to verify none of the symbolic links listed above are dangling (point to a non-existent file). Pay particular attention to /var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file that's a valid jar? If not can you locate jss4.jar? Is it now under /var/lib64/java? If so adjust the symbolic link under /var/lib/pki-ca/common/lib to point to it. Do things work now after restarting? > >John > > >-- John Dennis > >Looking to carve out IT costs? >www.redhat.com/carveoutcosts/ > > > -------------- next part -------------- An HTML attachment was scrubbed...
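The symlink check John Dennis describes (quoted above), written out as an added example; this is not FreeIPA or Dogtag code. It walks the two jar directories he names, flags dangling links, and additionally opens each link target to confirm it is a well-formed jar, which covers the situation George reports (links that looked right but no longer pointed at a usable file). The directory names come from John's mail; the status names, the zip check and the sample layout in the usage note are this example's own.

```python
"""Verify the jar symlinks a pki-ca Tomcat instance loads resolve to real, well-formed jars.

Added example, not FreeIPA or Dogtag code. The default directories are the two John
Dennis lists; the status names and the zip check are this example's own.
"""
import os
import sys
import zipfile

DEFAULT_DIRS = (
    "/var/lib/pki-ca/common/lib",
    "/var/lib/pki-ca/webapps/ca/WEB-INF/lib",
)


def check_entry(path):
    """Classify one directory entry as (status, link_target).

    status is one of:
      'ok'        symlink resolves to a readable zip archive (which is what a jar is)
      'dangling'  symlink target does not exist
      'not-jar'   target exists but is not a zip archive (empty, truncated, wrong file)
      'regular'   a plain file rather than a symlink, left for the reader to judge
    """
    if not os.path.islink(path):
        return ("regular", None)
    target = os.readlink(path)
    resolved = os.path.realpath(path)  # follows chains of links, as the JVM will
    if not os.path.exists(resolved):
        return ("dangling", target)
    # zipfile.is_zipfile() looks for the end-of-central-directory record, so it also
    # catches a zero-length or truncated target that `ls -l` alone would not flag.
    if not zipfile.is_zipfile(resolved):
        return ("not-jar", target)
    return ("ok", target)


def check_dirs(dirs=DEFAULT_DIRS, names=None):
    """Return {path: (status, target)} for each *.jar entry in dirs.

    names, when given, restricts the check to those basenames, e.g. the three George
    relinked: jss4.jar, osutil.jar and symkey.jar.
    """
    results = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.listdir(d)):
            if entry.endswith(".jar") and (names is None or entry in names):
                path = os.path.join(d, entry)
                results[path] = check_entry(path)
    return results


def broken(results):
    """Sorted paths that need relinking: dangling links and links to non-jars."""
    return sorted(p for p, (status, _) in results.items()
                  if status in ("dangling", "not-jar"))


def main(argv):
    results = check_dirs(argv[1:] or DEFAULT_DIRS)
    for path, (status, target) in results.items():
        print("%-9s %s%s" % (status, path, (" -> " + target) if target else ""))
    bad = broken(results)
    if bad:
        print("%d jar link(s) need relinking; locate the packaged jar with "
              "'rpm -ql jss | grep jss4.jar' and point the link at it" % len(bad),
              file=sys.stderr)
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root with no arguments to inspect the two default directories, or pass other directories on the command line. A non-zero exit status means at least one link has to be repointed; after relinking, restart the CA and rerun the check before retrying host-del.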
URL: From rcritten at redhat.com Wed Sep 5 18:43:18 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 05 Sep 2012 14:43:18 -0400 Subject: [Freeipa-users] ipa host-del In-Reply-To: <1346870410.2993.YahooMailNeo@web120005.mail.ne1.yahoo.com> References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5046AF9A.2040407@redhat.com> <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com> <50474843.7050505@redhat.com> <1346852500.28963.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1346856377.24731.19.camel@aleeredhat.laptop> <50479449.4080207@redhat.com> <1346870410.2993.YahooMailNeo@web120005.mail.ne1.yahoo.com> Message-ID: <50479D46.3010509@redhat.com> george he wrote: > Thanks a lot. It's deleted now! > The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing > to /usr/lib/..., but when I was struggling, I read on the web there was > a post saying they should point to /usr/lib64/..., so I changed them. > The weird thing is I THINK they were pointing to existing files, but now > they are not. > So I changed the links one more time to make them point to > /usr/lib/..., restarted ipa, and host-del worked. Glad it's working. I just wanted to follow up on this though. The host-del failure was just one symptom of the problem. Eventually you'd have hit a harder wall, such as not being able to prepare a new replica.
regards rob From jdennis at redhat.com Wed Sep 5 19:41:29 2012 From: jdennis at redhat.com (John Dennis) Date: Wed, 05 Sep 2012 15:41:29 -0400 Subject: [Freeipa-users] ipa host-del In-Reply-To: <1346870410.2993.YahooMailNeo@web120005.mail.ne1.yahoo.com> References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5046AF9A.2040407@redhat.com> <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com> <50474843.7050505@redhat.com> <1346852500.28963.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1346856377.24731.19.camel@aleeredhat.laptop> <50479449.4080207@redhat.com> <1346870410.2993.YahooMailNeo@web120005.mail.ne1.yahoo.com> Message-ID: <5047AAE9.6090500@redhat.com> On 09/05/2012 02:40 PM, george he wrote: > Thanks a lot. It's deleted now! > The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing > to /usr/lib/..., but when I was struggling, I read on the web there was > a post saying they should point to /usr/lib64/..., so I changed them. > The weird thing is I THINK they were pointing to existing files, but now > they are not. > So I changed the links one more time to make them point to > /usr/lib/..., restarted ipa, and host-del worked. > Thanks again, guys. > George Glad it's working. Obviously we would like to know how you got into this situation and perhaps open a bug. But unfortunately since you've manually changed links it's hard to know if the logic used to update an existing system is robust or not.
I recall when the issue of where to locate native jars on 64bit came up there was a fair amount of back and forth over where things would be installed and which links to introduce. Unfortunately I do not recall the final resolution, it might be that the tomcat instances were supposed to continue to point to /usr/lib/java and links would be set up there to point to the 64bit version. In any event I don't think we can file a bug at this point, but perhaps we need to pay attention and see if anyone else gets bitten by this. John > ------------------------------------------------------------------------ > *From:* John Dennis > *To:* alee at redhat.com > *Cc:* george he ; "freeipa-users at redhat.com" > > *Sent:* Wednesday, September 5, 2012 2:04 PM > *Subject:* Re: [Freeipa-users] ipa host-del > > On 09/05/2012 10:46 AM, Ade Lee wrote: > > The logs seem to show that the CA cannot find JSS. > > > > What versions of the following are on your system? > > pki-ca, pki-common, jss, nss, tomcat6, tomcat, java > > > > Is this a system that was working and now fails to work? Or is > this a > > new instance? > > Let's verify the link to the jss4.jar is in place. Note this is an > x86_64 system, Mathew did make some adjustments to where native > (i.e. arch specific) jars are located. I think it moved from > /usr/lib/java to /usr/lib64/java. pki-create would have been > modified to set up links to them on a new install but it's possible > the links weren't updated on an existing install. Not sure, guessing > at the moment but I think it's worth pursuing. > > Please do this, it will list all the jars which should be visible to > the CA tomcat instance, the jss4.jar should have a link under > /var/lib/pki-ca/common/lib. > > sudo ls -l /var/lib/pki-ca/common/lib > /var/lib/pki-ca/webapps/ca/WEB-INF/lib > > We want to verify none of the symbolic links listed above are > dangling (point to a non-existent file). 
Pay particular attention to > /var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing > file that's a valid jar? If not can you locate jss4.jar? Is it now > under /var/lib64/java? If so adjust the symbolic link under > /var/lib/pki-ca/common/lib to point to it. Do things work now after > restarting? > > John > > > -- John Dennis > > > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From natxo.asenjo at gmail.com Wed Sep 5 20:46:57 2012 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Wed, 5 Sep 2012 22:46:57 +0200 Subject: [Freeipa-users] openindiana ldap client In-Reply-To: References: <50439019.8080804@nixtra.com> <5043B176.7070808@nixtra.com> Message-ID: On Sun, Sep 2, 2012 at 9:57 PM, Natxo Asenjo wrote: > On Sun, Sep 2, 2012 at 9:20 PM, Sigbjorn Lie wrote: > >> >> Thanks for your tips. I think there might just be something broken with >> the ldap/client service in openindiana. This DUAProfile thing is really >> nice to use >> >> >> Agreed, it sounds like a bug in OpenIndiana. >> >> That's odd. A service becomes temporarily disabled usually when a service >> it depends on cannot start due to failed dependencies or fails to start. On >> the SPARC platform you can boot with "boot -v" to get a verbose startup. >> Adding "-v" to the $kernel line in GRUB manually at startup will display a >> verbose startup on the X86 platform. Be aware, it will get really verbose. >> >> ok, I'll give that a try, thanks. > > >> Are you using a static IP or DHCP? >> > > dhcp so far, just testing. I'll try with a fixed ip. This should just work > with dhcp too, obviously. > following up, using a fixed ip address 'fixed' the problem :) no dhcp workstations with openindiana until this is 'fixed' then. -- natxo -------------- next part -------------- An HTML attachment was scrubbed...
URL: From simo at redhat.com Wed Sep 5 21:40:48 2012 From: simo at redhat.com (Simo Sorce) Date: Wed, 05 Sep 2012 17:40:48 -0400 Subject: [Freeipa-users] ipa host-del In-Reply-To: <5047AAE9.6090500@redhat.com> References: <1346709615.99841.YahooMailNeo@web120002.mail.ne1.yahoo.com> <5045EFD3.6010606@redhat.com> <1346761711.58439.YahooMailNeo@web120004.mail.ne1.yahoo.com> <5045F9C9.7050705@redhat.com> <1346768581.46529.YahooMailNeo@web120006.mail.ne1.yahoo.com> <504612DD.5010104@redhat.com> <1346780986.82165.YahooMailNeo@web120002.mail.ne1.yahoo.com> <50466275.2080203@redhat.com> <1346793175.89071.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5046AF9A.2040407@redhat.com> <1346839235.81365.YahooMailNeo@web120005.mail.ne1.yahoo.com> <50474843.7050505@redhat.com> <1346852500.28963.YahooMailNeo@web120005.mail.ne1.yahoo.com> <1346856377.24731.19.camel@aleeredhat.laptop> <50479449.4080207@redhat.com> <1346870410.2993.YahooMailNeo@web120005.mail.ne1.yahoo.com> <5047AAE9.6090500@redhat.com> Message-ID: <1346881248.1150.530.camel@willson.li.ssimo.org> On Wed, 2012-09-05 at 15:41 -0400, John Dennis wrote: > On 09/05/2012 02:40 PM, george he wrote: > > Thanks a lot. It's deleted now! > > The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing > > to /usr/lib/..., but when I was struggling, I read on the web there was > > a post saying they should point to /usr/lib64/..., so I changed them. > > The weird thing is I THINK they were pointing to existing files, but now > > they are not. > > So I changed the links one more time to make them point to > > /usr/lib/..., restarted ipa, and host-del worked. > > Thanks again, guys. > > George > > Glad it's working. Obviously we would like to know how you got into this > situation and perhaps open a bug. But unfortunately since you've > manually changed links it's hard to know if the logic used to update an > existing system is robust or not.
I recall when the issue of where to > locate native jars on 64bit came up there was a fair amount of back and > forth over where things would be installed and which links to introduce. > Unfortunately I do not recall the final resolution, it might be that the > tomcat instances were supposed to continue to point to /usr/lib/java and > links would be set up there to point to the 64bit version. In any event > I don't think we can file a bug at this point, but perhaps we need to > pay attention and see if anyone else gets bitten by this. I just recently had to fix this for my 'stable' install too, seems like we need to do better on upgrades going forward. Simo. -- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Wed Sep 5 23:47:21 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 5 Sep 2012 19:47:21 -0400 (EDT) Subject: [Freeipa-users] ipa host-del In-Reply-To: <1346870410.2993.YahooMailNeo@web120005.mail.ne1.yahoo.com> Message-ID: <856889955.4483759.1346888841039.JavaMail.root@redhat.com> I did fix this for Fedora with the F16 release in the past -- in /usr/libexec/freeipa-systemd-update in Fedora packages there is elaborate code to handle these updates of the symlinks. Perhaps we need to extract that part and add it to RHEL6? (RHEL6 does not use systemd but the code for the jss upgrade is the same). -- / Alexander Bokovoy ----- Original Message ----- > From: "george he" > To: "John Dennis" , alee at redhat.com > Cc: freeipa-users at redhat.com > Sent: Wednesday, September 5, 2012 9:40:10 PM > Subject: Re: [Freeipa-users] ipa host-del > > Thanks a lot. It's deleted now! > The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was > pointing to /usr/lib/..., but when I was struggling, I read on the > web there was a post saying they should point to /usr/lib64/..., so > I changed them. The weird thing is I THINK they were pointing to > existing files, but now they are not.
> > So I changed the links one more time to make them point to > /usr/lib/..., restarted ipa, and host-del worked. > Thanks again, guys. > George > > > > > > > > > From: John Dennis > To: alee at redhat.com > Cc: george he ; "freeipa-users at redhat.com" > > Sent: Wednesday, September 5, 2012 2:04 PM > Subject: Re: [Freeipa-users] ipa host-del > > On 09/05/2012 10:46 AM, Ade Lee wrote: > > Let's verify the link to the jss4.jar is in place. Note this is an > x86_64 system, Mathew did make some adjustments to where native > (i.e. arch specific) jars are located. I think it moved from > /usr/lib/java to /usr/lib64/java. pki-create would have been > modified to set up links to them on a new install but it's possible > the links weren't updated on an existing install. Not sure, guessing > at the moment but I think it's worth pursuing. > > Please do this, it will list all the jars which should be visible to > the CA tomcat instance, the jss4.jar should have a link under > /var/lib/pki-ca/common/lib. > > sudo ls -l /var/lib/pki-ca/common/lib > /var/lib/pki-ca/webapps/ca/WEB-INF/lib > > We want to verify none of the symbolic links listed above are > dangling (point to a non-existent file). Pay particular attention to > /var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing > file that's a valid jar? If not can you locate jss4.jar? Is it now > under /var/lib64/java? If so adjust the symbolic link under > /var/lib/pki-ca/common/lib to point to it. Do things work now after > restarting? > > John > From naufal26.tik at gmail.com Thu Sep 6 05:46:47 2012 From: naufal26.tik at gmail.com (Muhammad Naufal Velayati) Date: Thu, 6 Sep 2012 05:46:47 +0000 (UTC) Subject: [Freeipa-users] Invitation to connect on LinkedIn Message-ID: <963540268.10507342.1346910407246.JavaMail.app@ela4-app2317.prod> LinkedIn ------------ I'd like to add you to my professional network on LinkedIn.
- Muhammad Naufal Muhammad Naufal Velayati Web Developer at BAPPENAS Greater Jakarta Area, Indonesia Confirm that you know Muhammad Naufal Velayati: https://www.linkedin.com/e/-r5pc7g-h6rfohmw-49/isd/8524518201/OaaXLGWR/?hs=false&tok=36FE2riNFWylo1 -- You are receiving Invitation to Connect emails. Click to unsubscribe: http://www.linkedin.com/e/-r5pc7g-h6rfohmw-49/uui716k2tux9_xE7In0PMzrVtaBR__BP8AHchq/goo/freeipa-users%40redhat%2Ecom/20061/I2866720120_1/?hs=false&tok=3SPmkUg_NWylo1 (c) 2012 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mmercier at gmail.com Thu Sep 6 14:40:26 2012 From: mmercier at gmail.com (Michael Mercier) Date: Thu, 6 Sep 2012 10:40:26 -0400 Subject: [Freeipa-users] errors when one ipa server down Message-ID: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> Hello, I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR. 
[root at ipaserver ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root at ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64

[root at ipaserver2 ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root at ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch

[mike at ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64

I have a webserver (zenoss) using kerberos authentication.

[root at zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64

SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodK5Passwd Off
KrbAuthRealms MPLS.LOCAL
KrbSaveCredentials on
KrbServiceName HTTP
Krb5KeyTab /etc/http/conf.d/http.keytab
AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
RequestHeader set X_REMOTE_USER %{remoteUser}e
require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local

With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do an 'ifdown eth0' and attempt another connection, it fails.

I have also noticed the following:
1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
2. It takes a longer period of time to do a kinit

If I then perform:

[root at ipaserver ~]# ifup eth0
[root at ipaserver2 ~]# ifdown eth0
[mike at ipaclient ~]$ kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

[root at ipaserver2 ~]# ifup eth0
[mike at ipaclient ~]$ kinit
Password for mike at MPLS.LOCAL:
[mike at ipaclient ~]$

[root at ipaserver2 ~]# ifdown eth0
... wait a number of minutes
ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
[mike at ipaclient ~]$ kinit
Password for mike at MPLS.LOCAL:
[mike at ipaclient ~]$

Any ideas?

Thanks,
Mike

From sigbjorn at nixtra.com Thu Sep 6 20:31:30 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Thu, 06 Sep 2012 22:31:30 +0200 Subject: [Freeipa-users] netapp filer AD + ipa: possible? In-Reply-To: References: Message-ID: <50490822.5030207@nixtra.com> On 09/05/2012 08:12 PM, Natxo Asenjo wrote: > hi, > > the subject says it all, I guess.
> > I know from another thread that with nexanta it is possible using > nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had) > this setup working. > > -- > Groeten, > natxo > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users

Hi,

Yes I use NetApp filers connected to both AD and IPA at the same time. It's easy to get going. These notes are taken from the top of my head, I don't have my documentation in front of me just now.

Configure the NetApp's DNS client to point to a set of DNS servers that know both your AD and your IPA DNS domain. Configure the DNS search path to point at both the IPA domain and the AD domain (if you have a different DNS domain for your IPA and AD instances).

Join the CIFS server to the AD domain ("cifs setup").

Set up the LDAP client ("options ldap" to list, "options ldap.option value" to configure each value). I use authenticated simple binds; I have created an account for the NetApp filers under cn=sysaccounts,cn=etc,$BASE for this purpose. The LDAP attribute mapping options can be left alone as far as I can remember. You need to specify the compat tree for group and netgroup lookups. I cannot remember if I pointed users to the compat or accounts tree. I specify each user/group/ng lookup path fully (e.g. I do NOT specify the base DN and request subtree for lookups). Configure "options ldap.enabled" after configuring all the other options. Leave "ldap.ADdomain" blank.

NOTE: I have been unable to get the LDAP SSL client of NetApp to work with IPA as of yet. I have opened a support case with NetApp for this issue. Not really a big issue as users' passwords are not being transmitted. To make use of SSL, NetApp's documentation is to upload the CA certificate in PEM format into /etc on the filer and use the keymgr command to import it. After uploading the CA cert, SSL is enabled using "options ldap.ssl.enable on".

Grant yourself advanced privileges on the filer ("priv set advanced"), and use the "getXXbyYY" command to verify that the LDAP naming service works as expected for users, groups and netgroups.

If the previous test was successful: configure the NetApp's nsswitch.conf (using the filer webui is the easiest). Specify files before ldap.

You should now have a working AD (CIFS) and IPA (NFS) setup.

If you synchronize IPA with AD, the ntUserDomainId attribute will be set to AD's sAMAccountName. If you do not sync, you can script a sync of these attributes manually to allow automatic user mapping in the NetApp filer when Windows CIFS users connect. The username may be the same, but the NetApp's user mapping has been seen to be case sensitive in our environment. Syncing the sAMAccountName from AD into IPA's ntUserDomainId attribute fixed this issue for us. You also need to enable usermap lookup on the NetApp filer (an "option ldap" configuration value).

I hope this helps.

Regards,
Siggi

-------------- next part -------------- An HTML attachment was scrubbed... URL: From natxo.asenjo at gmail.com Thu Sep 6 22:10:30 2012 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Fri, 7 Sep 2012 00:10:30 +0200 Subject: [Freeipa-users] netapp filer AD + ipa: possible? In-Reply-To: <50490822.5030207@nixtra.com> References: <50490822.5030207@nixtra.com> Message-ID: On Thu, Sep 6, 2012 at 10:31 PM, Sigbjorn Lie wrote: > On 09/05/2012 08:12 PM, Natxo Asenjo wrote: > > hi, > > the subject says it all, I guess. > > I know from another thread that with nexanta it is possible using > nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had) this > setup working. > > -- > Groeten, > natxo > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Hi, > > Yes I use NetApp filers connected to both AD and IPA at the same time. > It's easy to get going.
These notes are taken from the top of my head, I > don't have my documentation in front of me just now. > Awesome :-) This stuff really should be documented in the wiki somewhere. This is the stuff businesses need. I know I need it :-). I had already seen your post with the info about ipa and netapp in 2011 I think, but nowhere could I get the confirmation that both directories could be used at the same time. Perhaps we need to bug netapp more to be more explicit on this. Thanks, you made my day. -- natxo -------------- next part -------------- An HTML attachment was scrubbed... URL: From sakodak at gmail.com Fri Sep 7 01:32:48 2012 From: sakodak at gmail.com (KodaK) Date: Thu, 6 Sep 2012 20:32:48 -0500 Subject: [Freeipa-users] Desperate help requested. In-Reply-To: References: Message-ID: Thank you everyone. We finally had our meeting today (it was delayed from Tuesday.) It went much better than I was expecting. Regardless of the email that said "we can't authenticate to anything but MS AD," apparently his *actual* concern was having a third party tie-in to Active Directory that would keep them from applying patches to AD. Pretty much all I had to say was "good news, everyone! We don't need AD!" It pissed off the Windows Director who was in the room and was pushing for us to auth directly against AD, but the veep who had the initial problem was satiated. All is right with the world again. Or at least my tiny piece of it. Until tomorrow. Thanks again, --Jason -- The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6 From pspacek at redhat.com Fri Sep 7 07:36:22 2012 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 07 Sep 2012 09:36:22 +0200 Subject: [Freeipa-users] netapp filer AD + ipa: possible? 
In-Reply-To:
References: <50490822.5030207@nixtra.com>
Message-ID: <5049A3F6.5090103@redhat.com>

On 09/07/2012 12:10 AM, Natxo Asenjo wrote:
> On Thu, Sep 6, 2012 at 10:31 PM, Sigbjorn Lie wrote:
>
> On 09/05/2012 08:12 PM, Natxo Asenjo wrote:
>> hi,
>>
>> the subject says it all, I guess.
>>
>> I know from another thread that with nexanta it is possible using
>> nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had)
>> this setup working.
>
> Hi,
>
> Yes I use NetApp filers connected to both AD and IPA at the same time.
> It's easy to get going. These notes are taken from the top of my head, I
> don't have my documentation in front of me just now.
>
> Awesome :-)
>
> This stuff really should be documented in the wiki somewhere. This is the
> stuff businesses need. I know I need it :-). I had already seen your post with

Hello,

we can create a wiki account at freeipa.org for you, if you are implementing it right now. Best articles come from real users! :-)

Petr^2 Spacek

> the info about ipa and netapp in 2011 I think, but nowhere could I get the
> confirmation that both directories could be used at the same time. Perhaps we
> need to bug netapp more to be more explicit on this.
>
> Thanks, you made my day.

From sigbjorn at nixtra.com Fri Sep 7 08:07:00 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 7 Sep 2012 10:07:00 +0200 (CEST)
Subject: [Freeipa-users] netapp filer AD + ipa: possible?
In-Reply-To:
References: <50490822.5030207@nixtra.com>
Message-ID: <26583.213.225.75.97.1347005220.squirrel@www.nixtra.com>

On Fri, September 7, 2012 00:10, Natxo Asenjo wrote:
> On Thu, Sep 6, 2012 at 10:31 PM, Sigbjorn Lie wrote:
>
>> On 09/05/2012 08:12 PM, Natxo Asenjo wrote:
>>
>> hi,
>>
>> the subject says it all, I guess.
>>
>> I know from another thread that with nexanta it is possible using
>> nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had) this setup working.
>>
>> --
>> Groeten,
>> natxo
>>
>> Hi,
>>
>> Yes I use NetApp filers connected to both AD and IPA at the same time.
>> It's easy to get going. These notes are taken from the top of my head, I
>> don't have my documentation in front of me just now.
>
> Awesome :-)
>
> This stuff really should be documented in the wiki somewhere. This is the
> stuff businesses need. I know I need it :-). I had already seen your post with the info about ipa
> and netapp in 2011 I think, but nowhere could I get the confirmation that both directories could
> be used at the same time. Perhaps we need to bug netapp more to be more explicit on this.

Yes it would be great if NetApp would do that. The ldap.ADdomain option is used to configure the NetApp LDAP client from AD SRV DNS records. It would be great (and should be easy for NetApp) to have an option for ldap.IPAdomain. I don't remember exactly why I did not use this for IPA, as far as I remember most things worked, but I stumbled across some issue.

> Thanks, you made my day.

Glad to be able to help. :)

Rgds,
Siggi

From sigbjorn at nixtra.com Fri Sep 7 08:12:34 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 7 Sep 2012 10:12:34 +0200 (CEST)
Subject: [Freeipa-users] netapp filer AD + ipa: possible?
In-Reply-To: <5049A3F6.5090103@redhat.com>
References: <50490822.5030207@nixtra.com> <5049A3F6.5090103@redhat.com>
Message-ID: <19447.213.225.75.97.1347005554.squirrel@www.nixtra.com>

On Fri, September 7, 2012 09:36, Petr Spacek wrote:
> On 09/07/2012 12:10 AM, Natxo Asenjo wrote:
>
>> On Thu, Sep 6, 2012 at 10:31 PM, Sigbjorn Lie wrote:
>>
>> On 09/05/2012 08:12 PM, Natxo Asenjo wrote:
>>
>>> hi,
>>>
>>> the subject says it all, I guess.
>>>
>>> I know from another thread that with nexanta it is possible using
>>> nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had) this setup working.
>>
>> Hi,
>>
>> Yes I use NetApp filers connected to both AD and IPA at the same time.
>> It's easy to get going. These notes are taken from the top of my head, I
>> don't have my documentation in front of me just now.
>>
>> Awesome :-)
>>
>> This stuff really should be documented in the wiki somewhere. This is the
>> stuff businesses need. I know I need it :-). I had already seen your post with
>
> Hello,
>
> we can create a wiki account at freeipa.org for you, if you are implementing it right now. Best
> articles come from real users! :-)

Sure, do that. I'll do my best to write down my integration experiences. :)

I hope they end up in the RHEL documentation on docs.redhat.com. I suppose this is where most businesses will look for IPA integration documentation.

Rgds,
Siggi

From ondrejv at s3group.cz Fri Sep 7 11:33:33 2012
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Fri, 07 Sep 2012 13:33:33 +0200
Subject: [Freeipa-users] netapp filer AD + ipa: possible?
In-Reply-To: <26583.213.225.75.97.1347005220.squirrel@www.nixtra.com>
References: <50490822.5030207@nixtra.com> <26583.213.225.75.97.1347005220.squirrel@www.nixtra.com>
Message-ID: <5049DB8D.2080304@s3group.cz>

That is actually the main benefit of the 'ldap.ADdomain' parameter. It will allow you to simplify configuration and allows easy load balancing/failover functionality.

We are paying for NetApp support, too so if anyone is going to bug NetApp about this, I am happy to join you.

Ondrej

On 09/07/2012 10:07 AM, Sigbjorn Lie wrote:
> Yes it would be great if NetApp would do that. The ldap.ADdomain option is used to configure the
> NetApp LDAP client from AD SRV DNS records. It would be great (and should be easy for NetApp) to
> have an option for ldap.IPAdomain. I don't remember exactly why I did not use this for IPA, as far
> as I remember most things worked, but I stumbled across some issue.

From dpal at redhat.com Fri Sep 7 15:50:18 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 11:50:18 -0400
Subject: [Freeipa-users] netapp filer AD + ipa: possible?
In-Reply-To: <5049DB8D.2080304@s3group.cz>
References: <50490822.5030207@nixtra.com> <26583.213.225.75.97.1347005220.squirrel@www.nixtra.com> <5049DB8D.2080304@s3group.cz>
Message-ID: <504A17BA.4090408@redhat.com>

On 09/07/2012 07:33 AM, Ondrej Valousek wrote:
> That is actually the main benefit of the 'ldap.ADdomain' parameter. It
> will allow you to simplify configuration and allows easy load
> balancing/failover functionality.
> We are paying for NetApp support, too so if anyone is going to bug
> NetApp about this, I am happy to join you.
>
> Ondrej
>
> On 09/07/2012 10:07 AM, Sigbjorn Lie wrote:
>> Yes it would be great if NetApp would do that. The ldap.ADdomain option is used to configure the
>> NetApp LDAP client from AD SRV DNS records. It would be great (and should be easy for NetApp) to
>> have an option for ldap.IPAdomain. I don't remember exactly why I did not use this for IPA, as far
>> as I remember most things worked, but I stumbled across some issue.

I will.

Siggi I will also send you a private email to give you access to the wiki.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
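Siggi's NetApp notes earlier in this thread mention scripting the sync of AD's sAMAccountName into IPA's ntUserDomainId when winsync is not in use, and that the filer's user mapping is case sensitive. The Python script below is an added example, not code from the list, FreeIPA or NetApp: it pairs IPA users with AD accounts by login name ignoring case and emits LDIF modify records only where ntUserDomainId is missing, stale or differs in case from AD. The base DN, container path and sample accounts are constructed placeholders, and it assumes the IPA user entries already carry the ntUser objectClass.

```python
"""Build LDIF that copies AD sAMAccountName into IPA ntUserDomainId.

Added example for this thread; not code from the list, FreeIPA or NetApp.
Assumptions: IPA user entries live under uid=<uid>,cn=users,cn=accounts,<BASE>
and already carry the ntUser objectClass (winsync adds it; without it the
replace below is rejected as a schema violation). Names are plain ASCII.
All sample data below is constructed.
"""

# Constructed placeholder suffix; replace with the real IPA base DN.
BASE_DN = "dc=example,dc=test"
USER_CONTAINER = "cn=users,cn=accounts," + BASE_DN

# Constructed sample data standing in for an AD and an IPA user listing.
SAMPLE_AD = ["JDoe", "asmith", "Bob.Jones"]
SAMPLE_IPA = [
    {"uid": "jdoe"},                                       # never synced
    {"uid": "asmith", "ntUserDomainId": "asmith"},         # already in sync
    {"uid": "bob.jones", "ntUserDomainId": "bob.jones"},   # differs only in case
    {"uid": "bjones"},                                     # no AD account
]


def escape_rdn_value(value):
    """Escape the characters RFC 4514 requires escaping inside an RDN value."""
    escaped = "".join("\\" + ch if ch in '\\,+"<>;' else ch for ch in value)
    if escaped[:1] in (" ", "#"):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def plan_sync(ad_accounts, ipa_users):
    """Pair IPA users with AD accounts by login name, ignoring case.

    ad_accounts: iterable of sAMAccountName strings as read from AD.
    ipa_users: iterable of dicts with 'uid' and an optional 'ntUserDomainId'.
    Returns (changes, report): changes is a list of (uid, new_value) in input
    order; report maps uid to 'in-sync', 'missing', 'case-mismatch', 'stale'
    or 'no-ad-account'.
    """
    by_lower = {}
    for sam in ad_accounts:
        by_lower.setdefault(sam.lower(), sam)
    changes, report = [], {}
    for user in ipa_users:
        uid = user["uid"]
        sam = by_lower.get(uid.lower())
        if sam is None:
            report[uid] = "no-ad-account"
            continue
        current = user.get("ntUserDomainId")
        if current == sam:
            report[uid] = "in-sync"
            continue
        # The filer's mapping is case sensitive (as noted in the thread), so a
        # value that matches only ignoring case still has to be rewritten.
        if current is None:
            report[uid] = "missing"
        elif current.lower() == sam.lower():
            report[uid] = "case-mismatch"
        else:
            report[uid] = "stale"
        changes.append((uid, sam))
    return changes, report


def to_ldif(changes):
    """Render the planned changes as LDIF modify records for ldapmodify."""
    records = []
    for uid, sam in changes:
        dn = "uid=%s,%s" % (escape_rdn_value(uid), USER_CONTAINER)
        records.append("\n".join([
            "dn: " + dn,
            "changetype: modify",
            "replace: ntUserDomainId",
            "ntUserDomainId: " + sam,
            "-",
        ]))
    return "\n\n".join(records) + ("\n" if records else "")


def main():
    changes, report = plan_sync(SAMPLE_AD, SAMPLE_IPA)
    for uid in sorted(report):
        print("%-12s %s" % (uid, report[uid]))
    print(to_ldif(changes))


if __name__ == "__main__":
    main()
```

Re-running the script is idempotent, since users already in sync produce no record; the 'no-ad-account' entries in the report are worth reviewing because those users will not be mapped by the filer at all.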
From dpal at redhat.com Fri Sep 7 16:07:43 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 12:07:43 -0400
Subject: [Freeipa-users] Desperate help requested.
In-Reply-To:
References:
Message-ID: <504A1BCF.7010203@redhat.com>

On 09/06/2012 09:32 PM, KodaK wrote:
> Thank you everyone. We finally had our meeting today (it was delayed
> from Tuesday.) It went much better than I was expecting. Regardless
> of the email that said "we can't authenticate to anything but MS AD,"
> apparently his *actual* concern was having a third party tie-in to
> Active Directory that would keep them from applying patches to AD.
> Pretty much all I had to say was "good news, everyone! We don't need
> AD!" It pissed off the Windows Director who was in the room and was
> pushing for us to auth directly against AD, but the veep who had the
> initial problem was satiated.
>
> All is right with the world again. Or at least my tiny piece of it.
> Until tomorrow.
>
> Thanks again,
>
> --Jason

Would you ask too much if I ask to write a blog about all this somewhere ;-) ?

And thank you all for the kind words towards IPA project.
We are here to give you control that you need and we are very glad we are on the right track.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

From dpal at redhat.com Fri Sep 7 16:14:29 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 12:14:29 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com>
Message-ID: <504A1D65.40500@redhat.com>

On 09/06/2012 10:40 AM, Michael Mercier wrote:
> Hello,
>
> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.
>
> [root@ipaserver ~]#ipa-replica-manage list
> ipaserver.mpls.local: master
> ipaserver2.mpls.local: master
> [root@ipaserver ~]# rpm -qa|grep ipa
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
>
>
> [root@ipaserver2 ~]#ipa-replica-manage list
> ipaserver.mpls.local: master
> ipaserver2.mpls.local: master
> [root@ipaserver2 ~]# rpm -qa|grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> libipa_hbac-1.8.0-32.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
>
>
> [mike@ipaclient ~]$ rpm -qa|grep ipa
> ipa-admintools-2.2.0-16.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
> libipa_hbac-1.8.0-32.el6.x86_64
>
>
> I have a webserver (zenoss) using kerberos authentication.
>
> [root@zenoss ~]# rpm -qa|grep ipa
> libipa_hbac-1.8.0-32.el6.x86_64
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-admintools-2.2.0-16.el6.x86_64
>
>
> SSLRequireSSL
> AuthType Kerberos
> AuthName "Kerberos Login"
>
> KrbMethodK5Passwd Off
> KrbAuthRealms MPLS.LOCAL
> KrbSaveCredentials on
> KrbServiceName HTTP
> Krb5KeyTab /etc/http/conf.d/http.keytab
>
> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
> RequestHeader set X_REMOTE_USER %{remoteUser}e
> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>
>
> With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails. I have also noticed the following:
>
> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
> 2. It takes a longer period of time to do a kinit
>
> If I then perform:
> [root@ipaserver ~]#ifup eth0
>
> [root@ipaserver2 ~]#ifdown eth0
>
> [mike@ipaclient ~]$kinit
> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>
> [root@ipaserver2 ~]#ifup eth0
>
> [mike@ipaclient ~]$ kinit
> Password for mike@MPLS.LOCAL:
> [mike@ipaclient ~]$
>
> [root@ipaserver2 ~]#ifdown eth0
>
> .. wait number of minutes
>
> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
>
> [mike@ipaclient ~]$kinit
> Password for mike@MPLS.LOCAL:
> [mike@ipaclient ~]$
>
> Any ideas?
>
> Thanks,
> Mike

This seems to be some DNS problem.
Your client does not see the second replica and might have some name resolution timeouts.

Please check your dns setup and krb5.conf on the client.

To help more we need more details about your client configuration DNS and kerberos.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

From dpal at redhat.com Fri Sep 7 16:34:02 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 12:34:02 -0400
Subject: [Freeipa-users] ipa host-del
In-Reply-To: <856889955.4483759.1346888841039.JavaMail.root@redhat.com>
References: <856889955.4483759.1346888841039.JavaMail.root@redhat.com>
Message-ID: <504A21FA.6030907@redhat.com>

On 09/05/2012 07:47 PM, Alexander Bokovoy wrote:
> I did fix this for Fedora with F16 release in past -- in /usr/libexec/freeipa-systemd-update in Fedora packages there is an elaborate code to handle these updates of the symlinks.
> Perhaps we need to extract that part and add to RHEL6? (RHEL6 does not use systemd but the code for jss upgrade is the same).

https://bugzilla.redhat.com/show_bug.cgi?id=855413

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

From mmercier at gmail.com Fri Sep 7 16:42:07 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Fri, 7 Sep 2012 12:42:07 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <504A1D65.40500@redhat.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com>
Message-ID: <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com>

On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>> Hello,
>>
>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3).
>> I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.
>>
>> [root@ipaserver ~]#ipa-replica-manage list
>> ipaserver.mpls.local: master
>> ipaserver2.mpls.local: master
>> [root@ipaserver ~]# rpm -qa|grep ipa
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>>
>>
>> [root@ipaserver2 ~]#ipa-replica-manage list
>> ipaserver.mpls.local: master
>> ipaserver2.mpls.local: master
>> [root@ipaserver2 ~]# rpm -qa|grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>> libipa_hbac-1.8.0-32.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>
>>
>> [mike@ipaclient ~]$ rpm -qa|grep ipa
>> ipa-admintools-2.2.0-16.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> libipa_hbac-1.8.0-32.el6.x86_64
>>
>>
>> I have a webserver (zenoss) using kerberos authentication.
>>
>> [root@zenoss ~]# rpm -qa|grep ipa
>> libipa_hbac-1.8.0-32.el6.x86_64
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-admintools-2.2.0-16.el6.x86_64
>>
>>
>> SSLRequireSSL
>> AuthType Kerberos
>> AuthName "Kerberos Login"
>>
>> KrbMethodK5Passwd Off
>> KrbAuthRealms MPLS.LOCAL
>> KrbSaveCredentials on
>> KrbServiceName HTTP
>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>
>> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>
>>
>> With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails. I have also noticed the following:
>>
>> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
>> 2. It takes a longer period of time to do a kinit
>>
>> If I then perform:
>> [root@ipaserver ~]#ifup eth0
>>
>> [root@ipaserver2 ~]#ifdown eth0
>>
>> [mike@ipaclient ~]$kinit
>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>
>> [root@ipaserver2 ~]#ifup eth0
>>
>> [mike@ipaclient ~]$ kinit
>> Password for mike@MPLS.LOCAL:
>> [mike@ipaclient ~]$
>>
>> [root@ipaserver2 ~]#ifdown eth0
>>
>> .. wait number of minutes
>>
>> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
>>
>> [mike@ipaclient ~]$kinit
>> Password for mike@MPLS.LOCAL:
>> [mike@ipaclient ~]$
>>
>> Any ideas?
>>
>> Thanks,
>> Mike
>
> This seems to be some DNS problem.
> Your client does not see the second replica and might have some name
> resolution timeouts.
>
> Please check your dns setup and krb5.conf on the client.
>
> To help more we need more details about your client configuration DNS and
> kerberos.

Hi,

Additional information...

[root@zenoss ~]#more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.mpls.local = MPLS.LOCAL
mpls.local = MPLS.LOCAL

[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.mpls.local = MPLS.LOCAL
mpls.local = MPLS.LOCAL

[root@ipaclient ~]# nslookup ipaserver
Server: 172.16.112.5
Address: 172.16.112.5#53

Name: ipaserver.mpls.local
Address: 172.16.112.5

[root@ipaserver ~]#ifdown eth0

[root@ipaclient ~]# nslookup ipaserver
Server: 172.16.112.8
Address: 172.16.112.8#53

Name: ipaserver.mpls.local
Address: 172.16.112.5

[root@ipaclient ~]# nslookup ipaserver2
Server: 172.16.112.8
Address: 172.16.112.8#53

Name: ipaserver2.mpls.local
Address: 172.16.112.8

Copy/paste from the DNS page on ipaserver/ipaserver2

@                      NS   ipaserver.mpls.local.
                       NS   ipaserver2.mpls.local.
_kerberos              TXT  MPLS.LOCAL
_kerberos-master._tcp  SRV  0 100 88 ipaserver
                       SRV  0 100 88 ipaserver2
_kerberos-master._udp  SRV  0 100 88 ipaserver
                       SRV  0 100 88 ipaserver2
_kerberos._tcp         SRV  0 100 88 ipaserver
                       SRV  0 100 88 ipaserver2
_kerberos._udp         SRV  0 100 88 ipaserver
                       SRV  0 100 88 ipaserver2
_kpasswd._tcp          SRV  0 100 464 ipaserver
                       SRV  0 100 464 ipaserver2
_kpasswd._udp          SRV  0 100 464 ipaserver
                       SRV  0 100 464 ipaserver2
_ldap._tcp             SRV  0 100 389 ipaserver
                       SRV  0 100 389 ipaserver2
_ntp._udp              SRV  0 100 123 ipaserver
                       SRV  0 100 123 ipaserver2
ipaclient              A    172.16.112.9
ipaclient2             A    172.16.112.145
ipaserver              A    172.16.112.5
ipaserver2             A    172.16.112.8
zenoss                 A    172.16.112.6

Thanks,
Mike

From natxo.asenjo at gmail.com Fri Sep 7 17:09:31 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 7 Sep 2012 19:09:31 +0200
Subject: [Freeipa-users] netapp filer AD + ipa: possible?
In-Reply-To: <5049DB8D.2080304@s3group.cz>
References: <50490822.5030207@nixtra.com> <26583.213.225.75.97.1347005220.squirrel@www.nixtra.com> <5049DB8D.2080304@s3group.cz>
Message-ID:

On Fri, Sep 7, 2012 at 1:33 PM, Ondrej Valousek wrote:
> That is actually the main benefit of the 'ldap.ADdomain' parameter. It
> will allow you to simplify configuration and allows easy load
> balancing/failover functionality.
> We are paying for NetApp support, too so if anyone is going to bug NetApp
> about this, I am happy to join you.

I will open a case in the next weeks, when I am back at the office and get all the netapp support info (very new customer). We are now migrating the storage so it is a bit busy, but as soon as I file the case I will post the number here for you guys to support it.

--
natxo

From sigbjorn at nixtra.com Fri Sep 7 18:22:51 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 07 Sep 2012 20:22:51 +0200
Subject: [Freeipa-users] Desperate help requested.
In-Reply-To: <504A1BCF.7010203@redhat.com>
References: <504A1BCF.7010203@redhat.com>
Message-ID: <76cf5bc4-c0be-415b-9414-b4c153d7ed4c@email.android.com>

Thanks. I believe Rob already created the account. I got some emails regarding a wiki account. Haven't had time to check it out yet.

Rgds
Siggi

Dmitri Pal wrote:
>On 09/06/2012 09:32 PM, KodaK wrote:
>> Thank you everyone. We finally had our meeting today (it was delayed
>> from Tuesday.) It went much better than I was expecting. Regardless
>> of the email that said "we can't authenticate to anything but MS AD,"
>> apparently his *actual* concern was having a third party tie-in to
>> Active Directory that would keep them from applying patches to AD.
>> Pretty much all I had to say was "good news, everyone! We don't need
>> AD!" It pissed off the Windows Director who was in the room and was
>> pushing for us to auth directly against AD, but the veep who had the
>> initial problem was satiated.
>>
>> All is right with the world again. Or at least my tiny piece of it.
>> Until tomorrow.
>>
>> Thanks again,
>>
>> --Jason
>>
>Would you ask too much if I ask to write a blog about all this
>somewhere
>;-) ?
>
>And thank you all for the kind words towards IPA project.
>We are here to give you control that you need and we are very glad we
>are on the right track.
>
>--
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager for IdM portfolio
>Red Hat Inc.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

From dpal at redhat.com Fri Sep 7 18:30:57 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 14:30:57 -0400
Subject: [Freeipa-users] Desperate help requested.
In-Reply-To: <76cf5bc4-c0be-415b-9414-b4c153d7ed4c@email.android.com>
References: <504A1BCF.7010203@redhat.com> <76cf5bc4-c0be-415b-9414-b4c153d7ed4c@email.android.com>
Message-ID: <504A3D61.6010803@redhat.com>

On 09/07/2012 02:22 PM, Sigbjorn Lie wrote:
> Thanks. I believe Rob already created the account. I got some emails
> regarding a wiki account. Haven't had time to check it out yet.

Yes. He pinged me before I created the second one for you.

>
> Rgds
> Siggi
>
> Dmitri Pal wrote:
>
> On 09/06/2012 09:32 PM, KodaK wrote:
>
> Thank you everyone. We finally had our meeting today (it was
> delayed from Tuesday.) It went much better than I was
> expecting. Regardless of the email that said "we can't
> authenticate to anything but MS AD," apparently his *actual*
> concern was having a third party tie-in to Active Directory
> that would keep them from applying patches to AD. Pretty much
> all I had to say was "good news, everyone! We don't need AD!"
> It pissed off the Windows Director who was in the room and was
> pushing for us to auth directly against AD, but the veep who
> had the initial problem was satiated. All is right with the
> world again. Or at least my tiny piece of it. Until tomorrow.
> Thanks again, --Jason
>
>
> Would you ask too much if I ask to write a blog about all this somewhere
> ;-) ?
>
> And thank you all for the kind words towards IPA project.
> We are here to give you control that you need and we are very glad we
> are on the right track.
>
>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
From dpal at redhat.com Fri Sep 7 18:38:02 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 14:38:02 -0400
Subject: [Freeipa-users] openindiana ldap client
In-Reply-To: <50439019.8080804@nixtra.com>
References: <50439019.8080804@nixtra.com>
Message-ID: <504A3F0A.4090402@redhat.com>

On 09/02/2012 12:58 PM, Sigbjorn Lie wrote:
> On 09/02/2012 04:37 PM, Natxo Asenjo wrote:
>> hi,
>>
>> Recently I have been playing with the zfs for its native nfs4 acl
>> capabilities. I have used openindiana for this. For those wondering
>> about openindiana, it is a distribution of the former opensolaris code.
>>
>> I got the ldap client to work for retrieving user/group info from
>> ipa using the ldapclient command:
>>
>> # ldapclient manual \
>> -a authenticationMethod=none \
>> -a defaultSearchBase=*dc=ipa,dc=asenjo,dc=nx* \
>> -a domainName=*ipa.asenjo.nx* \
>> -a defaultServerList=kdc.ipa.asenjo.nx \
>> -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \
>> -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter]
>>
>> you need to enable the ldap/client service:
>>
>> # svcadm enable ldap/client:default [enter]
>>
>> After which, modify /etc/nsswitch.conf to add the ldap provider for
>> passwd and group:
>>
>> passwd: files ldap
>> group: files ldap
>>
>> That's it, test it:
>>
>> # id admin
>> uid=642800000(admin) gid=642800000(admins) groups=642800000(admins)
>>
>> # getent passwd admin
>> admin:x:642800000:642800000:Administrator:/home/admin:/bin/bash
>>
>> So it works. The kerberos stuff will be next ...
>>
>> One thing I have not yet gotten to work is that these changes are not
>> persistent across reboots. The ldapclient config stays, but the
>> service ldap/client does not start (stays disabled) and nsswitch.conf
>> misses the ldap entries. So far I am fixing this from cfengine
>> (gotta love it).
>>
>> So apparently, for solaris 10 and newer versions, the procedure
>> outlined in http://freeipa.com/page/ConfiguringSolarisClients is no
>> longer necessary as far as the ldap client is concerned.
>>
>>
>> --
>> Groeten,
>> natxo
>
> Hi,
>
> I'm using Nexenta as an IPA client, another derivative of OpenSolaris.
> I use a DUAProfile with ldapclient. This stays configured and the
> ldap/client service is enabled across reboots.
>
>
> There is a DUAProfile included by default with IPA, but it requires
> some tweaking to support more than just the basic features. See this
> bugzilla for a more comprehensive example:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>
>
> There is also some more info about configuring Solaris clients in this
> bugzilla:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815533

Siggi, can you please review http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html and confirm that this is correct and has the latest? If you find some inconsistency would you mind filing a fedora doc bug?

>
>
> The ldap/client service is enabled when you run the ldapclient script.
> There should be no need for doing this manually. When you run
> ldapclient, run it with the -v flag and look for errors.
>
> After a reboot, what does "svcs -xv ldap/client" output?
>
> Are the services it depends on in online state? "svcs -d ldap/client"
>
> What does /var/svc/log/network-ldap-client:default.log display after a
> reboot?
>
> What files do you have in /var/ldap?
>
> What is the content of the /var/ldap/ldap_client_file?
>
>
>
> Regards,
> Siggi

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

From dpal at redhat.com Fri Sep 7 18:47:55 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 14:47:55 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com>
Message-ID: <504A415B.1070609@redhat.com>

On 09/07/2012 12:42 PM, Michael Mercier wrote:
> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>
>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>> Hello,
>>>
>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.
>>>
>>> [root@ipaserver ~]#ipa-replica-manage list
>>> ipaserver.mpls.local: master
>>> ipaserver2.mpls.local: master
>>> [root@ipaserver ~]# rpm -qa|grep ipa
>>> libipa_hbac-1.8.0-32.el6.x86_64
>>> ipa-admintools-2.2.0-16.el6.x86_64
>>> ipa-server-2.2.0-16.el6.x86_64
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>> ipa-client-2.2.0-16.el6.x86_64
>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>> python-iniparse-0.3.1-2.1.el6.noarch
>>> ipa-python-2.2.0-16.el6.x86_64
>>>
>>>
>>> [root@ipaserver2 ~]#ipa-replica-manage list
>>> ipaserver.mpls.local: master
>>> ipaserver2.mpls.local: master
>>> [root@ipaserver2 ~]# rpm -qa|grep ipa
>>> ipa-client-2.2.0-16.el6.x86_64
>>> ipa-server-2.2.0-16.el6.x86_64
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> ipa-python-2.2.0-16.el6.x86_64
>>> libipa_hbac-1.8.0-32.el6.x86_64
>>> python-iniparse-0.3.1-2.1.el6.noarch
>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>> ipa-admintools-2.2.0-16.el6.x86_64
>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>
>>> [mike at ipaclient ~]$ rpm -qa|grep ipa
>>> ipa-admintools-2.2.0-16.el6.x86_64
>>> python-iniparse-0.3.1-2.1.el6.noarch
>>> ipa-python-2.2.0-16.el6.x86_64
>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>> ipa-client-2.2.0-16.el6.x86_64
>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>
>>> I have a webserver (zenoss) using kerberos authentication.
>>>
>>> [root at zenoss ~]# rpm -qa|grep ipa
>>> libipa_hbac-1.8.0-32.el6.x86_64
>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>> ipa-python-2.2.0-16.el6.x86_64
>>> ipa-client-2.2.0-16.el6.x86_64
>>> python-iniparse-0.3.1-2.1.el6.noarch
>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>
>>> SSLRequireSSL
>>> AuthType Kerberos
>>> AuthName "Kerberos Login"
>>>
>>> KrbMethodK5Passwd Off
>>> KrbAuthRealms MPLS.LOCAL
>>> KrbSaveCredentials on
>>> KrbServiceName HTTP
>>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>>
>>> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>>
>>> With both ipaserver and ipaserver2 'up', if I connect to
>>> https://zenoss.mpls.local from ipaclient using firefox, I am successfully
>>> connected. If on ipaserver I do a 'ifdown eth0' and attempt another
>>> connection, it fails. I have also noticed the following:
>>>
>>> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
>>> 2.
>>> It takes a longer period of time to do a kinit
>>>
>>> If I then perform:
>>> [root at ipaserver ~]#ifup eth0
>>>
>>> [root at ipaserver2 ~]#ifdown eth0
>>>
>>> [mike at ipaclient ~]$kinit
>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>
>>> [root at ipaserver2 ~]#ifup eth0
>>>
>>> [mike at ipaclient ~]$ kinit
>>> Password for mike at MPLS.LOCAL:
>>> [mike at ipaclient ~]$
>>>
>>> [root at ipaserver2 ~]#ifdown eth0
>>>
>>> .. wait number of minutes
>>>
>>> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
>>>
>>> [mike at ipaclient ~]$kinit
>>> Password for mike at MPLS.LOCAL:
>>> [mike at ipaclient ~]$
>>>
>>> Any ideas?
>>>
>>> Thanks,
>>> Mike
>> This seems to be some DNS problem.
>> Your client does not see the second replica and might have some name
>> resolution timeouts.
>>
>> Please check your dns setup and krb5.conf on the client.
>>
>> To help more we need more details about your client configuration DNS and
>> kerberos.
> Hi,
>
> Additional information...
>
> [root at zenoss ~]#more /etc/resolv.conf
> search mpls.local
> domain mpls.local
> nameserver 172.16.112.5
> nameserver 172.16.112.8
>
> [root at zenoss ~]# more /etc/krb5.conf
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = MPLS.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> MPLS.LOCAL = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .mpls.local = MPLS.LOCAL
> mpls.local = MPLS.LOCAL
>
> [root at ipaclient ~]# more /etc/resolv.conf
> # Generated by NetworkManager
> search mpls.local
> nameserver 172.16.112.5
> nameserver 172.16.112.8
>
> [root at ipaclient ~]# more /etc/krb5.conf
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = MPLS.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> MPLS.LOCAL = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .mpls.local = MPLS.LOCAL
> mpls.local = MPLS.LOCAL
>
> [root at ipaclient ~]# nslookup ipaserver
> Server:     172.16.112.5
> Address:    172.16.112.5#53
>
> Name:   ipaserver.mpls.local
> Address: 172.16.112.5
>
> [root at ipaserver ~]#ifdown eth0
>
> [root at ipaclient ~]# nslookup ipaserver
> Server:     172.16.112.8
> Address:    172.16.112.8#53
>
> Name:   ipaserver.mpls.local
> Address: 172.16.112.5
>
> [root at ipaclient ~]# nslookup ipaserver2
> Server:     172.16.112.8
> Address:    172.16.112.8#53
>
> Name:   ipaserver2.mpls.local
> Address: 172.16.112.8
>
> Copy/paste from the DNS page on ipaserver/ipaserver2
>
> @                      NS  ipaserver.mpls.local.
>                        NS  ipaserver2.mpls.local.
> _kerberos              TXT MPLS.LOCAL
> _kerberos-master._tcp  SRV 0 100 88 ipaserver
>                        SRV 0 100 88 ipaserver2
> _kerberos-master._udp  SRV 0 100 88 ipaserver
>                        SRV 0 100 88 ipaserver2
> _kerberos._tcp         SRV 0 100 88 ipaserver
>                        SRV 0 100 88 ipaserver2
> _kerberos._udp         SRV 0 100 88 ipaserver
>                        SRV 0 100 88 ipaserver2
> _kpasswd._tcp          SRV 0 100 464 ipaserver
>                        SRV 0 100 464 ipaserver2
> _kpasswd._udp          SRV 0 100 464 ipaserver
>                        SRV 0 100 464 ipaserver2
> _ldap._tcp             SRV 0 100 389 ipaserver
>                        SRV 0 100 389 ipaserver2
> _ntp._udp              SRV 0 100 123 ipaserver
>                        SRV 0 100 123 ipaserver2
> ipaclient              A   172.16.112.9
> ipaclient2             A   172.16.112.145
> ipaserver              A   172.16.112.5
> ipaserver2             A   172.16.112.8
> zenoss                 A   172.16.112.6
>
> Thanks,
> Mike
>
I noticed that there is no domain line in the resolv.conf on the client.
AFAIU in this case it would determine the domain by the gethostname and
in case of network being down it will fail over to the hosts file.
I wonder what is in your /etc/hosts?
Does it have just a short host name?

I do not know if that would help though. I am at the boundary of my
knowledge so someone more skilled would need to take over.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
From dpal at redhat.com Fri Sep 7 19:00:58 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 15:00:58 -0400
Subject: [Freeipa-users] RHEV-M + service accounts in IPA
In-Reply-To: <5047677E.8070902@redhat.com>
References: <50473E51.1050201@themacartneyclan.com> <504747F8.7000403@redhat.com> <50476511.8030700@themacartneyclan.com> <5047677E.8070902@redhat.com>
Message-ID: <504A446A.9080806@redhat.com>

On 09/05/2012 10:53 AM, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> On 05/09/12 13:39, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>>
>>>> Afternoon all
>>>>
>>>> I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3
>>>> (ipa-server-2.2-16)
>>>>
>>>> I have an api script that handles all my deployments and I am
>>>> trying to set up a role account for my script to run within a jenkins
>>>> environment.
>>>>
>>>> I have created an ldap sysaccount, however that doesn't appear in the
>>>> RHEV users list when I do a search. So it's clear it's looking for
>>>> specific IPA users.
>>>>
>>>> Is there a way (or on the roadmap), to create service/role accounts in
>>>> IPA where the password doesn't expire?
>>>>
>>>> I'm trying to avoid scenarios like this
>>>>
>>>> https://access.redhat.com/knowledge/solutions/67562
>>>>
>>>> Any comments / suggestions are welcome
>>>>
>>>> Thanks everyone
>>>>
>>>> Dale
>>>>
>>>
>>> A work-around is to set krbpasswordexpiration of the user somewhere
>>> far in the future to prevent expiration.
>> That'll work.. Do I need to do anything fancy though? I tried running
>> the below on a new user called rhev-build but it keeps erroring out. I
>> know I have a current TGT otherwise I wouldn't be able to add the user
>> in the first place.
>>
>> [root at ds01 ~]# ipa user-mod rhev-build --setattr=krbPasswordExpiration=20131231011529Z
>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>> 'krbPasswordExpiration' attribute of entry
>> 'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
>> [root at ds01 ~]#
>
> We don't let admins muck with the expiration date. Please file an RFE
> ticket if you'd like that capability.

https://fedorahosted.org/freeipa/ticket/3062

>
> You'll have to resort to ldapmodify:
>
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20131231011529Z
>
> modifying entry "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com"
>
> You might want to consider 2037 as the year. 2014 will be here before
> you know it.
>
> rob
>
>>
>>>
>>> We have a ticket open on this,
>>> https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA
>>> 3.3.
>> Good to know it's on its way. This is a demo lab so setting a long
>> password expiry addresses my needs.
>>>
>>> rob
>>
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
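Rob's ldapmodify snippet sets krbPasswordExpiration directly as Directory Manager. The script below is an added example, not code from the thread or from FreeIPA: it builds that same LDIF and checks the timestamp before anything is piped to ldapmodify. The value is an LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ), and Rob's "consider 2037" advice maps onto the signed 32-bit time_t limit of 2038-01-19, which the check flags. The DN and dates are constructed.

```python
"""Build and sanity-check an LDIF 'replace' for krbPasswordExpiration.

Added example (not from the thread or FreeIPA). The DN and timestamps are
constructed; the ldapmodify command named at the bottom is the one from the
thread.
"""
from datetime import datetime, timezone

# krbPasswordExpiration is an LDAP GeneralizedTime in UTC: YYYYMMDDHHMMSSZ.
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"
# Last second a signed 32-bit time_t can hold. Anything later risks being
# misread by 32-bit consumers, hence "2037" as the safe far-future year.
TIME_T_32_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime string; raise ValueError if malformed."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("not a 15-character UTC GeneralizedTime: %r" % value)
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def is_valid_generalized_time(value):
    """True when the value is something 389 DS will accept for this attribute."""
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False


def check_expiration(value, now=None):
    """Return a list of warnings about an expiration timestamp (empty = ok).

    `now` is also a GeneralizedTime string so callers can pin the clock.
    """
    when = parse_generalized_time(value)
    current = parse_generalized_time(now) if now else datetime.now(timezone.utc)
    warnings = []
    if when <= current:
        warnings.append("expiration is in the past; the password is already expired")
    if when > TIME_T_32_MAX:
        warnings.append("expiration is after 2038-01-19; 32-bit time_t code may misread it")
    return warnings


def expiration_ldif(user_dn, value):
    """Render the modify operation exactly as ldapmodify reads it from stdin."""
    parse_generalized_time(value)  # fail here rather than at the server
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: krbPasswordExpiration\n"
        "krbPasswordExpiration: %s\n" % (user_dn, value)
    )


def far_future_expiration(year=2037):
    """31 December of the given year, 23:59:59 UTC, as a GeneralizedTime."""
    return datetime(year, 12, 31, 23, 59, 59, tzinfo=timezone.utc).strftime(GENERALIZED_TIME)


if __name__ == "__main__":
    dn = "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com"  # constructed DN
    value = far_future_expiration()
    for warning in check_expiration(value):
        print("warning:", warning)
    # Feed the output to:  ldapmodify -x -D 'cn=directory manager' -W
    print(expiration_ldif(dn, value), end="")
```

Because the modify runs as Directory Manager, it bypasses every IPA permission check; the local validation is what stands between a typo and an account that is either expired immediately or carries a date that 32-bit code will wrap.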
From mmercier at gmail.com Fri Sep 7 19:42:58 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Fri, 7 Sep 2012 15:42:58 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <504A415B.1070609@redhat.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com>
Message-ID:

On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>> [...]
>>
> I noticed that there is no domain line in the resolv.conf on the client.
> AFAIU in this case it would determine the domain by the gethostname and
> in case of network being down it will fail over to the hosts file.
> I wonder what is in your /etc/hosts?
> Does it have just a short host name?
[root at ipaclient ~]# more /etc/hosts
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6

Add domain mpls.local to /etc/resolv.conf

[root at ipaserver ~]#ifdown eth0

[root at ipaclient ~]# kinit mike
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

[root at ipaclient ~]# nslookup ipaserver
Server:     172.16.112.8
Address:    172.16.112.8#53

Name:   ipaserver.mpls.local
Address: 172.16.112.5

[root at ipaclient ~]# nslookup ipaserver2
Server:     172.16.112.8
Address:    172.16.112.8#53

Name:   ipaserver2.mpls.local
Address: 172.16.112.8

add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts

[root at ipaserver ~]#ifup eth0

[root at ipaclient ~]# kinit mike
Password for mike at MPLS.LOCAL:

[root at ipaserver ~]#ifdown eth0

[root at ipaclient ~]# kinit mike
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

[root at ipaclient ~]# nslookup -type=srv _kerberos-master._tcp
Server:     172.16.112.8
Address:    172.16.112.8#53

_kerberos-master._tcp.mpls.local    service = 0 100 88 ipaserver2.mpls.local.
_kerberos-master._tcp.mpls.local    service = 0 100 88 ipaserver.mpls.local.

[root at ipaclient ~]# nslookup -type=srv _kerberos-master._udp
Server:     172.16.112.5
Address:    172.16.112.5#53

_kerberos-master._udp.mpls.local    service = 0 100 88 ipaserver.mpls.local.
_kerberos-master._udp.mpls.local    service = 0 100 88 ipaserver2.mpls.local.

[root at ipaclient ~]# kinit mike
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

[root at ipaserver ~]#ifup eth0

[root at ipaclient ~]# kinit mike
Password for mike at MPLS.LOCAL:

Thanks,
Mike

>
> I do not know if that would help though. I am at the boundary of my
> knowledge so someone more skilled would need to take over.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
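The transcripts in this thread show kinit failing with "Cannot contact any KDC" although both KDCs are published as SRV records with equal priority and weight, and the posted krb5.conf relies on dns_lookup_kdc with no static kdc lines. The script below is an added example, not code from the thread, MIT krb5 or FreeIPA: it replays the client side of KDC discovery by ordering SRV records the way RFC 2782 prescribes, picking the first reachable KDC, and reading the client's krb5.conf and resolv.conf to state what the lookup depends on. The SRV data and both config files are constructed to mirror those posted above; KDC reachability is passed in as a set, so nothing is probed on the network.

```python
"""Replay how a Kerberos client picks a KDC from DNS SRV records, and when
that ends in "Cannot contact any KDC". Added example, not code from the
thread, MIT krb5 or FreeIPA: the SRV records, krb5.conf and resolv.conf are
constructed to mirror those posted, and KDC reachability is given as a set
rather than probed over the network, so it runs offline."""
import random

# Constructed from the zone pasted in the thread: (priority, weight, port, target).
KERBEROS_TCP_SRV = [
    (0, 100, 88, "ipaserver.mpls.local"),
    (0, 100, 88, "ipaserver2.mpls.local"),
]
# Constructed, trimmed copies of the client files shown in the thread.
KRB5_CONF = """\
#File modified by ipa-client-install
[libdefaults]
 default_realm = MPLS.LOCAL
 dns_lookup_kdc = true
[realms]
 MPLS.LOCAL = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
"""
RESOLV_CONF = "# Generated by NetworkManager\nsearch mpls.local\nnameserver 172.16.112.5\nnameserver 172.16.112.8\n"


def order_srv(records, rng=None):
    """RFC 2782 order: ascending priority, weighted random draw within a priority."""
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec[0], []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda r: r[1] != 0)  # weight 0 first
        while pool:
            draw = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= draw:
                    ordered.append(pool.pop(pool.index(rec)))
                    break
    return ordered


def pick_kdc(records, reachable, rng=None):
    """First reachable KDC in SRV order as (host, port); None means the client
    would report 'Cannot contact any KDC for realm ...'."""
    for _prio, _weight, port, target in order_srv(records, rng):
        if target in reachable:
            return target, port
    return None


def parse_krb5_conf(text):
    """Tiny krb5.conf reader: returns ([libdefaults] dict, {realm: [kdc, ...]})."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms


def diagnose(krb5_conf, resolv_conf, srv_records, reachable, rng=None):
    """Explain, as a list of findings, how this client will locate a KDC."""
    libdefaults, realms = parse_krb5_conf(krb5_conf)
    realm = libdefaults.get("default_realm", "?")
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    findings = []
    if not realms.get(realm) and dns_kdc:
        findings.append("%s: no static kdc lines; every kinit depends on the SRV lookup" % realm)
    elif not realms.get(realm):
        findings.append("%s: no kdc lines and dns_lookup_kdc is off; no KDC can be found" % realm)
    keywords = {l.split()[0] for l in resolv_conf.splitlines() if l.strip() and not l.startswith("#")}
    if not keywords & {"domain", "search"}:
        findings.append("resolv.conf has neither 'domain' nor 'search'; short host names will not resolve")
    chosen = pick_kdc(srv_records, reachable, rng)
    if chosen:
        findings.append("kinit would contact %s:%d" % chosen)
    else:
        findings.append("no reachable KDC in the SRV set: \"Cannot contact any KDC for realm '%s'\"" % realm)
    return findings
```

With equal priority and weight, order_srv picks either server first at random and pick_kdc falls through to the other, so a single KDC being down is survivable on its own; the failure the thread reports is therefore upstream of KDC selection, in the SRV lookup that the posted krb5.conf depends on entirely, which is the DNS dependency Dmitri's questions point at. Adding explicit `kdc =` lines under the realm in krb5.conf is the standard way to keep KDC discovery working when the resolver is the part that is struggling.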
From dpal at redhat.com Fri Sep 7 19:51:01 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 15:51:01 -0400
Subject: [Freeipa-users] winsync msi
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD6539B@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500DE820.7090907@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD62AF3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500EB709.3080105@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD63D71@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500FFB76.5020003@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD64D8D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50108879.7090007@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD65372@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50108F11.7080708@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD6539B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <504A5025.6030608@redhat.com>

On 07/25/2012 08:32 PM, Steven Jones wrote:
> Hi,
>
> I will ask....
>
I am trying to make sure we closed all the loose ends.
Steven, is there any update?

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Thursday, 26 July 2012 12:28 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync msi
>
> On 07/25/2012 06:11 PM, Steven Jones wrote:
>> Hi,
>>
>> From a RH support case as I don't have access to the RDS channel.
> We just updated the RHEL 6.3 downloads to have the RedHat-PassSync .msi
> files.
>
>> No, it doesn't allay my Windows and security ppls concerns....
> I was speaking specifically about your original concerns:
>
> "No not specific developers but some sort of statement of ownership from
> RedHat I suppose.
> So they are I assume looking for some sort of
> confidence that it won't trash AD and if I install it and it does trash
> our AD some liability."
>
> Does the fact that you are now getting a Red Hat branded binary from an
> official Red Hat download site allay these particular fears?
>
>> http://port389.org/wiki/Download
>>
>> "This is an Active Directory "plug-in" that intercepts password changes
>> made to AD and sends the clear text password to 389 DS to keep the
>> passwords in sync (when using the Windows Sync feature of 389 DS).
>>
>> Tested with Windows 2008 and 2003 Server 32-bit and 64-bit. "
> "This is an Active Directory "plug-in" that intercepts password changes
> made to AD Domain Controllers and sends the clear text password over an
> encrypted connection (SSL/TLS) to 389 DS to keep the passwords in sync.
> It works in conjunction with the Windows Sync feature of 389. You must
> install this on every Domain Controller. "
>
> Better?
>
>> regards
>>
>> Steven Jones
>>
>> ________________________________________
>> From: Rich Megginson [rmeggins at redhat.com]
>> Sent: Thursday, 26 July 2012 11:59 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] winsync msi
>>
>> On 07/25/2012 02:41 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> Ah ok, I have the "official" one.
>> From where did you get it? And does it allay your concerns?
>>
>>> One thing on the free site, it says the password is transmitted as clear
>>> text, no mention of over an encrypted secure channel....the security guys
>>> had a fit.....so if you update that web page it would help the cause.
>> Which page is that? The Howto:WindowsSync?
>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> ________________________________________
>>> From: Rich Megginson [rmeggins at redhat.com]
>>> Sent: Thursday, 26 July 2012 1:58 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] winsync msi
>>>
>>> On 07/24/2012 03:15 PM, Steven Jones wrote:
>>>> Hi Rich,
>>>>
>>>> I can appreciate what you are saying, but....
>>>>
>>>> Not on Windows but specifically AD, the very core of our 21,000+ user
>>>> base, that makes such an add on significant and gets focus. What we have
>>>> seen with another similar (yes, commercial) MSI was a clash with another
>>>> MSI added to AD, the result was not pretty....hence the Windows ppl are
>>>> very careful when something like this is proposed.
>>>>
>>>> So actually some sites where this has been installed commercially would
>>>> be good, if need be I can raise a call to RH support? or RH NZ rep to get
>>>> that info in confidence / NDA.
>>>>
>>>> IPA like AD is not just another application, it's at the very centre of
>>>> everything. For us it will be the second or third most important system
>>>> we have. It will probably connect us to ppl across the world and them to
>>>> us (via federation/shibboleth) let alone our internal user base.
>>>>
>>>> Let's see if I can show this, so 99.9% uptime on an application is 9
>>>> hours off line per year.....per user.....say 100 users?
>>>>
>>>> So 1 hour off line in a business day with 21,000+ users.....21,000 hours
>>>> lost plus all the meetings on why and how to make sure it won't happen
>>>> again. If we were down for say a day or two....it would be in the IT if
>>>> not National papers....(yes OK NZ is small)....I think my new occupation
>>>> and some of the managers would be....road sweeping.....this makes them
>>>> very risk averse.
>>>>
>>>> Crazy thing of course is, yes IPA is free.......
>>>>
>>>> ;]
>>>>
>>>> I can appreciate things seem very strange in that context. Consider that
>>>> it's taken me 7 years to go from being employed specifically long enough
>>>> to get rid of Redhat/linux (and Solaris) and be 100% win2000 site to
>>>> having 100 RHEL servers with most of the mission critical things on
>>>> them.....all down to the quality of open source really......proof is in
>>>> the eating....it's proven very tasty......
>>> Ok. If you are a Red Hat paying customer, you should get the
>>> RedHat-PassSync .msi from an official Red Hat channel. We are working
>>> on addressing this issue.
>>>> :)
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> ________________________________________
>>>> From: Rich Megginson [rmeggins at redhat.com]
>>>> Sent: Wednesday, 25 July 2012 2:54 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] winsync msi
>>>>
>>>> On 07/23/2012 06:32 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> No not specific developers but some sort of statement of ownership from
>>>>> RedHat I suppose. So they are I assume looking for some sort of
>>>>> confidence that it won't trash AD and if I install it and it does trash
>>>>> our AD some liability.
>>>> Can you point me at another open source project that provides Windows
>>>> binaries that provides some sort of guarantee or statement or
>>>> documentation like this? I'd like to see what other projects do and
>>>> provide something similar.
>>>>
>>>> Or is this the first (and only?) time anyone in your organization has
>>>> ever installed any open source software on Windows?
>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> ________________________________________
>>>>> From: Rich Megginson [rmeggins at redhat.com]
>>>>> Sent: Tuesday, 24 July 2012 12:11 p.m.
>>>>> To: Steven Jones
>>>>> Cc: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] winsync msi
>>>>>
>>>>> On 07/23/2012 05:38 PM, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> For the winsync agreement my Windows and security teams want to know
>>>>>> its details,
>>>>>>
>>>>>> eg who wrote it,
>>>>> Red Hat - do you need to know the names of the developers?
>>>>>
>>>>>> it is Microsoft certified etc.
>>>>> Not that I know of - how would one go about doing that?
>>>>>> Where will I find such info?
>>>>>>
>>>>>> All I have is
>>>>>>
>>>>>> http://port389.org/wiki/Download
>>>>>>
>>>>>> Which doesn't tell me much.
>>>>> There is more info in the actual .msi file.
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
From dpal at redhat.com Fri Sep 7 19:55:41 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 15:55:41 -0400
Subject: [Freeipa-users] Active Directory slave zone in FreeIPA DNS (Franklin)
In-Reply-To: <503B5FA5.3070503@redhat.com>
References: <503B5FA5.3070503@redhat.com>
Message-ID: <504A513D.8000603@redhat.com>

On 08/27/2012 07:53 AM, Petr Spacek wrote:
> Hello,
>
> On 08/23/2012 07:00 AM, Franklin Catoni wrote:
>>> Hi,
>> Hello,
>>> Is the zone not transferring at all, or is it just the updates that's
>>> not transferred to the AD slave server?
>> It's not transferring at all.
>>
>>> If the zone is not transferring at all: Did you modify the "Allow
>>> transfer" property of the zone ?
>> yes, I changed the parameter to allow zone transfers from the AD
>>
>>> If the updates are not transferring: I believe automatic increment of the
>>> zone serial number will be supported in IPA 3.0. The IPA developers will
>>> have to confirm that. However you can manually change the serial number
>>> under Zone Settings.
>> Yes, I also read this information but I was hoping there was some other
>> solution to the issue. And I've manually changed the serial number of the
>> zone but without success
>>
>>> Hope this helps.
>> Thanks
>>
>>> Regards,
>>> Siggi
>
> I'm a bit confused, so I tried to summarize your configuration. Please
> correct me if I'm wrong:
>
> zone "ejemplo.com" = hosted on AD server
> zone "ejemplo.gob.ve" = hosted on FreeIPA server
>
> What is your target? Do you want to have both zones on each server?
> I.e. one server will be master for one zone and slave for the other
> zone (at the same time)?
>
> Zone transfers are supported from IPA 3.0. IPA can host only master
> zones, slave zones have to be set in /etc/named.conf manually. There
> is no centralized management of slave zones.
>
> Generally, you can test zone-transfers with dig:
>
> slave$ dig @master_IP -t AXFR zone.name
>
> It should print something like:
>
> zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1
> zone.example. 86400 IN NS unused-4-107.brq.redhat.com.
> zone.example. 86400 IN TXT "zone.example"
> ...
> zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1
>
> This way you can test ACL and other settings on master.
>
> Does transfer with dig work for both master servers?
>
> Petr^2 Spacek
>
I can find any updates on this thread. Has the issue been resolved?

>
>> 2012/8/20
>>
>> Today's Topics:
>>
>>    1. Re: Active Directory slave zone in FreeIPA DNS (Sigbjorn Lie)
>>    2. Re: sssd client cache timer and merging IPA domains (Rob Crittenden)
>>    3. Re: Question about migration and scripts variables (Rob Crittenden)
>>    4. Specifying load balancing to SSSD clients (Innes, Duncan)
>>    5. Re: Specifying load balancing to SSSD clients (Mark St.
>> Laurent)
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Sun, 19 Aug 2012 18:23:20 +0200
>> From: Sigbjorn Lie
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Active Directory slave zone in FreeIPA DNS
>> Message-ID: <503112F8.8000900 at nixtra.com>
>> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>>
>> On 08/19/2012 04:39 PM, Franklin Catoni wrote:
>> > Greetings community.
>> >
>> > I do not speak English so I will do my best.
>> >
>> > I have two environments in my company, a domain "ejemplo.com" with
>> > Windows Active Directory running on Windows Server 2003 Enterprise
>> > Edition SP2 and domain "ejemplo.gob.ve" with FreeIPA v2.2. mounted on
>> > Centos 6.3 x64. This is because we are in the middle of a platform
>> > migration process (a very slow process) from proprietary solutions to
>> > open source.
>> >
>> > DNS and DHCP service for my two environments is offered by the server
>> > Centos 6.3 which is mounted FreeIPA directory, clients are Windows
>> > computers Active Directory domain and linux computers in the domain Ipa.
>> >
>> > Currently the zone "ejemplo.gob.ve" is administered by the FreeIPA DNS
>> > using the plugin (bind-dyndb-ldap.x86_64 v1.1.0) and I configure a
>> > slave zone using bind (bind-9.8.2-0.10.rc1.el6_3.2.x86_64) for the
>> > domain "ejemplo.com" Active Directory
>> >
>> > Name resolution works perfectly for both Linux and Windows clients.
>> >
>> > Now here comes the tricky part
>> >
>> > In order to find a more centralized management of my services, I try
>> > to configure a slave zone to Active Directory through FreeIPA with
>> > dyndb bind-plugin-ldap and so to eliminate configuration through bind,
>> > but the transfers zone does not work, causing this many problems on
>> > both platforms.
>> > >> > The log shows me the following error: >> > >> > ServidorIPA named[3706]: zone ejemplo.com/IN/local >> >> > : zone serial (2012081801) >> unchanged. >> > zone may fail to transfer to slaves >> > >> > I've spent enough time looking at Super Google information >> that can >> > help me but it has not been easy, because it seems to be a >> rare situation. >> > >> > I ask. You can set this up under these circumstances? >> > Someone has accomplished? >> > Some information that horiente me to get a solution? >> > >> > Thanks for your time. >> > >> Hi, >> >> Is the zone not transferring at all, or is it just the updates >> that's >> not transferred to the AD slave server? >> >> If the zone is not transferring at all: Did yo modify the "Allow >> transfer" property of the zone ? >> >> If the updates is not transferring: I believe automatic increment >> of the >> zone serial number will be supported in IPA 3.0. The IPA >> developers will >> have to confirm that. However you can manually change the serial >> number >> under Zone Settings. >> >> Hope this helps. >> >> >> Regards, >> Siggi >> >> -------------- next part -------------- >> An HTML attachment was scrubbed... 
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 20 Aug 2012 08:44:32 -0400
>> From: Rob Crittenden
>> To: Lucas Yamanishi
>> Cc: "freeipa-users at redhat.com"
>> Subject: Re: [Freeipa-users] sssd client cache timer and merging IPA domains
>> Message-ID: <50323130.6030102 at redhat.com>
>> Content-Type: text/plain; charset=UTF-8; format=flowed
>>
>> Lucas Yamanishi wrote:
>> >
>> > On 08/17/2012 08:38 AM, Rob Crittenden wrote:
>> >> Lucas Yamanishi wrote:
>> >>>
>> >>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>> >>>> Lucas Yamanishi wrote:
>> >>>>>
>> >>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>> >>>>>> Lucas Yamanishi wrote:
>> >>>>>>> I just migrated my IPA instance from one to another a couple days ago to recover after a lost CA and failed yum upgrade. The "ipa migrate-ds" tool works very well, though I am having a few very minor issues. On the upside, as far as I can tell, you can skip the steps about Kerberos key generation as outlined in the documentation. I've been able to kinit just fine with my migrated users.
>> >>>>>>>
>> >>>>>>> Below are the few errors I've noticed.
>> >>>>>>>
>> >>>>>>> * When I ssh into an enrolled host using a migrated user's credentials I get this error:
>> >>>>>>>
>> >>>>>>> id: cannot find name for group ID 104600003
>> >>>>>>
>> >>>>>> Does a group exist with that GID? You can try something like:
>> >>>>>>
>> >>>>>> $ ipa group-find --gid=104600003
>> >>>>>>
>> >>>>> The group doesn't exist. The GID is the counterpart to my UID.
>> >>>>
>> >>>> Try adding --private.
>> >>>>
>> >>>> rob
>> >>>>
>> >>> Nope. It doesn't exist.
>> >>>
>> >>> Other groups migrated. Why would the private groups fail?
>> >>
>> >> I don't know, what have you done to date, including versions?
>> >>
>> >> rob
>> > I've been following the stable Scientific Linux releases since 6.1. Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64. The version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just upgraded from 2.1.3-9.el6.x86_64. I migrated to and use now 2.2.0-16.el6.x86_64.
>> >
>> > So...
>> > 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ----> 2.2.0-16.el6.x86_64
>> >
>>
>> Can you verify that managed entries are configured:
>>
>> # ipa-managed-entries -l
>>
>> It should return:
>>
>> UPG Definition
>> NGP Definition
>>
>> This enables user-private groups and netgroup-private groups.
>>
>> rob
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 20 Aug 2012 08:56:51 -0400
>> From: Rob Crittenden
>> To: James James
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Question about migration and scripts variables
>> Message-ID: <50323413.4090906 at redhat.com>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> James James wrote:
>> > Hi,
>> >
>> > my first question is about the migrate process. Is it possible to renumber the users during the migrate process (ipa migrate-ds) in a way that all imported users will have a new UID ?
>>
>> I haven't tested this but you might try --user-ignore-attribute=uidnumber,gidnumber.
>>
>> > my second question is about ipalib. I wanted to make a hook on the user creation. The hook works fine. I just want to know if there is a way to have the value of variables like the username, the name of the creator, the e-mail of the creator and stuff like that.
>>
>> The current user is available via: principal = getattr(context, 'principal')
>>
>> Using this you can look up that user:
>>
>> (binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
>>
>> rob
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Mon, 20 Aug 2012 14:48:30 +0100
>> From: "Innes, Duncan"
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] Specifying load balancing to SSSD clients
>> Message-ID: <56343345B145C043AE990701E3D193952B5511 at EXVS2.nrplc.localnet>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Folks,
>>
>> Hopefully this isn't a dumb question, but I'm constrained by a few things on my estate and would be looking to deploy something like the following:
>>
>> 2 Datacentres
>> 2 IPA servers at each datacentre
>>
>> ipa1.domain.com \_ datacentre A
>> ipa2.domain.com /
>>
>> ipa3.domain.com \_ datacentre B
>> ipa4.domain.com /
>>
>> The datacentres are linked, but bandwidth not great.
>>
>> Clients in datacentre A should therefore use ipa1.domain.com and ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4 when both 1 & 2 are out of action. Clients would revert to using ipa1/ipa2 whenever either of them came back online.
>>
>> I understand this configuration has already been done as part of https://fedorahosted.org/freeipa/ticket/2282
>>
>> What I'm wondering is if I can force my clients to load balance communication between ipa1 & ipa2.
>>
>> I don't have the ability to use the _srv_ records in DNS as that's set up for the AD servers on our network. I also can't create separate DNS servers for the Linux estate (not that I'd particularly want to).
>>
>> Is there any current configuration that I can use to force load balancing between ipa1/ipa2 under ideal conditions? Falling back to ipa2 when ipa1 is out of action. Falling back to (load balanced perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.
>>
>> Hope the description is reasonable.
>>
>> Thanks
>>
>> Duncan Innes | Linux Architect
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Mon, 20 Aug 2012 10:15:08 -0400 (EDT)
>> From: "Mark St. Laurent"
>> To: Duncan Innes
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Specifying load balancing to SSSD clients
>> Message-ID: <290044214.13057699.1345472108805.JavaMail.root at redhat.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/
>>
>> Norman "Mark" St. Laurent
>> Federal Team: Senior Solutions Architect
>> Red Hat
>> 8260 Greensboro Drive, Suite 300
>> McLean VA, 22102
>> Email: msl at redhat.com
>> Cell: 703.772.1434
>>
>> Check this Link out!!! Cool Stuff: http://mil-oss.org/
>>
>> ----- Original Message -----
>>
>> From: "Duncan Innes"
>> To: freeipa-users at redhat.com
>> Sent: Monday, August 20, 2012 9:48:30 AM
>> Subject: [Freeipa-users] Specifying load balancing to SSSD clients
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From rcritten at redhat.com Fri Sep 7 20:50:02 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Sep 2012 16:50:02 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To:
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com>
Message-ID: <504A5DFA.1040401@redhat.com>

Michael Mercier wrote:
>
> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>
>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>
>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>> Hello,
>>>>>
>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.
>>>>>
>>>>> [root@ipaserver ~]# ipa-replica-manage list
>>>>> ipaserver.mpls.local: master
>>>>> ipaserver2.mpls.local: master
>>>>> [root@ipaserver ~]# rpm -qa|grep ipa
>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>
>>>>>
>>>>> [root@ipaserver2 ~]# ipa-replica-manage list
>>>>> ipaserver.mpls.local: master
>>>>> ipaserver2.mpls.local: master
>>>>> [root@ipaserver2 ~]# rpm -qa|grep ipa
>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>
>>>>>
>>>>> [mike@ipaclient ~]$ rpm -qa|grep ipa
>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>
>>>>>
>>>>> I have a webserver (zenoss) using kerberos authentication.
>>>>>
>>>>> [root@zenoss ~]# rpm -qa|grep ipa
>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>
>>>>>
>>>>> SSLRequireSSL
>>>>> AuthType Kerberos
>>>>> AuthName "Kerberos Login"
>>>>>
>>>>> KrbMethodK5Passwd Off
>>>>> KrbAuthRealms MPLS.LOCAL
>>>>> KrbSaveCredentials on
>>>>> KrbServiceName HTTP
>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>>>>
>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>>>>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>>>>
>>>>>
>>>>> With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do an 'ifdown eth0' and attempt another connection, it fails. I have also noticed the following:
>>>>>
>>>>> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
>>>>> 2. It takes a longer period of time to do a kinit
>>>>>
>>>>> If I then perform:
>>>>> [root@ipaserver ~]# ifup eth0
>>>>>
>>>>> [root@ipaserver2 ~]# ifdown eth0
>>>>>
>>>>> [mike@ipaclient ~]$ kinit
>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>
>>>>> [root@ipaserver2 ~]# ifup eth0
>>>>>
>>>>> [mike@ipaclient ~]$ kinit
>>>>> Password for mike@MPLS.LOCAL:
>>>>> [mike@ipaclient ~]$
>>>>>
>>>>> [root@ipaserver2 ~]# ifdown eth0
>>>>>
>>>>> .. wait a number of minutes
>>>>>
>>>>> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
>>>>>
>>>>> [mike@ipaclient ~]$ kinit
>>>>> Password for mike@MPLS.LOCAL:
>>>>> [mike@ipaclient ~]$
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Thanks,
>>>>> Mike
>>>> This seems to be some DNS problem.
>>>> Your client does not see the second replica and might have some name resolution timeouts.
>>>>
>>>> Please check your dns setup and krb5.conf on the client.
>>>>
>>>> To help more we need more details about your client configuration, DNS and kerberos.
>>> Hi,
>>>
>>> Additional information...
>>>
>>> [root@zenoss ~]# more /etc/resolv.conf
>>> search mpls.local
>>> domain mpls.local
>>> nameserver 172.16.112.5
>>> nameserver 172.16.112.8
>>>
>>> [root@zenoss ~]# more /etc/krb5.conf
>>> #File modified by ipa-client-install
>>>
>>> [libdefaults]
>>> default_realm = MPLS.LOCAL
>>> dns_lookup_realm = true
>>> dns_lookup_kdc = true
>>> rdns = false
>>> ticket_lifetime = 24h
>>> forwardable = yes
>>>
>>> [realms]
>>> MPLS.LOCAL = {
>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> }
>>>
>>> [domain_realm]
>>> .mpls.local = MPLS.LOCAL
>>> mpls.local = MPLS.LOCAL
>>>
>>> [root@ipaclient ~]# more /etc/resolv.conf
>>> # Generated by NetworkManager
>>> search mpls.local
>>> nameserver 172.16.112.5
>>> nameserver 172.16.112.8
>>>
>>> [root@ipaclient ~]# more /etc/krb5.conf
>>> #File modified by ipa-client-install
>>>
>>> [libdefaults]
>>> default_realm = MPLS.LOCAL
>>> dns_lookup_realm = true
>>> dns_lookup_kdc = true
>>> rdns = false
>>> ticket_lifetime = 24h
>>> forwardable = yes
>>>
>>> [realms]
>>> MPLS.LOCAL = {
>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> }
>>>
>>> [domain_realm]
>>> .mpls.local = MPLS.LOCAL
>>> mpls.local = MPLS.LOCAL
>>>
>>> [root@ipaclient ~]# nslookup ipaserver
>>> Server: 172.16.112.5
>>> Address: 172.16.112.5#53
>>>
>>> Name: ipaserver.mpls.local
>>> Address: 172.16.112.5
>>>
>>> [root@ipaserver ~]# ifdown eth0
>>>
>>> [root@ipaclient ~]# nslookup ipaserver
>>> Server: 172.16.112.8
>>> Address: 172.16.112.8#53
>>>
>>> Name: ipaserver.mpls.local
>>> Address: 172.16.112.5
>>>
>>> [root@ipaclient ~]# nslookup ipaserver2
>>> Server: 172.16.112.8
>>> Address: 172.16.112.8#53
>>>
>>> Name: ipaserver2.mpls.local
>>> Address: 172.16.112.8
>>>
>>> Copy/paste from the DNS page on ipaserver/ipaserver2
>>>
>>> @ NS ipaserver.mpls.local.
>>> NS ipaserver2.mpls.local.
>>> _kerberos TXT MPLS.LOCAL
>>> _kerberos-master._tcp SRV 0 100 88 ipaserver
>>> SRV 0 100 88 ipaserver2
>>> _kerberos-master._udp SRV 0 100 88 ipaserver
>>> SRV 0 100 88 ipaserver2
>>> _kerberos._tcp SRV 0 100 88 ipaserver
>>> SRV 0 100 88 ipaserver2
>>> _kerberos._udp SRV 0 100 88 ipaserver
>>> SRV 0 100 88 ipaserver2
>>> _kpasswd._tcp SRV 0 100 464 ipaserver
>>> SRV 0 100 464 ipaserver2
>>> _kpasswd._udp SRV 0 100 464 ipaserver
>>> SRV 0 100 464 ipaserver2
>>> _ldap._tcp SRV 0 100 389 ipaserver
>>> SRV 0 100 389 ipaserver2
>>> _ntp._udp SRV 0 100 123 ipaserver
>>> SRV 0 100 123 ipaserver2
>>> ipaclient A 172.16.112.9
>>> ipaclient2 A 172.16.112.145
>>> ipaserver A 172.16.112.5
>>> ipaserver2 A 172.16.112.8
>>> zenoss A 172.16.112.6
>>>
>>> Thanks,
>>> Mike
>>>
>> I noticed that there is no domain line in the resolv.conf on the client.
>> AFAIU in this case it would determine the domain by the gethostname and in case of network being down it will fail over to the hosts file.
>> I wonder what is in your /etc/hosts?
>> Does it have just a short host name?
>
> [root@ipaclient ~]# more /etc/hosts
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
>
>
> Add domain mpls.local to /etc/resolv.conf
>
> [root@ipaserver ~]# ifdown eth0
>
> [root@ipaclient ~]# kinit mike
> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
> [root@ipaclient ~]# nslookup ipaserver
> Server: 172.16.112.8
> Address: 172.16.112.8#53
>
> Name: ipaserver.mpls.local
> Address: 172.16.112.5
>
> [root@ipaclient ~]# nslookup ipaserver2
> Server: 172.16.112.8
> Address: 172.16.112.8#53
>
> Name: ipaserver2.mpls.local
> Address: 172.16.112.8
>
> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts
>
> [root@ipaserver ~]# ifup eth0
>
> [root@ipaclient ~]# kinit mike
> Password for mike@MPLS.LOCAL:
>
> [root@ipaserver ~]# ifdown eth0
>
> [root@ipaclient ~]# kinit mike
> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
> [root@ipaclient ~]# nslookup -type=srv _kerberos-master._tcp
> Server: 172.16.112.8
> Address: 172.16.112.8#53
>
> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local.
>
> [root@ipaclient ~]# nslookup -type=srv _kerberos-master._udp
> Server: 172.16.112.5
> Address: 172.16.112.5#53
>
> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver.mpls.local.
> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
>
>
> [root@ipaclient ~]# kinit mike
> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>
> [root@ipaserver ~]# ifup eth0
>
> [root@ipaclient ~]# kinit mike
> Password for mike@MPLS.LOCAL:

I'd start with the sssd logs. Is it seeing the main server go offline and not switching to the second one? Or is it going into offline mode? Do you have _srv_ or both servers listed in ipa_server in /etc/sssd/sssd.conf?
rob


From dpal at redhat.com Fri Sep 7 23:34:46 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 19:34:46 -0400
Subject: [Freeipa-users] 'Request is a replay'
In-Reply-To: <5011482C.9070507@nixtra.com>
References: <26584.213.225.75.97.1343118176.squirrel@www.nixtra.com> <1343154573.3219.335.camel@willson.li.ssimo.org> <25917.213.225.75.97.1343202876.squirrel@www.nixtra.com> <25082.213.225.75.97.1343304507.squirrel@www.nixtra.com> <50113DCF.2060902@redhat.com> <5011482C.9070507@nixtra.com>
Message-ID: <504A8496.2010102@redhat.com>

On 07/26/2012 09:37 AM, Sigbjorn Lie wrote:
> On 07/26/2012 02:53 PM, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> On Wed, July 25, 2012 09:54, Sigbjorn Lie wrote:
>>>> On Tue, July 24, 2012 20:29, Simo Sorce wrote:
>>>>>
>>>>> On Tue, 2012-07-24 at 10:22 +0200, Sigbjorn Lie wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I keep seeing this error message in our production environment "Request is a replay" in various services using kerberos like ssh, sssd, automounter, squid +++ after the upgrade to RHEL 6.3 / IPA 2.2.
>>>>>>
>>>>>> Jul 24 10:16:11 server027 sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Request is a replay)
>>>>>>
>>>>>> Searching google seems to suggest that this is an error with time. However we have NTP configured (IPA servers as NTP servers) which is synchronized to external NTP servers. There has been no issue before, and I cannot find an issue with the time being out of sync on the machines where this is happening.
>>>>>
>>>>> This error usually appears only when a same request is found in the replay cache. It shouldn't be related to time issues, in that case you usually get clock-skew.
>>>>>
>>>>> Can you tell me what operation was being performed by sssd when you caught that error ? Can you check if immediately before another identical operation had been performed ?
>>>>>
>>>>
>>>> That being said, I do have 1 IPA server (out of 3) that has significantly higher CPU usage than the other 2, the 15-minute load average is sitting at between 0.85 and 0.95 the entire day, where the ns-slapd 389-ds process is running at 100% most of the time.
>>>>
>>>> Load: 1.02, 0.94, 0.87
>>>>
>>>> In comparison the other two IPA servers have a 15-minute average between 0.10 - 0.30 throughout the day, and the ns-slapd process is far from being such a cpu hog.
>>>>
>>>> On the server having high load, running even a command such as "ipactl status" can take up to 20 seconds to complete, where "Directory Service: RUNNING" returns after a second or so, and to list the rest of the services takes the remaining 19 seconds.
>>>>
>>>> Also the web interface on this particular IPA server is rendered unusable, returning "Limits exceeded for the query" for almost any action.
>>>>
>>>> Restarting all the IPA services (ipactl restart) on the problematic host somewhat improves the situation, however that particular server returns to having heavy load quickly.
>>>>
>>>> Using logconv.pl to analyze the dirsrv access log file displays that the server in question has the lowest search queries per min with 106 queries/min. The other servers have 710 search queries/sec and 168 queries/sec.
>>>>
>>>> For modifications all the IPA servers have about 5-6 queries/sec. For unindexed searches the problematic server is the server with the lowest number. It does however have more than twice the amount of GSSAPI binds than the other servers with over 61000 GSSAPI binds over a 17 hour period.
>>>>
>>>> The problematic server is a physical server with 2 x AMD 2.4GHz Quad core CPU and 8GB of RAM.
>>>>
>>>> This issue is also impacting all the clients, where I see random hangs with anything involving a ldap or kerberos query to the IPA servers.
>>>>
>>>> Any suggestions?
>>>>
>>>
>>> Anyone ?
>>>
>>> I am starting to see the Replay error when using the "ipa" CLI tool as well, causing the request to drop out in an error.
>>>
>>> ipa dnsrecord-show example.com hostname
>>> ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Request is a replay)
>>
>> Sorry, I had started a reply yesterday and got side-tracked and never sent it.
>>
> I know that feeling. :)
>> For the one server is busier than others, how are your clients configured? Are you using DNS SRV records?
>>
> We use DNS SRV records for everything LDAP that does support it -> SSSD and Linux automounter. Solaris clients, Red Hat 5 using nss_ldap, and NetApp use statically configured machines, however this is the second server in the server list for these machines. The primary server got more than 7x more LDAP queries per minute, and the load on the primary is much, much lower. All kerberos clients are using DNS SRV for lookups, no static configuration there.
>
> I see some hiccups on the clients as well, when browsing nfs shares (looking up UIDs), unlocking a client etc. It would seem like these are related to the "faulty" IPA server with high load, as it seems to respond very slowly to a lot of ldap queries too. I have tried removing it from the DNS SRV records an hour ago, and things seem to run smoother. A few services are still looking up there though, and the load on the "faulty" server is still high even with fewer clients. The primary server that's now receiving most of the queries barely increased anything at all in CPU usage.
>
>> For the replay, are your servers running in bare metal or in VMs? How about the clients? This sure seems like a time issue.
>
> The time is configured as it has been for a long time. The physical IPA servers are synchronized from external time sources, providing the rest of the network with time. We have 2 physical servers and 1 virtual server. I have looked into the time, and it does seem like everything is synchronized.
>
> The amount of clients has not changed much over the last few months.
>
> These issues started appearing just after the upgrade to RHEL 6.3 / IPA 2.2.
>
> Any suggestions to where to continue the troubleshooting?

Was this issue ever resolved?

> Regards,
> Siggi

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


From dpal at redhat.com Fri Sep 7 23:35:41 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 19:35:41 -0400
Subject: [Freeipa-users] dirsrv@PKI-IPA.service disappeared
In-Reply-To:
References:
Message-ID: <504A84CD.9080809@redhat.com>

On 07/26/2012 09:57 AM, Tomasz 'Zen' Napierała wrote:
> Hi,
>
> After upgrade from F16 to F17 FreeIPA 2.2.0.1 on secondary servers dirsrv@PKI-IPA.service disappeared.
> There is an entry for it in systemd, but no config files, etc.
>
> /var/log/messages:Jul 24 19:50:56 ldap-XX systemd[1]: dirsrv@PKI-IPA.service failed to run 'start' task: No such file or directory
> /var/log/messages:Jul 24 19:50:56 ldap-XX systemd[1]: Unit dirsrv@PKI-IPA.service entered failed state.
>
> /var/log/messages:Jul 26 13:28:01 ldap-XY systemd[1]: dirsrv@PKI-IPA.service failed to run 'start' task: No such file or directory
> /var/log/messages:Jul 26 13:28:01 ldap-XY systemd[1]: Unit dirsrv@PKI-IPA.service entered failed state.
>
> I upgraded two replicas and then master during 2 days.
> What can I do to fix that problem?
>
> Regards,

Sorry I do not see any reply. Was this issue resolved?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


From dpal at redhat.com Fri Sep 7 23:58:30 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 19:58:30 -0400
Subject: [Freeipa-users] Re-run install script?
In-Reply-To: <1343933918.20530.133.camel@willson.li.ssimo.org>
References: <24505.213.225.75.97.1343912795.squirrel@www.nixtra.com> <1343920655.20530.125.camel@willson.li.ssimo.org> <1343933918.20530.133.camel@willson.li.ssimo.org>
Message-ID: <504A8A26.7020508@redhat.com>

On 08/02/2012 02:58 PM, Simo Sorce wrote:
> On Thu, 2012-08-02 at 08:22 -0700, Kline, Sara wrote:
>> Copied from below:
>> I get the same error if I try to use ipa host-del although again this works fine for other entries.
>>
>> I have tried everything that the documentation suggested to try and have searched Google pretty extensively. I am not finding a way to clear this error, and I am not finding anyone else who has this particular error either.
>> People taking systems down without notifying us happens more frequently than I care to admit so this could potentially come up in our production environment. I just want to make sure that there is a way to remove the entries...by force if necessary. Or if I need to do a manual configuration to get it to work then I will do that. Just need some guidance on if there is a tool that will remove the bad entry or if it will just be a manual setup now.
>
> Can you see if there is any error in the https error log on the ipa server related to this error when running ipa host-del ?
>
> Simo.
>

Was this issue ever resolved? It reminds me of another thread that I have read today. In that thread the issue was that the PKI server DS instance was not running. That was causing the command to fail to communicate with CS and send out an error.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


From dpal at redhat.com Sat Sep 8 00:05:00 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Sep 2012 20:05:00 -0400
Subject: [Freeipa-users] unable to logout of IPA
In-Reply-To: <5012A5F2.102@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD66EF9@STAWINCOX10MBX1.staff.vuw.ac.nz> <1343361689.2666.27.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CD66FA8@STAWINCOX10MBX1.staff.vuw.ac.nz> <50129765.8010700@redhat.com> <5012A5F2.102@redhat.com>
Message-ID: <504A8BAC.8050108@redhat.com>

On 07/27/2012 10:30 AM, Petr Spacek wrote:
> On 07/27/2012 03:28 PM, John Dennis wrote:
>> On 07/27/2012 02:06 AM, Dan Scott wrote:
>>> Hi,
>>>
>>> I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently:
>>>
>>> http://www.grc.com/sn/sn-360.htm
>>>
>>> Search for 'sessionstore' and read a little before and after.
>>>
>>> Are session cookies relevant for kerberos authentication?
>>
>> It's only tangentially relevant. IPA does use session cookies. IPA logout destroys the session on the server making the session cookie stored in the browser invalid.
>>
>> However, SSO (Single Sign-On) continues to work as it's supposed to. As long as you have valid credentials in your kerberos cache you'll be automatically logged in (albeit with a brand new session and session cookie). All this is by design.
>>
>> You can logout of IPA which destroys your session, but unless you also destroy your credentials the automatic SSO process will be applied the next time you visit the web UI.
>>
>>
> Would it be possible to add "login as another user" functionality?
> I mean "destroy session && ignore any Kerberos tickets && start form-based auth"?
>
> IMHO it could be handy, at least for demonstration purposes.

Please log a ticket.

> Petr^2 Spacek
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


From dpal at redhat.com Sat Sep 8 15:03:34 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 08 Sep 2012 11:03:34 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <504A5DFA.1040401@redhat.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com>
Message-ID: <504B5E46.1020002@redhat.com>

On 09/07/2012 04:50 PM, Rob Crittenden wrote:
> Michael Mercier wrote:
>>
>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>
>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>
>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.
>>>>>>
>>>>>> [root at ipaserver ~]#ipa-replica-manage list
>>>>>> ipaserver.mpls.local: master
>>>>>> ipaserver2.mpls.local: master
>>>>>> [root at ipaserver ~]# rpm -qa|grep ipa
>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>
>>>>>>
>>>>>> [root at ipaserver2 ~]#ipa-replica-manage list
>>>>>> ipaserver.mpls.local: master
>>>>>> ipaserver2.mpls.local: master
>>>>>> [root at ipaserver2 ~]# rpm -qa|grep ipa
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>
>>>>>>
>>>>>> [mike at ipaclient ~]$ rpm -qa|grep ipa
>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>
>>>>>>
>>>>>> I have a webserver (zenoss) using kerberos authentication.
>>>>>>
>>>>>> [root at zenoss ~]# rpm -qa|grep ipa
>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>
>>>>>>
>>>>>> SSLRequireSSL
>>>>>> AuthType Kerberos
>>>>>> AuthName "Kerberos Login"
>>>>>>
>>>>>> KrbMethodK5Passwd Off
>>>>>> KrbAuthRealms MPLS.LOCAL
>>>>>> KrbSaveCredentials on
>>>>>> KrbServiceName HTTP
>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>>>>>
>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>>>>>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>>>>>
>>>>>>
>>>>>>
>>>>>> With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails. I have also noticed the following:
>>>>>>
>>>>>> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
>>>>>> 2. It takes a longer period of time to do a kinit
>>>>>>
>>>>>> If I then perform:
>>>>>> [root at ipaserver ~]#ifup eth0
>>>>>>
>>>>>> [root at ipaserver2 ~]#ifdown eth0
>>>>>>
>>>>>> [mike at ipaclient ~]$kinit
>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>
>>>>>> [root at ipaserver2 ~]#ifup eth0
>>>>>>
>>>>>> [mike at ipaclient ~]$ kinit
>>>>>> Password for mike at MPLS.LOCAL:
>>>>>> [mike at ipaclient ~]$
>>>>>>
>>>>>> [root at ipaserver2 ~]#ifdown eth0
>>>>>>
>>>>>> ..
>>>>>> wait number of minutes
>>>>>>
>>>>>> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
>>>>>>
>>>>>> [mike at ipaclient ~]$kinit
>>>>>> Password for mike at MPLS.LOCAL:
>>>>>> [mike at ipaclient ~]$
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> Thanks,
>>>>>> Mike
>>>>> This seems to be some DNS problem.
>>>>> Your client does not see the second replica and might have some name resolution timeouts.
>>>>>
>>>>> Please check your dns setup and krb5.conf on the client.
>>>>>
>>>>> To help more we need more details about your client configuration DNS and kerberos.
>>>> Hi,
>>>>
>>>> Additional information...
>>>>
>>>> [root at zenoss ~]#more /etc/resolv.conf
>>>> search mpls.local
>>>> domain mpls.local
>>>> nameserver 172.16.112.5
>>>> nameserver 172.16.112.8
>>>>
>>>> [root at zenoss ~]# more /etc/krb5.conf
>>>> #File modified by ipa-client-install
>>>>
>>>> [libdefaults]
>>>> default_realm = MPLS.LOCAL
>>>> dns_lookup_realm = true
>>>> dns_lookup_kdc = true
>>>> rdns = false
>>>> ticket_lifetime = 24h
>>>> forwardable = yes
>>>>
>>>> [realms]
>>>> MPLS.LOCAL = {
>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>> }
>>>>
>>>> [domain_realm]
>>>> .mpls.local = MPLS.LOCAL
>>>> mpls.local = MPLS.LOCAL
>>>>
>>>> [root at ipaclient ~]# more /etc/resolv.conf
>>>> # Generated by NetworkManager
>>>> search mpls.local
>>>> nameserver 172.16.112.5
>>>> nameserver 172.16.112.8
>>>>
>>>> [root at ipaclient ~]# more /etc/krb5.conf
>>>> #File modified by ipa-client-install
>>>>
>>>> [libdefaults]
>>>> default_realm = MPLS.LOCAL
>>>> dns_lookup_realm = true
>>>> dns_lookup_kdc = true
>>>> rdns = false
>>>> ticket_lifetime = 24h
>>>> forwardable = yes
>>>>
>>>> [realms]
>>>> MPLS.LOCAL = {
>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>> }
>>>>
>>>> [domain_realm]
>>>> .mpls.local = MPLS.LOCAL
>>>> mpls.local = MPLS.LOCAL
>>>>
>>>> [root at ipaclient ~]# nslookup ipaserver
>>>> Server: 172.16.112.5
>>>> Address:
172.16.112.5#53
>>>>
>>>> Name: ipaserver.mpls.local
>>>> Address: 172.16.112.5
>>>>
>>>> [root at ipaserver ~]#ifdown eth0
>>>>
>>>> [root at ipaclient ~]# nslookup ipaserver
>>>> Server: 172.16.112.8
>>>> Address: 172.16.112.8#53
>>>>
>>>> Name: ipaserver.mpls.local
>>>> Address: 172.16.112.5
>>>>
>>>> [root at ipaclient ~]# nslookup ipaserver2
>>>> Server: 172.16.112.8
>>>> Address: 172.16.112.8#53
>>>>
>>>> Name: ipaserver2.mpls.local
>>>> Address: 172.16.112.8
>>>>
>>>> Copy/paste from the DNS page on ipaserver/ipaserver2
>>>>
>>>> @ NS ipaserver.mpls.local.
>>>> NS ipaserver2.mpls.local.
>>>> _kerberos TXT MPLS.LOCAL
>>>> _kerberos-master._tcp SRV 0 100 88 ipaserver
>>>> SRV 0 100 88 ipaserver2
>>>> _kerberos-master._udp SRV 0 100 88 ipaserver
>>>> SRV 0 100 88 ipaserver2
>>>> _kerberos._tcp SRV 0 100 88 ipaserver
>>>> SRV 0 100 88 ipaserver2
>>>> _kerberos._udp SRV 0 100 88 ipaserver
>>>> SRV 0 100 88 ipaserver2
>>>> _kpasswd._tcp SRV 0 100 464 ipaserver
>>>> SRV 0 100 464 ipaserver2
>>>> _kpasswd._udp SRV 0 100 464 ipaserver
>>>> SRV 0 100 464 ipaserver2
>>>> _ldap._tcp SRV 0 100 389 ipaserver
>>>> SRV 0 100 389 ipaserver2
>>>> _ntp._udp SRV 0 100 123 ipaserver
>>>> SRV 0 100 123 ipaserver2
>>>> ipaclient A 172.16.112.9
>>>> ipaclient2 A 172.16.112.145
>>>> ipaserver A 172.16.112.5
>>>> ipaserver2 A 172.16.112.8
>>>> zenoss A 172.16.112.6
>>>>
>>>> Thanks,
>>>> Mike
>>>>
>>> I noticed that there is no domain line in the resolv.conf on the client.
>>> AFAIU in this case it would determine the domain by the gethostname and in case of network being down it will fail over to the hosts file.
>>> I wonder what is in your /etc/hosts?
>>> Does it have just a short host name?
>>
>> [root at ipaclient ~]# more /etc/hosts
>> 127.0.0.1 localhost.localdomain localhost
>> ::1 localhost6.localdomain6 localhost6
>>
>>
>> Add domain mpls.local to /etc/resolv.conf
>>
>> [root at ipaserver ~]#ifdown eth0
>>
>> [root at ipaclient ~]# kinit mike
>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>> [root at ipaclient ~]# nslookup ipaserver
>> Server: 172.16.112.8
>> Address: 172.16.112.8#53
>>
>> Name: ipaserver.mpls.local
>> Address: 172.16.112.5
>>
>> [root at ipaclient ~]# nslookup ipaserver2
>> Server: 172.16.112.8
>> Address: 172.16.112.8#53
>>
>> Name: ipaserver2.mpls.local
>> Address: 172.16.112.8
>>
>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts
>>
>> [root at ipaserver ~]#ifup eth0
>>
>> [root at ipaclient ~]# kinit mike
>> Password for mike at MPLS.LOCAL:
>>
>> [root at ipaserver ~]#ifdown eth0
>>
>> [root at ipaclient ~]# kinit mike
>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._tcp
>> Server: 172.16.112.8
>> Address: 172.16.112.8#53
>>
>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local.
>>
>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._udp
>> Server: 172.16.112.5
>> Address: 172.16.112.5#53
>>
>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver.mpls.local.
>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
>>
>>
>> [root at ipaclient ~]# kinit mike
>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>
>> [root at ipaserver ~]#ifup eth0
>>
>> [root at ipaclient ~]# kinit mike
>> Password for mike at MPLS.LOCAL:
>
> I'd start with the sssd logs. Is it seeing the main server go offline and not switching to the second one? Or is it going into offline mode?
>
> Do you have _srv_ or both servers listed in ipa_server in /etc/sssd/sssd.conf?
>
> rob
>

Rob, maybe I am missing something but how is SSSD related in this case? The test is done using kinit not SSSD. It would actually be an interesting test to try the same via SSSD, for example do su to mike instead of kinit and see what would happen (watch SSSD logs with high debug level, 8 for example). If that works it would probably mean that kinit does not fail over properly. So this would be a Kerberos kinit bug not IPA/SSSD bug.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Sat Sep 8 15:08:18 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 08 Sep 2012 11:08:18 -0400
Subject: [Freeipa-users] HBAC Test - web vs command line - returns different results
Message-ID: <504B5F62.10308@redhat.com>

On 08/31/2012 09:33 AM, Michael Mercier wrote:
> Hello,
>
> I seem to be having a problem with the HBAC test:
>
> Versions:
> [root at ipaserver ipatest]# rpm -qa|grep ^ipa
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
>
>
> On the web console:
>
> Browse to HBAC TEST
>
> Who: mike
> Accessing: pix.beta.local
> Via service: tac_plus
> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
> Rules: tacacs
>
> Run Test -> Access Granted with matched rules showing tacacs
>
> On the command line:
>
> ipa hbactest
> User name: mike
> Target Host: pix.beta.local
> Service: tac_plus
> ---------------------
> Access granted: False
> ---------------------
> Not matched rules: tacacs
>
> tacacs rule:
> General: Enabled
> Who: user group: ciscoadmin -> mike is a member
> accessing: cisco-devices -> pix.beta.local is a member
> Via Service: tac_plus
> From: any host
>
> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>
> Any ideas?
>
> Thanks,
> Mike
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

I do not know whether this issue was resolved. Hope it was on the IRC or in some other way.
The problem above is related to the "from host" I believe. Please do not use the "from host". The whole concept is a bit broken and not reliable. Please let me know if you need more details or you already found this info from mail archives and docs.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From tomasz at napierala.org Sat Sep 8 17:49:19 2012
From: tomasz at napierala.org (Tomasz 'Zen' Napierała)
Date: Sat, 8 Sep 2012 19:49:19 +0200
Subject: [Freeipa-users] dirsrv@PKI-IPA.service disappeared
In-Reply-To: <504A84CD.9080809@redhat.com>
References: <504A84CD.9080809@redhat.com>
Message-ID: <92A6ED45-78FE-476B-9B07-1C48271B0E24@napierala.org>

On Sep 8, 2012, at 1:35 AM, Dmitri Pal wrote:
> On 07/26/2012 09:57 AM, Tomasz 'Zen' Napierała wrote:
>> Hi,
>>
>> After upgrade from F16 to F17 FreeIPA 2.2.0.1 on secondary servers dirsrv at PKI-IPA.service disappeared.
>> There is an entry for it in systemd, but no config files, etc.
>>
>> /var/log/messages:Jul 24 19:50:56 ldap-XX systemd[1]: dirsrv at PKI-IPA.service failed to run 'start' task: No such file or directory
>> /var/log/messages:Jul 24 19:50:56 ldap-XX systemd[1]: Unit dirsrv at PKI-IPA.service entered failed state.
>>
>> /var/log/messages:Jul 26 13:28:01 ldap-XY systemd[1]: dirsrv at PKI-IPA.service failed to run 'start' task: No such file or directory
>> /var/log/messages:Jul 26 13:28:01 ldap-XY systemd[1]: Unit dirsrv at PKI-IPA.service entered failed state.
>>
>> I upgraded two replicas and then master during 2 days. What can I do to fix that problem?
>>
>> Regards,
> Sorry I do not see any reply. Was this issue resolved?

Not really, I didn't have time to investigate that, I created new replicas ;)

Regards,

--
Tomasz 'Zen' Napierała
tomasz at napierala.org

From sigbjorn at nixtra.com Sun Sep 9 20:16:46 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 09 Sep 2012 22:16:46 +0200
Subject: [Freeipa-users] 'Request is a replay'
In-Reply-To: <504A8496.2010102@redhat.com>
References: <26584.213.225.75.97.1343118176.squirrel@www.nixtra.com> <1343154573.3219.335.camel@willson.li.ssimo.org> <25917.213.225.75.97.1343202876.squirrel@www.nixtra.com> <25082.213.225.75.97.1343304507.squirrel@www.nixtra.com> <50113DCF.2060902@redhat.com> <5011482C.9070507@nixtra.com> <504A8496.2010102@redhat.com>
Message-ID: <504CF92E.8000200@nixtra.com>

On 09/08/2012 01:34 AM, Dmitri Pal wrote:
> On 07/26/2012 09:37 AM, Sigbjorn Lie wrote:
>> On 07/26/2012 02:53 PM, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>> On Wed, July 25, 2012 09:54, Sigbjorn Lie wrote:
>>>>> On Tue, July 24, 2012 20:29, Simo Sorce wrote:
>>>>>
>>>>>> On Tue, 2012-07-24 at 10:22 +0200, Sigbjorn Lie wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I keep seeing this error message in our production environment "Request is a replay" in various services using kerberos like ssh, sssd, automounter, squid +++ after the upgrade to RHEL 6.3 / IPA 2.2.
>>>>>>>
>>>>>>> Jul 24 10:16:11 server027 sssd_be: GSSAPI Error: Unspecified GSS failure.
>>>>>>> Minor code may provide more information (Request is a replay)
>>>>>>>
>>>>>>> Searching google seems to suggest that this is an error with time. However we have NTP configured (IPA servers as NTP servers) which is synchronized to external NTP servers. There has been no issue before, and I cannot find issue with the time being out of sync on the machines where this is happening.
>>>>>> This error usually appears only when a same request is found in the replay cache. It shouldn't be related to time issues, in that case you usually get clock-skew.
>>>>>>
>>>>>> Can you tell me what operation was being performed by sssd when you caught that error? Can you check if immediately before another identical operation had been performed?
>>>>>>
>>>>> That being said, I do have 1 IPA server (out of 3) that has significantly higher CPU usage than the other 2, the 15-minute load average is sitting at between 0.85 and 0.95 the entire day, where ns-slapd 389-ds process is running at 100% most of the time.
>>>>>
>>>>> Load: 1.02, 0.94, 0.87
>>>>>
>>>>> In comparison the other two IPA servers have a 15-minute average between 0.10 - 0.30 throughout the day, and the ns-slapd process is far from being such a cpu hog.
>>>>>
>>>>> On the server having high load, running even a command such as "ipactl status" can take up to 20 seconds to complete, where "Directory Service: RUNNING" returns after a second or so, and to list the rest of the services takes the remaining 19 seconds.
>>>>>
>>>>> Also the web interface on this particular IPA server is rendered unusable, returning "Limits exceeded for the query" for almost any action.
>>>>>
>>>>> Restarting all the IPA services (ipactl restart) on the problematic host somewhat improves the situation, however that particular server returns to having heavy load quickly.
>>>>>
>>>>> Using logconv.pl to analyze the dirsrv access log file displays that the server in question has the lowest search queries per min with 106 queries/min. The other servers have 710 search queries/sec and 168 queries/sec.
>>>>>
>>>>> For modifications all the IPA servers have about 5-6 queries/sec. For unindexed searches the problematic server is the server with the lowest number. It does however have more than twice the amount of GSSAPI binds than the other servers with over 61000 GSSAPI binds over a 17 hour period.
>>>>>
>>>>> The problematic server is a physical server with 2 x AMD 2.4GHz Quad core CPU and 8GB of RAM.
>>>>>
>>>>> This issue is also impacting all the clients, where I see random hangs with anything involving a ldap or kerberos query to the IPA servers.
>>>>>
>>>>> Any suggestions?
>>>>>
>>>> Anyone?
>>>>
>>>> I am starting to see the Replay error when using the "ipa" CLI tool as well, causing the request to drop out in an error.
>>>>
>>>> ipa dnsrecord-show example.com hostname
>>>> ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Request is a replay)
>>> Sorry, I had started a reply yesterday and got side-tracked and never sent it.
>>>
>> I know that feeling. :)
>>> For the one server is busier than others, how are your clients configured? Are you using DNS SRV records?
>>>
>> We use DNS SRV records for everything LDAP that does support it -> SSSD and Linux automounter. Solaris clients, Red Hat 5 using nss_ldap, and NetApp use statically configured machines, however this is the second server in the server list for these machines.
>> The primary server got more than 7x more LDAP queries per minute, and the load on the primary is much, much lower. All kerberos clients are using DNS SRV for lookups, no static configuration there.
>>
>> I see some hiccups on the clients as well, when browsing nfs shares (looking up UIDs), unlocking a client etc. It would seem like these are related to the "faulty" IPA server with high load, as it seems to respond very slowly to a lot of ldap queries too. I have tried removing it from the DNS SRV records an hour ago, and things seem to run smoother. A few services are still looking up there though, and the load on the "faulty" server is still high even with fewer clients. The primary server that's now receiving most of the queries barely increased anything at all in CPU usage.
>>
>>> For the replay, are your servers running in bare metal or in VMs? How about the clients? This sure seems like a time issue.
>> The time is configured as it has been for a long time. The physical IPA servers are synchronized from external time sources, providing the rest of the network with time. We have 2 physical servers and 1 virtual server. I have looked into the time, and it does seem like everything is synchronized.
>>
>> The amount of clients has not changed much over the last few months.
>>
>> These issues started appearing just after the upgrade to RHEL 6.3 / IPA 2.2.
>>
>> Any suggestions to where to continue the troubleshooting?
>>
>>
> Was this issue ever resolved?
>

I believe this is related to slow response from the krb server when binding with GSSAPI as documented in:
https://bugzilla.redhat.com/show_bug.cgi?id=845125

I'm waiting for an updated package to become available for RHEL 6.3. In the meantime I have switched the Linux automounters over to a simple bind to work around the issue.

Thanks for the follow up.
:)

Rgds,
Siggi

From sigbjorn at nixtra.com Sun Sep 9 20:25:59 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 09 Sep 2012 22:25:59 +0200
Subject: [Freeipa-users] openindiana ldap client
In-Reply-To: <504A3F0A.4090402@redhat.com>
References: <50439019.8080804@nixtra.com> <504A3F0A.4090402@redhat.com>
Message-ID: <504CFB57.8030004@nixtra.com>

On 09/07/2012 08:38 PM, Dmitri Pal wrote:
> On 09/02/2012 12:58 PM, Sigbjorn Lie wrote:
>> On 09/02/2012 04:37 PM, Natxo Asenjo wrote:
>>> hi,
>>>
>>> Recently I have been playing with the zfs for its native nfs4 acl capabilities. I have used openindiana for this. For those wondering about openindiana, it is a distribution of the former opensolaris code.
>>>
>>> I got the ldap client to work for retrieving user/group info from ipa using the ldapclient command:
>>>
>>> # ldapclient manual \
>>> -a authenticationMethod=none \
>>> -a defaultSearchBase=dc=ipa,dc=asenjo,dc=nx \
>>> -a domainName=ipa.asenjo.nx \
>>> -a defaultServerList=kdc.ipa.asenjo.nx \
>>> -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \
>>> -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter]
>>>
>>> you need to enable the ldap/client service:
>>>
>>> # svcadm enable ldap/client:default [enter]
>>>
>>> After which, modify /etc/nsswitch.conf to add the ldap provider for passwd and group:
>>>
>>> passwd: files ldap
>>> group: files ldap
>>>
>>> That's it, test it:
>>>
>>> # id admin
>>> uid=642800000(admin) gid=642800000(admins) groups=642800000(admins)
>>>
>>> # getent passwd admin
>>> admin:x:642800000:642800000:Administrator:/home/admin:/bin/bash
>>>
>>> So it works. The kerberos stuff will be next ...
>>>
>>> One thing I have not yet gotten to work is that these changes are not persistent across reboots. The ldapclient config stays, but the service ldap/client does not start (stays disabled) and nsswitch.conf misses the ldap entries.
>>> So far I am fixing this from cfengine (gotta love it).
>>>
>>> So apparently, for solaris 10 and newer versions, the procedure outlined in http://freeipa.com/page/ConfiguringSolarisClients is no longer necessary as far as the ldap client is concerned.
>>>
>>> --
>>> Groeten,
>>> natxo
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Hi,
>>
>> I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I use a DUAProfile with ldapclient. This stays configured and the ldap/client service is enabled across reboots.
>>
>> There is a DUAProfile included by default with IPA, but it requires some tweaking to support more than just the basic features. See this bugzilla for a more comprehensive example:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>>
>> There is also some more info about configuring Solaris clients in this bugzilla:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=815533
>
> Siggi, can you please review http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html and confirm that this is correct and has the latest?
>
> If you find some inconsistency would you mind filing a fedora doc bug?

There are some issues in that document. I have been working with Rob with regards to the previous 2 bugzilla doc bugs I opened:

https://bugzilla.redhat.com/show_bug.cgi?id=815533
https://bugzilla.redhat.com/show_bug.cgi?id=815515

These BZs cover configuring a DUA profile and configuring Solaris 10 as an IPA client. I presume Rob's work will become the new Solaris 10 IPA Client documentation for both Fedora and RHEL?

Rgds,
Siggi
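The OpenIndiana ldapclient procedure quoted in this thread (ldapclient manual, svcadm enable, the nsswitch.conf edit, the getent check) as an added POSIX shell script; it is not from the thread, FreeIPA or OpenIndiana. It does the part Natxo is currently doing from cfengine: re-enable the ldap/client service if it came up disabled and add the ldap source to the passwd and group lines of nsswitch.conf without duplicating it. The search base is the value posted in the thread; the NS_LDAP_SEARCH_BASEDN line it greps from "ldapclient list" and the "svcs -H -o state" invocation are assumptions about OpenIndiana's tools.

```shell
#!/bin/sh
# Added example, not from the thread: re-apply the OpenIndiana ldapclient setup
# after a reboot. The search base is the value Natxo posted; the svcs and
# ldapclient output formats grepped below are assumptions about OpenIndiana.
SEARCH_BASE='dc=ipa,dc=asenjo,dc=nx'
NSSWITCH='/etc/nsswitch.conf'
LDAP_SVC='svc:/network/ldap/client:default'

# nss_has_ldap FILE DB: succeed if the DB line (passwd, group, ...) in FILE
# already lists ldap as a source. Comments are stripped; "db:x" and "db: x" both work.
nss_has_ldap() {
    awk -v db="$2" '
        {
            line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t:]+/)
            if (f[1] == db) for (i = 2; i <= n; i++) if (f[i] == "ldap") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# nss_add_ldap FILE DB: append ldap to the DB line if it is missing, keeping
# files first so local accounts still resolve when the directory is unreachable.
# Idempotent: a second run changes nothing. Adds the line if DB is absent.
# A trailing comment on the line is preserved after the new source.
nss_add_ldap() {
    nss_has_ldap "$1" "$2" && return 0
    tmp="$1.tmp.$$"
    awk -v db="$2" '
        {
            line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t:]+/)
        }
        f[1] == db && !done {
            idx = index($0, "#")
            if (idx) {
                head = substr($0, 1, idx - 1); sub(/[ \t]+$/, "", head)
                print head " ldap " substr($0, idx)
            } else {
                print $0 " ldap"
            }
            done = 1; next
        }
        { print }
        END { if (!done) print db ": files ldap" }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# ldap_client_ok: the thread reports the service staying disabled after reboot
# while the ldapclient cache survives, so check both before touching anything.
ldap_client_ok() {
    [ "$(svcs -H -o state "$LDAP_SVC" 2>/dev/null)" = "online" ] &&
        ldapclient list 2>/dev/null | grep -q "^NS_LDAP_SEARCH_BASEDN= *$SEARCH_BASE"
}

# apply: enable the service if needed, fix nsswitch.conf, then verify with the
# same getent lookup the original post used.
apply() {
    ldap_client_ok || svcadm enable "$LDAP_SVC"
    nss_add_ldap "$NSSWITCH" passwd
    nss_add_ldap "$NSSWITCH" group
    getent passwd admin >/dev/null || { echo "ldap lookup still failing" >&2; return 1; }
}

# Run the fix only when invoked as "script.sh apply" (e.g. from cfengine),
# so the file can also be sourced for its functions.
if [ "${1:-}" = "apply" ]; then
    apply
fi
```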
From pspacek at redhat.com Mon Sep 10 08:26:10 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 10 Sep 2012 10:26:10 +0200
Subject: [Freeipa-users] unable to logout of IPA
In-Reply-To: <504A8BAC.8050108@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD66EF9@STAWINCOX10MBX1.staff.vuw.ac.nz> <1343361689.2666.27.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CD66FA8@STAWINCOX10MBX1.staff.vuw.ac.nz> <50129765.8010700@redhat.com> <5012A5F2.102@redhat.com> <504A8BAC.8050108@redhat.com>
Message-ID: <504DA422.7090301@redhat.com>

On 09/08/2012 02:05 AM, Dmitri Pal wrote:
> On 07/27/2012 10:30 AM, Petr Spacek wrote:
>> On 07/27/2012 03:28 PM, John Dennis wrote:
>>> On 07/27/2012 02:06 AM, Dan Scott wrote:
>>>> Hi,
>>>>
>>>> I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently:
>>>>
>>>> http://www.grc.com/sn/sn-360.htm
>>>>
>>>> Search for 'sessionstore' and read a little before and after.
>>>>
>>>> Are session cookies relevant for kerberos authentication?
>>>
>>> It's only tangentially relevant. IPA does use session cookies. IPA logout destroys the session on the server making the session cookie stored in the browser invalid.
>>>
>>> However, SSO (Single Sign-On) continues to work as it's supposed to. As long as you have valid credentials in your kerberos cache you'll be automatically logged in (albeit with a brand new session and session cookie). All this is by design.
>>>
>>> You can logout of IPA which destroys your session, but unless you also destroy your credentials the automatic SSO process will be applied the next time you visit the web UI.
>>>
>>>
>> Would it be possible to add "login as another user" functionality? I mean "destroy session && ignore any Kerberos tickets && start form-based auth"?
>>
>> IMHO it could be handy, at least for demonstration purposes.
>>
>
> Please log a ticket.
>

https://fedorahosted.org/freeipa/ticket/3064

Petr^2 Spacek

From pspacek at redhat.com Mon Sep 10 08:35:00 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 10 Sep 2012 10:35:00 +0200
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <504B5E46.1020002@redhat.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com>
Message-ID: <504DA634.8010903@redhat.com>

On 09/08/2012 05:03 PM, Dmitri Pal wrote:
> On 09/07/2012 04:50 PM, Rob Crittenden wrote:
>> Michael Mercier wrote:
>>>
>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>
>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>
>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.
>>>>>>>
>>>>>>> [root at ipaserver ~]#ipa-replica-manage list
>>>>>>> ipaserver.mpls.local: master
>>>>>>> ipaserver2.mpls.local: master
>>>>>>> [root at ipaserver ~]# rpm -qa|grep ipa
>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>
>>>>>>>
>>>>>>> [root at ipaserver2 ~]#ipa-replica-manage list
>>>>>>> ipaserver.mpls.local: master
>>>>>>> ipaserver2.mpls.local: master
>>>>>>> [root at ipaserver2 ~]# rpm -qa|grep ipa
>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>
>>>>>>>
>>>>>>> [mike at ipaclient ~]$ rpm -qa|grep ipa
>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>
>>>>>>>
>>>>>>> I have a webserver (zenoss) using kerberos authentication.
>>>>>>>
>>>>>>> [root at zenoss ~]# rpm -qa|grep ipa
>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>
>>>>>>>
>>>>>>> SSLRequireSSL
>>>>>>> AuthType Kerberos
>>>>>>> AuthName "Kerberos Login"
>>>>>>>
>>>>>>> KrbMethodK5Passwd Off
>>>>>>> KrbAuthRealms MPLS.LOCAL
>>>>>>> KrbSaveCredentials on
>>>>>>> KrbServiceName HTTP
>>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>>>>>>
>>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>>>>>>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails. I have also noticed the following:
>>>>>>>
>>>>>>> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
>>>>>>> 2. It takes a longer period of time to do a kinit
>>>>>>>
>>>>>>> If I then perform:
>>>>>>> [root at ipaserver ~]#ifup eth0
>>>>>>>
>>>>>>> [root at ipaserver2 ~]#ifdown eth0
>>>>>>>
>>>>>>> [mike at ipaclient ~]$kinit
>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>>
>>>>>>> [root at ipaserver2 ~]#ifup eth0
>>>>>>>
>>>>>>> [mike at ipaclient ~]$ kinit
>>>>>>> Password for mike at MPLS.LOCAL:
>>>>>>> [mike at ipaclient ~]$
>>>>>>>
>>>>>>> [root at ipaserver2 ~]#ifdown eth0
>>>>>>>
>>>>>>> ..
>>>>>>> wait number of minutes
>>>>>>>
>>>>>>> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
>>>>>>>
>>>>>>> [mike at ipaclient ~]$kinit
>>>>>>> Password for mike at MPLS.LOCAL:
>>>>>>> [mike at ipaclient ~]$
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Mike
>>>>>> This seems to be some DNS problem.
>>>>>> Your client does not see the second replica and might have some name resolution timeouts.
>>>>>>
>>>>>> Please check your dns setup and krb5.conf on the client.
>>>>>>
>>>>>> To help more we need more details about your client configuration DNS and kerberos.
>>>>> Hi,
>>>>>
>>>>> Additional information...
>>>>>
>>>>> [root at zenoss ~]#more /etc/resolv.conf
>>>>> search mpls.local
>>>>> domain mpls.local
>>>>> nameserver 172.16.112.5
>>>>> nameserver 172.16.112.8
>>>>>
>>>>> [root at zenoss ~]# more /etc/krb5.conf
>>>>> #File modified by ipa-client-install
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = MPLS.LOCAL
>>>>> dns_lookup_realm = true
>>>>> dns_lookup_kdc = true
>>>>> rdns = false
>>>>> ticket_lifetime = 24h
>>>>> forwardable = yes
>>>>>
>>>>> [realms]
>>>>> MPLS.LOCAL = {
>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .mpls.local = MPLS.LOCAL
>>>>> mpls.local = MPLS.LOCAL
>>>>>
>>>>> [root at ipaclient ~]# more /etc/resolv.conf
>>>>> # Generated by NetworkManager
>>>>> search mpls.local
>>>>> nameserver 172.16.112.5
>>>>> nameserver 172.16.112.8
>>>>>
>>>>> [root at ipaclient ~]# more /etc/krb5.conf
>>>>> #File modified by ipa-client-install
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = MPLS.LOCAL
>>>>> dns_lookup_realm = true
>>>>> dns_lookup_kdc = true
>>>>> rdns = false
>>>>> ticket_lifetime = 24h
>>>>> forwardable = yes
>>>>>
>>>>> [realms]
>>>>> MPLS.LOCAL = {
>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .mpls.local = MPLS.LOCAL
>>>>> mpls.local = MPLS.LOCAL
>>>>>
>>>>> [root at
ipaclient ~]# nslookup ipaserver >>>>> Server: 172.16.112.5 >>>>> Address: 172.16.112.5#53 >>>>> >>>>> Name: ipaserver.mpls.local >>>>> Address: 172.16.112.5 >>>>> >>>>> [root at ipaserver ~]#ifdown eth0 >>>>> >>>>> [root at ipaclient ~]# nslookup ipaserver >>>>> Server: 172.16.112.8 >>>>> Address: 172.16.112.8#53 >>>>> >>>>> Name: ipaserver.mpls.local >>>>> Address: 172.16.112.5 >>>>> >>>>> [root at ipaclient ~]# nslookup ipaserver2 >>>>> Server: 172.16.112.8 >>>>> Address: 172.16.112.8#53 >>>>> >>>>> Name: ipaserver2.mpls.local >>>>> Address: 172.16.112.8 >>>>> >>>>> Copy/paste from the DNS page on ipaserver/ipaserver2 >>>>> >>>>> @ NS ipaserver.mpls.local. >>>>> NS ipaserver2.mpls.local. >>>>> _kerberos TXT MPLS.LOCAL >>>>> _kerberos-master._tcp SRV 0 100 88 ipaserver >>>>> SRV 0 100 88 ipaserver2 >>>>> _kerberos-master._udp SRV 0 100 88 ipaserver >>>>> SRV 0 100 88 ipaserver2 >>>>> _kerberos._tcp SRV 0 100 88 ipaserver >>>>> SRV 0 100 88 ipaserver2 >>>>> _kerberos._udp SRV 0 100 88 ipaserver >>>>> SRV 0 100 88 ipaserver2 >>>>> _kpasswd._tcp SRV 0 100 464 ipaserver >>>>> SRV 0 100 464 ipaserver2 >>>>> _kpasswd._udp SRV 0 100 464 ipaserver >>>>> SRV 0 100 464 ipaserver2 >>>>> _ldap._tcp SRV 0 100 389 ipaserver >>>>> SRV 0 100 389 ipaserver2 >>>>> _ntp._udp SRV 0 100 123 ipaserver >>>>> SRV 0 100 123 ipaserver2 >>>>> ipaclient A 172.16.112.9 >>>>> ipaclient2 A 172.16.112.145 >>>>> ipaserver A 172.16.112.5 >>>>> ipaserver2 A 172.16.112.8 >>>>> zenoss A 172.16.112.6 >>>>> >>>>> Thanks, >>>>> Mike >>>>> >>>> I noticed that there is no domain line in the resolv.conf on the >>>> client. >>>> AFAIU in this case it would determine the domain by the gethostname and >>>> in case of network being down it will fail over to the hosts file. >>>> I wonder what is in your /etc/hosts? >>>> Dose it have just a short host name? 
>>> >>> [root at ipaclient ~]# more /etc/hosts >>> 127.0.0.1 localhost.localdomain localhost >>> ::1 localhost6.localdomain6 localhost6 >>> >>> >>> Add domain mpls.local to /etc/resolv.conf >>> >>> [root at ipaserver ~]#ifdown eth0 >>> >>> [root at ipaclient ~]# kinit mike >>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting >>> initial credentials >>> [root at ipaclient ~]# nslookup ipaserver >>> Server: 172.16.112.8 >>> Address: 172.16.112.8#53 >>> >>> Name: ipaserver.mpls.local >>> Address: 172.16.112.5 >>> >>> [root at ipaclient ~]# nslookup ipaserver2 >>> Server: 172.16.112.8 >>> Address: 172.16.112.8#53 >>> >>> Name: ipaserver2.mpls.local >>> Address: 172.16.112.8 >>> >>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts >>> >>> [root at ipaserver ~]#ifup eth0 >>> >>> [root at ipaclient ~]# kinit mike >>> Password for mike at MPLS.LOCAL: >>> >>> [root at ipaserver ~]#ifdown eth0 >>> >>> [root at ipaclient ~]# kinit mike >>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting >>> initial credentials >>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._tcp >>> Server: 172.16.112.8 >>> Address: 172.16.112.8#53 >>> >>> _kerberos-master._tcp.mpls.local service = 0 100 88 >>> ipaserver2.mpls.local. >>> _kerberos-master._tcp.mpls.local service = 0 100 88 >>> ipaserver.mpls.local. >>> >>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._udp >>> Server: 172.16.112.5 >>> Address: 172.16.112.5#53 >>> >>> _kerberos-master._udp.mpls.local service = 0 100 88 >>> ipaserver.mpls.local. >>> _kerberos-master._udp.mpls.local service = 0 100 88 >>> ipaserver2.mpls.local. >>> >>> >>> [root at ipaclient ~]# kinit mike >>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting >>> initial credentials >>> >>> [root at ipaserver ~]#ifup eth0 >>> >>> [root at ipaclient ~]# kinit mike >>> Password for mike at MPLS.LOCAL: >> >> I'd start with the sssd logs. 
Is it seeing the main server go offline >> and not switching to the second one? Or is it going into offline mode? >> >> Do you have _srv_ or both servers listed in ipa_server in >> /etc/sssd/sssd.conf? >> >> rob >> > Rob, may be I am missing something but how SSSD is related in this case? > The test is done using kinit not SSSD. > > It would actually be an interesting test to try the same via SSSD for > example do su to mike instead of kinit and see what would happen (watch > SSSD logs with high debug level, 8 for example). > If that works it would probably mean that kinit does not fail over > properly. So this would be a Kerberos kinit bug not IPA/SSSD bug. > AFAIK there is "sssd_krb5_locator_plugin". This plugin changes Kerberos servers dynamically at library level, so kinit should select same server as SSSD. Manual page sssd_krb5_locator_plugin says: If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value debug messages will be sent to stderr. You can execute SSSD_KRB5_LOCATOR_DEBUG=1 kinit ... and check which server is selected and why. I know next to nothing about internals of this mechanism, so some SSSD guy can tell you more. Petr^2 Spacek From dpal at redhat.com Mon Sep 10 12:42:46 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 10 Sep 2012 08:42:46 -0400 Subject: [Freeipa-users] openindiana ldap client In-Reply-To: <504CFB57.8030004@nixtra.com> References: <50439019.8080804@nixtra.com> <504A3F0A.4090402@redhat.com> <504CFB57.8030004@nixtra.com> Message-ID: <504DE046.60708@redhat.com> On 09/09/2012 04:25 PM, Sigbjorn Lie wrote: > On 09/07/2012 08:38 PM, Dmitri Pal wrote: >> On 09/02/2012 12:58 PM, Sigbjorn Lie wrote: >>> On 09/02/2012 04:37 PM, Natxo Asenjo wrote: >>>> hi, >>>> >>>> Recently I have been playing with the zfs for its native nfs4 acl >>>> capabilities. I have used openindiana for this. For those wondering >>>> about openindiana, it is a distribution of the former opensolaris code. 
>>>>
>>>> I got the ldap client to work for retrieving user/group info from
>>>> ipa using the ldapclient command:
>>>>
>>>> # ldapclient manual \
>>>> -a authenticationMethod=none \
>>>> -a defaultSearchBase=dc=ipa,dc=asenjo,dc=nx \
>>>> -a domainName=ipa.asenjo.nx \
>>>> -a defaultServerList=kdc.ipa.asenjo.nx \
>>>> -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \
>>>> -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter]
>>>>
>>>> you need to enable the ldap/client service:
>>>>
>>>> # svcadm enable ldap/client:default [enter]
>>>>
>>>> After which, modify /etc/nsswitch.conf to add the ldap provider for
>>>> passwd and group:
>>>>
>>>> passwd: files ldap
>>>> group: files ldap
>>>>
>>>> That's it, test it:
>>>>
>>>> # id admin
>>>> uid=642800000(admin) gid=642800000(admins) groups=642800000(admins)
>>>>
>>>> # getent passwd admin
>>>> admin:x:642800000:642800000:Administrator:/home/admin:/bin/bash
>>>>
>>>> So it works. The kerberos stuff will be next ...
>>>>
>>>> One thing I have not yet gotten to work is that these changes are
>>>> not persistent across reboots. The ldapclient config stays, but
>>>> the service ldap/client does not start (stays disabled) and
>>>> nsswitch.conf misses the ldap entries. So far I am fixing this
>>>> from cfengine (gotta love it).
>>>>
>>>> So apparently, for solaris 10 and newer versions, the procedure
>>>> outlined in http://freeipa.com/page/ConfiguringSolarisClients is no
>>>> longer necessary as far as the ldap client is concerned.
>>>>
>>>>
>>>> --
>>>> Groeten,
>>>> natxo
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Hi,
>>>
>>> I'm using Nexenta as an IPA client, another derivative of
>>> OpenSolaris. I use a DUAProfile with ldapclient. This stays
>>> configured and the ldap/client service is enabled across reboots.
>>>
>>>
>>> There is a DUAProfile included by default with IPA, but it requires
>>> some tweaking to support more than just the basic features. See this
>>> bugzilla for a more comprehensive example:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>>>
>>>
>>> There is also some more info about configuring Solaris clients in
>>> this bugzilla:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=815533
>>
>> Siggi, can you please review
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>> and confirm that this is correct and has the latest?
>>
>> If you find some inconsistency, would you mind filing a fedora doc bug?
>
> There are some issues in that document.
>
> I have been working with Rob with regards to the previous 2 bugzilla
> doc bugs I opened:
> https://bugzilla.redhat.com/show_bug.cgi?id=815533
> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>
> These BZs cover configuring a DUA profile and configuring Solaris 10
> as an IPA client.
>
> I presume Rob's work will become the new Solaris 10 IPA Client
> documentation for both Fedora and RHEL?

Thanks for the update. We might ask you for a final review.
The Fedora and RHEL documentation is a bit different in this regard. For
Fedora we can easily document the information you provided. For RHEL we
need to find some other avenue to deliver the information, because the Red
Hat support organization can't be responsible for proper configuration of
non-RHEL operating systems, so we can't have it in the Red Hat
documentation. But we will figure it out.

>
>
> Rgds,
> Siggi
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Sep 10 12:47:24 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 10 Sep 2012 08:47:24 -0400
Subject: [Freeipa-users] dirsrv@PKI-IPA.service disappeared
In-Reply-To: <92A6ED45-78FE-476B-9B07-1C48271B0E24@napierala.org>
References: <504A84CD.9080809@redhat.com> <92A6ED45-78FE-476B-9B07-1C48271B0E24@napierala.org>
Message-ID: <504DE15C.7070609@redhat.com>

On 09/08/2012 01:49 PM, Tomasz 'Zen' Napierała wrote:
> On Sep 8, 2012, at 1:35 AM, Dmitri Pal wrote:
>
>> On 07/26/2012 09:57 AM, Tomasz 'Zen' Napierała wrote:
>>> Hi,
>>>
>>> After upgrade from F16 to F17 FreeIPA 2.2.0.1 on secondary servers dirsrv@PKI-IPA.service disappeared.
>>> There is an entry for it in systemd, but no config files, etc.
>>>
>>> /var/log/messages:Jul 24 19:50:56 ldap-XX systemd[1]: dirsrv@PKI-IPA.service failed to run 'start' task: No such file or directory
>>> /var/log/messages:Jul 24 19:50:56 ldap-XX systemd[1]: Unit dirsrv@PKI-IPA.service entered failed state.
>>>
>>> /var/log/messages:Jul 26 13:28:01 ldap-XY systemd[1]: dirsrv@PKI-IPA.service failed to run 'start' task: No such file or directory
>>> /var/log/messages:Jul 26 13:28:01 ldap-XY systemd[1]: Unit dirsrv@PKI-IPA.service entered failed state.
>>>
>>> I upgraded two replicas and then the master during 2 days. What can I do to fix that problem?
>>>
>>> Regards,
>> Sorry, I do not see any reply. Was this issue resolved?
>
> Not really, I didn't have time to investigate that, I created new replicas ;)

Sorry that we were not able to provide timely help.
Please let us know if the problem comes back (or any other problem emerges :-) ).

> Regards,

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Sep 10 12:54:34 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 10 Sep 2012 08:54:34 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <5037E76F.7000902@redhat.com>
References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com> <50352675.3010602@lafayette.edu> <50353C21.1050002@redhat.com> <5035482C.3080508@lafayette.edu> <50355701.403@redhat.com> <5036674F.40400@lafayette.edu> <5037E76F.7000902@redhat.com>
Message-ID: <504DE30A.9080004@redhat.com>

On 08/24/2012 04:43 PM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> This did not seem to help...
>>
>
> What else isn't working? Does the UI work? Do clients on other
> machines work? Does user lookup still work?
>
> rob

Was this issue ever resolved?

>
>>
>> On 08/22/2012 06:02 PM, Rob Crittenden wrote:
>>> Nathan Lager wrote:
>>>> [root@ipaserver PROD krb5kdc]# ipactl status
>>>> Directory Service: RUNNING
>>>> KDC Service: RUNNING
>>>> KPASSWD Service: RUNNING
>>>> MEMCACHE Service: RUNNING
>>>> HTTP Service: RUNNING
>>>> CA Service: RUNNING
>>>> [root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>> ipa-server-2.2.0-16.el6.x86_64
>>>
>>> I'd try removing /tmp/krb5cc_48. This is the ccache used by Apache for
>>> doing S4U2Proxy. No restart of httpd should be required.
>>>
>>> rob
>>>
>>>>
>>>>
>>>> On 08/22/2012 04:08 PM, Rob Crittenden wrote:
>>>>> Nathan Lager wrote:
>>>>>> I tried the same kinit and then ipa passwd commands as before,
>>>>>> here's the output:
>>>>>>
>>>>>> Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info):
>>>>>> AS_REQ (4
>>>>>> etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
>>>>>> lagern@SYSTEMS.LAFAYETTE.EDU for
>>>>>> krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU, Additional
>>>>>> pre-authentication required
>>>>>>
>>>>>> Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info):
>>>>>> AS_REQ (4
>>>>>> etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
>>>>>> etypes {rep=18 tkt=18 ses=18}, lagern@SYSTEMS.LAFAYETTE.EDU for
>>>>>> krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU
>>>>>>
>>>>>> Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
>>>>>> (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
>>>>>> etypes {rep=18 tkt=18 ses=18}, lagern@SYSTEMS.LAFAYETTE.EDU for
>>>>>> HTTP/ipaserver.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>
>>>>> What version of IPA is this?
>>>>>
>>>>> Does ipactl status show all services up?
>>>>>
>>>>> rob
>>>>
>>>>
>>>
>>>
>>
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Sep 10 12:58:11 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 10 Sep 2012 08:58:11 -0400
Subject: [Freeipa-users] RHEL 6.3 identity manual - IPA
In-Reply-To: <50377C7A.8040509@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD791C8@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CD79299@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CD7931E@STAWINCOX10MBX1.staff.vuw.ac.nz> <50377C7A.8040509@redhat.com>
Message-ID: <504DE3E3.1020803@redhat.com>

On 08/24/2012 09:07 AM, Rob Crittenden wrote:
> Steven Jones wrote:
>> Hi,
>>
>> Except the doc says nss_ldap.conf when it's actually ldap.conf...so
>> the doc is wrong.
>>
>> "4. Edit the NSS/LDAP configuration file and add the following
>> sudo-related lines to the
>> /etc/nss_ldap.conf file:"
>>
>> should read,
>>
>> "4. Edit the NSS/LDAP configuration file and add the following
>> sudo-related lines to the
>> /etc/ldap.conf file:"
>>
>> Unless someone can point out how sudo should be done....but it works
>> this way.
>
> It would be very helpful if you could file bugs at
> http://bugzilla.redhat.com on the documentation when you find errors.
> We review them before publishing but we miss things from time to time
> (clearly).
>
> The component to use is doc-Enterprise_Identity_Management_Guide.

Steven,

Did you have a chance to file any BZs based on the discussion in this
thread?

Thank you for your help and contribution!

Dmitri

>
> thanks
>
> rob
>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com
>> [freeipa-users-bounces at redhat.com] on behalf of Steven Jones
>> [Steven.Jones at vuw.ac.nz]
>> Sent: Friday, 24 August 2012 11:16 a.m.
>> Cc: Freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] RHEL 6.3 identity manual - IPA
>>
>> Hi,
>>
>> Just found this doc,
>>
>> Red Hat Enterprise Linux 5.8
>> Configuring Identity Management
>>
>> So I'm working through it.
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Stephen Ingram [sbingram at gmail.com]
>> Sent: Friday, 24 August 2012 11:00 a.m.
>> To: Steven Jones
>> Cc: Freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] RHEL 6.3 identity manual - IPA
>>
>> On Thu, Aug 23, 2012 at 2:26 PM, Steven Jones
>> wrote:
>>> Some notes on the identity manual which says it's for RHEL6,
>>>
>>> "13.4.2. Client Configuration for sudo Rules This example specifically
>>> configures a Red Hat Enterprise Linux 6 client for sudo rules.
>>>
>>> 8><----
>>>
>>> 2. Enable debug logging for sudo operations in the /etc/ldap.conf
>>> file. If
>>> this file does not exist, it can be created. vim /etc/ldap.conf
>>> sudoers_debug:
>>>
>>> It seems for a RHEL6 client it's /etc/sudo-ldap.conf
>>>
>>> ditto 4.
>>>
>>> Edit the NSS/LDAP configuration file and add the following sudo-related
>>> lines to the
>>> /etc/nslcd.conf file:
>>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
>>> bindpw sudo_password
>>> ssl start_tls
>>> tls_cacertfile /etc/ipa/ca.crt
>>> tls_checkpeer yes
>>> bind_timelimit 5
>>> timelimit 15
>>> uri ldap://ipaserver.example.com ldap://backup.example.com:3890
>>> sudoers_base ou=SUDOers,dc=example,dc=com
>>>
>>> It seems for a RHEL6 client it's /etc/sudo-ldap.conf
>>>
>>> So is that section referring to RHEL5?
>>
>> Most likely. /etc/sudo-ldap.conf is new with RHEL 6.3. Before that
>> (6.0-6.2) you had to use /etc/nslcd.conf. The RHEL 5 series used a
>> different configuration altogether. I think that will eventually
>> change too as this becomes handled directly by sssd. Not a moment too
>> soon if you ask me. There are so many competing ways to set this up,
>> each with varying advantages and disadvantages. This is probably why
>> RH decided to just write sssd from scratch such that they could handle
>> all of the existing setups as well as new stuff like laptops out of
>> the office that need cached credentials and such.
>>
>> Steve
>>
>>
>>
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Sep 10 12:59:18 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 10 Sep 2012 08:59:18 -0400
Subject: [Freeipa-users] Problem with webui: kerberos ticket no longer valid
In-Reply-To:
References: <50375220.7080001@s3group.cz>
Message-ID: <504DE426.9060001@redhat.com>

On 08/24/2012 06:31 AM, David Sastre wrote:
> On Fri, Aug 24, 2012 at 12:06 PM, Ondrej Valousek wrote:
>> try running 'kinit -R'?
> Nope. It fails even after kdestroy and kinit anew.
>

Was this issue ever resolved?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Sep 10 13:06:15 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 10 Sep 2012 09:06:15 -0400
Subject: [Freeipa-users] IBM Tivoli Identity Manager connector to manage IPA
In-Reply-To:
References:
Message-ID: <504DE5C7.3050001@redhat.com>

On 08/24/2012 02:21 AM, Willem Bos wrote:
> Hi Sylvain,
>
> I'm not familiar with Tivoli but maybe it's able to generate HTTP
> requests? I recently did a proof-of-concept (with help from this
> mailing list) to provision IPA with usernames/passwords. It's really a
> re-write of a post from Adam Young
> (http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/)
> and info from the IPA API documented at
> https://fedorahosted.org/freeipa/browser/API.txt
>
> In this procedure you should replace curl with Tivoli.
>
> # Add the (IPA) account you want to use for provisioning to the
> passSyncManagerDNs 'group' so that users that are created through
> provisioning do not have to change their passwords at first login. In
> this example I used 'admin' but you probably want a dedicated user :
> cat > add_passsync_manager.ldif << EOF
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=localdomain
> EOF
>
> ldapmodify -x -D "cn=Directory Manager" -W -f add_passsync_manager.ldif
>
> # Check :
> ldapsearch -LLL -x -D "cn=Directory Manager" -W -b "cn=ipa_pwd_extop,cn=plugins,cn=config" -s base passsyncmanagersdns
> ...
> passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=localdomain
>
> # The .json file is the 'add user' request that Tivoli should generate.:
> cat > add_user_test.json << EOF
> {
> "method":"user_add",
> "params":[
> [],
> {
> "uid":"test",
> "givenname":"test",
> "sn":"test",
> "userpassword":"test"
> }
> ]
> }
> EOF
>
> # Tivoli needs to be able to pass Kerberos credentials with the HTTP
> request (the '--negotiate -u :' part) :
> kinit admin
> curl -v \
> --header referer:https:///ipa \
> --header "Content-Type:application/json" \
> --header "Accept:application/json" \
> --negotiate -u : \
> --delegation always \
> --cacert /etc/ipa/ca.crt \
> --data @add_user_test.json \
> --request POST https:///ipa/json
> ...
> "summary": "Added user \"test\"",
> ...
>
> # Check. The user should not be asked to change his password... :
> kinit test
>
> Regards,
> Willem.

Sylvain,

I am very interested in finding out what you decided to do to implement
this. IMO it would be very beneficial to have a supported way for Tivoli
to connect to IPA and provision users. Doing it via the IPA interface as
mentioned above is the right way to do it. Do you have any pointer to IBM
Tivoli documentation that comments on how to create special connectors? I
would like to include this as an item for a long term IPA roadmap. If you
or anyone else has some information on the matter please help us here. I
will open a ticket and capture all the recommendations there.

Thanks
Dmitri

> On Thu, Aug 23, 2012 at 9:53 PM, Sylvain Angers wrote:
>> Hello all,
>>
>> Within our organisation, we use IBM Tivoli Identity Manager connectors to
>> provision user/group onto all our different types of system. Currently there
>> are as many connectors as we have unix boxes. As each unix box uses local auth,
>> we use ITIM to push user/group to local files...We have been investigating IPA
>> for a while, and now we wonder if a regular LDAP connector from IBM Tivoli
>> Identity manager could be used to feed IPA so we would have one connector to
>> manage our UNIX boxes via IPA. Our security folks would continue to have one
>> single interface to do user/group provisioning.
>>
>> I found out that there is already an ITIM LDAP connector available, but is
>> there such a thing as an ldap interface to manage ipa?
>> Or is the only way to get ITIM to manage IPA via a new connector
>> built from remote ipa command lines?
>>
>> Thank you!
>>
>> --
>> Sylvain Angers
>>
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Sep 10 13:08:07 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Sep 2012 09:08:07 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <504B5E46.1020002@redhat.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com>
Message-ID: <504DE637.4010803@redhat.com>

Dmitri Pal wrote:
> On 09/07/2012 04:50 PM, Rob Crittenden wrote:
>> Michael Mercier wrote:
>>>
>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>
>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>
>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have experienced some odd connectivity issues using MMR with
>>>>>>> FreeIPA (all systems CentOS 6.3). I have 2 ipa servers
>>>>>>> (ipaserver / ipaserver2) set up using MMR.
>>>>>>> >>>>>>> [root at ipaserver ~]#ipa-replica-manage list >>>>>>> ipaserver.mpls.local: master >>>>>>> ipaserver2.mpls.local: master >>>>>>> [root at ipaserver ~]# rpm -qa|grep ipa >>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>> ipa-server-2.2.0-16.el6.x86_64 >>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch >>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64 >>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch >>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>> >>>>>>> >>>>>>> [root at ipaserver2 ~]#ipa-replica-manage list >>>>>>> ipaserver.mpls.local: master >>>>>>> ipaserver2.mpls.local: master >>>>>>> [root at ipaserver2 ~]# rpm -qa|grep ipa >>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>> ipa-server-2.2.0-16.el6.x86_64 >>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch >>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64 >>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch >>>>>>> >>>>>>> >>>>>>> [mike at ipaclient ~]$ rpm -qa|grep ipa >>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>> >>>>>>> >>>>>>> I have a webserver (zenoss) using kerberos authentication. 
>>>>>>> >>>>>>> [root at zenoss ~]# rpm -qa|grep ipa >>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>> >>>>>>> >>>>>>> SSLRequireSSL >>>>>>> AuthType Kerberos >>>>>>> AuthName "Kerberos Login" >>>>>>> >>>>>>> KrbMethodK5Passwd Off >>>>>>> KrbAuthRealms MPLS.LOCAL >>>>>>> KrbSaveCredentials on >>>>>>> KrbServiceName HTTP >>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab >>>>>>> >>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local >>>>>>> ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName" >>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e >>>>>>> require ldap-group >>>>>>> cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local >>>>>>> >>>>>>> >>>>>>> >>>>>>> With both ipaserver and ipaserver2 'up', if I connect to >>>>>>> https://zenoss.mpls.local from ipaclient using firefox, I am >>>>>>> successfully connected. If on ipaserver I do a 'ifdown eth0' and >>>>>>> attempt another connection, it fails. I have also noticed the >>>>>>> following: >>>>>>> >>>>>>> 1. I am unable to use the ipaserver2 management interface when >>>>>>> ipaserver is unavailable. >>>>>>> 2. It takes a longer period of time to do a kinit >>>>>>> >>>>>>> If the I then perform: >>>>>>> [root at ipaserver ~]#ifup eth0 >>>>>>> >>>>>>> [root at ipaserver2 ~]#ifdown eth0 >>>>>>> >>>>>>> [mike at ipaclient ~]$kinit >>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while >>>>>>> getting initial credentials >>>>>>> >>>>>>> [root at ipaserver2 ~]#ifup eth0 >>>>>>> >>>>>>> [mike at ipaclient ~]$ kinit >>>>>>> Password for mike at MPLS.LOCAL: >>>>>>> [mike at ipaclient ~]$ >>>>>>> >>>>>>> [root at ipaserver2 ~]#ifdown eth0 >>>>>>> >>>>>>> .. 
wait number of minutes
>>>>>>>
>>>>>>> ipaclient screen locks - type password - after a short delay (~7
>>>>>>> seconds) screen unlock completes
>>>>>>>
>>>>>>> [mike at ipaclient ~]$kinit
>>>>>>> Password for mike at MPLS.LOCAL:
>>>>>>> [mike at ipaclient ~]$
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Mike
>>>>>> This seems to be some DNS problem.
>>>>>> Your client does not see the second replica and might have some name
>>>>>> resolution timeouts.
>>>>>>
>>>>>> Please check your dns setup and krb5.conf on the client.
>>>>>>
>>>>>> To help more we need more details about your client configuration,
>>>>>> DNS and kerberos.
>>>>> Hi,
>>>>>
>>>>> Additional information...
>>>>>
>>>>> [root at zenoss ~]#more /etc/resolv.conf
>>>>> search mpls.local
>>>>> domain mpls.local
>>>>> nameserver 172.16.112.5
>>>>> nameserver 172.16.112.8
>>>>>
>>>>> [root at zenoss ~]# more /etc/krb5.conf
>>>>> #File modified by ipa-client-install
>>>>>
>>>>> [libdefaults]
>>>>>   default_realm = MPLS.LOCAL
>>>>>   dns_lookup_realm = true
>>>>>   dns_lookup_kdc = true
>>>>>   rdns = false
>>>>>   ticket_lifetime = 24h
>>>>>   forwardable = yes
>>>>>
>>>>> [realms]
>>>>>   MPLS.LOCAL = {
>>>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>   }
>>>>>
>>>>> [domain_realm]
>>>>>   .mpls.local = MPLS.LOCAL
>>>>>   mpls.local = MPLS.LOCAL
>>>>>
>>>>> [root at ipaclient ~]# more /etc/resolv.conf
>>>>> # Generated by NetworkManager
>>>>> search mpls.local
>>>>> nameserver 172.16.112.5
>>>>> nameserver 172.16.112.8
>>>>>
>>>>> [root at ipaclient ~]# more /etc/krb5.conf
>>>>> #File modified by ipa-client-install
>>>>>
>>>>> [libdefaults]
>>>>>   default_realm = MPLS.LOCAL
>>>>>   dns_lookup_realm = true
>>>>>   dns_lookup_kdc = true
>>>>>   rdns = false
>>>>>   ticket_lifetime = 24h
>>>>>   forwardable = yes
>>>>>
>>>>> [realms]
>>>>>   MPLS.LOCAL = {
>>>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>   }
>>>>>
>>>>> [domain_realm]
>>>>>   .mpls.local = MPLS.LOCAL
>>>>>   mpls.local = MPLS.LOCAL
>>>>>
>>>>> [root at ipaclient ~]# nslookup ipaserver
>>>>> Server:  172.16.112.5
>>>>> Address: 172.16.112.5#53
>>>>>
>>>>> Name:    ipaserver.mpls.local
>>>>> Address: 172.16.112.5
>>>>>
>>>>> [root at ipaserver ~]#ifdown eth0
>>>>>
>>>>> [root at ipaclient ~]# nslookup ipaserver
>>>>> Server:  172.16.112.8
>>>>> Address: 172.16.112.8#53
>>>>>
>>>>> Name:    ipaserver.mpls.local
>>>>> Address: 172.16.112.5
>>>>>
>>>>> [root at ipaclient ~]# nslookup ipaserver2
>>>>> Server:  172.16.112.8
>>>>> Address: 172.16.112.8#53
>>>>>
>>>>> Name:    ipaserver2.mpls.local
>>>>> Address: 172.16.112.8
>>>>>
>>>>> Copy/paste from the DNS page on ipaserver/ipaserver2
>>>>>
>>>>> @                      NS  ipaserver.mpls.local.
>>>>>                        NS  ipaserver2.mpls.local.
>>>>> _kerberos              TXT MPLS.LOCAL
>>>>> _kerberos-master._tcp  SRV 0 100 88 ipaserver
>>>>>                        SRV 0 100 88 ipaserver2
>>>>> _kerberos-master._udp  SRV 0 100 88 ipaserver
>>>>>                        SRV 0 100 88 ipaserver2
>>>>> _kerberos._tcp         SRV 0 100 88 ipaserver
>>>>>                        SRV 0 100 88 ipaserver2
>>>>> _kerberos._udp         SRV 0 100 88 ipaserver
>>>>>                        SRV 0 100 88 ipaserver2
>>>>> _kpasswd._tcp          SRV 0 100 464 ipaserver
>>>>>                        SRV 0 100 464 ipaserver2
>>>>> _kpasswd._udp          SRV 0 100 464 ipaserver
>>>>>                        SRV 0 100 464 ipaserver2
>>>>> _ldap._tcp             SRV 0 100 389 ipaserver
>>>>>                        SRV 0 100 389 ipaserver2
>>>>> _ntp._udp              SRV 0 100 123 ipaserver
>>>>>                        SRV 0 100 123 ipaserver2
>>>>> ipaclient              A   172.16.112.9
>>>>> ipaclient2             A   172.16.112.145
>>>>> ipaserver              A   172.16.112.5
>>>>> ipaserver2             A   172.16.112.8
>>>>> zenoss                 A   172.16.112.6
>>>>>
>>>>> Thanks,
>>>>> Mike
>>>>>
>>>> I noticed that there is no domain line in the resolv.conf on the
>>>> client.
>>>> AFAIU in this case it would determine the domain by the gethostname and
>>>> in case of network being down it will fail over to the hosts file.
>>>> I wonder what is in your /etc/hosts?
>>>> Does it have just a short host name?
>>>
>>> [root at ipaclient ~]# more /etc/hosts
>>> 127.0.0.1 localhost.localdomain localhost
>>> ::1 localhost6.localdomain6 localhost6
>>>
>>>
>>> Add domain mpls.local to /etc/resolv.conf
>>>
>>> [root at ipaserver ~]#ifdown eth0
>>>
>>> [root at ipaclient ~]# kinit mike
>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>> [root at ipaclient ~]# nslookup ipaserver
>>> Server:  172.16.112.8
>>> Address: 172.16.112.8#53
>>>
>>> Name:    ipaserver.mpls.local
>>> Address: 172.16.112.5
>>>
>>> [root at ipaclient ~]# nslookup ipaserver2
>>> Server:  172.16.112.8
>>> Address: 172.16.112.8#53
>>>
>>> Name:    ipaserver2.mpls.local
>>> Address: 172.16.112.8
>>>
>>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts
>>>
>>> [root at ipaserver ~]#ifup eth0
>>>
>>> [root at ipaclient ~]# kinit mike
>>> Password for mike at MPLS.LOCAL:
>>>
>>> [root at ipaserver ~]#ifdown eth0
>>>
>>> [root at ipaclient ~]# kinit mike
>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._tcp
>>> Server:  172.16.112.8
>>> Address: 172.16.112.8#53
>>>
>>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
>>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local.
>>>
>>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._udp
>>> Server:  172.16.112.5
>>> Address: 172.16.112.5#53
>>>
>>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver.mpls.local.
>>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
>>>
>>>
>>> [root at ipaclient ~]# kinit mike
>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>
>>> [root at ipaserver ~]#ifup eth0
>>>
>>> [root at ipaclient ~]# kinit mike
>>> Password for mike at MPLS.LOCAL:
>>
>> I'd start with the sssd logs.
>> Is it seeing the main server go offline
>> and not switching to the second one? Or is it going into offline mode?
>>
>> Do you have _srv_ or both servers listed in ipa_server in
>> /etc/sssd/sssd.conf?
>>
>> rob
>>
> Rob, maybe I am missing something, but how is SSSD related in this case?
> The test is done using kinit, not SSSD.
>
> It would actually be an interesting test to try the same via SSSD, for
> example do su to mike instead of kinit and see what would happen (watch
> SSSD logs with high debug level, 8 for example).
> If that works it would probably mean that kinit does not fail over
> properly. So this would be a Kerberos kinit bug, not an IPA/SSSD bug.
>

SSSD controls the Kerberos locator. If SSSD isn't detecting that the KDC is down then it is going to point the user to a non-working server.

rob

From jhrozek at redhat.com Mon Sep 10 13:20:51 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 10 Sep 2012 15:20:51 +0200
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <504DE637.4010803@redhat.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com> <504DE637.4010803@redhat.com>
Message-ID: <20120910132051.GL28901@zeppelin.brq.redhat.com>

On Mon, Sep 10, 2012 at 09:08:07AM -0400, Rob Crittenden wrote:
> Dmitri Pal wrote:
> >On 09/07/2012 04:50 PM, Rob Crittenden wrote:
> >>Michael Mercier wrote:
> >>>
> >>>On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
> >>>
> >>>>On 09/07/2012 12:42 PM, Michael Mercier wrote:
> >>>>>On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
> >>>>>
> >>>>>>On 09/06/2012 10:40 AM, Michael Mercier wrote:
> >>>>>>>Hello,
> >>>>>>>
> >>>>>>>I have experienced some odd connectivity issues using MMR with
> >>>>>>>FreeIPA (all systems CentOS 6.3). I have 2 ipa servers
> >>>>>>>(ipaserver / ipaserver2) setup using MMR.
> >>>>>>>
> >>>>>>>[root at ipaserver ~]#ipa-replica-manage list
> >>>>>>>ipaserver.mpls.local: master
> >>>>>>>ipaserver2.mpls.local: master
> >>>>>>>[root at ipaserver ~]# rpm -qa|grep ipa
> >>>>>>>libipa_hbac-1.8.0-32.el6.x86_64
> >>>>>>>ipa-admintools-2.2.0-16.el6.x86_64
> >>>>>>>ipa-server-2.2.0-16.el6.x86_64
> >>>>>>>ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>>>>>>libipa_hbac-python-1.8.0-32.el6.x86_64
> >>>>>>>ipa-client-2.2.0-16.el6.x86_64
> >>>>>>>ipa-server-selinux-2.2.0-16.el6.x86_64
> >>>>>>>ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>>>>>>python-iniparse-0.3.1-2.1.el6.noarch
> >>>>>>>ipa-python-2.2.0-16.el6.x86_64
> >>>>>>>
> >>>>>>>
> >>>>>>>[root at ipaserver2 ~]#ipa-replica-manage list
> >>>>>>>ipaserver.mpls.local: master
> >>>>>>>ipaserver2.mpls.local: master
> >>>>>>>[root at ipaserver2 ~]# rpm -qa|grep ipa
> >>>>>>>ipa-client-2.2.0-16.el6.x86_64
> >>>>>>>ipa-server-2.2.0-16.el6.x86_64
> >>>>>>>ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>>>>>>ipa-python-2.2.0-16.el6.x86_64
> >>>>>>>libipa_hbac-1.8.0-32.el6.x86_64
> >>>>>>>python-iniparse-0.3.1-2.1.el6.noarch
> >>>>>>>libipa_hbac-python-1.8.0-32.el6.x86_64
> >>>>>>>ipa-admintools-2.2.0-16.el6.x86_64
> >>>>>>>ipa-server-selinux-2.2.0-16.el6.x86_64
> >>>>>>>ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>>>>>>
> >>>>>>>
> >>>>>>>[mike at ipaclient ~]$ rpm -qa|grep ipa
> >>>>>>>ipa-admintools-2.2.0-16.el6.x86_64
> >>>>>>>python-iniparse-0.3.1-2.1.el6.noarch
> >>>>>>>ipa-python-2.2.0-16.el6.x86_64
> >>>>>>>libipa_hbac-python-1.8.0-32.el6.x86_64
> >>>>>>>ipa-client-2.2.0-16.el6.x86_64
> >>>>>>>libipa_hbac-1.8.0-32.el6.x86_64
> >>>>>>>
> >>>>>>>
> >>>>>>>I have a webserver (zenoss) using kerberos authentication.
> >>>>>>>
> >>>>>>>[root at zenoss ~]# rpm -qa|grep ipa
> >>>>>>>libipa_hbac-1.8.0-32.el6.x86_64
> >>>>>>>libipa_hbac-python-1.8.0-32.el6.x86_64
> >>>>>>>ipa-python-2.2.0-16.el6.x86_64
> >>>>>>>ipa-client-2.2.0-16.el6.x86_64
> >>>>>>>python-iniparse-0.3.1-2.1.el6.noarch
> >>>>>>>ipa-admintools-2.2.0-16.el6.x86_64
> >>>>>>>
> >>>>>>>
> >>>>>>>  SSLRequireSSL
> >>>>>>>  AuthType Kerberos
> >>>>>>>  AuthName "Kerberos Login"
> >>>>>>>
> >>>>>>>  KrbMethodK5Passwd Off
> >>>>>>>  KrbAuthRealms MPLS.LOCAL
> >>>>>>>  KrbSaveCredentials on
> >>>>>>>  KrbServiceName HTTP
> >>>>>>>  Krb5KeyTab /etc/http/conf.d/http.keytab
> >>>>>>>
> >>>>>>>  AuthLDAPUrl "ldap://ipaserver.mpls.local
> >>>>>>>ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
> >>>>>>>  RequestHeader set X_REMOTE_USER %{remoteUser}e
> >>>>>>>  require ldap-group
> >>>>>>>cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>With both ipaserver and ipaserver2 'up', if I connect to
> >>>>>>>https://zenoss.mpls.local from ipaclient using firefox, I am
> >>>>>>>successfully connected. If on ipaserver I do an 'ifdown eth0' and
> >>>>>>>attempt another connection, it fails. I have also noticed the
> >>>>>>>following:
> >>>>>>>
> >>>>>>>1. I am unable to use the ipaserver2 management interface when
> >>>>>>>ipaserver is unavailable.
> >>>>>>>2. It takes a longer period of time to do a kinit
> >>>>>>>
> >>>>>>>If I then perform:
> >>>>>>>[root at ipaserver ~]#ifup eth0
> >>>>>>>
> >>>>>>>[root at ipaserver2 ~]#ifdown eth0
> >>>>>>>
> >>>>>>>[mike at ipaclient ~]$kinit
> >>>>>>>kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
> >>>>>>>
> >>>>>>>[root at ipaserver2 ~]#ifup eth0
> >>>>>>>
> >>>>>>>[mike at ipaclient ~]$ kinit
> >>>>>>>Password for mike at MPLS.LOCAL:
> >>>>>>>[mike at ipaclient ~]$
> >>>>>>>
> >>>>>>>[root at ipaserver2 ~]#ifdown eth0
> >>>>>>>
> >>>>>>>.. wait number of minutes
> >>>>>>>
> >>>>>>>ipaclient screen locks - type password - after a short delay (~7
> >>>>>>>seconds) screen unlock completes
> >>>>>>>
> >>>>>>>[mike at ipaclient ~]$kinit
> >>>>>>>Password for mike at MPLS.LOCAL:
> >>>>>>>[mike at ipaclient ~]$
> >>>>>>>
> >>>>>>>Any ideas?
> >>>>>>>
> >>>>>>>Thanks,
> >>>>>>>Mike
> >>>>>>This seems to be some DNS problem.
> >>>>>>Your client does not see the second replica and might have some name
> >>>>>>resolution timeouts.
> >>>>>>
> >>>>>>Please check your dns setup and krb5.conf on the client.
> >>>>>>
> >>>>>>To help more we need more details about your client configuration,
> >>>>>>DNS and kerberos.
> >>>>>Hi,
> >>>>>
> >>>>>Additional information...
> >>>>>
> >>>>>[root at zenoss ~]#more /etc/resolv.conf
> >>>>>search mpls.local
> >>>>>domain mpls.local
> >>>>>nameserver 172.16.112.5
> >>>>>nameserver 172.16.112.8
> >>>>>
> >>>>>[root at zenoss ~]# more /etc/krb5.conf
> >>>>>#File modified by ipa-client-install
> >>>>>
> >>>>>[libdefaults]
> >>>>>  default_realm = MPLS.LOCAL
> >>>>>  dns_lookup_realm = true
> >>>>>  dns_lookup_kdc = true
> >>>>>  rdns = false
> >>>>>  ticket_lifetime = 24h
> >>>>>  forwardable = yes
> >>>>>
> >>>>>[realms]
> >>>>>  MPLS.LOCAL = {
> >>>>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>>>>  }
> >>>>>
> >>>>>[domain_realm]
> >>>>>  .mpls.local = MPLS.LOCAL
> >>>>>  mpls.local = MPLS.LOCAL
> >>>>>
> >>>>>[root at ipaclient ~]# more /etc/resolv.conf
> >>>>># Generated by NetworkManager
> >>>>>search mpls.local
> >>>>>nameserver 172.16.112.5
> >>>>>nameserver 172.16.112.8
> >>>>>
> >>>>>[root at ipaclient ~]# more /etc/krb5.conf
> >>>>>#File modified by ipa-client-install
> >>>>>
> >>>>>[libdefaults]
> >>>>>  default_realm = MPLS.LOCAL
> >>>>>  dns_lookup_realm = true
> >>>>>  dns_lookup_kdc = true
> >>>>>  rdns = false
> >>>>>  ticket_lifetime = 24h
> >>>>>  forwardable = yes
> >>>>>
> >>>>>[realms]
> >>>>>  MPLS.LOCAL = {
> >>>>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>>>>  }
> >>>>>
> >>>>>[domain_realm]
> >>>>>  .mpls.local = MPLS.LOCAL
> >>>>>  mpls.local = MPLS.LOCAL
> >>>>>
> >>>>>[root at ipaclient ~]# nslookup ipaserver
> >>>>>Server:  172.16.112.5
> >>>>>Address: 172.16.112.5#53
> >>>>>
> >>>>>Name:    ipaserver.mpls.local
> >>>>>Address: 172.16.112.5
> >>>>>
> >>>>>[root at ipaserver ~]#ifdown eth0
> >>>>>
> >>>>>[root at ipaclient ~]# nslookup ipaserver
> >>>>>Server:  172.16.112.8
> >>>>>Address: 172.16.112.8#53
> >>>>>
> >>>>>Name:    ipaserver.mpls.local
> >>>>>Address: 172.16.112.5
> >>>>>
> >>>>>[root at ipaclient ~]# nslookup ipaserver2
> >>>>>Server:  172.16.112.8
> >>>>>Address: 172.16.112.8#53
> >>>>>
> >>>>>Name:    ipaserver2.mpls.local
> >>>>>Address: 172.16.112.8
> >>>>>
> >>>>>Copy/paste from the DNS page on ipaserver/ipaserver2
> >>>>>
> >>>>>@                      NS  ipaserver.mpls.local.
> >>>>>                       NS  ipaserver2.mpls.local.
> >>>>>_kerberos              TXT MPLS.LOCAL
> >>>>>_kerberos-master._tcp  SRV 0 100 88 ipaserver
> >>>>>                       SRV 0 100 88 ipaserver2
> >>>>>_kerberos-master._udp  SRV 0 100 88 ipaserver
> >>>>>                       SRV 0 100 88 ipaserver2
> >>>>>_kerberos._tcp         SRV 0 100 88 ipaserver
> >>>>>                       SRV 0 100 88 ipaserver2
> >>>>>_kerberos._udp         SRV 0 100 88 ipaserver
> >>>>>                       SRV 0 100 88 ipaserver2
> >>>>>_kpasswd._tcp          SRV 0 100 464 ipaserver
> >>>>>                       SRV 0 100 464 ipaserver2
> >>>>>_kpasswd._udp          SRV 0 100 464 ipaserver
> >>>>>                       SRV 0 100 464 ipaserver2
> >>>>>_ldap._tcp             SRV 0 100 389 ipaserver
> >>>>>                       SRV 0 100 389 ipaserver2
> >>>>>_ntp._udp              SRV 0 100 123 ipaserver
> >>>>>                       SRV 0 100 123 ipaserver2
> >>>>>ipaclient              A   172.16.112.9
> >>>>>ipaclient2             A   172.16.112.145
> >>>>>ipaserver              A   172.16.112.5
> >>>>>ipaserver2             A   172.16.112.8
> >>>>>zenoss                 A   172.16.112.6
> >>>>>
> >>>>>Thanks,
> >>>>>Mike
> >>>>>
> >>>>I noticed that there is no domain line in the resolv.conf on the
> >>>>client.
> >>>>AFAIU in this case it would determine the domain by the gethostname and
> >>>>in case of network being down it will fail over to the hosts file.
> >>>>I wonder what is in your /etc/hosts?
> >>>>Does it have just a short host name?
> >>>
> >>>[root at ipaclient ~]# more /etc/hosts
> >>>127.0.0.1 localhost.localdomain localhost
> >>>::1 localhost6.localdomain6 localhost6
> >>>
> >>>
> >>>Add domain mpls.local to /etc/resolv.conf
> >>>
> >>>[root at ipaserver ~]#ifdown eth0
> >>>
> >>>[root at ipaclient ~]# kinit mike
> >>>kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
> >>>[root at ipaclient ~]# nslookup ipaserver
> >>>Server:  172.16.112.8
> >>>Address: 172.16.112.8#53
> >>>
> >>>Name:    ipaserver.mpls.local
> >>>Address: 172.16.112.5
> >>>
> >>>[root at ipaclient ~]# nslookup ipaserver2
> >>>Server:  172.16.112.8
> >>>Address: 172.16.112.8#53
> >>>
> >>>Name:    ipaserver2.mpls.local
> >>>Address: 172.16.112.8
> >>>
> >>>add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts
> >>>
> >>>[root at ipaserver ~]#ifup eth0
> >>>
> >>>[root at ipaclient ~]# kinit mike
> >>>Password for mike at MPLS.LOCAL:
> >>>
> >>>[root at ipaserver ~]#ifdown eth0
> >>>
> >>>[root at ipaclient ~]# kinit mike
> >>>kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
> >>>[root at ipaclient ~]# nslookup -type=srv _kerberos-master._tcp
> >>>Server:  172.16.112.8
> >>>Address: 172.16.112.8#53
> >>>
> >>>_kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
> >>>_kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local.
> >>>
> >>>[root at ipaclient ~]# nslookup -type=srv _kerberos-master._udp
> >>>Server:  172.16.112.5
> >>>Address: 172.16.112.5#53
> >>>
> >>>_kerberos-master._udp.mpls.local service = 0 100 88 ipaserver.mpls.local.
> >>>_kerberos-master._udp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
> >>>
> >>>
> >>>[root at ipaclient ~]# kinit mike
> >>>kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
> >>>
> >>>[root at ipaserver ~]#ifup eth0
> >>>
> >>>[root at ipaclient ~]# kinit mike
> >>>Password for mike at MPLS.LOCAL:
> >>
> >>I'd start with the sssd logs. Is it seeing the main server go offline
> >>and not switching to the second one? Or is it going into offline mode?
> >>
> >>Do you have _srv_ or both servers listed in ipa_server in
> >>/etc/sssd/sssd.conf?
> >>
> >>rob
> >>
> >Rob, maybe I am missing something, but how is SSSD related in this case?
> >The test is done using kinit, not SSSD.
> >
> >It would actually be an interesting test to try the same via SSSD, for
> >example do su to mike instead of kinit and see what would happen (watch
> >SSSD logs with high debug level, 8 for example).
> >If that works it would probably mean that kinit does not fail over
> >properly. So this would be a Kerberos kinit bug, not an IPA/SSSD bug.
> >
>
> SSSD controls the Kerberos locator. If SSSD isn't detecting that the
> KDC is down then it is going to point the user to a non-working
> server.
>
> rob

The SSSD only creates the file used by the locator when the first auth request comes in through the SSSD (in the case of the IPA backend even an identity lookup would do because it's GSSAPI-encrypted).

Bottom line, just logging in as root and performing kinit is not enough; kinit completely bypasses the SSSD and talks to the Kerberos server directly.

From dpal at redhat.com Mon Sep 10 14:01:01 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 10 Sep 2012 10:01:01 -0400
Subject: [Freeipa-users] Prompting for expired passwords on AIX
In-Reply-To:
References:
Message-ID: <504DF29D.2050008@redhat.com>

On 08/09/2012 05:28 PM, KodaK wrote:
> I've kerberized a bunch of AIX machines, and I noticed when I was
> starting out that AIX allows people to connect that have expired
> passwords, and does not prompt for changes.
>
> 1) does anyone know what I need to do on AIX to make this happen (I
> don't hold out much hope for this.)
>
> 2) alternately, does anyone know what I'd have to do on Linux to
> change this behavior (maybe from that I can find something on AIX.)
>
> I plan on opening a ticket with IBM too, but I wanted to see if anyone
> has run into this before.
>
> Thanks!
>

Was this issue ever resolved?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Mon Sep 10 14:07:26 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 10 Sep 2012 10:07:26 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <20120910132051.GL28901@zeppelin.brq.redhat.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com> <504DE637.4010803@redhat.com> <20120910132051.GL28901@zeppelin.brq.redhat.com>
Message-ID: <1347286046.1150.7325.camel@willson.li.ssimo.org>

On Mon, 2012-09-10 at 15:20 +0200, Jakub Hrozek wrote:
> On Mon, Sep 10, 2012 at 09:08:07AM -0400, Rob Crittenden wrote:
[...]
> > SSSD controls the Kerberos locator. If SSSD isn't detecting that the
> > KDC is down then it is going to point the user to a non-working
> > server.
> >
> > rob
>
> The SSSD only creates the file used by the locator when the first auth
> request comes in through the SSSD (in the case of the IPA backend even an
> identity lookup would do because it's GSSAPI-encrypted).
>
> Bottom line, just logging in as root and performing kinit is not enough;
> kinit completely bypasses the SSSD and talks to the Kerberos server
> directly.

We have been discussing with Stephen about changing how the locator plugin works. Currently it is completely passive, i.e. it only reads a file and acts on it. We discussed making the locator plugin able to 'ping' sssd and ask it to refresh the status of the file.
However this is trickier than it sounds because we do not want to contact sssd every single time DNS resolution is needed, so we may have to put expiration timestamps or similar. We also need to properly back off if sssd is not responding and so on. Requires some careful design to avoid turning it into a worst case for every resolution instead of an annoyance only once in a while.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sbose at redhat.com Mon Sep 10 14:36:51 2012
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 10 Sep 2012 16:36:51 +0200
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <1347286046.1150.7325.camel@willson.li.ssimo.org>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com> <504DE637.4010803@redhat.com> <20120910132051.GL28901@zeppelin.brq.redhat.com> <1347286046.1150.7325.camel@willson.li.ssimo.org>
Message-ID: <20120910143651.GJ30746@localhost.localdomain>

On Mon, Sep 10, 2012 at 10:07:26AM -0400, Simo Sorce wrote:
> On Mon, 2012-09-10 at 15:20 +0200, Jakub Hrozek wrote:
> > On Mon, Sep 10, 2012 at 09:08:07AM -0400, Rob Crittenden wrote:
[...]
> > > >>>>> > > > >>>>>[root at zenoss ~]#more /etc/resolv.conf > > > >>>>>search mpls.local > > > >>>>>domain mpls.local > > > >>>>>nameserver 172.16.112.5 > > > >>>>>nameserver 172.16.112.8 > > > >>>>> > > > >>>>>[root at zenoss ~]# more /etc/krb5.conf > > > >>>>>#File modified by ipa-client-install > > > >>>>> > > > >>>>>[libdefaults] > > > >>>>> default_realm = MPLS.LOCAL > > > >>>>> dns_lookup_realm = true > > > >>>>> dns_lookup_kdc = true > > > >>>>> rdns = false > > > >>>>> ticket_lifetime = 24h > > > >>>>> forwardable = yes > > > >>>>> > > > >>>>>[realms] > > > >>>>> MPLS.LOCAL = { > > > >>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt > > > >>>>> } > > > >>>>> > > > >>>>>[domain_realm] > > > >>>>> .mpls.local = MPLS.LOCAL > > > >>>>> mpls.local = MPLS.LOCAL > > > >>>>> > > > >>>>>[root at ipaclient ~]# more /etc/resolv.conf > > > >>>>># Generated by NetworkManager > > > >>>>>search mpls.local > > > >>>>>nameserver 172.16.112.5 > > > >>>>>nameserver 172.16.112.8 > > > >>>>> > > > >>>>>[root at ipaclient ~]# more /etc/krb5.conf > > > >>>>>#File modified by ipa-client-install > > > >>>>> > > > >>>>>[libdefaults] > > > >>>>> default_realm = MPLS.LOCAL > > > >>>>> dns_lookup_realm = true > > > >>>>> dns_lookup_kdc = true > > > >>>>> rdns = false > > > >>>>> ticket_lifetime = 24h > > > >>>>> forwardable = yes > > > >>>>> > > > >>>>>[realms] > > > >>>>> MPLS.LOCAL = { > > > >>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt > > > >>>>> } > > > >>>>> > > > >>>>>[domain_realm] > > > >>>>> .mpls.local = MPLS.LOCAL > > > >>>>> mpls.local = MPLS.LOCAL > > > >>>>> > > > >>>>>[root at ipaclient ~]# nslookup ipaserver > > > >>>>>Server: 172.16.112.5 > > > >>>>>Address: 172.16.112.5#53 > > > >>>>> > > > >>>>>Name: ipaserver.mpls.local > > > >>>>>Address: 172.16.112.5 > > > >>>>> > > > >>>>>[root at ipaserver ~]#ifdown eth0 > > > >>>>> > > > >>>>>[root at ipaclient ~]# nslookup ipaserver > > > >>>>>Server: 172.16.112.8 > > > >>>>>Address: 172.16.112.8#53 > > > >>>>> > > > >>>>>Name: 
ipaserver.mpls.local > > > >>>>>Address: 172.16.112.5 > > > >>>>> > > > >>>>>[root at ipaclient ~]# nslookup ipaserver2 > > > >>>>>Server: 172.16.112.8 > > > >>>>>Address: 172.16.112.8#53 > > > >>>>> > > > >>>>>Name: ipaserver2.mpls.local > > > >>>>>Address: 172.16.112.8 > > > >>>>> > > > >>>>>Copy/paste from the DNS page on ipaserver/ipaserver2 > > > >>>>> > > > >>>>>@ NS ipaserver.mpls.local. > > > >>>>> NS ipaserver2.mpls.local. > > > >>>>>_kerberos TXT MPLS.LOCAL > > > >>>>>_kerberos-master._tcp SRV 0 100 88 ipaserver > > > >>>>> SRV 0 100 88 ipaserver2 > > > >>>>>_kerberos-master._udp SRV 0 100 88 ipaserver > > > >>>>> SRV 0 100 88 ipaserver2 > > > >>>>>_kerberos._tcp SRV 0 100 88 ipaserver > > > >>>>> SRV 0 100 88 ipaserver2 > > > >>>>>_kerberos._udp SRV 0 100 88 ipaserver > > > >>>>> SRV 0 100 88 ipaserver2 > > > >>>>>_kpasswd._tcp SRV 0 100 464 ipaserver > > > >>>>> SRV 0 100 464 ipaserver2 > > > >>>>>_kpasswd._udp SRV 0 100 464 ipaserver > > > >>>>> SRV 0 100 464 ipaserver2 > > > >>>>>_ldap._tcp SRV 0 100 389 ipaserver > > > >>>>> SRV 0 100 389 ipaserver2 > > > >>>>>_ntp._udp SRV 0 100 123 ipaserver > > > >>>>> SRV 0 100 123 ipaserver2 > > > >>>>>ipaclient A 172.16.112.9 > > > >>>>>ipaclient2 A 172.16.112.145 > > > >>>>>ipaserver A 172.16.112.5 > > > >>>>>ipaserver2 A 172.16.112.8 > > > >>>>>zenoss A 172.16.112.6 > > > >>>>> > > > >>>>>Thanks, > > > >>>>>Mike > > > >>>>> > > > >>>>I noticed that there is no domain line in the resolv.conf on the > > > >>>>client. > > > >>>>AFAIU in this case it would determine the domain by the gethostname and > > > >>>>in case of network being down it will fail over to the hosts file. > > > >>>>I wonder what is in your /etc/hosts? > > > >>>>Dose it have just a short host name? 
> > > >>> > > > >>>[root at ipaclient ~]# more /etc/hosts > > > >>>127.0.0.1 localhost.localdomain localhost > > > >>>::1 localhost6.localdomain6 localhost6 > > > >>> > > > >>> > > > >>>Add domain mpls.local to /etc/resolv.conf > > > >>> > > > >>>[root at ipaserver ~]#ifdown eth0 > > > >>> > > > >>>[root at ipaclient ~]# kinit mike > > > >>>kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting > > > >>>initial credentials > > > >>>[root at ipaclient ~]# nslookup ipaserver > > > >>>Server: 172.16.112.8 > > > >>>Address: 172.16.112.8#53 > > > >>> > > > >>>Name: ipaserver.mpls.local > > > >>>Address: 172.16.112.5 > > > >>> > > > >>>[root at ipaclient ~]# nslookup ipaserver2 > > > >>>Server: 172.16.112.8 > > > >>>Address: 172.16.112.8#53 > > > >>> > > > >>>Name: ipaserver2.mpls.local > > > >>>Address: 172.16.112.8 > > > >>> > > > >>>add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts > > > >>> > > > >>>[root at ipaserver ~]#ifup eth0 > > > >>> > > > >>>[root at ipaclient ~]# kinit mike > > > >>>Password for mike at MPLS.LOCAL: > > > >>> > > > >>>[root at ipaserver ~]#ifdown eth0 > > > >>> > > > >>>[root at ipaclient ~]# kinit mike > > > >>>kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting > > > >>>initial credentials > > > >>>[root at ipaclient ~]# nslookup -type=srv _kerberos-master._tcp > > > >>>Server: 172.16.112.8 > > > >>>Address: 172.16.112.8#53 > > > >>> > > > >>>_kerberos-master._tcp.mpls.local service = 0 100 88 > > > >>>ipaserver2.mpls.local. > > > >>>_kerberos-master._tcp.mpls.local service = 0 100 88 > > > >>>ipaserver.mpls.local. > > > >>> > > > >>>[root at ipaclient ~]# nslookup -type=srv _kerberos-master._udp > > > >>>Server: 172.16.112.5 > > > >>>Address: 172.16.112.5#53 > > > >>> > > > >>>_kerberos-master._udp.mpls.local service = 0 100 88 > > > >>>ipaserver.mpls.local. > > > >>>_kerberos-master._udp.mpls.local service = 0 100 88 > > > >>>ipaserver2.mpls.local. 
> > > >>> > > > >>> > > > >>>[root at ipaclient ~]# kinit mike > > > >>>kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting > > > >>>initial credentials > > > >>> > > > >>>[root at ipaserver ~]#ifup eth0 > > > >>> > > > >>>[root at ipaclient ~]# kinit mike > > > >>>Password for mike at MPLS.LOCAL: > > > >> > > > >>I'd start with the sssd logs. Is it seeing the main server go offline > > > >>and not switching to the second one? Or is it going into offline mode? > > > >> > > > >>Do you have _srv_ or both servers listed in ipa_server in > > > >>/etc/sssd/sssd.conf? > > > >> > > > >>rob > > > >> > > > >Rob, may be I am missing something but how SSSD is related in this case? > > > >The test is done using kinit not SSSD. > > > > > > > >It would actually be an interesting test to try the same via SSSD for > > > >example do su to mike instead of kinit and see what would happen (watch > > > >SSSD logs with high debug level, 8 for example). > > > >If that works it would probably mean that kinit does not fail over > > > >properly. So this would be a Kerberos kinit bug not IPA/SSSD bug. > > > > > > > > > > SSSD controls the Kerberos locator. If SSSD isn't detecting that the > > > KDC is down then it is going to point the user to a non-working > > > server. > > > > > > rob > > > > The SSSD only creates the file used by the locator when the first auth > > request comes in trough the SSSD (in the case of IPA backed even an > > identity lookup would do because it's GSSAPI-encrypted). > > > > Bottom line, just logging in as root and performing kinit is not enough, > > kinit completely bypasses the SSSD and talks to the Kerberos server > > directly. > > We have been discussing with Stephen about changing how the locator > plugin works. > Currently it is completely passive, ie it only reads a file and acts on > it. > > We discussed about making the locator plugin able to 'ping' sssd and > ask it to refresh the status of the file. 
> However this is trickier than it sounds because we do not want to > contact sssd every single time DNS resolution is needed, so we may have > to put expiration timestamps or similar. We also need to properly back > off if sssd is not responding and so on. What about defining a task in the SSSD krb5 provider instead of pinging it from the locator plugin. The task can run at a configurable interval or never and checks if the current KDC is available. If not it tries the next until it goes offline if no reachable KDC can be found and updates or deletes the info file for the locator plugin.. This leave us with the question how to ping a KDC properly, but this we have to find out for either case. bye, Sumit > > Requires some careful design to avoid turning it into a worst case for > every resolution instead of an annoyances only once in a while. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From rcritten at redhat.com Mon Sep 10 15:02:44 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 10 Sep 2012 11:02:44 -0400 Subject: [Freeipa-users] Announcing FreeIPA v3.0.0 beta 3 Message-ID: <504E0114.9090901@redhat.com> The FreeIPA team is proud to announce version FreeIPA v3.0.0 beta 3. It can be downloaded from http://www.freeipa.org/page/Downloads. A build is available only for Fedora 17 via the freeipa-devel repo on www.freeipa.org: http://freeipa.org/downloads/freeipa-devel.repo . To install in Fedora 17 the updates repo repository needs to be enabled as well. For additional information see the AD Trust design page http://freeipa.org/page/IPAv3_AD_trust and the AD Trust testing page http://freeipa.org/page/IPAv3_testing_AD_trust. == Highlights since 3.0.0 beta 2 == * Cooperate with new 389-ds-base winsync POSIX plugin so that AD POSIX attribute can be synced with IPA. 
* Improvements to schema upgrade process.
* Prevent last admin from being disabled.
* Exclude some attributes from replication.
* Notify success on add, delete and update in UI.
* Set the e-mail attribute on new users by default.
* Rename range commands to idrange.
* Improvements to idrange command-line.
* SSH public key format has been changed to OpenSSH-style public keys.

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The
server does not need to be shut down in advance.

If you have multiple servers you may upgrade them one at a time. It is
expected that all servers will be upgraded in a relatively short period
(days or weeks, not months). They should be able to co-exist peacefully
but new features will not be available on old servers and enrolling a
new client against an old server will result in the SSH keys not being
uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 should work but has not been fully tested. Proceed
with caution.

An enrolled client does not need the new packages installed unless you
want to re-enroll it. SSH keys for already installed clients are not
uploaded; you will have to re-enroll the client or manually upload the
keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel
mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel

== Detailed changelog ==

Alexander Bokovoy (4):
* Recover from invalid cached kerberos credentials in ipasam
* Fix ipasam ipaNThash magic regen to actually fetch updated password
* Add ACI to allow regenerating ipaNTHash from ipasam
* Ask for admin password in ipa-adtrust-install

Jan Cholasta (1):
* Use OpenSSH-style public keys as the preferred format of SSH public keys.

John Dennis (4):
* DN objects hash differently depending on case
* ipactl exception not handled well
* ipa user-find --manager does not find matches
* prevent last admin from being disabled

Martin Kosek (12):
* Read DM password from option in external CA install
* Fix client-only build
* Fix managedBy label for DNS zone
* Update Contributors.txt file
* Make replica install more robust
* Add safe updates for objectClasses
* Allow localhost in zone ACIs
* Transfer long numbers over XMLRPC
* Fix DNS SOA serial parameters boundaries
* Add range safety check for range_mod and range_del
* Update DNS zone allow-query validation test
* Cast DNS SOA serial maximum boundary to long

Petr Viktorin (3):
* Internationalization for public errors
* Run ntpdate in verbose mode, not debug (i.e. no-op) mode
* Add nsds5ReplicaStripAttrs to replica agreements

Petr Vobornik (15):
* Range Web UI
* Revert change causing failure in test automation
* Fix issue which broke setup of Web UI unit tests
* Successful action notification
* Password policy paging with proper sorting
* Fixed search in HBAC test
* Permissions: select only applicable options on type change
* Notify success on add, delete and update
* Fixed metadata serialization of Numbers and DNs
* Added decimal checks to metadata validator
* Generated metadata for testing updated
* Fixed problem while deleting entry with unsaved changes
* Allow localhost in zone ACIs - Web UI
* Update of confirmation of actions
* Reflect API change of SSH store in Web UI

Rob Crittenden (8):
* Don't generate password history error if history is set to 0.
* Restrict the SELinux user map user MLS value to 0-1023
* Support the new Winsync POSIX API.
* Set minimum of 389-ds-base to 1.2.11.8 to pick up cache warning.
* Add version to replica prepare file, prevent installing to older version
* Set the e-mail attribute using the default domain name by default
* Fix some restart script issues found with certificate renewal.
* Become IPA v3 beta 3 (3.0.0.pre3)

Sumit Bose (27):
* Use libsamba-security instead of libsecurity
* ipadb_iterate(): handle match_entry == NULL
* ipasam: cleanup explicit dependencies to samba libs
* Make encode_ntlm_keys() public
* ipasam: remove nt_lm_owf_gen() and dependency to libcliauth.so
* ipasam: remove sid_peek_rid()
* ipasam: replace strnequal()
* ipasam: remove strlower_m()
* ipasam: remove talloc_asprintf_strupper_m()
* ipasam: replace sid_copy()
* ipasam: replace sid_compose()
* ipasam: Replace is_null_sid()
* ipasam: Replace dom_sid_compare_domain()
* ipasam: Replace sid_check_is_our_sam()
* ipasam: Replace sid_peek_check_rid()
* ipasam: Replace global_sid_Builtin
* ipasam: add libsss_idmap context and replace string_to_sid()
* ipasam: replace get_global_sam_sid()
* ipasam: remove fetch_ldap_pw()
* ipasam: replace trim_char() with trim_string()
* Rename range CLI to idrange
* IDRange CLI: allow to work without arguments
* IDRange CLI: Add documentation
* Do not create trust if murmur hash is not available and base-id not given
* Trust CLI: Return more details when searching trusts
* Trust CLI: return more details of added trust
* Trust CLI: mark trust-mod for future use

Tomas Babej (5):
* Adds dependency on samba4-winbind.
* Improves deletion of PTR records in ipa host-del
* Fixes different behaviour of permission-mod and show.
* Change slapi_mods_init in ipa_winsync_pre_ad_mod_user_mods_cb
* Sort policies numerically in pwpolicy-find

From simo at redhat.com Mon Sep 10 15:09:03 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 10 Sep 2012 11:09:03 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <20120910143651.GJ30746@localhost.localdomain>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com>
 <504A1D65.40500@redhat.com>
 <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com>
 <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com>
 <504B5E46.1020002@redhat.com> <504DE637.4010803@redhat.com>
 <20120910132051.GL28901@zeppelin.brq.redhat.com>
 <1347286046.1150.7325.camel@willson.li.ssimo.org>
 <20120910143651.GJ30746@localhost.localdomain>
Message-ID: <1347289743.1150.7389.camel@willson.li.ssimo.org>

On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote:
> What about defining a task in the SSSD krb5 provider instead of pinging
> it from the locator plugin. The task can run at a configurable interval
> or never and checks if the current KDC is available. If not it tries the
> next until it goes offline if no reachable KDC can be found and updates
> or deletes the info file for the locator plugin.
> 
> This leaves us with the question of how to ping a KDC properly, but this
> we have to find out for either case.
> 

I am not a fan of generating load for the KDC unnecessarily.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Sep 10 15:11:06 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Sep 2012 11:11:06 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <1347289743.1150.7389.camel@willson.li.ssimo.org>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com>
 <504A1D65.40500@redhat.com>
 <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com>
 <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com>
 <504B5E46.1020002@redhat.com> <504DE637.4010803@redhat.com>
 <20120910132051.GL28901@zeppelin.brq.redhat.com>
 <1347286046.1150.7325.camel@willson.li.ssimo.org>
 <20120910143651.GJ30746@localhost.localdomain>
 <1347289743.1150.7389.camel@willson.li.ssimo.org>
Message-ID: <504E030A.7000503@redhat.com>

Simo Sorce wrote:
> On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote:
>> What about defining a task in the SSSD krb5 provider instead of pinging
>> it from the locator plugin. The task can run at a configurable interval
>> or never and checks if the current KDC is available. If not it tries the
>> next until it goes offline if no reachable KDC can be found and updates
>> or deletes the info file for the locator plugin.
>>
>> This leaves us with the question of how to ping a KDC properly, but this
>> we have to find out for either case.
>>
> I am not a fan of generating load for the KDC unnecessarily.
>
> Simo.
>

I tend to agree, but this can be a real pain to debug because depending
on the current state of sssd you have to either check krb5.conf or the
sssd locator to see what KDC is configured.

rob

From simo at redhat.com Mon Sep 10 15:43:16 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 10 Sep 2012 11:43:16 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <504E030A.7000503@redhat.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com>
 <504A1D65.40500@redhat.com>
 <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com>
 <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com>
 <504B5E46.1020002@redhat.com> <504DE637.4010803@redhat.com>
 <20120910132051.GL28901@zeppelin.brq.redhat.com>
 <1347286046.1150.7325.camel@willson.li.ssimo.org>
 <20120910143651.GJ30746@localhost.localdomain>
 <1347289743.1150.7389.camel@willson.li.ssimo.org>
 <504E030A.7000503@redhat.com>
Message-ID: <1347291796.1150.7427.camel@willson.li.ssimo.org>

On Mon, 2012-09-10 at 11:11 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote:
> >> What about defining a task in the SSSD krb5 provider instead of pinging
> >> it from the locator plugin. The task can run at a configurable interval
> >> or never and checks if the current KDC is available. If not it tries the
> >> next until it goes offline if no reachable KDC can be found and updates
> >> or deletes the info file for the locator plugin.
> >>
> >> This leaves us with the question of how to ping a KDC properly, but this
> >> we have to find out for either case.
> >>
> > I am not a fan of generating load for the KDC unnecessarily.
> >
> > Simo.
> >
> 
> I tend to agree, but this can be a real pain to debug because depending
> on the current state of sssd you have to either check krb5.conf or the
> sssd locator to see what KDC is configured.

[moving to freeipa-devel]

Yes, but the solution is to do on-demand requests when something doesn't
work. Because otherwise you still get the odd failure.

Assume you check in 5 min intervals, and the KDC goes off 1 sec after
the check: for 5 minutes you still have a wrong KDC in the locator and
still get failures.

So you loaded the KDC with ~300 requests per day per client, and you
still have high odds that on failure your locator file will still be
'wrong'.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Mon Sep 10 19:59:14 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 10 Sep 2012 21:59:14 +0200
Subject: [Freeipa-users] Adding indexes for the automounter - odd results
Message-ID: <504E4692.4090408@nixtra.com>

Hi,

I added indexes for automountKey and automountmapname yesterday in my
test environment to see if that would speed the automounters up a bit,
and now the automounters do not always work. They manage to look up the
map, but not the keys in the map.

Restarting the automounter sometimes works for some maps, but then the
other maps stop working.

Below is an example from the messages file when doing "ls /prog".

Sep 10 19:55:22 mordor automount[3041]: lookup_mount: lookup(ldap): looking up nagios
Sep 10 19:55:22 mordor automount[3041]: find_dc_server: trying server uri ldap://ipa01.ix.test.com:389
Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385.
Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385.
Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded
Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): autofs_sasl_bind returned 0
Sep 10 19:55:22 mordor automount[3041]: connected to uri ldap://ipa01.ix.test.com:389
Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com"
Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): getting first entry for automountKey="nagios"
Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): got answer, but no entry for (&(objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A)))
Sep 10 19:55:22 mordor automount[3041]: dev_ioctl_send_fail: token = 798
Sep 10 19:55:22 mordor automount[3041]: failed to mount /prog/nagios
Sep 10 19:55:22 mordor automount[3041]: handle_packet: type = 3
Sep 10 19:55:22 mordor automount[3041]: handle_packet_missing_indirect: token 799, name os, request pid 3233


All folders return like this:

ls: cannot access /prog/nagios: No such file or directory


The 389-ds access log looks like this:

[10/Sep/2012:19:59:47 +0200] conn=1821 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2012:19:59:47 +0200] conn=1821 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com"
[10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base="automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com" scope=2 filter="(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))" attrs="automountKey automountInformation"
[10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND
[10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1


Running the query manually returns:

~$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com '(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))'
SASL/GSSAPI authentication started
SASL username: user@IX.TEST.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com> with scope subtree
# filter: (&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1


Running this search without any filter returns:

$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com

# utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils, auto_prog, svg1, automount, ix.test.com
dn: description=utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils,automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com
description: utils -vers=3,sec=sys filer01:/volumes/p00/prog/utils
automountInformation: -vers=3,sec=sys filer01:/volumes/p00/prog/utils
automountKey: utils
objectClass: automount
objectClass: top


The two indexes I created are these:

# automountkey, index, userRoot, ldbm database, plugins, config
dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: automountkey
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq

# automountmapname, index, userRoot, ldbm database, plugins, config
dn: cn=automountmapname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: automountmapname
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq

And then I ran these commands:

# /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountmapname:eq -v
# /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountkey:eq -v

What is going on?

Regards,
Siggi

From sigbjorn at nixtra.com Mon Sep 10 20:06:38 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 10 Sep 2012 22:06:38 +0200
Subject: [Freeipa-users] KRB5 keytab not always created or updated on RHEL 5
Message-ID: <504E484E.3080605@nixtra.com>

Hi,

We are using pam_ldap + pam_krb5 on our RHEL 5 workstations.

Sometimes when the user logs in, or unlocks his workstation, the user's
Kerberos keytab is not created or updated. Often, just locking the
screen with the screensaver and unlocking again creates or updates the
keytab file.

I've had a look at /var/log/secure without getting any smarter.

Does anyone have a suggestion as to what might be going on here?

Regards,
Siggi

From rmeggins at redhat.com Mon Sep 10 20:36:55 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 10 Sep 2012 14:36:55 -0600
Subject: [Freeipa-users] Adding indexes for the automounter - odd results
In-Reply-To: <504E4692.4090408@nixtra.com>
References: <504E4692.4090408@nixtra.com>
Message-ID: <504E4F67.9090504@redhat.com>

On 09/10/2012 01:59 PM, Sigbjorn Lie wrote:
> Hi,
>
> I added indexes for automountKey and automountmapname yesterday in
> my test environment to see if that would speed the automounters up a
> bit, and now the automounters do not always work. They manage to
> look up the map, but not the keys in the map.
>
> Restarting the automounter sometimes works for some maps, but then the
> other maps stop working.
>
> Below is an example from the messages file when doing "ls /prog".
>
> Sep 10 19:55:22 mordor automount[3041]: lookup_mount: lookup(ldap): looking up nagios
> Sep 10 19:55:22 mordor automount[3041]: find_dc_server: trying server uri ldap://ipa01.ix.test.com:389
> Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
> Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
> Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385.
> Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385.
> Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded
> Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): autofs_sasl_bind returned 0
> Sep 10 19:55:22 mordor automount[3041]: connected to uri ldap://ipa01.ix.test.com:389
> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com"
> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): getting first entry for automountKey="nagios"
> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): got answer, but no entry for (&(objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A)))
> Sep 10 19:55:22 mordor automount[3041]: dev_ioctl_send_fail: token = 798
> Sep 10 19:55:22 mordor automount[3041]: failed to mount /prog/nagios
> Sep 10 19:55:22 mordor automount[3041]: handle_packet: type = 3
> Sep 10 19:55:22 mordor automount[3041]: handle_packet_missing_indirect: token 799, name os, request pid 3233
>
> All folders return like this:
>
> ls: cannot access /prog/nagios: No such file or directory
>
> The 389-ds access log looks like this:
>
> [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com"
> [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base="automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com" scope=2 filter="(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))" attrs="automountKey automountInformation"
> [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0
> [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND
> [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1
>
> Running the query manually returns:
>
> ~$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com '(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))'
>
> SASL/GSSAPI authentication started
> SASL username: user at IX.TEST.COM
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 1
>
> Running this search without any filter returns:
> $ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com
>
> # utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils, auto_prog, svg1, automount, ix.test.com
> dn: description=utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils,automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com
> description: utils -vers=3,sec=sys filer01:/volumes/p00/prog/utils
> automountInformation: -vers=3,sec=sys filer01:/volumes/p00/prog/utils
> automountKey: utils
> objectClass: automount
> objectClass: top
>
> The two indexes I created are these:
>
> # automountkey, index, userRoot, ldbm database, plugins, config
> dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> cn: automountkey
> objectClass: top
> objectClass: nsIndex
> nsSystemIndex: false
> nsIndexType: eq
>
> # automountmapname, index, userRoot, ldbm database, plugins, config
> dn: cn=automountmapname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> cn: automountmapname
> objectClass: top
> objectClass: nsIndex
> nsSystemIndex: false
> nsIndexType: eq
>
> And then I ran these commands:
> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountmapname:eq -v
> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountkey:eq -v
>
> What is going on?
ls -al /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot
dbscan -f /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot/automountmapname.db*
dbscan -f /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot/automountkey.db*

>
> Regards,
> Siggi
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From sigbjorn at nixtra.com Mon Sep 10 21:01:52 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 10 Sep 2012 23:01:52 +0200
Subject: [Freeipa-users] Adding indexes for the automounter - odd results
In-Reply-To: <504E4F67.9090504@redhat.com>
References: <504E4692.4090408@nixtra.com> <504E4F67.9090504@redhat.com>
Message-ID: <504E5540.3010300@nixtra.com>

On 09/10/2012 10:36 PM, Rich Megginson wrote:
> On 09/10/2012 01:59 PM, Sigbjorn Lie wrote:
>> Hi,
>>
>> I added indexes for automountKey, and automountmapname yesterday in my test environment to see if that would speed the automounters up a bit, and now the automounters do not always work. They manage to look up the map, but not the keys in the map.
>>
>> Restarting the automounter sometimes works for some maps, but then the other maps stop working.
>>
>> Below is an example from the messages file when doing "ls /prog."
>>
>> Sep 10 19:55:22 mordor automount[3041]: lookup_mount: lookup(ldap): looking up nagios
>> Sep 10 19:55:22 mordor automount[3041]: find_dc_server: trying server uri ldap://ipa01.ix.test.com:389
>> Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
>> Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
>> Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385.
>> Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385.
>> Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded
>> Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): autofs_sasl_bind returned 0
>> Sep 10 19:55:22 mordor automount[3041]: connected to uri ldap://ipa01.ix.test.com:389
>> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com"
>> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): getting first entry for automountKey="nagios"
>> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): got answer, but no entry for (&(objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A)))
>> Sep 10 19:55:22 mordor automount[3041]: dev_ioctl_send_fail: token = 798
>> Sep 10 19:55:22 mordor automount[3041]: failed to mount /prog/nagios
>> Sep 10 19:55:22 mordor automount[3041]: handle_packet: type = 3
>> Sep 10 19:55:22 mordor automount[3041]: handle_packet_missing_indirect: token 799, name os, request pid 3233
>>
>> All folders return like this:
>>
>> ls: cannot access /prog/nagios: No such file or directory
>>
>> The 389-ds access log looks like this:
>>
>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com"
>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base="automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com" scope=2 filter="(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))" attrs="automountKey automountInformation"
>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0
>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND
>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1
>>
>> Running the query manually returns:
>>
>> ~$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com '(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))'
>>
>> SASL/GSSAPI authentication started
>> SASL username: user at IX.TEST.COM
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 4
>> result: 0 Success
>>
>> # numResponses: 1
>>
>> Running this search without any filter returns:
>> $ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com
>>
>> # utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils, auto_prog, svg1, automount, ix.test.com
>> dn: description=utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils,automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com
>> description: utils -vers=3,sec=sys filer01:/volumes/p00/prog/utils
>> automountInformation: -vers=3,sec=sys filer01:/volumes/p00/prog/utils
>> automountKey: utils
>> objectClass: automount
>> objectClass: top
>>
>> The two indexes I created are these:
>>
>> # automountkey, index, userRoot, ldbm database, plugins, config
>> dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>> cn: automountkey
>> objectClass: top
>> objectClass: nsIndex
>> nsSystemIndex: false
>> nsIndexType: eq
>>
>> # automountmapname, index, userRoot, ldbm database, plugins, config
>> dn: cn=automountmapname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>> cn: automountmapname
>> objectClass: top
>> objectClass: nsIndex
>> nsSystemIndex: false
>> nsIndexType: eq
>>
>> And then I ran these commands:
>> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountmapname:eq -v
>> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountkey:eq -v
>>
>> What is going on?
> ls -al /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot
> dbscan -f /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot/automountmapname.db*
> dbscan -f /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot/automountkey.db*

I just ran these commands before you sent your email:

# /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountmapname -v
# /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountkey -v

But only on one IPA server. This might explain why the automounter was working every now and then, as I am using the SRV records for the automounter to discover the LDAP server hostname.

The commands you sent show everything as being OK now.

ls -al /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot
-rw------- 1 dirsrv dirsrv 16384 Sep 10 21:57 automountkey.db4
-rw------- 1 dirsrv dirsrv 16384 Sep  9 22:07 automountmapname.db4

The dbscan commands list all the automount maps and keys as:

=auto.direct
=auto.master

and:

=utils

Did an error occur when I initially created the indexes? Was it incorrect to specify ":eq"?
Regards,
Siggi

From Steven.Jones at vuw.ac.nz Mon Sep 10 21:16:17 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 10 Sep 2012 21:16:17 +0000
Subject: [Freeipa-users] slow ssh
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CDB7DD4@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Not sure if this is an IPA issue, but I'm finding ssh takes a long time to login. It looks like ssh is querying IPA for authentication mechanisms? If so, can I simply turn this off, and if so how?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From rmeggins at redhat.com Mon Sep 10 21:27:44 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 10 Sep 2012 15:27:44 -0600
Subject: [Freeipa-users] Adding indexes for the automounter - odd results
In-Reply-To: <504E5540.3010300@nixtra.com>
References: <504E4692.4090408@nixtra.com> <504E4F67.9090504@redhat.com> <504E5540.3010300@nixtra.com>
Message-ID: <504E5B50.6070607@redhat.com>

On 09/10/2012 03:01 PM, Sigbjorn Lie wrote:
> On 09/10/2012 10:36 PM, Rich Megginson wrote:
>> On 09/10/2012 01:59 PM, Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> I added indexes for automountKey, and automountmapname yesterday in my test environment to see if that would speed the automounters up a bit, and now the automounters do not always work. They manage to look up the map, but not the keys in the map.
>>>
>>> Restarting the automounter sometimes works for some maps, but then the other maps stop working.
>>>
>>> Below is an example from the messages file when doing "ls /prog."
>>>
>>> Sep 10 19:55:22 mordor automount[3041]: lookup_mount: lookup(ldap): looking up nagios
>>> Sep 10 19:55:22 mordor automount[3041]: find_dc_server: trying server uri ldap://ipa01.ix.test.com:389
>>> Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
>>> Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
>>> Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385.
>>> Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385.
>>> Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded
>>> Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): autofs_sasl_bind returned 0
>>> Sep 10 19:55:22 mordor automount[3041]: connected to uri ldap://ipa01.ix.test.com:389
>>> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com"
>>> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): getting first entry for automountKey="nagios"
>>> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): got answer, but no entry for (&(objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A)))
>>> Sep 10 19:55:22 mordor automount[3041]: dev_ioctl_send_fail: token = 798
>>> Sep 10 19:55:22 mordor automount[3041]: failed to mount /prog/nagios
>>> Sep 10 19:55:22 mordor automount[3041]: handle_packet: type = 3
>>> Sep 10 19:55:22 mordor automount[3041]: handle_packet_missing_indirect: token 799, name os, request pid 3233
>>>
>>> All folders return like this:
>>>
>>> ls: cannot access /prog/nagios: No such file or directory
>>>
>>> The 389-ds access log looks like this:
>>>
>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com"
>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base="automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com" scope=2 filter="(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))" attrs="automountKey automountInformation"
>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0
>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND
>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1
>>>
>>> Running the query manually returns:
>>>
>>> ~$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com '(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))'
>>>
>>> SASL/GSSAPI authentication started
>>> SASL username: user at IX.TEST.COM
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: (&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 4
>>> result: 0 Success
>>>
>>> # numResponses: 1
>>>
>>> Running this search without any filter returns:
>>> $ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com
>>>
>>> # utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils, auto_prog, svg1, automount, ix.test.com
>>> dn: description=utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils,automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com
>>> description: utils -vers=3,sec=sys filer01:/volumes/p00/prog/utils
>>> automountInformation: -vers=3,sec=sys filer01:/volumes/p00/prog/utils
>>> automountKey: utils
>>> objectClass: automount
>>> objectClass: top
>>>
>>> The two indexes I created are these:
>>>
>>> # automountkey, index, userRoot, ldbm database, plugins, config
>>> dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>> cn: automountkey
>>> objectClass: top
>>> objectClass: nsIndex
>>> nsSystemIndex: false
>>> nsIndexType: eq
>>>
>>> # automountmapname, index, userRoot, ldbm database, plugins, config
>>> dn: cn=automountmapname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>> cn: automountmapname
>>> objectClass: top
>>> objectClass: nsIndex
>>> nsSystemIndex: false
>>> nsIndexType: eq
>>>
>>> And then I ran these commands:
>>> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountmapname:eq -v
>>> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountkey:eq -v
>>>
>>> What is going on?
>> ls -al /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot
>> dbscan -f /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot/automountmapname.db*
>> dbscan -f /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot/automountkey.db*
>
> I just ran these commands before you sent your email:
> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountmapname -v
> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountkey -v
>
> But only on one IPA server. This might explain why the automounter was working every now and then, as I am using the SRV records for the automounter to discover the LDAP server hostname.
>
> The commands you sent show everything as being OK now.
> ls -al /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot
> -rw------- 1 dirsrv dirsrv 16384 Sep 10 21:57 automountkey.db4
> -rw------- 1 dirsrv dirsrv 16384 Sep  9 22:07 automountmapname.db4
>
> The dbscan commands list all the automount maps and keys as:
>
> =auto.direct
> =auto.master
>
> and:
>
> =utils
>
> Did an error occur when I initially created the indexes? Was it incorrect to specify ":eq"?

Looks like there is a bug in db2index_add_indexed_attr - it should split the comma delimited list of index types after the ":" into separate values of the nsIndexType attribute.

If you don't specify the ":type,type" then it uses the defaults that you have configured.

>
> Regards,
> Siggi
>

From dpal at redhat.com Mon Sep 10 22:07:57 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 10 Sep 2012 18:07:57 -0400
Subject: [Freeipa-users] Do you use logrotate?
Message-ID: <504E64BD.30705@redhat.com>

Hello,

Does anyone use logrotate? If so, can you share your configuration and recommendations with us?

Is there anything that one should make sure of while using logrotate with IPA? For example, if the ownership of the log files changes due to a wrong logrotate configuration, the dirsrv might not start.
Have you seen something like this? Have you seen something else that would be valuable for others to consider when configuring logrotate with IPA?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Sep 10 22:11:13 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Sep 2012 18:11:13 -0400
Subject: [Freeipa-users] slow ssh
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CDB7DD4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CDB7DD4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <504E6581.4090705@redhat.com>

Steven Jones wrote:
> Hi,
>
> Not sure if this is an IPA issue, but I'm finding ssh takes a long time to login. It looks like ssh is querying IPA for authentication mechanisms? If so, can I simply turn this off, and if so how?

Run in verbose mode to see what it's doing, ssh -vv. It may be trying several auth mechanisms which can be slow.

rob

From jreg2k at gmail.com Mon Sep 10 22:12:31 2012
From: jreg2k at gmail.com (James James)
Date: Tue, 11 Sep 2012 00:12:31 +0200
Subject: [Freeipa-users] Question about migration and scripts variables
In-Reply-To: <50323413.4090906@redhat.com>
References: <50323413.4090906@redhat.com>
Message-ID:

Back from holidays...

I have just tried "--user-ignore-attribute=uidnumber,gidnumber"; the server says that the posixAccount attribute requires uid and gid number.

I will find another solution to solve my problem.

James

2012/8/20 Rob Crittenden

> James James wrote:
>
>> Hi,
>>
>> my first question is about the migrate process. Is it possible to renumber the users during the migrate process (ipa migrate-ds) in a way that all imported users will have a new UID?
>
> I haven't tested this but you might try --user-ignore-attribute=uidnumber,gidnumber.
>
>> my second question is about ipalib.
>> I wanted to make a hook on the user creation. The hook works fine. I just want to know if there is a way to have the value of variables like the username, the name of the creator, the e-mail of the creator and stuff like that.
>
> The current user is available via: principal = getattr(context, 'principal')
>
> Using this you can look up that user:
>
> (binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
>
> rob

From sakodak at gmail.com Mon Sep 10 22:12:44 2012
From: sakodak at gmail.com (KodaK)
Date: Mon, 10 Sep 2012 17:12:44 -0500
Subject: [Freeipa-users] slow ssh
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CDB7DD4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CDB7DD4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

On Mon, Sep 10, 2012 at 4:16 PM, Steven Jones wrote:
> Hi,
>
> Not sure if this is an IPA issue, but I'm finding ssh takes a long time to login. It looks like ssh is querying IPA for authentication mechanisms? If so, can I simply turn this off, and if so how?

"Slow" SSH is (in my experience, anyway) usually a DNS problem. Are you using IPA for DNS, or external? Either way, is reverse DNS working?

I had an issue recently with users complaining about slow logins, but it turned out that bind on my primary IPA box died (I have no idea how.) Since resolv.conf goes in order, it would hit the primary, time out, then fail over to the other DNS servers. Once I restarted bind everything was fine again. I'm still investigating what happened, but there's only so much time in a day.

As for auth mechanisms -- those are defined in your sshd_config, but why would you want to turn that off? That's the whole point of IPA. I'm probably misunderstanding something, though. :)

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From dpal at redhat.com Mon Sep 10 22:12:58 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 10 Sep 2012 18:12:58 -0400
Subject: [Freeipa-users] slow ssh
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CDB7DD4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CDB7DD4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <504E65EA.60901@redhat.com>

On 09/10/2012 05:16 PM, Steven Jones wrote:
> Hi,
>
> Not sure if this is an IPA issue, but I'm finding ssh takes a long time to login. It looks like ssh is querying IPA for authentication mechanisms? If so, can I simply turn this off, and if so how?
>
Is it the problem on the SSH client or on the SSH server? Can you provide ssh configuration file(s) and sssd.conf? What version do you use (ssh and sssd)? Could it be that you tried the tech preview ipa-client SSH integration feature when you installed ipa-client?

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Sep 10 22:16:10 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 10 Sep 2012 18:16:10 -0400
Subject: [Freeipa-users] Adding indexes for the automounter - odd results
In-Reply-To: <504E5B50.6070607@redhat.com>
References: <504E4692.4090408@nixtra.com> <504E4F67.9090504@redhat.com> <504E5540.3010300@nixtra.com> <504E5B50.6070607@redhat.com>
Message-ID: <504E66AA.3080002@redhat.com>

On 09/10/2012 05:27 PM, Rich Megginson wrote:
> On 09/10/2012 03:01 PM, Sigbjorn Lie wrote:
>> On 09/10/2012 10:36 PM, Rich Megginson wrote:
>>> On 09/10/2012 01:59 PM, Sigbjorn Lie wrote:
>>>> Hi,
>>>>
>>>> I added indexes for automountKey, and automountmapname yesterday in my test environment to see if that would speed the automounters up a bit, and now the automounters do not always work. They manage to look up the map, but not the keys in the map.
>>>>
>>>> Restarting the automounter sometimes works for some maps, but then the other maps stop working.
>>>>
>>>> Below is an example from the messages file when doing "ls /prog."
>>>>
>>>> Sep 10 19:55:22 mordor automount[3041]: lookup_mount: lookup(ldap): looking up nagios
>>>> Sep 10 19:55:22 mordor automount[3041]: find_dc_server: trying server uri ldap://ipa01.ix.test.com:389
>>>> Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
>>>> Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
>>>> Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385.
>>>> Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385.
>>>> Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded
>>>> Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): autofs_sasl_bind returned 0
>>>> Sep 10 19:55:22 mordor automount[3041]: connected to uri ldap://ipa01.ix.test.com:389
>>>> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com"
>>>> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): getting first entry for automountKey="nagios"
>>>> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): got answer, but no entry for (&(objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A)))
>>>> Sep 10 19:55:22 mordor automount[3041]: dev_ioctl_send_fail: token = 798
>>>> Sep 10 19:55:22 mordor automount[3041]: failed to mount /prog/nagios
>>>> Sep 10 19:55:22 mordor automount[3041]: handle_packet: type = 3
>>>> Sep 10 19:55:22 mordor automount[3041]: handle_packet_missing_indirect: token 799, name os, request pid 3233
>>>>
>>>> All folders return like this:
>>>>
>>>> ls: cannot access /prog/nagios: No such file or directory
>>>>
>>>> The 389-ds access log looks like this:
>>>>
>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com"
>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base="automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com" scope=2 filter="(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))" attrs="automountKey automountInformation"
>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0
>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND
>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1
>>>>
>>>> Running the query manually returns:
>>>>
>>>> ~$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com '(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))'
>>>>
>>>> SASL/GSSAPI authentication started
>>>> SASL username: user at IX.TEST.COM
>>>> SASL SSF: 56
>>>> SASL data security layer installed.
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base with scope subtree
>>>> # filter: (&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # search result
>>>> search: 4
>>>> result: 0 Success
>>>>
>>>> # numResponses: 1
>>>>
>>>> Running this search without any filter returns:
>>>> $ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com
>>>>
>>>> # utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils, auto_prog, svg1, automount, ix.test.com
>>>> dn: description=utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils,automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com
>>>> description: utils -vers=3,sec=sys filer01:/volumes/p00/prog/utils
>>>> automountInformation: -vers=3,sec=sys filer01:/volumes/p00/prog/utils
>>>> automountKey: utils
>>>> objectClass: automount
>>>> objectClass: top
>>>>
>>>> The two indexes I created are these:
>>>>
>>>> # automountkey, index, userRoot, ldbm database, plugins, config
>>>> dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>> cn: automountkey
>>>> objectClass: top
>>>> objectClass: nsIndex
>>>> nsSystemIndex: false
>>>> nsIndexType: eq
>>>>
>>>> # automountmapname, index, userRoot, ldbm database, plugins, config
>>>> dn: cn=automountmapname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>> cn: automountmapname
>>>> objectClass: top
>>>> objectClass: nsIndex
>>>> nsSystemIndex: false
>>>> nsIndexType: eq
>>>>
>>>> And then I ran these commands:
>>>> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountmapname:eq -v
>>>> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountkey:eq -v
>>>>
>>>> What is going on?
>>> ls -al /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot
>>> dbscan -f /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot/automountmapname.db*
>>> dbscan -f /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot/automountkey.db*
>>
>> I just ran these commands before you sent your email:
>> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountmapname -v
>> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountkey -v
>>
>> But only on one IPA server. This might explain why the automounter was working every now and then, as I am using the SRV records for the automounter to discover the LDAP server hostname.
>>
>> The commands you sent show everything as being OK now.
>> ls -al /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot
>> -rw------- 1 dirsrv dirsrv 16384 Sep 10 21:57 automountkey.db4
>> -rw------- 1 dirsrv dirsrv 16384 Sep  9 22:07 automountmapname.db4
>>
>> The dbscan commands list all the automount maps and keys as:
>>
>> =auto.direct
>> =auto.master
>>
>> and:
>>
>> =utils
>>
>> Did an error occur when I initially created the indexes?
>> Was it incorrect to specify ":eq"?
> Looks like there is a bug in db2index_add_indexed_attr - it should split the comma delimited list of index types after the ":" into separate values of the nsIndexType attribute.
>
> If you don't specify the ":type,type" then it uses the defaults that you have configured.

Rich, should we raise a DS ticket here?

>>
>> Regards,
>> Siggi
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From david at bjorkevik.se Mon Sep 10 22:16:09 2012
From: david at bjorkevik.se (David Björkevik)
Date: Tue, 11 Sep 2012 00:16:09 +0200
Subject: [Freeipa-users] slow ssh
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CDB7DD4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CDB7DD4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <504E66A9.4070401@bjorkevik.se>

[email re-sent to list]

Hi Steven,

Try

ssh -o GSSAPIAuthentication=no your.host.name

If that doesn't change anything, try adding -v to the command line and see where the delay is happening.

/David

On 2012-09-10 23:16, Steven Jones wrote:
> Hi,
>
> Not sure if this is an IPA issue, but I'm finding ssh takes a long time to login. It looks like ssh is querying IPA for authentication mechanisms? If so, can I simply turn this off, and if so how?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>


From jreg2k at gmail.com Mon Sep 10 22:18:52 2012
From: jreg2k at gmail.com (James James)
Date: Tue, 11 Sep 2012 00:18:52 +0200
Subject: [Freeipa-users] Subject for certificate request in ipa-server-install
Message-ID:

Hi Everybody,

I want to change the default Certificate Authority automatically added when you want to make a certificate request.

There was a thread about something like that (https://www.redhat.com/archives/freeipa-users/2012-April/msg00021.html), but I don't know if there is a quick and nice solution.

James


From rmeggins at redhat.com Mon Sep 10 22:21:46 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 10 Sep 2012 16:21:46 -0600
Subject: [Freeipa-users] Adding indexes for the automounter - odd results
In-Reply-To: <504E66AA.3080002@redhat.com>
References: <504E4692.4090408@nixtra.com> <504E4F67.9090504@redhat.com> <504E5540.3010300@nixtra.com> <504E5B50.6070607@redhat.com> <504E66AA.3080002@redhat.com>
Message-ID: <504E67FA.40000@redhat.com>

On 09/10/2012 04:16 PM, Dmitri Pal wrote:
> On 09/10/2012 05:27 PM, Rich Megginson wrote:
>> On 09/10/2012 03:01 PM, Sigbjorn Lie wrote:
>>> On 09/10/2012 10:36 PM, Rich Megginson wrote:
>>>> On 09/10/2012 01:59 PM, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>>
>>>>> I added indexes for automountKey and automountmapname yesterday in
>>>>> my test environment to see if that would speed the automounters up
>>>>> a bit, and now the automounters do not always work. They manage
>>>>> to look up the map, but not the keys in the map.
>>>>>
>>>>> Restarting the automounter sometimes works for some maps, but then
>>>>> the other maps stop working.
>>>>>
>>>>> Below is an example from the messages file when doing "ls /prog".
>>>>>
>>>>> Sep 10 19:55:22 mordor automount[3041]: lookup_mount: lookup(ldap): looking up nagios
>>>>> Sep 10 19:55:22 mordor automount[3041]: find_dc_server: trying server uri ldap://ipa01.ix.test.com:389
>>>>> Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
>>>>> Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
>>>>> Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385.
>>>>> Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385.
>>>>> Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded
>>>>> Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): autofs_sasl_bind returned 0
>>>>> Sep 10 19:55:22 mordor automount[3041]: connected to uri ldap://ipa01.ix.test.com:389
>>>>> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com"
>>>>> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): getting first entry for automountKey="nagios"
>>>>> Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): got answer, but no entry for (&(objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A)))
>>>>> Sep 10 19:55:22 mordor automount[3041]: dev_ioctl_send_fail: token = 798
>>>>> Sep 10 19:55:22 mordor automount[3041]: failed to mount /prog/nagios
>>>>> Sep 10 19:55:22 mordor automount[3041]: handle_packet: type = 3
>>>>> Sep 10
>>>>> 19:55:22 mordor automount[3041]: handle_packet_missing_indirect: token 799, name os, request pid 3233
>>>>>
>>>>>
>>>>> All folders return like this:
>>>>>
>>>>> ls: cannot access /prog/nagios: No such file or directory
>>>>>
>>>>>
>>>>> The 389-ds access log looks like this:
>>>>>
>>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com"
>>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base="automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com" scope=2 filter="(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))" attrs="automountKey automountInformation"
>>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0
>>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND
>>>>> [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1
>>>>>
>>>>>
>>>>> Running the query manually returns:
>>>>>
>>>>> ~$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com '(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))'
>>>>>
>>>>> SASL/GSSAPI authentication started
>>>>> SASL username: user at IX.TEST.COM
>>>>> SASL SSF: 56
>>>>> SASL data security layer installed.
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base
>>>>> with scope subtree
>>>>> # filter: (&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # search result
>>>>> search: 4
>>>>> result: 0 Success
>>>>>
>>>>> # numResponses: 1
>>>>>
>>>>>
>>>>>
>>>>> Running this search without any filter returns:
>>>>> $ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com
>>>>>
>>>>>
>>>>>
>>>>> # utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils, auto_prog, svg1, automount, ix.test.com
>>>>> dn: description=utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils,automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com
>>>>> description: utils -vers=3,sec=sys filer01:/volumes/p00/prog/utils
>>>>> automountInformation: -vers=3,sec=sys filer01:/volumes/p00/prog/utils
>>>>> automountKey: utils
>>>>> objectClass: automount
>>>>> objectClass: top
>>>>>
>>>>>
>>>>>
>>>>> The two indexes I created are these:
>>>>>
>>>>> # automountkey, index, userRoot, ldbm database, plugins, config
>>>>> dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>>> cn: automountkey
>>>>> objectClass: top
>>>>> objectClass: nsIndex
>>>>> nsSystemIndex: false
>>>>> nsIndexType: eq
>>>>>
>>>>> # automountmapname, index, userRoot, ldbm database, plugins, config
>>>>> dn: cn=automountmapname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>>> cn: automountmapname
>>>>> objectClass: top
>>>>> objectClass: nsIndex
>>>>> nsSystemIndex: false
>>>>> nsIndexType: eq
>>>>>
>>>>> And then I ran these commands:
>>>>> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountmapname:eq -v
>>>>> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountkey:eq
>>>>> -v
>>>>>
>>>>> What is going on?
>>>> ls -al /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot
>>>> dbscan -f /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot/automountmapname.db*
>>>> dbscan -f /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot/automountkey.db*
>>> I just ran these commands before you sent your email:
>>> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountmapname -v
>>> # /var/lib/dirsrv/scripts-IX-TEST-COM/db2index.pl -D "cn=Directory Manager" -w - -n userroot -t automountkey -v
>>>
>>> But only on one IPA server. This might explain why the automounter
>>> was working every now and then, as I am using the SRV records for the
>>> automounter to discover the LDAP server hostname.
>>>
>>> The commands you sent show everything as being OK now.
>>> ls -al /var/lib/dirsrv/slapd-IX-TEST-COM/db/userRoot
>>> -rw------- 1 dirsrv dirsrv 16384 Sep 10 21:57 automountkey.db4
>>> -rw------- 1 dirsrv dirsrv 16384 Sep  9 22:07 automountmapname.db4
>>>
>>> The dbscan commands list all the automount maps and keys as:
>>>
>>> =auto.direct
>>> =auto.master
>>>
>>>
>>> and:
>>>
>>> =utils
>>>
>>>
>>> Did an error occur when I initially created the indexes? Was it
>>> incorrect to specify ":eq"?
>> Looks like there is a bug in db2index_add_indexed_attr - it should
>> split the comma delimited list of index types after the ":" into
>> separate values of the nsIndexType attribute.
>>
>> If you don't specify the ":type,type" then it uses the defaults that
>> you have configured.
> Rich, should we raise a DS ticket here?

Yes.
https://fedorahosted.org/389/ticket/453

>>>
>>> Regards,
>>> Siggi
>>>
>


From Steven.Jones at vuw.ac.nz Mon Sep 10 22:32:08 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 10 Sep 2012 22:32:08 +0000
Subject: [Freeipa-users] slow ssh
In-Reply-To: <504E65EA.60901@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CDB7DD4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <504E65EA.60901@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CDB7E77@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

It seems to be in my test environment, so its not being a full DNS setup is probably some of the problem. I didn't select the preview, but I've seen ssh logins that happen without a password, so I assume that's at least partially why.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, 11 September 2012 10:12 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] slow ssh

On 09/10/2012 05:16 PM, Steven Jones wrote:
> Hi,
>
> Not sure if this is an IPA issue, but I'm finding ssh takes a long time to login. It looks like ssh is querying IPA for authentication mechanisms? If so, can I simply turn this off? And if so, how?
>

Is it the problem on the SSH client or on the SSH server?
Can you provide ssh configuration file(s) and sssd.conf?
What version do you use (ssh and sssd)?
Could it be that you tried the tech preview ipa-client SSH integration feature when you installed ipa-client?
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From dpal at redhat.com Mon Sep 10 22:43:07 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 10 Sep 2012 18:43:07 -0400
Subject: [Freeipa-users] Subject for certificate request in ipa-server-install
In-Reply-To:
References:
Message-ID: <504E6CFB.9090604@redhat.com>

On 09/10/2012 06:18 PM, James James wrote:
> Hi Everybody,
>
> I want to change the default Certificate Authority automatically added
> when you want to make a certificate request.
>
> There was a thread about something like that
> (https://www.redhat.com/archives/freeipa-users/2012-April/msg00021.html),
> but I don't know if there is a quick and nice solution.
>
> James
>

Ticket is still not addressed: https://fedorahosted.org/freeipa/ticket/2614
You are welcome to provide patches to help with this effort.

However, maybe there is a way to change some value in the CA configuration manually, which I am not aware of, to put the CA name you want. Worth asking people on #dogtag-pki.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
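The following is an added example for the "Adding indexes for the automounter - odd results" thread above; it is not code from that thread, from 389-ds or from FreeIPA. It covers the two checks the thread circles around: building an nsIndex entry from a db2index.pl-style "attr:type,type" spec with one nsIndexType value per type (the split Rich says db2index_add_indexed_attr should perform, tracked as 389 ticket 453) and catching an entry written with a combined value, and pairing SRCH with RESULT lines in the 389-ds access log by (conn, op) so that searches which returned nentries=0, or which the server marked unindexed with notes=U, stand out. The access log sample is constructed to resemble the lines Siggi quoted; the conn=1822 lines, the KNOWN_INDEX_TYPES set and all function names are assumptions of this example.

```python
"""Added example: index spec handling and 389-ds access log triage.

Not code from the thread, 389-ds or FreeIPA. Function names and the
sample log are assumptions of this example.
"""
import re

# Index types accepted by the example's validator (assumption; the
# common 389-ds types are pres, eq, approx and sub).
KNOWN_INDEX_TYPES = {"pres", "eq", "approx", "sub"}


def index_entry(spec, backend="userRoot"):
    """Return LDIF lines for a db2index-style 'attr[:type,type]' spec.

    Each comma-separated type becomes its own nsIndexType value. With no
    ':types' part no nsIndexType line is emitted; per the thread the server
    then uses the configured defaults.
    """
    attr, _, types = spec.partition(":")
    type_list = [t.strip() for t in types.split(",") if t.strip()]
    lines = [
        f"dn: cn={attr},cn=index,cn={backend},cn=ldbm database,cn=plugins,cn=config",
        f"cn: {attr}",
        "objectClass: top",
        "objectClass: nsIndex",
        "nsSystemIndex: false",
    ]
    lines.extend(f"nsIndexType: {t}" for t in type_list)
    return lines


def bad_index_types(ldif_lines):
    """Return nsIndexType values that are not a single known type.

    A value like 'eq,pres' (the list after ':' not split into separate
    values) is what this catches; it is not a valid index type.
    """
    bad = []
    for line in ldif_lines:
        if line.startswith("nsIndexType:"):
            value = line.split(":", 1)[1].strip()
            if value not in KNOWN_INDEX_TYPES:
                bad.append(value)
    return bad


# Constructed sample modelled on the access log quoted in the thread; the
# conn=1822 lines are invented here to show an unindexed (notes=U) result.
SAMPLE_ACCESS_LOG = r"""
[10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com"
[10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base="automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com" scope=2 filter="(&(objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))" attrs="automountKey automountInformation"
[10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND
[10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1
[10/Sep/2012:20:01:03 +0200] conn=1822 op=1 SRCH base="cn=automount,dc=ix,dc=test,dc=com" scope=2 filter="(automountKey=utils)" attrs="ALL"
[10/Sep/2012:20:01:03 +0200] conn=1822 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
"""

# "[timestamp] conn=N op=N KIND rest"; lines without an op= (connection
# open/close) or with a lowercase token after op= are skipped.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)\b(?P<rest>.*)$")
# key=value pairs; quoted values may contain '=' and spaces (filters, DNs).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _fields(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def pair_searches(log_text):
    """Join each SRCH with its RESULT by (conn, op) and return the pairs."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["conn"], m["op"])
        f = _fields(m["rest"])
        if m["kind"] == "SRCH":
            pending[key] = {"conn": key[0], "op": key[1],
                            "base": f.get("base", ""), "filter": f.get("filter", "")}
        elif m["kind"] == "RESULT" and key in pending:
            r = pending.pop(key)
            r["err"] = int(f.get("err", 0))
            r["nentries"] = int(f.get("nentries", 0))
            r["etime"] = f.get("etime", "0")
            r["unindexed"] = "U" in f.get("notes", "")  # 389-ds marks unindexed searches notes=U
            results.append(r)
    return results


def suspicious_searches(log_text):
    """Searches worth a look after an index change: unindexed, or an
    equality filter that matched nothing (the thread's symptom)."""
    return [r for r in pair_searches(log_text) if r["unindexed"] or r["nentries"] == 0]


if __name__ == "__main__":
    print("\n".join(index_entry("automountkey:eq,pres")))
    print("bad types:", bad_index_types(["nsIndexType: eq,pres"]))
    for r in suspicious_searches(SAMPLE_ACCESS_LOG):
        tag = "UNINDEXED" if r["unindexed"] else "no entries"
        print(f"conn={r['conn']} op={r['op']} {tag}: {r['filter']} under {r['base']}")
```

Run it against a real access log by reading the file into `pair_searches`; on a live server the thing to compare, as Rich's dbscan suggestion does, is that the attribute file exists under the backend's db directory on every replica, since db2index.pl only touches the server it is run on.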
From nalin at redhat.com Mon Sep 10 23:16:34 2012
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Mon, 10 Sep 2012 19:16:34 -0400
Subject: [Freeipa-users] KRB5 keytab not always created or updated on RHEL 5
In-Reply-To: <504E484E.3080605@nixtra.com>
References: <504E484E.3080605@nixtra.com>
Message-ID: <20120910231634.GF8154@redhat.com>

On Mon, Sep 10, 2012 at 10:06:38PM +0200, Sigbjorn Lie wrote:
> Hi,
>
> We are using pam_ldap + pam_krb5 on our RHEL 5 workstations.
> Sometimes when the user logs in, or unlocks his workstation, the
> user's Kerberos keytab is not created or updated.

You mean credential caches rather than keytabs, right?

How are pam_ldap and pam_krb5 combined in your configuration?

Is pam_ldap being used for account management, or is it also being used to check passwords? If pam_krb5 isn't verifying the password, it won't obtain credentials which it can use to populate a credential cache when the user's session is opened, so it won't try to create one.

> Often, just locking the screen with the screensaver and unlocking
> again creates or updates the keytab file.
>
> I've had a look at /var/log/secure without getting any smarter.

What gets logged to /var/log/secure when things aren't working right?

Can you turn on debugging for pam_krb5 (set "debug = true" in the "pam" subsection of [appdefaults] in /etc/krb5.conf, and configure syslog to save messages with priority=debug) and share the debug messages you get when things aren't working?
Nalin


From sigbjorn at nixtra.com Tue Sep 11 08:04:21 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 11 Sep 2012 10:04:21 +0200 (CEST)
Subject: [Freeipa-users] KRB5 keytab not always created or updated on RHEL 5
In-Reply-To: <20120910231634.GF8154@redhat.com>
References: <504E484E.3080605@nixtra.com> <20120910231634.GF8154@redhat.com>
Message-ID: <24637.213.225.75.97.1347350661.squirrel@www.nixtra.com>

On Tue, September 11, 2012 01:16, Nalin Dahyabhai wrote:
> On Mon, Sep 10, 2012 at 10:06:38PM +0200, Sigbjorn Lie wrote:
>
>> Hi,
>>
>> We are using pam_ldap + pam_krb5 on our RHEL 5 workstations.
>> Sometimes when the user logs in, or unlocks his workstation, the
>> user's Kerberos keytab is not created or updated.
>
> You mean credential caches rather than keytabs, right?
>

Yes.

>
> How are pam_ldap and pam_krb5 combined in your configuration?
>

Sorry, my bad. We do not use pam_ldap, only pam_krb5.

>
> Is pam_ldap being used for account management, or is it also being used
> to check passwords? If pam_krb5 isn't verifying the password, it won't obtain credentials which it
> can use to populate a credential cache when the user's session is opened, so it won't try to
> create one.
>
>> Often, just locking the screen with the screensaver and unlocking
>> again creates or updates the keytab file.
>>
>> I've had a look at /var/log/secure without getting any smarter.
>>
>
> What gets logged to /var/log/secure when things aren't working right?
>

Sep 10 08:48:44 ws kcheckpass: pam_unix(kscreensaver:auth): authentication failure; logname=username uid=12345 euid=12345 tty=:0 ruser= rhost= user=username
Sep 10 08:48:45 ws kcheckpass: pam_krb5[14342]: error reading keytab 'FILE:/etc/krb5.keytab'
Sep 10 08:48:45 ws kcheckpass: pam_krb5[14342]: TGT verified
Sep 10 08:48:45 ws kcheckpass: pam_krb5[14342]: authentication succeeds for 'username' (username at REALM)

>
> Can you turn on debugging for pam_krb5 (set "debug = true" in the "pam"
> subsection of [appdefaults] in /etc/krb5.conf, and configure syslog to save messages with
> priority=debug) and share the debug messages you get when things aren't working?
>

Ok, sure. There is some time in between these reports, so it might take a while to gather the results.

Regards,
Siggi


From chorn at fluxcoil.net Tue Sep 11 12:18:16 2012
From: chorn at fluxcoil.net (Christian Horn)
Date: Tue, 11 Sep 2012 14:18:16 +0200
Subject: [Freeipa-users] Do you use logrotate?
In-Reply-To: <504E64BD.30705@redhat.com>
References: <504E64BD.30705@redhat.com>
Message-ID: <20120911121816.GA10234@fluxcoil.net>

Hi,

On Mon, Sep 10, 2012 at 06:07:57PM -0400, Dmitri Pal wrote:
>
> Does anyone use logrotate?

Not yet, indeed a good idea.

> Have you seen something else that would be valuable for others to
> consider when configuring logrotate with IPA?

IPA has many services writing to independent files. Having these logs collected in a central place seems to be a common desire. For DNS, syslog is used and can directly log to a remote location.

For the other services the best idea so far seems to be to have a cronjob which uses rsync/ssh to centrally store the logs.

This can be implemented without much further thought. If logrotate is used on the IPA servers, but longer logs should also be kept on the central server, further thoughts would be needed here.

That's the only relevant thing coming to mind for the topic.
Christian


From dpal at redhat.com Tue Sep 11 14:36:34 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 11 Sep 2012 10:36:34 -0400
Subject: [Freeipa-users] Do you use logrotate?
In-Reply-To: <20120911121816.GA10234@fluxcoil.net>
References: <504E64BD.30705@redhat.com> <20120911121816.GA10234@fluxcoil.net>
Message-ID: <504F4C72.3030204@redhat.com>

On 09/11/2012 08:18 AM, Christian Horn wrote:
> Hi,
>
> On Mon, Sep 10, 2012 at 06:07:57PM -0400, Dmitri Pal wrote:
>> Does anyone use logrotate?
> Not yet, indeed a good idea.
>
>
>> Have you seen something else that would be valuable for others to
>> consider when configuring logrotate with IPA?
> IPA has many services writing to independent files. Having these
> logs collected in a central place seems to be a common desire.
> For DNS, syslog is used and can directly log to a remote location.
>
> For the other services the best idea so far seems to be to have
> a cronjob which uses rsync/ssh to centrally store the logs.
>
> This can be implemented without much further thought.
> If logrotate is used on the IPA servers, but longer logs
> should also be kept on the central server, further thoughts would
> be needed here.
>
>
> That's the only relevant thing coming to mind for the topic.
> Christian
>

Collecting logs centrally is a separate topic.
I want to focus on the logrotate configuration and potential issues people might have or have had in the past related to logrotate causing IPA to fail.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From rcritten at redhat.com Tue Sep 11 14:41:22 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Sep 2012 10:41:22 -0400
Subject: [Freeipa-users] Do you use logrotate?
In-Reply-To: <504F4C72.3030204@redhat.com>
References: <504E64BD.30705@redhat.com> <20120911121816.GA10234@fluxcoil.net> <504F4C72.3030204@redhat.com>
Message-ID: <504F4D92.2040009@redhat.com>

Dmitri Pal wrote:
> On 09/11/2012 08:18 AM, Christian Horn wrote:
>> Hi,
>>
>> On Mon, Sep 10, 2012 at 06:07:57PM -0400, Dmitri Pal wrote:
>>> Does anyone use logrotate?
>> Not yet, indeed a good idea.
>>
>>
>>> Have you seen something else that would be valuable for others to
>>> consider when configuring logrotate with IPA?
>> IPA has many services writing to independent files. Having these
>> logs collected in a central place seems to be a common desire.
>> For DNS, syslog is used and can directly log to a remote location.
>>
>> For the other services the best idea so far seems to be to have
>> a cronjob which uses rsync/ssh to centrally store the logs.
>>
>> This can be implemented without much further thought.
>> If logrotate is used on the IPA servers, but longer logs
>> should also be kept on the central server, further thoughts would
>> be needed here.
>>
>>
>> That's the only relevant thing coming to mind for the topic.
>> Christian
>>
>
> Collecting logs centrally is a separate topic.
> I want to focus on the logrotate configuration and potential issues
> people might have or have had in the past related to logrotate causing
> IPA to fail.

logrotate is being used by every IPA user today unless they have configured it to NOT be used. There are default logrotate rules for named, httpd, tomcat6, sssd and krb5kdc. 389-ds-base does its own log rotation AFAIU.

rob


From dpal at redhat.com Tue Sep 11 17:03:30 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 11 Sep 2012 13:03:30 -0400
Subject: [Freeipa-users] Do you use logrotate?
In-Reply-To: <504F4D92.2040009@redhat.com>
References: <504E64BD.30705@redhat.com> <20120911121816.GA10234@fluxcoil.net> <504F4C72.3030204@redhat.com> <504F4D92.2040009@redhat.com>
Message-ID: <504F6EE2.50208@redhat.com>

On 09/11/2012 10:41 AM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 09/11/2012 08:18 AM, Christian Horn wrote:
>>> Hi,
>>>
>>> On Mon, Sep 10, 2012 at 06:07:57PM -0400, Dmitri Pal wrote:
>>>> Does anyone use logrotate?
>>> Not yet, indeed a good idea.
>>>
>>>
>>>> Have you seen something else that would be valuable for others to
>>>> consider when configuring logrotate with IPA?
>>> IPA has many services writing to independent files. Having these
>>> logs collected in a central place seems to be a common desire.
>>> For DNS, syslog is used and can directly log to a remote location.
>>>
>>> For the other services the best idea so far seems to be to have
>>> a cronjob which uses rsync/ssh to centrally store the logs.
>>>
>>> This can be implemented without much further thought.
>>> If logrotate is used on the IPA servers, but longer logs
>>> should also be kept on the central server, further thoughts would
>>> be needed here.
>>>
>>>
>>> That's the only relevant thing coming to mind for the topic.
>>> Christian
>>>
>>
>> Collecting logs centrally is a separate topic.
>> I want to focus on the logrotate configuration and potential issues
>> people might have or have had in the past related to logrotate causing
>> IPA to fail.
>
> logrotate is being used by every IPA user today unless they have
> configured it to NOT be used. There are default logrotate rules for
> named, httpd, tomcat6, sssd and krb5kdc. 389-ds-base does its own log
> rotation AFAIU.
>
> rob

So how did it happen that someone configured logrotate to run as a different user and caused the DS instance not to start? I want to understand what we can do to prevent such situations.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From marcello.giannoni at ucla.edu Wed Sep 12 06:52:33 2012
From: marcello.giannoni at ucla.edu (Marcello Giannoni UCLA)
Date: Tue, 11 Sep 2012 23:52:33 -0700
Subject: [Freeipa-users] distribution mailing list
Message-ID: <10C7DBFD-1EF3-4E72-AB8F-A49388111D22@ucla.edu>

Hi, I'm currently using the free-ipa server on Red Hat Enterprise 6.2.
Someone asked me to implement a distribution list on the system.
I would like to set up free-ipa in a way that I can create expandable groups, so that when I connect through an email client and type the group defined in the ipa-server, the group will expand to all the emails of the users subscribed to that particular group.

Do I have to change the dif.ldif schema in order to achieve this?
I have heard that someone resolved this problem using objectClass=groupOfNames, but I couldn't find any explanation on how to implement this.

I don't know if the problem lies in the type of group to use or in the base search on the ldap client; I need some clue on how to do this.

I hope someone can shed some light on this.

Thank you in advance
Marcello


From dpal at redhat.com Wed Sep 12 11:44:53 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 12 Sep 2012 07:44:53 -0400
Subject: [Freeipa-users] distribution mailing list
In-Reply-To: <10C7DBFD-1EF3-4E72-AB8F-A49388111D22@ucla.edu>
References: <10C7DBFD-1EF3-4E72-AB8F-A49388111D22@ucla.edu>
Message-ID: <505075B5.9010503@redhat.com>

On 09/12/2012 02:52 AM, Marcello Giannoni UCLA wrote:
> Hi, I'm currently using the free-ipa server on Red Hat Enterprise 6.2.
> Someone asked me to implement a distribution list on the system.
> I would like to set up free-ipa in a way that I can create expandable groups, so that when I connect through an email client and type the group defined in the ipa-server, the group will expand to all the emails of the users subscribed to that particular group.
>
> Do I have to change the dif.ldif schema in order to achieve this?
> I have heard that someone resolved this problem using objectClass=groupOfNames, but I couldn't find any explanation on how to implement this.
>
> I don't know if the problem lies in the type of group to use or in the base search on the ldap client; I need some clue on how to do this.
>
> I hope someone can shed some light on this.
>

I am not sure, but I suspect that you need a filter for the mail client to expand the list of users.
The attribute that would help with that is "member". It is a multi-value attribute of the group object that contains the list of all the users that are directly or indirectly (via nested groups) members of the specific group.

If you need not just user DNs but user entries, then you might want to go the other way around.
Use the entered group to search for all the users whose memberOf attribute contains the given group.

> Thank you in advance
> Marcello
>
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From marcello.giannoni at ucla.edu Wed Sep 12 18:06:27 2012
From: marcello.giannoni at ucla.edu (Marcello Giannoni UCLA)
Date: Wed, 12 Sep 2012 11:06:27 -0700
Subject: [Freeipa-users] distribution mailing list
In-Reply-To: <505075B5.9010503@redhat.com>
References: <10C7DBFD-1EF3-4E72-AB8F-A49388111D22@ucla.edu> <505075B5.9010503@redhat.com>
Message-ID: <22EF7881-7467-401F-A121-E6D52C897B40@ucla.edu>

Hi Dmitri,

Thank you for the suggestions. I'll try your solution with the member attribute and see how it goes.
Thank you for your prompt answer
Marcello

On Sep 12, 2012, at 4:44 AM, Dmitri Pal wrote:

> On 09/12/2012 02:52 AM, Marcello Giannoni UCLA wrote:
>> Hi, I'm currently using the free-ipa server on Red Hat Enterprise 6.2.
>> Someone asked me to implement a distribution list on the system.
>> I would like to set up free-ipa in a way that I can create expandable groups, so that when I connect through an email client and type the group defined in the ipa-server, the group will expand to all the emails of the users subscribed to that particular group.
>>
>> Do I have to change the dif.ldif schema in order to achieve this?
>> I have heard that someone resolved this problem using objectClass=groupOfNames, but I couldn't find any explanation on how to implement this.
>>
>> I don't know if the problem lies in the type of group to use or in the base search on the ldap client; I need some clue on how to do this.
>>
>> I hope someone can shed some light on this.
>>
>
> I am not sure, but I suspect that you need a filter for the mail client to
> expand the list of users.
> The attribute that would help with that is "member". It is a multi-value
> attribute of the group object that contains the list of all the users
> that are directly or indirectly (via nested groups) members of the
> specific group.
>
> If you need not just user DNs but user entries, then you might want to
> go the other way around.
> Use the entered group to search for all the users whose memberOf
> attribute contains the given group.
>
>> Thank you in advance
>> Marcello
>>
>>
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>


From george_he7 at yahoo.com Wed Sep 12 18:26:15 2012
From: george_he7 at yahoo.com (george he)
Date: Wed, 12 Sep 2012 11:26:15 -0700 (PDT)
Subject: [Freeipa-users] Stale NFS file handle
Message-ID: <1347474375.2523.YahooMailNeo@web120005.mail.ne1.yahoo.com>

Hello,
My ipa server and my nfs server are the same machine running CentOS 6.3.
The server was accidentally down and rebooted.
But then I got "authentication failure" on some clients when I tried to log on through gdm, and a blue screen (no desktop, no panels) on some others.
On some clients that I was on before the server was down, I got "Stale NFS file handle".
Yet on some other clients, everything is fine. All clients are running CentOS 6.3, too.

Is there a way (e.g. restarting some services) to get the above problems away instead of rebooting the clients?

Thanks,
George


From natxo.asenjo at gmail.com Wed Sep 12 18:43:33 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Wed, 12 Sep 2012 20:43:33 +0200
Subject: [Freeipa-users] Stale NFS file handle
In-Reply-To: <1347474375.2523.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1347474375.2523.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID:

On Wed, Sep 12, 2012 at 8:26 PM, george he wrote:
> Hello,
> My ipa server and my nfs server are the same machine running CentOS 6.3.

try to separate those roles if you can. You can use vm's, it'll work great.

> The server was accidentally down and rebooted.
> But then I got "authentication failure" on some clients when I tried to log
> on through gdm, and a blue screen (no desktop, no panels) on some others.
> On some clients that I was on before the server was down, I got "Stale
> NFS file handle".
> Yet on some other clients, everything is fine. All clients are running
> CentOS 6.3, too.
>
> Is there a way (e.g. restarting some services) to get the above problems
> away instead of rebooting the clients?
>

you could try umounting the stale mount points in the clients with the -l switch (lazy). It works most of the time; sometimes rebooting or resetting is necessary. Do not change dir to the mount point, because then your client will not respond :-)

--
natxo


From sigbjorn at nixtra.com Wed Sep 12 19:53:59 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 12 Sep 2012 21:53:59 +0200
Subject: [Freeipa-users] Stale NFS file handle
In-Reply-To: <1347474375.2523.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1347474375.2523.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <5050E857.6060009@nixtra.com>

On 09/12/2012 08:26 PM, george he wrote:
> Hello,
> My ipa server and my nfs server are the same machine running CentOS 6.3.
> The server was accidentally down and rebooted.
> But then I got "authentication failure" on some clients when I tried to
> log on through gdm, and a blue screen (no desktop, no panels) on some
> others.
> On some clients that I was on before the server was down, I got
> "Stale NFS file handle".
> Yet on some other clients, everything is fine. All clients are running
> CentOS 6.3, too.
> Is there a way (e.g. restarting some services) to get the above
> problems away instead of rebooting the clients?
> Thanks,
> George
>

Just wait and it reconnects a while after the nfs server becomes available again.

How long have you waited before rebooting?


Regards,
Siggi
From george_he7 at yahoo.com Wed Sep 12 20:44:37 2012
From: george_he7 at yahoo.com (george he)
Date: Wed, 12 Sep 2012 13:44:37 -0700 (PDT)
Subject: [Freeipa-users] Stale NFS file handle
In-Reply-To: <5050E857.6060009@nixtra.com>
References: <1347474375.2523.YahooMailNeo@web120005.mail.ne1.yahoo.com> <5050E857.6060009@nixtra.com>
Message-ID: <1347482677.46482.YahooMailNeo@web120002.mail.ne1.yahoo.com>

I think it's about half an hour.
Any ideas about the authentication failure thing?
Thanks,
George

> ________________________________
> From: Sigbjorn Lie
> To: freeipa-users at redhat.com
> Sent: Wednesday, September 12, 2012 3:53 PM
> Subject: Re: [Freeipa-users] Stale NFS file handle
>
> On 09/12/2012 08:26 PM, george he wrote:
>> Hello,
>> My IPA server and my NFS server are the same machine running CentOS 6.3.
>> The server was accidentally down and rebooted.
>> But then I got "authentication failure" on some clients when I tried to log on through gdm, and a blue screen (no desktop, no panels) on some others.
>> On some clients that I was on before the server was down, I got "Stale NFS file handle".
>> Yet on some other clients, everything is fine. All clients are running CentOS 6.3, too.
>>
>> Is there a way (e.g. restarting some services) to get the above problems away instead of rebooting the clients?
>>
>> Thanks,
>> George
>>
> Just wait and it reconnects a while after the NFS server becomes available again.
>
> How long have you waited before rebooting?
>
> Regards,
> Siggi
From george_he7 at yahoo.com Wed Sep 12 20:46:14 2012
From: george_he7 at yahoo.com (george he)
Date: Wed, 12 Sep 2012 13:46:14 -0700 (PDT)
Subject: [Freeipa-users] Stale NFS file handle
In-Reply-To:
References: <1347474375.2523.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <1347482774.9801.YahooMailNeo@web120001.mail.ne1.yahoo.com>

I tried umount but without -l, it said drive busy. Next time I will try with -l.
Thanks,
George

> ________________________________
> From: Natxo Asenjo
> To: "freeipa-users at redhat.com"
> Sent: Wednesday, September 12, 2012 2:43 PM
> Subject: Re: [Freeipa-users] Stale NFS file handle
>
> On Wed, Sep 12, 2012 at 8:26 PM, george he wrote:
>> Hello,
>> My IPA server and my NFS server are the same machine running CentOS 6.3.
>
> try to separate those roles if you can. You can use VMs, it'll work great.
>
>> The server was accidentally down and rebooted.
>> But then I got "authentication failure" on some clients when I tried to log on through gdm, and a blue screen (no desktop, no panels) on some others.
>> On some clients that I was on before the server was down, I got "Stale NFS file handle".
>> Yet on some other clients, everything is fine. All clients are running CentOS 6.3, too.
>>
>> Is there a way (e.g. restarting some services) to get the above problems away instead of rebooting the clients?
>
> you could try umounting the stale mount points on the clients with the -l switch (lazy). It works most of the time; sometimes rebooting or resetting is necessary. Do not change dir to the mount point because then your client will not respond :-)
>
> --
> natxo
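The recovery Natxo suggests above (lazy unmount of the stale mount points, and never cd into them first) written out as a small client-side script. This is an added example, not code from the thread or from FreeIPA. It assumes a Linux client with /proc/mounts and GNU coreutils (timeout(1) exits 124 when the probe hangs, stat(1) reports "Stale file handle" for ESTALE); the optional mounts-file argument exists only so the parser can be exercised on a constructed file. The umount step needs root.

```shell
#!/bin/sh
# Added example, not from the thread: find the NFS mounts on a client and
# lazily detach the ones that answer "Stale file handle" or hang, without
# ever chdir'ing into them. Assumes Linux /proc/mounts and GNU coreutils
# (timeout(1) exits 124 on expiry). Run as root for the umount step.

# Print the mount point of every NFS mount listed in a mounts-format file
# (default /proc/mounts; fields: device mountpoint fstype options dump pass).
nfs_mounts_from() {
    awk '$3 == "nfs" || $3 == "nfs4" { print $2 }' "${1:-/proc/mounts}"
}

# Probe one mount point with stat(1), bounded by a timeout so a dead server
# cannot wedge this script. The path is handed to stat, never cd'ed into:
# a chdir onto a dead NFS mount can leave the shell stuck in D state.
# Exit status: 0 healthy, 1 stale handle, 2 hung/unreachable, 3 other error.
probe_mount() {
    mp=$1
    if command -v timeout >/dev/null 2>&1; then
        err=$(timeout 5 stat -- "$mp" 2>&1 >/dev/null)
    else
        err=$(stat -- "$mp" 2>&1 >/dev/null)
    fi
    rc=$?
    if [ "$rc" -eq 0 ]; then
        return 0
    elif [ "$rc" -eq 124 ]; then
        return 2
    elif printf '%s' "$err" | grep -qi 'stale'; then
        return 1
    fi
    return 3
}

# Lazily detach (umount -l) every NFS mount that is stale or not answering,
# so new lookups stop hitting it; autofs or a manual mount can bring it back
# once the server is up. Prints each mount point it detached.
detach_stale_mounts() {
    nfs_mounts_from "${1:-/proc/mounts}" | while IFS= read -r mp; do
        probe_mount "$mp"
        case $? in
            1|2) umount -l -- "$mp" && printf '%s\n' "$mp" ;;
        esac
    done
}
```

Run `detach_stale_mounts` as root after the server is back; a healthy mount (probe status 0) is left alone, which is what you want when, as Siggi describes, the client is going to reconnect on its own.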
From sigbjorn at nixtra.com Wed Sep 12 21:27:49 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 12 Sep 2012 23:27:49 +0200
Subject: [Freeipa-users] Stale NFS file handle
In-Reply-To: <1347482677.46482.YahooMailNeo@web120002.mail.ne1.yahoo.com>
References: <1347474375.2523.YahooMailNeo@web120005.mail.ne1.yahoo.com> <5050E857.6060009@nixtra.com> <1347482677.46482.YahooMailNeo@web120002.mail.ne1.yahoo.com>
Message-ID: <5050FE55.8040208@nixtra.com>

What NFS version are you using? And if 4, do you use Kerberos?

We are using mostly NFS 3 still, and those NFS mounts just reconnect by themselves up to a few minutes after the NFS server is back online.

Regards,
Siggi

On 09/12/2012 10:44 PM, george he wrote:
> I think it's about half an hour.
> Any ideas about the authentication failure thing?
> Thanks,
> George
>
> ------------------------------------------------------------------------
> *From:* Sigbjorn Lie
> *To:* freeipa-users at redhat.com
> *Sent:* Wednesday, September 12, 2012 3:53 PM
> *Subject:* Re: [Freeipa-users] Stale NFS file handle
>
> On 09/12/2012 08:26 PM, george he wrote:
>> Hello,
>> My IPA server and my NFS server are the same machine running
>> CentOS 6.3.
>> The server was accidentally down and rebooted.
>> But then I got "authentication failure" on some clients when I
>> tried to log on through gdm, and a blue screen (no desktop, no
>> panels) on some others.
>> On some clients that I was on before the server was down, I
>> got "Stale NFS file handle".
>> Yet on some other clients, everything is fine. All clients are
>> running CentOS 6.3, too.
>> Is there a way (e.g. restarting some services) to get the above
>> problems away instead of rebooting the clients?
>> Thanks,
>> George
>>
>
> Just wait and it reconnects a while after the NFS server becomes
> available again.
>
> How long have you waited before rebooting?
>
> Regards,
> Siggi

From Steven.Jones at vuw.ac.nz Thu Sep 13 04:56:18 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 13 Sep 2012 04:56:18 +0000
Subject: [Freeipa-users] winsync agreement
Message-ID: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz>

I just set up a winsync agreement, except it's wiped any IPA user that also exists in AD.

Is this expected? If so, how do I stop it doing that?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From ondrejv at s3group.cz Thu Sep 13 07:18:38 2012
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 13 Sep 2012 09:18:38 +0200
Subject: [Freeipa-users] Stale NFS file handle
In-Reply-To: <1347474375.2523.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1347474375.2523.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <505188CE.3030909@s3group.cz>

You can get an authentication failure if the user's home is on an NFS share which is failing to re-mount.
The stale NFS handle usually means the NFS server changed the fsid of the exported volume after its reboot. This usually happens if you are exporting an LVM partition via NFS.
The workaround is to specify the fsid of the exported volume manually in /etc/exports.

HTH,
Ondrej

On 09/12/2012 08:26 PM, george he wrote:
> Hello,
> My IPA server and my NFS server are the same machine running CentOS 6.3.
> The server was accidentally down and rebooted.
> But then I got "authentication failure" on some clients when I tried to log on through gdm, and a blue screen (no desktop, no panels) on some
> others.
> On some clients that I was on before the server was down, I got "Stale NFS file handle".
> Yet on some other clients, everything is fine. All clients are running CentOS 6.3, too.
> Is there a way (e.g. restarting some services) to get the above problems away instead of rebooting the clients?
> Thanks,
> George

From baptiste.agasse at lyra-network.com Thu Sep 13 09:58:43 2012
From: baptiste.agasse at lyra-network.com (Baptiste AGASSE)
Date: Thu, 13 Sep 2012 11:58:43 +0200 (CEST)
Subject: [Freeipa-users] IPA 2.2 and windows clients with MIT kerberos distribution
In-Reply-To: <1137885184.2231.1347528070397.JavaMail.root@sirismail.lyra-network.com>
Message-ID: <1212766854.2281.1347530323074.JavaMail.root@sirismail.lyra-network.com>

Hi all,

Some days ago I said on the freeipa IRC channel that the documentation on freeipa + apache + SNI (located here: http://freeipa.org/page/Apache_SNI_With_Kerberos) was wrong.

I've set up an apache server with SNI and tested SSO with MIT Kerberos on Windows 7 64bits + Firefox.

On my Windows 7 client, SSO doesn't work if I set the "dummyhost" apache virtualhost Krb5KeyTab and KrbServiceName, but works if Krb5KeyTab and KrbServiceName are those of the real host.

This behavior is reversed with a Fedora 17 + Firefox client: SSO works only if the "dummyhost" apache virtualhost Krb5KeyTab and KrbServiceName are those of the "dummyhost".

So, the conclusion is: the documentation is good for Linux clients (at least on Fedora 17 + Firefox), but not for Windows clients.

I think it would be good to have the same behavior on Linux and Windows clients, because it will be painful in cross-platform environments if it stays like this.
rcrit said on IRC that you are working on v3 at this time; it would be good to know if v3.0 has the same behavior, but I don't have the resources at this time to set up another test environment with the v3 beta.

Detailed test configuration (see the attached apache config extracts for the virtualhost configuration):

IPA server:
OS: CentOS 6.3
IPA: ipa-server.x86_64 2.2.0-16.el6
389 ds: 389-ds-base.x86_64 1.2.10.2-20.el6_3
IPA Realm: EXAMPLE.COM

Apache SNI server:
OS: CentOS 6.3
real hostname: projects.foo.example.com
dummy host 1: svn.example.com
dummy host 2: redmine.example.com
[...]

Windows client:
OS: Windows 7 64Bits.
Browser: Firefox 15.0.1, 14.0.x (32bits)
MIT Kerberos dist: 3.2.2 (32bits) (http://web.mit.edu/kerberos/dist/)

GNU/Linux client:
OS: Fedora 17 x86_64
Browser: Firefox 15 (latest provided by fedora)
Kerberos: (latest provided by fedora)

Have a nice day.

Regards.

Baptiste.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: works_with_linux_clients.conf
Type: application/octet-stream
Size: 774 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: works_with_windows7_clients.conf
Type: application/octet-stream
Size: 773 bytes
Desc: not available

From rcritten at redhat.com Thu Sep 13 12:30:21 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Sep 2012 08:30:21 -0400
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz>
Message-ID: <5051D1DD.8080509@redhat.com>

Steven Jones wrote:
> I just set up a winsync agreement, except it's wiped any IPA user that also
> exists in AD.
>
> Is this expected? If so, how do I stop it doing that?
The 389-ds winsync plugin is deleting entries that appear to be out of scope, https://fedorahosted.org/freeipa/ticket/2927

rob

From listas.correo at yahoo.es Thu Sep 13 13:01:53 2012
From: listas.correo at yahoo.es (mailing lists)
Date: Thu, 13 Sep 2012 14:01:53 +0100 (BST)
Subject: [Freeipa-users] Questions about FreeIPA vs 389DS
Message-ID: <1347541313.78158.YahooMailNeo@web171502.mail.ir2.yahoo.com>

Hello all,

It is difficult for newcomers to cope with all this 389DS/FreeIPA stuff. After reading the project documentation and several mail messages in the archives I still have some unanswered questions, so I would be very grateful if list members could answer the following doubts.

I need to use services in an Active Directory environment and the WinSync solution has important limitations: the MODRDN operation is not handled correctly, losing the relation with AD objects (it deletes and adds the entry, so a new SID and GUID is assigned). The upcoming "IPAv3 Trust" feature seems very promising because AFAIK no synchronization is necessary, but by using IPA it seems very restrictive to support current applications which need an LDAP hierarchical tree, custom schema with custom objectclasses and attributes, custom ACLs for applications... I know about Directory Server virtual views, but I'm worried about the consequences of low-level manipulation of the FreeIPA Directory Server instance.

So how are others solving this paradox?
they run 389DS with (fractional) replication towards (or from) FreeIPA 389DS?
they add custom schemas to FreeIPA 389DS?
they do low-level manipulation of FreeIPA 389DS for ACLs, plugin activation, ...?
what about upgrades after these modifications were done?
From David.Fitzgerald at millersville.edu Thu Sep 13 13:54:04 2012
From: David.Fitzgerald at millersville.edu (David Fitzgerald)
Date: Thu, 13 Sep 2012 09:54:04 -0400
Subject: [Freeipa-users] clients very slow
Message-ID: <73D5696F6096F9478FA4CA43E2FD99B9B958FFC8@mail6.millersville.edu>

Hello Everyone,

I work at a small university and I deployed freeIPA on my Linux network over the summer break with no (known) problems, and everything worked as expected. However, now that the semester has started and the Linux system is under a much higher load, I am noticing that my client machines will randomly slow to a crawl. For example, I have a lab of 25 machines. The students can log in OK, but after a time, a few of the machines will freeze so that the users on those machines cannot do anything. After a few minutes, the frozen machines will unfreeze, but other machines will freeze up. I can't see any pattern to which machines freeze up.

I did not have this problem when running NIS, so I suspect it is something in freeIPA, but I am not sure what to look for to solve the problem. Probably a setting somewhere needs tweaking, but I don't know. The server and clients all run Scientific Linux 6.2.

Can anyone help me troubleshoot this?

Thanks!
Dave

+++++++++++++++++++++++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551
Phone: 717-871-2394

From sigbjorn at nixtra.com Thu Sep 13 13:55:50 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 13 Sep 2012 15:55:50 +0200 (CEST)
Subject: [Freeipa-users] IPA Automount cross-location support
Message-ID: <14300.62.148.39.180.1347544550.squirrel@www.nixtra.com>

Hi,

I opened a request a while ago for Automount cross-location support.
https://bugzilla.redhat.com/show_bug.cgi?id=768177
https://fedorahosted.org/freeipa/ticket/1699#

I see from the comments that it's uncertain how this can be implemented.
Could the Virtual Views in 389-ds be used to implement the cross-location maps?

I'm picturing the ability to add a "virtual" automount map to an automount location, where you select an existing map from one of the other automount locations to display.

All changes to the map will be done in the original map in its original automount location, but it will be displayed in both automount locations.

Any thoughts on that solution?

Regards,
Siggi

From ondrejv at s3group.cz Thu Sep 13 14:12:45 2012
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 13 Sep 2012 16:12:45 +0200
Subject: [Freeipa-users] IPA Automount cross-location support
In-Reply-To: <14300.62.148.39.180.1347544550.squirrel@www.nixtra.com>
References: <14300.62.148.39.180.1347544550.squirrel@www.nixtra.com>
Message-ID: <5051E9DD.60704@s3group.cz>

I guess the easiest implementation would be using a pre-defined variable in automount map names.
The variable would then be defined by the automount process using the -D parameter.

The other option (maybe easier) would be to ask the sssd developers to add another option to sssd, say:

ldap_autofs_search_base

so you could specify a different search base for every site....
Ondrej

On 09/13/2012 03:55 PM, Sigbjorn Lie wrote:
> Hi,
>
> I opened a request a while ago for Automount cross-location support.
> https://bugzilla.redhat.com/show_bug.cgi?id=768177
> https://fedorahosted.org/freeipa/ticket/1699#
>
> I see from the comments that it's uncertain how this can be implemented.
>
> Could the Virtual Views in 389-ds be used to implement the cross-location maps?
>
> I'm picturing the ability to add a "virtual" automount map to an automount location, where you
> select an existing map from one of the other automount locations to display.
>
> All changes to the map will be done in the original map in its original automount location, but it
> will be displayed in both automount locations.
>
> Any thoughts on that solution?
>
> Regards,
> Siggi

From ondrejv at s3group.cz Thu Sep 13 14:24:25 2012
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 13 Sep 2012 16:24:25 +0200
Subject: [Freeipa-users] IPA Automount cross-location support
In-Reply-To: <5051E9DD.60704@s3group.cz>
References: <14300.62.148.39.180.1347544550.squirrel@www.nixtra.com> <5051E9DD.60704@s3group.cz>
Message-ID: <5051EC99.1020803@s3group.cz>

Sorry, the parameter mentioned below has already been implemented :-)

On 09/13/2012 04:12 PM, Ondrej Valousek wrote:
> I guess the easiest implementation would be using a pre-defined variable in automount map names.
> The variable would then be defined by the automount process using the -D parameter.
>
> The other option (maybe easier) would be to ask the sssd developers to add another option to sssd, say:
>
> ldap_autofs_search_base
>
> so you could specify a different search base for every site....
> Ondrej
>
> On 09/13/2012 03:55 PM, Sigbjorn Lie wrote:
>> Hi,
>>
>> I opened a request a while ago for Automount cross-location support.
>> https://bugzilla.redhat.com/show_bug.cgi?id=768177
>> https://fedorahosted.org/freeipa/ticket/1699#
>>
>> I see from the comments that it's uncertain how this can be implemented.
>>
>> Could the Virtual Views in 389-ds be used to implement the cross-location maps?
>>
>> I'm picturing the ability to add a "virtual" automount map to an automount location, where you
>> select an existing map from one of the other automount locations to display.
>>
>> All changes to the map will be done in the original map in its original automount location, but it
>> will be displayed in both automount locations.
>>
>> Any thoughts on that solution?
>>
>> Regards,
>> Siggi

From rcritten at redhat.com Thu Sep 13 14:46:24 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Sep 2012 10:46:24 -0400
Subject: [Freeipa-users] IPA Automount cross-location support
In-Reply-To: <5051EC99.1020803@s3group.cz>
References: <14300.62.148.39.180.1347544550.squirrel@www.nixtra.com> <5051E9DD.60704@s3group.cz> <5051EC99.1020803@s3group.cz>
Message-ID: <5051F1C0.30504@redhat.com>

Ondrej Valousek wrote:
> Sorry, the parameter mentioned below has already been implemented :-)

He wants to be able to share a common set of maps between locations rather than having to duplicate them across each location.

We're limited by the LDAP clients at this point because they just query a basedn and can't really do anything complex.

Using a virtual view is one of the options we've considered, but honestly we haven't spent a lot of time looking into this yet. The problem with trying to virtually add things to a location is it could get very complex very quickly and either hamper performance, debugging, or both very quickly.
regards

rob

From sigbjorn at nixtra.com Thu Sep 13 14:49:31 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 13 Sep 2012 16:49:31 +0200 (CEST)
Subject: [Freeipa-users] IPA Automount cross-location support
In-Reply-To: <5051EC99.1020803@s3group.cz>
References: <14300.62.148.39.180.1347544550.squirrel@www.nixtra.com> <5051E9DD.60704@s3group.cz> <5051EC99.1020803@s3group.cz>
Message-ID: <13416.62.148.39.180.1347547771.squirrel@www.nixtra.com>

Hi,

That still only supports one automount location.

Currently, a map has to be redefined in every automount location if the same map is to be used for several locations.

My request is to be able to share maps between the automount locations, as well as having the per-location maps available today.

Regards,
Siggi

On Thu, September 13, 2012 16:24, Ondrej Valousek wrote:
> Sorry, the parameter mentioned below has already been implemented :-)
>
> On 09/13/2012 04:12 PM, Ondrej Valousek wrote:
>
>> I guess the easiest implementation would be using a pre-defined variable in automount map names.
>> The variable would then be defined by the automount process using the -D parameter.
>>
>> The other option (maybe easier) would be to ask the sssd developers to add another option to sssd, say:
>>
>> ldap_autofs_search_base
>>
>> so you could specify a different search base for every site....
>> Ondrej
>>
>> On 09/13/2012 03:55 PM, Sigbjorn Lie wrote:
>>
>>> Hi,
>>>
>>> I opened a request a while ago for Automount cross-location support.
>>> https://bugzilla.redhat.com/show_bug.cgi?id=768177
>>> https://fedorahosted.org/freeipa/ticket/1699#
>>>
>>> I see from the comments that it's uncertain how this can be implemented.
>>>
>>> Could the Virtual Views in 389-ds be used to implement the cross-location maps?
>>>
>>> I'm picturing the ability to add a "virtual" automount map to an automount location, where
>>> you select an existing map from one of the other automount locations to display.
>>>
>>> All changes to the map will be done in the original map in its original automount location,
>>> but it will be displayed in both automount locations.
>>>
>>> Any thoughts on that solution?
>>>
>>> Regards,
>>> Siggi

From rmeggins at redhat.com Thu Sep 13 14:56:40 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Sep 2012 08:56:40 -0600
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <5051D1DD.8080509@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>
Message-ID: <5051F428.3060008@redhat.com>

On 09/13/2012 06:30 AM, Rob Crittenden wrote:
> Steven Jones wrote:
>> I just set up a winsync agreement, except it's wiped any IPA user that also
>> exists in AD.
>>
>> Is this expected? If so, how do I stop it doing that?
>
> The 389-ds winsync plugin is deleting entries that appear to be out of
> scope,
> https://fedorahosted.org/freeipa/ticket/2927

This is fixed in 389-ds-base 1.2.11.12 and later - 1.2.11.14 is in updates testing
https://fedorahosted.org/389/ticket/355

>
> rob

From sigbjorn at nixtra.com Thu Sep 13 14:58:02 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 13 Sep 2012 16:58:02 +0200 (CEST)
Subject: [Freeipa-users] IPA Automount cross-location support
In-Reply-To: <5051F1C0.30504@redhat.com>
References: <14300.62.148.39.180.1347544550.squirrel@www.nixtra.com> <5051E9DD.60704@s3group.cz> <5051EC99.1020803@s3group.cz> <5051F1C0.30504@redhat.com>
Message-ID: <11273.62.148.39.180.1347548282.squirrel@www.nixtra.com>

On Thu, September 13, 2012 16:46, Rob Crittenden wrote:
> Ondrej Valousek wrote:
>
>> Sorry, the parameter mentioned below has already been implemented :-)
>
> He wants to be able to share a common set of maps between locations
> rather than having to duplicate them across each location.
>
> We're limited by the LDAP clients at this point because they just query
> a basedn and can't really do anything complex.
>
> Using a virtual view is one of the options we've considered, but
> honestly we haven't spent a lot of time looking into this yet. The problem with trying to virtually
> add things to a location is it could get very complex very quickly and either hamper performance,
> debugging, or both very quickly.

I see. Is using virtual views in 389-ds considered slow? I suppose it depends somewhat on how complex the filters behind the view are written...
Regards,
Siggi

From rmeggins at redhat.com Thu Sep 13 14:57:31 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Sep 2012 08:57:31 -0600
Subject: [Freeipa-users] Questions about FreeIPA vs 389DS
In-Reply-To: <1347541313.78158.YahooMailNeo@web171502.mail.ir2.yahoo.com>
References: <1347541313.78158.YahooMailNeo@web171502.mail.ir2.yahoo.com>
Message-ID: <5051F45B.9010802@redhat.com>

On 09/13/2012 07:01 AM, mailing lists wrote:
> Hello all,
>
> It is difficult for newcomers to cope with all this 389DS/FreeIPA stuff. After reading the project documentation and several mail messages in the archives I still have some unanswered questions, so I would be very grateful if list members could answer the following doubts.
>
> I need to use services in an Active Directory environment and the WinSync solution has important limitations: the MODRDN operation is not handled correctly, losing the relation with AD objects (it deletes and adds the entry, so a new SID and GUID is assigned),

What version of 389-ds-base are you using?

> the upcoming "IPAv3 Trust" feature seems very promising because AFAIK no synchronization is necessary, but by using IPA it seems very restrictive to support current applications which need an LDAP hierarchical tree, custom schema with custom objectclasses and attributes, custom ACLs for applications...... I know about Directory Server virtual views, but I'm worried about the consequences of low-level manipulation of the FreeIPA Directory Server instance.
>
> So how are others solving this paradox?
> they run 389DS with (fractional) replication towards (or from) FreeIPA 389DS?
> they add custom schemas to FreeIPA 389DS?
> they do low-level manipulation of FreeIPA 389DS for ACLs, plugin activation, ...?
> what about upgrades after these modifications were done?
>

From rcritten at redhat.com Thu Sep 13 15:07:45 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Sep 2012 11:07:45 -0400
Subject: [Freeipa-users] IPA Automount cross-location support
In-Reply-To: <11273.62.148.39.180.1347548282.squirrel@www.nixtra.com>
References: <14300.62.148.39.180.1347544550.squirrel@www.nixtra.com> <5051E9DD.60704@s3group.cz> <5051EC99.1020803@s3group.cz> <5051F1C0.30504@redhat.com> <11273.62.148.39.180.1347548282.squirrel@www.nixtra.com>
Message-ID: <5051F6C1.9050506@redhat.com>

Sigbjorn Lie wrote:
> On Thu, September 13, 2012 16:46, Rob Crittenden wrote:
>> Ondrej Valousek wrote:
>>
>>> Sorry, the parameter mentioned below has already been implemented :-)
>>
>> He wants to be able to share a common set of maps between locations
>> rather than having to duplicate them across each location.
>>
>> We're limited by the LDAP clients at this point because they just query
>> a basedn and can't really do anything complex.
>>
>> Using a virtual view is one of the options we've considered, but
>> honestly we haven't spent a lot of time looking into this yet. The problem with trying to virtually
>> add things to a location is it could get very complex very quickly and either hamper performance,
>> debugging, or both very quickly.
>
> I see. Is using virtual views in 389-ds considered slow? I suppose it depends somewhat on how complex
> the filters behind the view are written...

Nothing is free, but I'm not sure how much overhead comes with views. We'd be doing this on the fly, combining any number of different maps into potentially multiple locations. It could be very complex, and this makes my spider sense tingle.
rob

From Steven.Jones at vuw.ac.nz Thu Sep 13 20:39:37 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 13 Sep 2012 20:39:37 +0000
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <5051D1DD.8080509@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz>, <5051D1DD.8080509@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E405327A69C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Why are legit users, including those in the admin group, "out of scope"? And how do I put legit users in scope? And why doesn't the winsync doc section at least comment (obviously) that I have to change scopes?

Kind of bad news when I lose all my users.......

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Friday, 14 September 2012 12:30 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement

Steven Jones wrote:
> I just set up a winsync agreement, except it's wiped any IPA user that also
> exists in AD.
>
> Is this expected? If so, how do I stop it doing that?

The 389-ds winsync plugin is deleting entries that appear to be out of
scope,
https://fedorahosted.org/freeipa/ticket/2927

rob

From Steven.Jones at vuw.ac.nz Thu Sep 13 20:53:46 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 13 Sep 2012 20:53:46 +0000
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <5051F428.3060008@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>,<5051F428.3060008@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Do you not think that maybe the winsync feature shouldn't then be disabled until its fix makes it to the RHEL6 production tree?
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Friday, 14 September 2012 2:56 a.m.
To: Rob Crittenden
Cc: Steven Jones; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement

On 09/13/2012 06:30 AM, Rob Crittenden wrote:
> Steven Jones wrote:
>> I just set up a winsync agreement, except it's wiped any IPA user that also
>> exists in AD.
>>
>> Is this expected? If so, how do I stop it doing that?
>
> The 389-ds winsync plugin is deleting entries that appear to be out of
> scope,
> https://fedorahosted.org/freeipa/ticket/2927

This is fixed in 389-ds-base 1.2.11.12 and later - 1.2.11.14 is in updates testing
https://fedorahosted.org/389/ticket/355

>
> rob

From Steven.Jones at vuw.ac.nz Thu Sep 13 21:18:55 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 13 Sep 2012 21:18:55 +0000
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>, <5051F428.3060008@redhat.com>, <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E405327E747@STAWINCOX10MBX1.staff.vuw.ac.nz>

With --win-subtree can I specify more than one cn?

For instance,

--win-subtree cn=Staff,$SUFFIX,cn=admins,$SUFFIX

or can I say,

cn=$SUFFIX ?
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Friday, 14 September 2012 8:53 a.m.
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement

Hi,

Do you not think that maybe the winsync feature shouldn't then be disabled until its fix makes it to RHEL6 production tree?

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Friday, 14 September 2012 2:56 a.m.
To: Rob Crittenden
Cc: Steven Jones; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement

On 09/13/2012 06:30 AM, Rob Crittenden wrote:
> Steven Jones wrote:
>> I just set up a winsync agreement, except it's wiped any IPA user that also
>> exists in AD.
>>
>> Is this expected? If so, how do I stop it doing that?
>
> The 389-ds winsync plugin is deleting entries that appear to be out of
> scope,
> https://fedorahosted.org/freeipa/ticket/2927

This is fixed in 389-ds-base 1.2.11.12 and later - 1.2.11.14 is in updates testing
https://fedorahosted.org/389/ticket/355

>
> rob

From dpal at redhat.com Thu Sep 13 22:43:32 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 13 Sep 2012 18:43:32 -0400
Subject: [Freeipa-users] Questions about FreeIPA vs 389DS
In-Reply-To: <5051F45B.9010802@redhat.com>
References: <1347541313.78158.YahooMailNeo@web171502.mail.ir2.yahoo.com> <5051F45B.9010802@redhat.com>
Message-ID: <50526194.5080907@redhat.com>

On 09/13/2012 10:57 AM, Rich Megginson wrote:
> On 09/13/2012 07:01 AM, mailing lists wrote:
>> Hello all,
>>
>> It is difficult for newcomers to cope with all this 389DS/FreeIPA
>> stuff. After reading the project documentation and several mail
>> messages in the archives I still have some unanswered questions, so I
>> would be very grateful if list members could answer the following
>> doubts.
>>
>> I need to use services in an Active Directory environment and the
>> WinSync solution has important limitations: the MODRDN operation is
>> not handled correctly, losing the relation with AD objects (it deletes
>> and adds the entry, so a new SID and GUID is assigned),
>
> What version of 389-ds-base are you using?
>
>> the upcoming "IPAv3 Trust" feature seems very promising because AFAIK
>> no synchronization is necessary, but by using IPA it seems very
>> restrictive to support current applications which need an LDAP
>> hierarchical tree, custom schema with custom objectclasses and
>> attributes, custom ACLs for applications......
>> I know about Directory
>> Server virtual views, but I'm worried about the consequences of low
>> level manipulation of the FreeIPA Directory Server instance.
>>
>> So how are others solving this paradox?
>> Do they run 389DS with (fractional) replication towards (or from)
>> FreeIPA 389DS?
>> Do they add custom schemas to FreeIPA 389DS?
>> Do they do low level manipulation of FreeIPA 389DS for ACLs, plugin
>> activation, ...?
>> What about upgrades after these modifications were done?

If you need this level of flexibility and customization, 389 DS is probably better for you than IPA. It seems that you want to do a lot of "do it yourself" things. IPA is more about "use as is with minor tweaks so that you do not need to do it yourself".

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Thu Sep 13 22:49:43 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 13 Sep 2012 18:49:43 -0400
Subject: [Freeipa-users] clients very slow
In-Reply-To: <73D5696F6096F9478FA4CA43E2FD99B9B958FFC8@mail6.millersville.edu>
References: <73D5696F6096F9478FA4CA43E2FD99B9B958FFC8@mail6.millersville.edu>
Message-ID: <50526307.1010305@redhat.com>

On 09/13/2012 09:54 AM, David Fitzgerald wrote:
> Hello Everyone,
>
> I work at a small university and I deployed freeIPA on my Linux
> network over the summer break with no (known) problems, and
> everything worked as expected.
> However, now that the semester has started and the Linux system is under
> a much higher load, I am noticing that my client machines will randomly
> slow to a crawl. For example, I have a lab of 25 machines. The students
> can log in ok, but after a time, a few of the machines will freeze so
> that the users on those machines cannot do anything. After a few minutes,
> the frozen machines will unfreeze, but other machines will freeze up. I
> can't see any pattern to what machines freeze up. I did not have this
> problem when running NIS, so I suspect it is something in freeIPA, but I
> am not sure what to look for to solve the problem. Probably a setting
> somewhere needs to be tweaked, but I don't know. The server and clients
> all run Scientific Linux 6.2.
>
> Can anyone help me troubleshoot this?

Do you use SSSD as a client or something else?
If SSSD, we would need the nsswitch, pam, krb5.conf and sssd.conf configuration files and SSSD logs set to debug_level=8 or 9.

What operation are they freezing on? Is it login/authentication, or just suddenly, which probably indicates identity lookup?
So freezes might be related to the DNS or name resolution lookups that those machines do. They might be accessing a DNS server that is down or misconfigured before failing over to a correct one. So resolv.conf and /etc/hosts would be helpful. But you might need to check the DNS configuration yourself.

HTH

> Thanks!
>
> Dave
>
> +++++++++++++++++++++++
> David Fitzgerald
> Department of Earth Sciences
> Millersville University
> Millersville, PA 17551
>
> Phone: 717-871-2394

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmeggins at redhat.com Thu Sep 13 22:54:59 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Sep 2012 16:54:59 -0600
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E405327A69C@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz>, <5051D1DD.8080509@redhat.com> <833D8E48405E064EBC54C84EC6B36E405327A69C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50526443.5080104@redhat.com>

On 09/13/2012 02:39 PM, Steven Jones wrote:
> Hi,
>
> why are legit users including those in the admin group "out of scope"?

They are out of scope of the winsync agreement.

Let's say you have in AD
cn=Users,dc=example,dc=com
cn=Adminusers,dc=example,dc=com

and in IPA
cn=users,cn=accounts,dc=example,dc=com

and you set up your winsync agreement as

nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com

That is, you want users in cn=Users,dc=example,dc=com to be in sync with
cn=users,cn=accounts,dc=example,dc=com

IPA uses a flat DIT - users are grouped not by hierarchy but by attributes, as opposed to AD, which uses hierarchies for grouping. So IPA "flattens" hierarchies when it syncs users from AD to DS.

Let's say you have
cn=jsmith,cn=Adminusers,dc=example,dc=com with samaccountname: jsmith
and
uid=jsmith,cn=Users,dc=example,dc=com

Because of the way that winsync works, it will think that because the AD entry and the IPA entry have the same userid, they should be in sync - but because cn=jsmith,cn=Adminusers,dc=example,dc=com is outside the scope of cn=Users,dc=example,dc=com, winsync will think that the user has moved outside the scope of the agreement, and will delete the user.
Obviously it should not do that by default, hence
https://fedorahosted.org/389/ticket/355

But why do you have users with the same userid in AD out of the scope of the sync agreement with the same userid as an IPA user?

>
> and how do I put legit users in scope?

?

>
> and why doesn't the winsync doc section at least comment (obviously) that I have to change scopes?

"change scopes"?

> kind of bad news when I lose all my users.......

indeed

>
> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Friday, 14 September 2012 12:30 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement
>
> Steven Jones wrote:
>> I just set up a winsync agreement, except it's wiped any IPA user that also
>> exists in AD.
>>
>> Is this expected? If so, how do I stop it doing that?
> The 389-ds winsync plugin is deleting entries that appear to be out of
> scope,
> https://fedorahosted.org/freeipa/ticket/2927
>
> rob

From rmeggins at redhat.com Thu Sep 13 22:55:43 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Sep 2012 16:55:43 -0600
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>, <5051F428.3060008@redhat.com> <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5052646F.2030404@redhat.com>

On 09/13/2012 02:53 PM, Steven Jones wrote:
> Hi,
>
> Do you not think that maybe the winsync feature shouldn't then be disabled until its fix makes it to RHEL6 production
> tree?

will be fixed in RHEL 6.4 - not sure what you mean by "RHEL6 production tree"

>
> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Friday, 14 September 2012 2:56 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement
>
> On 09/13/2012 06:30 AM, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> I just set up a winsync agreement, except it's wiped any IPA user that also
>>> exists in AD.
>>>
>>> Is this expected? If so, how do I stop it doing that?
>> The 389-ds winsync plugin is deleting entries that appear to be out of
>> scope,
>> https://fedorahosted.org/freeipa/ticket/2927
> This is fixed in 389-ds-base 1.2.11.12 and later - 1.2.11.14 is in
> updates testing
> https://fedorahosted.org/389/ticket/355
>> rob

From rmeggins at redhat.com Thu Sep 13 22:56:27 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Sep 2012 16:56:27 -0600
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E405327E747@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>, <5051F428.3060008@redhat.com>, <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E405327E747@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5052649B.7040006@redhat.com>

On 09/13/2012 03:18 PM, Steven Jones wrote:
> with win-subtree
>
> can I specify
> more than one cn?
>
> for instance,
>
> --win-subtree cn=Staff,$SUFFIX,cn=admins,$SUFFIX
>
> or can I say, cn=$SUFFIX
>
> ?

no

>
> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Friday, 14 September 2012 8:53 a.m.
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement
>
> Hi,
>
> Do you not think that maybe the winsync feature shouldn't then be disabled until its fix makes it to RHEL6 production tree?
>
> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Friday, 14 September 2012 2:56 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement
>
> On 09/13/2012 06:30 AM, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> I just set up a winsync agreement, except it's wiped any IPA user that also
>>> exists in AD.
>>>
>>> Is this expected? If so, how do I stop it doing that?
>> The 389-ds winsync plugin is deleting entries that appear to be out of
>> scope,
>> https://fedorahosted.org/freeipa/ticket/2927
> This is fixed in 389-ds-base 1.2.11.12 and later - 1.2.11.14 is in
> updates testing
> https://fedorahosted.org/389/ticket/355
>> rob

From Steven.Jones at vuw.ac.nz Thu Sep 13 23:11:10 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 13 Sep 2012 23:11:10 +0000
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <5052646F.2030404@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>, <5051F428.3060008@redhat.com> <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052646F.2030404@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E405328296C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

So I have 6.3 and just lost all my IPA users.

So anyone on 6.2/6.3, until they upgrade after December's 6.4, could lose all their IPA users if they do a winsync agreement and don't twig to that option being essential if they don't have a std AD.

Not only that, my admins are in a separate OU, so even if I had done a --win-subtree=cn=staff_users, admins being elsewhere would have gone bye bye anyway.

Luckily I hadn't disabled the admin account yet.....it was the only one left.

I guess this stuff is a lot more complex than it looks.
:/

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

8><-----
will be fixed in RHEL 6.4 - not sure what you mean by "RHEL6 production tree"
8><----

From rmeggins at redhat.com Thu Sep 13 23:15:57 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Sep 2012 17:15:57 -0600
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E405328296C@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>, <5051F428.3060008@redhat.com> <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052646F.2030404@redhat.com> <833D8E48405E064EBC54C84EC6B36E405328296C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5052692D.3000908@redhat.com>

On 09/13/2012 05:11 PM, Steven Jones wrote:
> Hi,
>
> So I have 6.3 and just lost all my IPA users.

In production or in a test environment?

> So anyone on 6.2/6.3, until they upgrade after December's 6.4, could lose all their IPA users if they do a winsync agreement and don't twig to that option being essential if they don't have a std AD.

Please explain "std AD".

> Not only that, my admins are in a separate OU, so even if I had done a --win-subtree=cn=staff_users, admins being elsewhere would have gone bye bye anyway.

Let's say you have in AD
cn=Users,dc=example,dc=com
cn=Adminusers,dc=example,dc=com

and in IPA
cn=users,cn=accounts,dc=example,dc=com

and you set up your winsync agreement as

nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com

That is, you want users in cn=Users,dc=example,dc=com to be in sync with
cn=users,cn=accounts,dc=example,dc=com

IPA uses a flat DIT - users are grouped not by hierarchy but by attributes, as opposed to AD, which uses hierarchies for grouping. So IPA "flattens" hierarchies when it syncs users from AD to DS.
Let's say you have
cn=jsmith,cn=Adminusers,dc=example,dc=com with samaccountname: jsmith
and
uid=jsmith,cn=Users,dc=example,dc=com

Because of the way that winsync works, it will think that because the AD entry and the IPA entry have the same userid, they should be in sync - but because cn=jsmith,cn=Adminusers,dc=example,dc=com is outside the scope of cn=Users,dc=example,dc=com, winsync will think that the user has moved outside the scope of the agreement, and will delete the user. Obviously it should not do that by default, hence
https://fedorahosted.org/389/ticket/355

But why do you have users with the same userid in AD out of the scope of the sync agreement with the same userid as an IPA user?

>
> Luckily I hadn't disabled the admin account yet.....it was the only one left.
>
> I guess this stuff is a lot more complex than it looks.
>
> :/
>
> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> 8><-----
> will be fixed in RHEL 6.4 - not sure what you mean by "RHEL6 production
> tree"
> 8><----

From Steven.Jones at vuw.ac.nz Thu Sep 13 23:53:16 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 13 Sep 2012 23:53:16 +0000
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <5052692D.3000908@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>, <5051F428.3060008@redhat.com> <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052646F.2030404@redhat.com> <833D8E48405E064EBC54C84EC6B36E405328296C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052692D.3000908@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40532849B8@STAWINCOX10MBX1.staff.vuw.ac.nz>

=======
"Please explain "std AD"."
=======

Under 8.4.2 page 178 the option listed as,

--win-subtree says the default is cn=Users,$SUFFIX.

Which I am told is "standard" AD layout.
I assume the $SUFFIX is staff.vuw.ac.nz in my case, with IPA as ods.vuw.ac.nz. So I want to map cn=staff,dc=staff,dc=vuw,dc=ac,dc=nz to cn=users??,dc=ods,dc=vuw,dc=ac,dc=nz.

At least I think so.

So I take it I should set --win-subtree cn=staff,$SUFFIX in the command line to make an agreement?

So for the IPA admin group I don't want to sync the admins; they are not in cn=staff but in cn=staff_admins. I want them not to sync, but I also don't want them wiped out.

Users are simply a user, say steven, with no privileges. An admin is admin-steven with more permissions, so I have 2 logins and 2 passwords depending on the work; it's our security policy.

==========
"But why do you have users with the same userid in AD out of the scope of the sync agreement with the same userid as an IPA user?"
==========

Probably because I don't have enough knowledge of IPA and even less of AD.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Friday, 14 September 2012 11:15 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement

On 09/13/2012 05:11 PM, Steven Jones wrote:
> Hi,
>
> So I have 6.3 and just lost all my IPA users.

In production or in a test environment?

> So anyone on 6.2/6.3, until they upgrade after December's 6.4, could lose all their IPA users if they do a winsync agreement and don't twig to that option being essential if they don't have a std AD.

Please explain "std AD".

> Not only that, my admins are in a separate OU, so even if I had done a --win-subtree=cn=staff_users, admins being elsewhere would have gone bye bye anyway.
Let's say you have in AD
cn=Users,dc=example,dc=com
cn=Adminusers,dc=example,dc=com

and in IPA
cn=users,cn=accounts,dc=example,dc=com

and you set up your winsync agreement as

nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com

That is, you want users in cn=Users,dc=example,dc=com to be in sync with
cn=users,cn=accounts,dc=example,dc=com

IPA uses a flat DIT - users are grouped not by hierarchy but by attributes, as opposed to AD, which uses hierarchies for grouping. So IPA "flattens" hierarchies when it syncs users from AD to DS.

Let's say you have
cn=jsmith,cn=Adminusers,dc=example,dc=com with samaccountname: jsmith
and
uid=jsmith,cn=Users,dc=example,dc=com

Because of the way that winsync works, it will think that because the AD entry and the IPA entry have the same userid, they should be in sync - but because cn=jsmith,cn=Adminusers,dc=example,dc=com is outside the scope of cn=Users,dc=example,dc=com, winsync will think that the user has moved outside the scope of the agreement, and will delete the user. Obviously it should not do that by default, hence
https://fedorahosted.org/389/ticket/355

But why do you have users with the same userid in AD out of the scope of the sync agreement with the same userid as an IPA user?

>
> Luckily I hadn't disabled the admin account yet.....it was the only one left.
>
> I guess this stuff is a lot more complex than it looks.
>
> :/
>
> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> 8><-----
> will be fixed in RHEL 6.4 - not sure what you mean by "RHEL6 production
> tree"
> 8><----

From rmeggins at redhat.com Fri Sep 14 00:00:54 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Sep 2012 18:00:54 -0600
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40532849B8@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>, <5051F428.3060008@redhat.com> <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052646F.2030404@redhat.com> <833D8E48405E064EBC54C84EC6B36E405328296C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052692D.3000908@redhat.com> <833D8E48405E064EBC54C84EC6B36E40532849B8@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <505273B6.1020006@redhat.com>

On 09/13/2012 05:53 PM, Steven Jones wrote:
> =======
> "Please explain "std AD"."
> =======
>
> under 8.4.2 page 178 the option listed as,
>
> --win-subtree says the default is cn=Users,$SUFFIX.
>
> Which I am told is "standard" AD layout.

Yes. That is the default AD user container.

>
> I assume the $SUFFIX is staff.vuw.ac.nz in my case, with IPA as ods.vuw.ac.nz. So I want to map cn=staff,dc=staff,dc=vuw,dc=ac,dc=nz to cn=users??,dc=ods,dc=vuw,dc=ac,dc=nz.

I think it's cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz in IPA

>
> At least I think so.
>
> So I take it I should set --win-subtree cn=staff,$SUFFIX in the command line to make an agreement?

Yes.

>
> So for the IPA admin group I don't want to sync the admins; they are not in cn=staff but in cn=staff_admins. I want them not to sync, but I also don't want them wiped out.

Are there corresponding users in IPA where the IPA uid is the same as the AD samaccountname of a user in the admin subtree?
>
> Users are simply a user, say steven, with no privileges. An admin is admin-steven with more permissions, so I have 2 logins and 2 passwords depending on the work; it's our security policy.
>
> ==========
> "But why do you have users with the same userid in AD out of the scope of
> the sync agreement with the same userid as an IPA user?"
> ==========
>
> Probably because I don't have enough knowledge of IPA and even less of AD.

What I mean is this - for example, you have

cn=steven jones,cn=staff,$SUFFIX with samaccountname sjones
cn=admin-steven,cn=staff,$SUFFIX with samaccountname admin-steven

in AD and

uid=sjones,cn=staff,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
uid=admin-steven,cn=staff-admin,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz

So in the IPA user container, you have both users that you want to sync (in the windows subtree scope cn=staff,$SUFFIX), and users that you don't want to sync (in cn=staff-admin,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz)? If so, what you are seeing is that in IPA, uid=admin-steven is deleted, but not uid=sjones.

>
> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Friday, 14 September 2012 11:15 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement
>
> On 09/13/2012 05:11 PM, Steven Jones wrote:
>> Hi,
>>
>> So I have 6.3 and just lost all my IPA users.
> In production or in a test environment?
>> So anyone on 6.2/6.3, until they upgrade after December's 6.4, could lose all their IPA users if they do a winsync agreement and don't twig to that option being essential if they don't have a std AD.
> Please explain "std AD".
>> Not only that, my admins are in a separate OU, so even if I had done a --win-subtree=cn=staff_users, admins being elsewhere would have gone bye bye anyway.
> Let's say you have in AD
> cn=Users,dc=example,dc=com
> cn=Adminusers,dc=example,dc=com
>
> and in IPA
> cn=users,cn=accounts,dc=example,dc=com
>
> and you set up your winsync agreement as
>
> nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com
>
> That is, you want users in cn=Users,dc=example,dc=com to be in sync with
> cn=users,cn=accounts,dc=example,dc=com
>
> IPA uses a flat DIT - users are grouped not by hierarchy but by
> attributes, as opposed to AD, which uses hierarchies for grouping. So
> IPA "flattens" hierarchies when it syncs users from AD to DS.
>
> Let's say you have
> cn=jsmith,cn=Adminusers,dc=example,dc=com with samaccountname: jsmith
> and
> uid=jsmith,cn=Users,dc=example,dc=com
>
> Because of the way that winsync works, it will think that because the AD
> entry and the IPA entry have the same userid, they should be in sync - but
> because cn=jsmith,cn=Adminusers,dc=example,dc=com is outside the scope
> of cn=Users,dc=example,dc=com, winsync will think that the user has moved
> outside the scope of the agreement, and will delete the user. Obviously
> it should not do that by default, hence
> https://fedorahosted.org/389/ticket/355
>
> But why do you have users with the same userid in AD out of the scope of
> the sync agreement with the same userid as an IPA user?
>
>> Luckily I hadn't disabled the admin account yet.....it was the only one left.
>>
>> I guess this stuff is a lot more complex than it looks.
>>
>> :/
>>
>> regards
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> 8><-----
>> will be fixed in RHEL 6.4 - not sure what you mean by "RHEL6 production
>> tree"
>> 8><----

From Steven.Jones at vuw.ac.nz Fri Sep 14 00:10:42 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2012 00:10:42 +0000
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <505273B6.1020006@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>, <5051F428.3060008@redhat.com> <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052646F.2030404@redhat.com> <833D8E48405E064EBC54C84EC6B36E405328296C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052692D.3000908@redhat.com> <833D8E48405E064EBC54C84EC6B36E40532849B8@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505273B6.1020006@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4053284A1A@STAWINCOX10MBX1.staff.vuw.ac.nz>

=====
Are there corresponding users in IPA where the IPA uid is the same as the AD samaccountname of a user in the admin subtree?
=====

I think the answer to that is yes.

"admin-steven" in IPA also exists in AD as "admin-steven". So if I had set the two to different names, the one in IPA would not have been wiped in IPA.
:/

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From rmeggins at redhat.com Fri Sep 14 01:30:00 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Sep 2012 19:30:00 -0600
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4053284A1A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>, <5051F428.3060008@redhat.com> <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052646F.2030404@redhat.com> <833D8E48405E064EBC54C84EC6B36E405328296C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052692D.3000908@redhat.com> <833D8E48405E064EBC54C84EC6B36E40532849B8@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505273B6.1020006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053284A1A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50528898.2010901@redhat.com>

On 09/13/2012 06:10 PM, Steven Jones wrote:
> =====
> Are there corresponding users in IPA where the IPA uid is the same as
> the AD samaccountname of a user in the admin subtree?
> =====
>
> I think the answer to that is yes.
>
> "admin-steven" in IPA also exists in AD as "admin-steven". So if I had set the two to different names, the one in IPA would not have been wiped in IPA.

Correct.

>
> :/
>
> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272

From jonathan at ou.edu Fri Sep 14 05:34:04 2012
From: jonathan at ou.edu (Mullen, Jonathan W.)
Date: Fri, 14 Sep 2012 05:34:04 +0000
Subject: [Freeipa-users] Solaris 11 (OpenIndiana) PAM stack Password Change
Message-ID:

Hello All,

I'm in the process of setting up a ZFS file server that authenticates against our freeipa infrastructure. I'm running into a few issues, and a lot of confusion between discrepancies in the documentation.
Specifically between (http://freeipa.com/page/ConfiguringSolarisClients) and (http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html)

userA is a freeipa user

SSH with kerberos ticket already acquired:

CLIENT:~ userA$ ssh server.domain -l userA
Last login: Thu Sep 13 22:43:42 2012 from IP
OpenIndiana (powered by illumos)    SunOS 5.11    oi_151a5    June 2012
-bash-4.0$ passwd
passwd: Changing password for userA
Enter existing login password:
Unexpected failure. Password file/table unchanged.
-bash-4.0$ su
Password:
# passwd userA
Enter userA's password:
passwd: userA does not exist.
Permission denied
# exit
exit

SSH with password login (notice the LACK of 'passwd: userA does not exist.' as opposed to with kerberos):

CLIENT:~ userA$ ssh server.domain -l userA
Password:
Last login: Thu Sep 13 22:59:02 2012 from IP
OpenIndiana (powered by illumos)    SunOS 5.11    oi_151a5    June 2012
-bash-4.0$ passwd
passwd: Changing password for userA
Enter existing login password:
Unexpected failure. Password file/table unchanged.
-bash-4.0$

Here is my pam.conf; you can see the comments showing the various configurations. The current one works the "best" in that BOTH "getent passwd" and "getent passwd userA" work. With some configurations only "getent passwd userA" would work, and not "getent passwd".

Now my aim here is to get password changes working so I can capture smb passwords for SMB/CIFS. Does anyone have a working OpenIndiana and freeIPA setup for SMB shares? If so, would you be so kind as to help me with some sample configs?
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
#login  auth sufficient         pam_krb5.so.1 try_first_pass
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1 use_first_pass
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# GDM Autologin (explicit because of pam_allow).  These need to be
# here as there is no mechanism for packages to amend pam.conf as
# they are installed.
#
gdm-autologin auth required     pam_unix_cred.so.1
gdm-autologin auth sufficient   pam_allow.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
#passwd auth required           pam_passwd_auth.so.1
passwd  auth binding            pam_passwd_auth.so.1 server_policy
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# cups service (explicit because of non-usage of pam_roles.so.1)
#
cups    account required        pam_unix_account.so.1
#
# GDM Autologin (explicit because of pam_allow) This needs to be here
# as there is no mechanism for packages to amend pam.conf as they are
# installed.
#
gdm-autologin account sufficient pam_allow.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
#other  account requisite       pam_roles.so.1
#other  account optional        pam_unix_account.so.1
#other  account optional        pam_krb5.so.1 debug
other   account requisite       pam_roles.so.1
other   account binding         pam_unix_account.so.1 server_policy
other   account required        pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1 server_policy
#other  password sufficient     pam_krb5.so.1
#other  password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
other   password required       pam_smb_passwd.so.1 nowarn

Jonathan Mullen
jonathan at ou.edu

From listas.correo at yahoo.es Fri Sep 14 07:31:14 2012
From: listas.correo at yahoo.es (mailing lists)
Date: Fri, 14 Sep 2012 08:31:14 +0100 (BST)
Subject: [Freeipa-users] Questions about FreeIPA vs 389DS
In-Reply-To: <5052CDAD.30009@eservicios.indra.es>
References: <1347541313.78158.YahooMailNeo@web171502.mail.ir2.yahoo.com> <5051F45B.9010802@redhat.com> <50526194.5080907@redhat.com> <5052CDAD.30009@eservicios.indra.es>
Message-ID: <1347607874.2007.YahooMailNeo@web171506.mail.ir2.yahoo.com>

Hi,

On 09/14/2012 12:43 AM, Dmitri Pal wrote:
> On 09/13/2012 10:57 AM, Rich Megginson wrote:
>> On 09/13/2012 07:01 AM, mailing lists wrote:
>>> I need to use services in an Active Directory environment and the
>>> WinSync solution has important limitations, the MODRDN operation is
>>> not handled correctly losing the relation with AD objects (it deletes
>>> and adds the entry so a new SID and GUID is assigned),
>> What version of 389-ds-base are you using?

I did a test between W2008R2 and 389DS 1.2.10.2 and the result was that moving entries from the 389DS console resulted in a delete/add operation in AD, so a new SID and GUID was generated; it broke the group membership and permissions of the AD entry, and the relation between the 389DS entry and the AD entry was also broken.

I think it is related to Error #3 in the RHDS documentation:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Troubleshooting.html

>>> the upcoming "IPAv3 Trust" feature seems very promising because AFAIK
>>> no synchronization is necessary, but by using IPA it seems very
>>> restrictive to support current applications which need an LDAP
>>> hierarchical tree, custom schema with custom objectclasses and
>>> attributes, custom ACLs for applications......
>>> I know about Directory
>>> Server virtual views, but I'm worried about the consequences of low
>>> level manipulation of the FreeIPA Directory Server instance.
>>>
>>> So how are others solving this paradox?
>>> they run 389DS with (fractional) replication towards (or from)
>>> FreeIPA 389DS?
>>> they add custom schemas to FreeIPA 389DS?
>>> they do low-level manipulation of FreeIPA 389DS for ACLs, plugin
>>> activation, ...?
>>> what about upgrades after these modifications were done?
> If you need this level of flexibility and customization 389 DS is
> probably better for you than IPA.
> It seems that you want to do a lot of "do it yourself" things. IPA is
> more about "use as is with minor tweaks so that you do not need to do it
> yourself".

I do not want "do it yourself" things if it isn't strictly necessary, but for the external applications, the legacy ones, etc... a minimum level of flexibility is necessary. My questions were about how other admins solved this inconvenience. Has anyone really been in a similar situation?

I wonder if it is possible to configure 389DS with samba4 to create a forest trust with AD without FreeIPA ....
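The winsync breakage described in this message comes down to whether a move reaches the directory server as a real MODRDN (which winsync can propagate as a rename) or as a delete followed by an add (which the AD side sees as a new object, hence the new SID and GUID; a later reply in this thread attributes the delete/add to the 389 console and recommends ldapmodify with changetype: modrdn). The following is an added example, not code from the list or from 389 DS: it audits access-log lines for that pattern and builds the LDIF for a proper move. The log lines are constructed in the style of the 389 DS access log, and the DNs and the five-operation pairing window are assumptions.

```python
import re

# Constructed sample in the style of the 389 DS access log (not a real capture).
# conn=12 performs a real MODRDN; conn=15 emulates a move as DEL + ADD;
# conn=17 is a plain deletion that must not be reported as a rename.
SAMPLE_LOG = """\
[14/Sep/2012:08:31:14 -0600] conn=12 op=3 MODRDN dn="uid=jdoe,ou=People,dc=example,dc=com" newrdn="uid=jdoe" newsuperior="ou=Staff,dc=example,dc=com"
[14/Sep/2012:08:31:14 -0600] conn=12 op=3 RESULT err=0 tag=109 nentries=0 etime=0
[14/Sep/2012:08:32:01 -0600] conn=15 op=2 DEL dn="uid=asmith,ou=People,dc=example,dc=com"
[14/Sep/2012:08:32:01 -0600] conn=15 op=2 RESULT err=0 tag=107 nentries=0 etime=0
[14/Sep/2012:08:32:01 -0600] conn=15 op=3 ADD dn="uid=asmith,ou=Staff,dc=example,dc=com"
[14/Sep/2012:08:32:01 -0600] conn=15 op=3 RESULT err=0 tag=105 nentries=0 etime=0
[14/Sep/2012:08:40:12 -0600] conn=17 op=1 DEL dn="uid=old,ou=People,dc=example,dc=com"
[14/Sep/2012:08:40:12 -0600] conn=17 op=1 RESULT err=0 tag=107 nentries=0 etime=0
"""

# Matches the request line of a MODRDN, DEL or ADD; RESULT lines do not match.
OP_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>MODRDN|DEL|ADD) dn="(?P<dn>[^"]+)"'
    r'(?: newrdn="(?P<newrdn>[^"]+)")?(?: newsuperior="(?P<newsup>[^"]+)")?'
)


def rdn_of(dn):
    """First RDN of a DN (e.g. uid=asmith), lower-cased for comparison."""
    return dn.split(",", 1)[0].strip().lower()


def classify_renames(log_text, window=5):
    """Classify entry moves seen in the log.

    Returns a list of (kind, old_dn, new_dn) tuples where kind is
    'modrdn'     - a genuine rename/move that winsync can propagate, or
    'delete-add' - a DEL followed within `window` operations on the same
                   connection by an ADD carrying the same RDN, i.e. a move
                   emulated by a client; a winsync peer sees delete + new
                   object, so the AD object gets a fresh SID and GUID.
    Unmatched DELs are ordinary deletions and are not reported.
    """
    pending = {}   # conn -> list of (op, dn) for DELs not yet paired
    findings = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind, dn = m["conn"], int(m["op"]), m["kind"], m["dn"]
        if kind == "MODRDN":
            new_rdn = m["newrdn"] or rdn_of(dn)
            new_parent = m["newsup"] or dn.split(",", 1)[1]
            findings.append(("modrdn", dn, f"{new_rdn},{new_parent}"))
        elif kind == "DEL":
            pending.setdefault(conn, []).append((op, dn))
        elif kind == "ADD":
            dels = pending.get(conn, [])
            for i, (del_op, del_dn) in enumerate(dels):
                if rdn_of(del_dn) == rdn_of(dn) and 0 < op - del_op <= window:
                    findings.append(("delete-add", del_dn, dn))
                    del dels[i]
                    break
    return findings


def modrdn_ldif(dn, new_superior):
    """LDIF change record that moves `dn` under `new_superior` as a single
    MODRDN operation (what ldapmodify sends), rather than delete plus add."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modrdn",
        f"newrdn: {dn.split(',', 1)[0]}",
        "deleteoldrdn: 1",
        f"newsuperior: {new_superior}",
        "",
    ])


if __name__ == "__main__":
    for kind, old, new in classify_renames(SAMPLE_LOG):
        print(f"{kind:10s} {old} -> {new}")
    print(modrdn_ldif("uid=asmith,ou=People,dc=example,dc=com",
                      "ou=Staff,dc=example,dc=com"))
```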
From simo at redhat.com Fri Sep 14 12:26:00 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 14 Sep 2012 08:26:00 -0400
Subject: [Freeipa-users] Questions about FreeIPA vs 389DS
In-Reply-To: <1347607874.2007.YahooMailNeo@web171506.mail.ir2.yahoo.com>
References: <1347541313.78158.YahooMailNeo@web171502.mail.ir2.yahoo.com> <5051F45B.9010802@redhat.com> <50526194.5080907@redhat.com> <5052CDAD.30009@eservicios.indra.es> <1347607874.2007.YahooMailNeo@web171506.mail.ir2.yahoo.com>
Message-ID: <1347625560.19861.30.camel@willson.li.ssimo.org>

On Fri, 2012-09-14 at 08:31 +0100, mailing lists wrote:
> >>> the upcoming "IPAv3 Trust" feature seems very promising because AFAIK
> >>> no synchronization is necessary, but by using IPA it seems very
> >>> restrictive to support current applications which need an LDAP
> >>> hierarchical tree, custom schema with custom objectclasses and
> >>> attributes, custom ACLs for applications...... I know about Directory
> >>> Server virtual views, but I'm worried about the consequences of low
> >>> level manipulation of the FreeIPA Directory Server instance.
> >>>
> >>> So how are others solving this paradox?
> >>> they run 389DS with (fractional) replication towards (or from)
> >>> FreeIPA 389DS?
> >>> they add custom schemas to FreeIPA 389DS?
> >>> they do low-level manipulation of FreeIPA 389DS for ACLs, plugin
> >>> activation, ...?
> >>> what about upgrades after these modifications were done?
> > If you need this level of flexibility and customization 389 DS is
> > probably better for you than IPA.
> > It seems that you want to do a lot of "do it yourself" things. IPA is
> > more about "use as is with minor tweaks so that you do not need to do it
> > yourself".
>
> I do not want "do it yourself" things if it isn't strictly necessary,
> but for the external applications, the legacy ones, etc... a minimum
> level of flexibility is necessary. My questions were about how
> other admins solved this inconvenience.
> Has anyone really been in a
> similar situation?

It is not clear to me what kind of flexibility you think you need. The user tree is flat, but you can create a custom subtree and use custom schema otherwise, just like with any LDAP server. I have yet to find an application that dictates a hierarchical tree for users.

> I wonder if it is possible to configure 389DS with samba4 to create a
> forest trust with AD without FreeIPA ....

No, samba4 DC does not yet support trust relationships. And Samba4 also only supports using the embedded LDAP server; support for using third-party directories was dropped a long while ago.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rmeggins at redhat.com Fri Sep 14 14:30:11 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 14 Sep 2012 08:30:11 -0600
Subject: [Freeipa-users] Questions about FreeIPA vs 389DS
In-Reply-To: <1347607874.2007.YahooMailNeo@web171506.mail.ir2.yahoo.com>
References: <1347541313.78158.YahooMailNeo@web171502.mail.ir2.yahoo.com> <5051F45B.9010802@redhat.com> <50526194.5080907@redhat.com> <5052CDAD.30009@eservicios.indra.es> <1347607874.2007.YahooMailNeo@web171506.mail.ir2.yahoo.com>
Message-ID: <50533F73.8080509@redhat.com>

On 09/14/2012 01:31 AM, mailing lists wrote:
> Hi,
>
> On 09/14/2012 12:43 AM, Dmitri Pal wrote:
>> On 09/13/2012 10:57 AM, Rich Megginson wrote:
>>> On 09/13/2012 07:01 AM, mailing lists wrote:
>>>> I need to use services in an Active Directory environment and the
>>>> WinSync solution has important limitations, the MODRDN operation is
>>>> not handled correctly losing the relation with AD objects (it deletes
>>>> and adds the entry so a new SID and GUID is assigned),
>>> What version of 389-ds-base are you using?
> I did a test between W2008R2 and 389DS 1.2.10.2 and the result was that moving entries from the 389DS console resulted in a delete/add operation in AD, so a new SID and GUID was generated; it broke the group membership and permissions of the AD entry, and the relation between the 389DS entry and the AD entry was also broken.

This is a problem with the 389 console. It doesn't support entry move or subtree rename. It is doing a delete/add. If you use ldapmodify with changetype: modrdn you should be able to see entry moves and subtree renames.

>
> I think it is related to Error #3 in the RHDS documentation:
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Troubleshooting.html
>
>>>> the upcoming "IPAv3 Trust" feature seems very promising because AFAIK
>>>> no synchronization is necessary, but by using IPA it seems very
>>>> restrictive to support current applications which need an LDAP
>>>> hierarchical tree, custom schema with custom objectclasses and
>>>> attributes, custom ACLs for applications...... I know about Directory
>>>> Server virtual views, but I'm worried about the consequences of low
>>>> level manipulation of the FreeIPA Directory Server instance.
>>>>
>>>> So how are others solving this paradox?
>>>> they run 389DS with (fractional) replication towards (or from)
>>>> FreeIPA 389DS?
>>>> they add custom schemas to FreeIPA 389DS?
>>>> they do low-level manipulation of FreeIPA 389DS for ACLs, plugin
>>>> activation, ...?
>>>> what about upgrades after these modifications were done?
>> If you need this level of flexibility and customization 389 DS is
>> probably better for you than IPA.
>> It seems that you want to do a lot of "do it yourself" things. IPA is
>> more about "use as is with minor tweaks so that you do not need to do it
>> yourself".
> I do not want "do it yourself" things if it isn't strictly necessary, but for the external applications, the legacy ones, etc...
> a minimum level of flexibility is necessary. My questions were about how other admins solved this inconvenience. Has anyone really been in a similar situation?
>
> I wonder if it is possible to configure 389DS with samba4 to create a forest trust with AD without FreeIPA ....
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From dpal at redhat.com Fri Sep 14 15:20:52 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 14 Sep 2012 11:20:52 -0400
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4053284A1A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>, <5051F428.3060008@redhat.com> <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052646F.2030404@redhat.com> <833D8E48405E064EBC54C84EC6B36E405328296C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052692D.3000908@redhat.com> <833D8E48405E064EBC54C84EC6B36E40532849B8@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505273B6.1020006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053284A1A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50534B54.4080202@redhat.com>

On 09/13/2012 08:10 PM, Steven Jones wrote:
> =====
> Are there corresponding users in IPA where the IPA uid is the same as
> the AD samaccountname of a user in the admin subtree?
> =====
>
> I think the answer to that is yes.
>
> "admin-steven" in IPA also exists in AD as "admin-steven". So if I had set the two to different names the one in IPA would not have been wiped in IPA.
>
> :/

So now that we understand the crux of the problem, Steven, can you advise us on what we should have said and where (in docs or somewhere else) about this logic.
Keep in mind that winsync is based on DS sync and we did not have this problem in DS in the past.
With IPA we have a flat tree but the same problem can be faced in pure 389 DS.

I hope you realize that we did not do it on purpose. We definitely did not realize that anyone would be manually creating users with the same names. From the point of view of the sync algorithm it made sense to do what we have implemented, as it seemed logical. JR faced this issue and filed a bug. We agreed with it but we still thought that it is a fairly corner case; this is why we did not file an errata or anything like it.

However this is not the point. Back to my question. How could we have prevented this problem, so that you could make an informed decision and not do what you have done? Also, realistically, do you think it should be an errata? Doing an errata comes with a cost, and the cost will be the features and bug fixes from the later version. Sometimes the errata is absolutely necessary, but is it necessary now?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmeggins at redhat.com Fri Sep 14 15:47:55 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 14 Sep 2012 09:47:55 -0600
Subject: [Freeipa-users] winsync agreement
In-Reply-To: <50534B54.4080202@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E405263A8AB@STAWINCOX10MBX4.staff.vuw.ac.nz> <5051D1DD.8080509@redhat.com>, <5051F428.3060008@redhat.com> <833D8E48405E064EBC54C84EC6B36E405327C6DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052646F.2030404@redhat.com> <833D8E48405E064EBC54C84EC6B36E405328296C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5052692D.3000908@redhat.com> <833D8E48405E064EBC54C84EC6B36E40532849B8@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505273B6.1020006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053284A1A@STAWINCOX10MBX1.staff.vuw.ac.nz> <50534B54.4080202@redhat.com>
Message-ID: <505351AB.6010701@redhat.com>

On 09/14/2012 09:20 AM, Dmitri Pal wrote:
> On 09/13/2012 08:10 PM, Steven Jones wrote:
>> =====
>> Are there corresponding users in IPA where the IPA uid is the same as
>> the AD samaccountname of a user in the admin subtree?
>> =====
>>
>> I think the answer to that is yes.
>>
>> "admin-steven" in IPA also exists in AD as "admin-steven". So if I had set the two to different names the one in IPA would not have been wiped in IPA.
>>
>> :/
> So now that we understand the crux of the problem, Steven can you advise
> us on what we should have said and where (in docs or somewhere else)
> about this logic.
> Keep in mind that winsync is based on DS sync and we did not have this
> problem in DS in the past.

Right. It was a bug introduced into the winsync code around 1.2.9 or so, when we changed winsync to support entry move and subtree rename. We mistakenly thought that this particular section of code would only apply when an entry was moved from within the sync subtree to outside of the sync subtree, in which case it seemed logical at the time to delete the DS entry.
The code has been changed in 1.2.11.14 to do one of 3 things in this case:
1) do nothing
2) delete the entry
3) unsync the entry.

> With IPA we have a flat tree but same problem can be faced in pure 389 DS.

Yes.

>
> I hope you realize that we did not do it on purpose. We definitely did
> not realize that anyone would be manually creating users with the same
> names. From the point of the sync algorithm it made sense to do what we
> have implemented as it seemed logical. JR faced this issue and filed a
> bug. We agreed with it but we still thought that it is a fairly corner
> case, this is why we did not file an errata or anything like.

Right. This case is caused when you have in AD

dn: cn=Steve Jones,cn=Users,dc=example,dc=com
samaccountname: sjones

and

dn: cn=Steve Jones,cn=AdminUsers,dc=example,dc=com
samaccountname: sjones

We didn't think at the time that it made sense to do something like this, since the username is usually supposed to be unique within a domain - why would you have two user entries with the same username?

>
> However this is not the point. Back to my question. How could we
> prevented this problem for you to make an informed decision and not do
> what you have done? Also realistically do you think it should be an
> errata? Doing an errata comes with a cost and the cost will be the
> features and bug fixes from the later version. Sometimes the errata is
> absolutely necessary but is it necessary now?
From lyamanishi at sesda2.com Fri Sep 14 16:59:25 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Fri, 14 Sep 2012 12:59:25 -0400
Subject: [Freeipa-users] LDAP authentication in third-party apps and password policy
Message-ID: <5053626D.1030305@sesda2.com>

Are there any plans to enforce the password policy on LDAP binds? Mostly I'm interested in password expiration since I can right only Kerberos authentication fails with an expired password. I was able to find ticket #343 and an old freeipa-devel thread (http://www.redhat.com/archives/freeipa-devel/2011-January/msg00500.html) referencing some other features, but nothing on expiration.

--
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

From Dennis.Ott at mckesson.com Fri Sep 14 18:33:34 2012
From: Dennis.Ott at mckesson.com (Ott, Dennis)
Date: Fri, 14 Sep 2012 18:33:34 +0000
Subject: [Freeipa-users] Password Expiration Grace Limit
Message-ID:

There seems to be nothing in the documentation about a user being able to initiate a password change dialogue after their password has expired, yet it seems that one is able to do just that. There is a value in the ldap store, passwordGraceLimit, which is initialized to zero. I have modified that value but it seems to have no effect.

I would like to limit this ability to just a few days, or alternatively, completely lock out the account once the password has expired.

Does anyone have any insight as to how to do this?
If not, is it planned for a future release?

I suppose I could look at a script running daily that would lock the account if the user's password has expired in the last X hours, but I was hoping for something builtin.

Any help is appreciated.

Dennis

From lyamanishi at sesda2.com Fri Sep 14 18:39:18 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Fri, 14 Sep 2012 14:39:18 -0400
Subject: [Freeipa-users] LDAP authentication in third-party apps and password policy
In-Reply-To: <5053626D.1030305@sesda2.com>
References: <5053626D.1030305@sesda2.com>
Message-ID: <505379D6.4030709@sesda2.com>

On 09/14/2012 12:59 PM, Lucas Yamanishi wrote:
> I'm interested in password expiration since I can right only Kerberos
> authentication fails with an expired password.

Typo fix: I'm interested in password expiration since I can right now authenticate via LDAP even if Kerberos authentication fails with an expired password.

--
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

From dpal at redhat.com Fri Sep 14 18:50:39 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 14 Sep 2012 14:50:39 -0400
Subject: [Freeipa-users] Password Expiration Grace Limit
In-Reply-To:
References:
Message-ID: <50537C7F.2000905@redhat.com>

On 09/14/2012 02:33 PM, Ott, Dennis wrote:
>
> There seems to be nothing in the documentation about a user being able
> to initiate a password change dialogue after their password has
> expired, yet it seems that one is able to do just that. There is a
> value in the ldap store, passwordGraceLimit, which is initialized to
> zero. I have modified that value but it seems to have no effect.
>
> I would like to limit this ability to just a few days, or
> alternatively, completely lock out the account once the password has
> expired.
>
> Does anyone have any insight as to how to do this? If not, is it
> planned for a future release?
>
> I suppose I could look at a script running daily that would lock the
> account if the user's password has expired in the last X hours, but I
> was hoping for something builtin.
>
> Any help is appreciated.
>

AFAIR this is the first request of this kind. We allow changing the password even after expiration. The main reason is that newly created accounts need to change passwords, so they are marked as immediately expired. But it might take some time for a user to actually log into the system for the first time; this is why we never thought about the use case described. So I suspect we do not have any grace period enforced.

It might be a bug.

Simo, what do you think?

>
> Dennis
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Fri Sep 14 18:52:28 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Sep 2012 14:52:28 -0400
Subject: [Freeipa-users] Password Expiration Grace Limit
In-Reply-To:
References:
Message-ID: <50537CEC.3030509@redhat.com>

Ott, Dennis wrote:
> There seems to be nothing in the documentation about a user being able
> to initiate a password change dialogue after their password has expired,
> yet it seems that one is able to do just that. There is a value in the
> ldap store, passwordGraceLimit, which is initialized to zero. I have
> modified that value but it seems to have no effect.

This value is not used by IPA.

I don't believe we have the ability to do this right now. As you suggest, some automation may be required to find expired passwords and lock them out.

> I would like to limit this ability to just a few days, or alternatively,
> completely lock out the account once the password has expired.

This would be difficult because administratively-reset accounts have their passwords expired to force users to set a new one (so that only the end-user knows their password). This would effectively lock everyone out.

>
> Does anyone have any insight as to how to do this? If not, is it planned
> for a future release?

No plans for this AFAIK. Feel free to file an enhancement request ticket on our Trac site, https://fedorahosted.org/freeipa/

> I suppose I could look at a script running daily that would lock the
> account if the user's password has expired in the last X hours, but I
> was hoping for something builtin.
regards

rob

From simo at redhat.com Fri Sep 14 19:02:09 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 14 Sep 2012 15:02:09 -0400
Subject: [Freeipa-users] Password Expiration Grace Limit
In-Reply-To: <50537C7F.2000905@redhat.com>
References: <50537C7F.2000905@redhat.com>
Message-ID: <1347649329.19861.46.camel@willson.li.ssimo.org>

On Fri, 2012-09-14 at 14:50 -0400, Dmitri Pal wrote:
> On 09/14/2012 02:33 PM, Ott, Dennis wrote:
> > There seems to be nothing in the documentation about a user being
> > able to initiate a password change dialogue after their password has
> > expired, yet it seems that one is able to do just that. There is a
> > value in the ldap store, passwordGraceLimit, which is initialized to
> > zero. I have modified that value but it seems to have no effect.
> >
> > I would like to limit this ability to just a few days, or
> > alternatively, completely lock out the account once the password has
> > expired.
> >
> > Does anyone have any insight as to how to do this? If not, is it
> > planned for a future release?
> >
> > I suppose I could look at a script running daily that would lock the
> > account if the user's password has expired in the last X hours, but
> > I was hoping for something builtin.
> >
> > Any help is appreciated.
> >
> AFAIR this is the first request of this kind. We allow to change the
> password even after expiration. The main reason is that newly created
> accounts need to change passwords so they are marked as immediately
> expired. But it might take some time for user to actually log into the
> system for the first time this is why we never thought about the use
> case described. So I suspect we do not have any grace period enforced.
>
> It might be a bug.
>
> Simo, what do you think ?

Sounds like material for a Feature Request.

I think setting a grace period is a good idea, and it has the nice side effect of automatically locking new accounts if the user never uses them.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Fri Sep 14 19:08:26 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 14 Sep 2012 15:08:26 -0400
Subject: [Freeipa-users] LDAP authentication in third-party apps and password policy
In-Reply-To: <505379D6.4030709@sesda2.com>
References: <5053626D.1030305@sesda2.com> <505379D6.4030709@sesda2.com>
Message-ID: <505380AA.5080702@redhat.com>

On 09/14/2012 02:39 PM, Lucas Yamanishi wrote:
>
> On 09/14/2012 12:59 PM, Lucas Yamanishi wrote:
>> I'm interested in password expiration since I can right only Kerberos
>> authentication fails with an expired password.
>
> Typo fix: I'm interested in password expiration since I can right now
> authenticate via LDAP even if Kerberos authentication fails with an
> expired password.
>

I think you are asking about this.
https://fedorahosted.org/freeipa/ticket/1539

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri Sep 14 19:09:14 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 14 Sep 2012 15:09:14 -0400
Subject: [Freeipa-users] Password Expiration Grace Limit
In-Reply-To: <50537CEC.3030509@redhat.com>
References: <50537CEC.3030509@redhat.com>
Message-ID: <505380DA.8020309@redhat.com>

On 09/14/2012 02:52 PM, Rob Crittenden wrote:
> Ott, Dennis wrote:
>> There seems to be nothing in the documentation about a user being able
>> to initiate a password change dialogue after their password has expired,
>> yet it seems that one is able to do just that.
>> There is a value in the
>> ldap store, passwordGraceLimit, which is initialized to zero. I have
>> modified that value but it seems to have no effect.
>
> This value is not used by IPA.
>
> I don't believe we have the ability to do this right now. As you
> suggest, some automation may be required to find expired passwords and
> lock them out.
>
>> I would like to limit this ability to just a few days, or alternatively,
>> completely lock out the account once the password has expired.
>
> This would be difficult because administratively-reset accounts have
> their passwords expired to force users to set a new one (so that only
> the end-user knows their password). This would effectively lock
> everyone out.
>
>>
>> Does anyone have any insight as to how to do this? If not, is it planned
>> for a future release?
>
> No plans for this AFAIK. Feel free to file an enhancement request
> ticket on our Trac site, https://fedorahosted.org/freeipa/
>
>> I suppose I could look at a script running daily that would lock the
>> account if the user's password has expired in the last X hours, but I
>> was hoping for something builtin.
>

This is related https://fedorahosted.org/freeipa/ticket/1539

> regards
>
> rob
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri Sep 14 19:10:27 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 14 Sep 2012 15:10:27 -0400
Subject: [Freeipa-users] Password Expiration Grace Limit
In-Reply-To: <1347649329.19861.46.camel@willson.li.ssimo.org>
References: <50537C7F.2000905@redhat.com> <1347649329.19861.46.camel@willson.li.ssimo.org>
Message-ID: <50538123.2080907@redhat.com>

On 09/14/2012 03:02 PM, Simo Sorce wrote:
> On Fri, 2012-09-14 at 14:50 -0400, Dmitri Pal wrote:
>> On 09/14/2012 02:33 PM, Ott, Dennis wrote:
>>> There seems to be nothing in the documentation about a user being
>>> able to initiate a password change dialogue after their password has
>>> expired, yet it seems that one is able to do just that. There is a
>>> value in the ldap store, passwordGraceLimit, which is initialized to
>>> zero. I have modified that value but it seems to have no effect.
>>>
>>> I would like to limit this ability to just a few days, or
>>> alternatively, completely lock out the account once the password has
>>> expired.
>>>
>>> Does anyone have any insight as to how to do this? If not, is it
>>> planned for a future release?
>>>
>>> I suppose I could look at a script running daily that would lock the
>>> account if the user's password has expired in the last X hours, but
>>> I was hoping for something builtin.
>>>
>>> Any help is appreciated.
>>>
>> AFAIR this is the first request of this kind. We allow to change the
>> password even after expiration. The main reason is that newly created
>> accounts need to change passwords so they are marked as immediately
>> expired. But it might take some time for user to actually log into the
>> system for the first time this is why we never thought about the use
>> case described. So I suspect we do not have any grace period enforced.
>>
>> It might be a bug.
>>
>> Simo, what do you think ?
> Sounds like material for a Feature Request.
>
> I think setting a grace period is a good idea, and has the nice side
> effect of automatically locking new accounts if the user never uses them.
>
> Simo.
>
Dennis,

Can you file a ticket please, or add to this one if you think they are related:
https://fedorahosted.org/freeipa/ticket/1539

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

From lyamanishi at sesda2.com  Fri Sep 14 19:13:46 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Fri, 14 Sep 2012 15:13:46 -0400
Subject: [Freeipa-users] LDAP authentication in third-party apps and password policy
In-Reply-To: <505380AA.5080702@redhat.com>
References: <5053626D.1030305@sesda2.com> <505379D6.4030709@sesda2.com>
	<505380AA.5080702@redhat.com>
Message-ID: <505381EA.5090609@sesda2.com>

Yes. Thank you.

-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

On 09/14/2012 03:08 PM, Dmitri Pal wrote:
> On 09/14/2012 02:39 PM, Lucas Yamanishi wrote:
>> On 09/14/2012 12:59 PM, Lucas Yamanishi wrote:
>>> I'm interested in password expiration since I can right only Kerberos
>>> authentication fails with an expired password.
>>
>> Typo fix: I'm interested in password expiration since I can right now
>> authenticate via LDAP even if Kerberos authentication fails with an
>> expired password.
>>
> I think you are asking about this.
> https://fedorahosted.org/freeipa/ticket/1539
>

From dpal at redhat.com  Fri Sep 14 19:42:41 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 14 Sep 2012 15:42:41 -0400
Subject: [Freeipa-users] Solaris 11 (OpenIndiana) PAM stack Password Change
In-Reply-To: 
References: 
Message-ID: <505388B1.1040701@redhat.com>

On 09/14/2012 01:34 AM, Mullen, Jonathan W. wrote:
> Hello All,
>
> I'm in the process of setting up a ZFS file server that authenticates against our freeipa infrastructure. I'm running into a few issues, and A LOT of confusion between discrepancies in the documentation. Specifically between (http://freeipa.com/page/ConfiguringSolarisClients) and (http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html)

Hope those comments help
https://bugzilla.redhat.com/show_bug.cgi?id=815533
https://bugzilla.redhat.com/show_bug.cgi?id=815515

> userA is a freeipa user
>
> SSH with kerberos ticket already acquired:
>
> CLIENT:~ userA$ ssh server.domain -l userA
> Last login: Thu Sep 13 22:43:42 2012 from IP
> OpenIndiana (powered by illumos) SunOS 5.11 oi_151a5 June 2012
> -bash-4.0$ passwd
> passwd: Changing password for userA
> Enter existing login password:
> Unexpected failure. Password file/table unchanged.
> -bash-4.0$ su
> Password:
> # passwd userA
> Enter userA's password:
> passwd: userA does not exist.
> Permission denied
> # exit
> exit
>
> SSH with password login (notice the LACK of 'passwd: userA does not exist.' as opposed to with kerberos):
>
> CLIENT:~ userA$ ssh server.domain -l userA
> Password:
> Last login: Thu Sep 13 22:59:02 2012 from IP
> OpenIndiana (powered by illumos) SunOS 5.11 oi_151a5 June 2012
> -bash-4.0$ passwd
> passwd: Changing password for userA
> Enter existing login password:
> Unexpected failure. Password file/table unchanged.
> -bash-4.0$
>
>
> Here is my pam.conf, you can see the comments showing the various configurations.
> The current one works the "best" in that BOTH "getent passwd" and "getent passwd userA" work. Some configurations only "getent passwd userA" would work, and not "getent passwd". No
>
> My aim here is to get password changes working so I can capture smb passwords for SMB/CIFS.
>
> Does any one have a working OpenIndiana and freeIPA setup for SMB shares. If so would you be so kind as to help me with some sample configs?
>
>
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> #login  auth sufficient         pam_krb5.so.1 try_first_pass
> login   auth required           pam_unix_cred.so.1
> login   auth required           pam_unix_auth.so.1 use_first_pass
> login   auth required           pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin  auth sufficient         pam_rhosts_auth.so.1
> rlogin  auth requisite          pam_authtok_get.so.1
> rlogin  auth required           pam_dhkeys.so.1
> rlogin  auth required           pam_unix_cred.so.1
> rlogin  auth required           pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required           pam_unix_cred.so.1
> krlogin auth required           pam_krb5.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh     auth sufficient         pam_rhosts_auth.so.1
> rsh     auth required           pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh    auth required           pam_unix_cred.so.1
> krsh    auth required           pam_krb5.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required           pam_unix_cred.so.1
> ktelnet auth required           pam_krb5.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp     auth requisite          pam_authtok_get.so.1
> ppp     auth required           pam_dhkeys.so.1
> ppp     auth required           pam_unix_cred.so.1
> ppp     auth required           pam_unix_auth.so.1
> ppp     auth required           pam_dial_auth.so.1
> #
> # GDM Autologin (explicit because of pam_allow).
> # These need to be
> # here as there is no mechanism for packages to amend pam.conf as
> # they are installed.
> #
> gdm-autologin auth required     pam_unix_cred.so.1
> gdm-autologin auth sufficient   pam_allow.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other   auth requisite          pam_authtok_get.so.1
> other   auth required           pam_dhkeys.so.1
> other   auth required           pam_unix_cred.so.1
> other   auth sufficient         pam_krb5.so.1
> other   auth required           pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> #passwd auth required           pam_passwd_auth.so.1
> passwd  auth binding            pam_passwd_auth.so.1 server_policy
> passwd  auth required           pam_ldap.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron    account required        pam_unix_account.so.1
> #
> # cups service (explicit because of non-usage of pam_roles.so.1)
> #
> cups    account required        pam_unix_account.so.1
> #
> # GDM Autologin (explicit because of pam_allow) This needs to be here
> # as there is no mechanism for packages to amend pam.conf as they are
> # installed.
> #
> gdm-autologin account sufficient pam_allow.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> #other  account requisite       pam_roles.so.1
> #other  account optional        pam_unix_account.so.1
> #other  account optional        pam_krb5.so.1 debug
> other   account requisite       pam_roles.so.1
> other   account binding         pam_unix_account.so.1 server_policy
> other   account required        pam_ldap.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other   session required        pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other   password required       pam_dhkeys.so.1
> other   password requisite      pam_authtok_get.so.1
> other   password requisite      pam_authtok_check.so.1
> other   password required       pam_authtok_store.so.1 server_policy
> #other  password sufficient     pam_krb5.so.1
> #other  password required       pam_authtok_store.so.1
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
>
> other   password required       pam_smb_passwd.so.1 nowarn
>
>
> Jonathan Mullen
> jonathan at ou.edu
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
From mmercier at gmail.com  Mon Sep 17 13:47:15 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Mon, 17 Sep 2012 09:47:15 -0400
Subject: [Freeipa-users] HBAC Test - web vs command line - returns different results
In-Reply-To: <504B5F62.10308@redhat.com>
References: <504B5F62.10308@redhat.com>
Message-ID: 

On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:

> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>> Hello,
>>
>> I seem to be having a problem with the HBAC test:
>>
>> Versions:
>> [root at ipaserver ipatest]# rpm -qa|grep ^ipa
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>>
>>
>> On the web console:
>>
>> Browse to HBAC TEST
>>
>> Who: mike
>> Accessing: pix.beta.local
>> Via service: tac_plus
>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
>> Rules: tacacs
>>
>> Run Test -> Access Granted with matched rules showing tacacs
>>
>> On the command line:
>>
>> ipa hbactest
>> User name: mike
>> Target Host: pix.beta.local
>> Service: tac_plus
>> ---------------------
>> Access granted: False
>> ---------------------
>> Not matched rules: tacacs
>>
>> tacacs rule:
>> General: Enabled
>> Who: user group: ciscoadmin -> mike is a member
>> accessing: cisco-devices -> pix.beta.local is a member
>> Via Service: tac_plus
>> From: any host
>>
>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>>
>> Any ideas?
>>
>> Thanks,
>> Mike
>>
> I do not know whether this issue was resolved. Hope it was on the IRC or
> in some other way.
>
> The problem above is related to the "from host" I believe.
> Please do not use the "from host". The whole concept is a bit broken and
> not reliable.

I don't seem to be able to *not* select a 'from host' with the web console, I get:

Input form contains invalid of missing values.
Missing values: Source host.

Thanks,
Mike

From mmercier at gmail.com  Mon Sep 17 14:14:32 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Mon, 17 Sep 2012 10:14:32 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <504A5DFA.1040401@redhat.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com>
	<504A1D65.40500@redhat.com>
	<199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com>
	<504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com>
Message-ID: <85ADE4BA-3215-4B94-A306-85CDD523CF74@gmail.com>

On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:

> Michael Mercier wrote:
>>
>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>
>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>
>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.
>>>>>>
>>>>>> [root at ipaserver ~]#ipa-replica-manage list
>>>>>> ipaserver.mpls.local: master
>>>>>> ipaserver2.mpls.local: master
>>>>>> [root at ipaserver ~]# rpm -qa|grep ipa
>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>
>>>>>>
>>>>>> [root at ipaserver2 ~]#ipa-replica-manage list
>>>>>> ipaserver.mpls.local: master
>>>>>> ipaserver2.mpls.local: master
>>>>>> [root at ipaserver2 ~]# rpm -qa|grep ipa
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>
>>>>>>
>>>>>> [mike at ipaclient ~]$ rpm -qa|grep ipa
>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>
>>>>>>
>>>>>> I have a webserver (zenoss) using kerberos authentication.
>>>>>>
>>>>>> [root at zenoss ~]# rpm -qa|grep ipa
>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>
>>>>>>
>>>>>> SSLRequireSSL
>>>>>> AuthType Kerberos
>>>>>> AuthName "Kerberos Login"
>>>>>>
>>>>>> KrbMethodK5Passwd Off
>>>>>> KrbAuthRealms MPLS.LOCAL
>>>>>> KrbSaveCredentials on
>>>>>> KrbServiceName HTTP
>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>>>>>
>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>>>>>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>>>>>
>>>>>>
>>>>>> With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails. I have also noticed the following:
>>>>>>
>>>>>> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
>>>>>> 2. It takes a longer period of time to do a kinit
>>>>>>
>>>>>> If I then perform:
>>>>>> [root at ipaserver ~]#ifup eth0
>>>>>>
>>>>>> [root at ipaserver2 ~]#ifdown eth0
>>>>>>
>>>>>> [mike at ipaclient ~]$kinit
>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>
>>>>>> [root at ipaserver2 ~]#ifup eth0
>>>>>>
>>>>>> [mike at ipaclient ~]$ kinit
>>>>>> Password for mike at MPLS.LOCAL:
>>>>>> [mike at ipaclient ~]$
>>>>>>
>>>>>> [root at ipaserver2 ~]#ifdown eth0
>>>>>>
>>>>>> ..
>>>>>> wait number of minutes
>>>>>>
>>>>>> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
>>>>>>
>>>>>> [mike at ipaclient ~]$kinit
>>>>>> Password for mike at MPLS.LOCAL:
>>>>>> [mike at ipaclient ~]$
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> Thanks,
>>>>>> Mike
>>>>> This seems to be some DNS problem.
>>>>> Your client does not see the second replica and might have some name
>>>>> resolution timeouts.
>>>>>
>>>>> Please check your dns setup and krb5.conf on the client.
>>>>>
>>>>> To help more we need more details about your client configuration DNS and
>>>>> kerberos.
>>>> Hi,
>>>>
>>>> Additional information...
>>>>
>>>> [root at zenoss ~]#more /etc/resolv.conf
>>>> search mpls.local
>>>> domain mpls.local
>>>> nameserver 172.16.112.5
>>>> nameserver 172.16.112.8
>>>>
>>>> [root at zenoss ~]# more /etc/krb5.conf
>>>> #File modified by ipa-client-install
>>>>
>>>> [libdefaults]
>>>>   default_realm = MPLS.LOCAL
>>>>   dns_lookup_realm = true
>>>>   dns_lookup_kdc = true
>>>>   rdns = false
>>>>   ticket_lifetime = 24h
>>>>   forwardable = yes
>>>>
>>>> [realms]
>>>>   MPLS.LOCAL = {
>>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>   }
>>>>
>>>> [domain_realm]
>>>>   .mpls.local = MPLS.LOCAL
>>>>   mpls.local = MPLS.LOCAL
>>>>
>>>> [root at ipaclient ~]# more /etc/resolv.conf
>>>> # Generated by NetworkManager
>>>> search mpls.local
>>>> nameserver 172.16.112.5
>>>> nameserver 172.16.112.8
>>>>
>>>> [root at ipaclient ~]# more /etc/krb5.conf
>>>> #File modified by ipa-client-install
>>>>
>>>> [libdefaults]
>>>>   default_realm = MPLS.LOCAL
>>>>   dns_lookup_realm = true
>>>>   dns_lookup_kdc = true
>>>>   rdns = false
>>>>   ticket_lifetime = 24h
>>>>   forwardable = yes
>>>>
>>>> [realms]
>>>>   MPLS.LOCAL = {
>>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>   }
>>>>
>>>> [domain_realm]
>>>>   .mpls.local = MPLS.LOCAL
>>>>   mpls.local = MPLS.LOCAL
>>>>
>>>> [root at ipaclient ~]# nslookup ipaserver
>>>> Server:         172.16.112.5
>>>> Address:        172.16.112.5#53
>>>>
>>>> Name:   ipaserver.mpls.local
>>>> Address: 172.16.112.5
>>>>
>>>> [root at ipaserver ~]#ifdown eth0
>>>>
>>>> [root at ipaclient ~]# nslookup ipaserver
>>>> Server:         172.16.112.8
>>>> Address:        172.16.112.8#53
>>>>
>>>> Name:   ipaserver.mpls.local
>>>> Address: 172.16.112.5
>>>>
>>>> [root at ipaclient ~]# nslookup ipaserver2
>>>> Server:         172.16.112.8
>>>> Address:        172.16.112.8#53
>>>>
>>>> Name:   ipaserver2.mpls.local
>>>> Address: 172.16.112.8
>>>>
>>>> Copy/paste from the DNS page on ipaserver/ipaserver2
>>>>
>>>> @                      NS   ipaserver.mpls.local.
>>>>                        NS   ipaserver2.mpls.local.
>>>> _kerberos              TXT  MPLS.LOCAL
>>>> _kerberos-master._tcp  SRV  0 100 88 ipaserver
>>>>                        SRV  0 100 88 ipaserver2
>>>> _kerberos-master._udp  SRV  0 100 88 ipaserver
>>>>                        SRV  0 100 88 ipaserver2
>>>> _kerberos._tcp         SRV  0 100 88 ipaserver
>>>>                        SRV  0 100 88 ipaserver2
>>>> _kerberos._udp         SRV  0 100 88 ipaserver
>>>>                        SRV  0 100 88 ipaserver2
>>>> _kpasswd._tcp          SRV  0 100 464 ipaserver
>>>>                        SRV  0 100 464 ipaserver2
>>>> _kpasswd._udp          SRV  0 100 464 ipaserver
>>>>                        SRV  0 100 464 ipaserver2
>>>> _ldap._tcp             SRV  0 100 389 ipaserver
>>>>                        SRV  0 100 389 ipaserver2
>>>> _ntp._udp              SRV  0 100 123 ipaserver
>>>>                        SRV  0 100 123 ipaserver2
>>>> ipaclient              A    172.16.112.9
>>>> ipaclient2             A    172.16.112.145
>>>> ipaserver              A    172.16.112.5
>>>> ipaserver2             A    172.16.112.8
>>>> zenoss                 A    172.16.112.6
>>>>
>>>> Thanks,
>>>> Mike
>>>>
>>> I noticed that there is no domain line in the resolv.conf on the client.
>>> AFAIU in this case it would determine the domain by the gethostname and
>>> in case of network being down it will fail over to the hosts file.
>>> I wonder what is in your /etc/hosts?
>>> Does it have just a short host name?
>>
>> [root at ipaclient ~]# more /etc/hosts
>> 127.0.0.1   localhost.localdomain localhost
>> ::1         localhost6.localdomain6 localhost6
>>
>>
>> Add domain mpls.local to /etc/resolv.conf
>>
>> [root at ipaserver ~]#ifdown eth0
>>
>> [root at ipaclient ~]# kinit mike
>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>> [root at ipaclient ~]# nslookup ipaserver
>> Server:         172.16.112.8
>> Address:        172.16.112.8#53
>>
>> Name:   ipaserver.mpls.local
>> Address: 172.16.112.5
>>
>> [root at ipaclient ~]# nslookup ipaserver2
>> Server:         172.16.112.8
>> Address:        172.16.112.8#53
>>
>> Name:   ipaserver2.mpls.local
>> Address: 172.16.112.8
>>
>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts
>>
>> [root at ipaserver ~]#ifup eth0
>>
>> [root at ipaclient ~]# kinit mike
>> Password for mike at MPLS.LOCAL:
>>
>> [root at ipaserver ~]#ifdown eth0
>>
>> [root at ipaclient ~]# kinit mike
>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._tcp
>> Server:         172.16.112.8
>> Address:        172.16.112.8#53
>>
>> _kerberos-master._tcp.mpls.local        service = 0 100 88 ipaserver2.mpls.local.
>> _kerberos-master._tcp.mpls.local        service = 0 100 88 ipaserver.mpls.local.
>>
>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._udp
>> Server:         172.16.112.5
>> Address:        172.16.112.5#53
>>
>> _kerberos-master._udp.mpls.local        service = 0 100 88 ipaserver.mpls.local.
>> _kerberos-master._udp.mpls.local        service = 0 100 88 ipaserver2.mpls.local.
>>
>>
>> [root at ipaclient ~]# kinit mike
>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>
>> [root at ipaserver ~]#ifup eth0
>>
>> [root at ipaclient ~]# kinit mike
>> Password for mike at MPLS.LOCAL:
>
> I'd start with the sssd logs. Is it seeing the main server go offline and not switching to the second one? Or is it going into offline mode?
>
> Do you have _srv_ or both servers listed in ipa_server in /etc/sssd/sssd.conf?
>

Hello,

[root at ipaclient ~]# more /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP
domains = mpls.local

[nss]

[pam]

# Example LDAP domain
# [domain/LDAP]
# id_provider = ldap
# auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
# ldap_schema = rfc2307
# ldap_uri = ldap://ldap.mydomain.org
# ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
# enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
# cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
# [domain/AD]
# id_provider = ldap
# auth_provider = krb5
# chpass_provider = krb5
#
# ldap_uri = ldap://your.ad.example.com
# ldap_search_base = dc=example,dc=com
# ldap_schema = rfc2307bis
# ldap_sasl_mech = GSSAPI
# ldap_user_object_class = user
# ldap_group_object_class = group
# ldap_user_home_directory = unixHomeDirectory
# ldap_user_principal = userPrincipalName
# ldap_account_expire_policy = ad
# ldap_force_upper_case_realm = true
#
# krb5_server = your.ad.example.com
# krb5_realm = EXAMPLE.COM

[domain/mpls.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mpls.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipaserver.mpls.local, ipaserver2.mpls.local
ldap_tls_cacert = /etc/ipa/ca.crt

NOTE: I manually added ipaserver2.mpls.local

Where specifically should I add the debugging? I added debug_level = 5 to [sssd]

[root at ipaserver ~]ifdown eth0
[root at ipaserver2 ~]ifup eth0

(Mon Sep 17 10:08:47 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
(Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
(Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
(Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Mon Sep 17 10:08:57 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
(Mon Sep 17 10:08:57 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
(Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
(Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
(Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Mon Sep 17 10:09:07 2012) [sssd] [service_send_ping] (0x0100): Pinging
mpls.local
(Mon Sep 17 10:09:07 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
(Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
(Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
(Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Mon Sep 17 10:09:17 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
(Mon Sep 17 10:09:17 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
(Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
(Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
(Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping

> rob
>

From mmercier at gmail.com  Mon Sep 17 14:19:08 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Mon, 17 Sep 2012 10:19:08 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <504B5E46.1020002@redhat.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com>
	<504A1D65.40500@redhat.com>
	<199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com>
	<504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com>
	<504B5E46.1020002@redhat.com>
Message-ID: <53BB2249-1006-4C46-9D47-07AF1AA333C5@gmail.com>

On 2012-09-08, at 11:03 AM, Dmitri Pal wrote:

> On 09/07/2012 04:50 PM, Rob Crittenden wrote:
>> Michael Mercier wrote:
>>>
>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>
>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>
>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have experienced some odd connectivity issues using MMR with
>>>>>>> FreeIPA (all systems CentOS 6.3).
>> Is it seeing the main server go offline
>> and not switching to the second one? Or is it going into offline mode?
>>
>> Do you have _srv_ or both servers listed in ipa_server in
>> /etc/sssd/sssd.conf?
>>
>> rob
>>
> Rob, maybe I am missing something but how SSSD is related in this case?
> The test is done using kinit not SSSD.
>
> It would actually be an interesting test to try the same via SSSD for
> example do su to mike instead of kinit and see what would happen (watch
> SSSD logs with high debug level, 8 for example).
> If that works it would probably mean that kinit does not fail over
> properly. So this would be a Kerberos kinit bug not IPA/SSSD bug.

Hello,

[root@ipaclient ~]# su mike
[mike@ipaclient root]$ exit
exit

[root@ipaserver ~]ifdown eth0

[root@ipaclient ~]# su mike
[mike@ipaclient root]$ exit
exit

[root@ipaclient ~]#

debug_level = 8 for [sssd] output while running above commands

(Mon Sep 17 10:16:20 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
(Mon Sep 17 10:16:20 2012) [sssd] [sbus_add_timeout] (0x2000): 0x1539200
(Mon Sep 17 10:16:20 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
(Mon Sep 17 10:16:20 2012) [sssd] [sbus_add_timeout] (0x2000): 0x15386a0
(Mon Sep 17 10:16:20 2012) [sssd] [sbus_remove_timeout] (0x2000): 0x1539200
(Mon Sep 17 10:16:20 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Mon Sep 17 10:16:20 2012) [sssd] [sbus_remove_timeout] (0x2000): 0x15386a0
(Mon Sep 17 10:16:20 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Mon Sep 17 10:16:29 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
(Mon Sep 17 10:16:29 2012) [sssd] [sbus_add_timeout] (0x2000): 0x15386a0
(Mon Sep 17 10:16:29 2012) [sssd] [sbus_remove_timeout] (0x2000): 0x15386a0
(Mon Sep 17 10:16:29 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
(Mon Sep 17 10:16:30 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
(Mon Sep 17 10:16:30 2012) [sssd] [sbus_add_timeout]
(0x2000): 0x15386a0
(Mon Sep 17 10:16:30 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
(Mon Sep 17 10:16:30 2012) [sssd] [sbus_add_timeout] (0x2000): 0x1539200
(Mon Sep 17 10:16:30 2012) [sssd] [sbus_remove_timeout] (0x2000): 0x15386a0
(Mon Sep 17 10:16:30 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Mon Sep 17 10:16:30 2012) [sssd] [sbus_remove_timeout] (0x2000): 0x1539200
(Mon Sep 17 10:16:30 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Mon Sep 17 10:16:39 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
(Mon Sep 17 10:16:39 2012) [sssd] [sbus_add_timeout] (0x2000): 0x1539200
(Mon Sep 17 10:16:39 2012) [sssd] [sbus_remove_timeout] (0x2000): 0x1539200
(Mon Sep 17 10:16:39 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
(Mon Sep 17 10:16:40 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
(Mon Sep 17 10:16:40 2012) [sssd] [sbus_add_timeout] (0x2000): 0x1539200
(Mon Sep 17 10:16:40 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
(Mon Sep 17 10:16:40 2012) [sssd] [sbus_add_timeout] (0x2000): 0x15386a0
(Mon Sep 17 10:16:40 2012) [sssd] [sbus_remove_timeout] (0x2000): 0x1539200
(Mon Sep 17 10:16:40 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Mon Sep 17 10:16:40 2012) [sssd] [sbus_remove_timeout] (0x2000): 0x15386a0
(Mon Sep 17 10:16:40 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Mon Sep 17 10:16:49 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
(Mon Sep 17 10:16:49 2012) [sssd] [sbus_add_timeout] (0x2000): 0x15386a0
(Mon Sep 17 10:16:49 2012) [sssd] [sbus_remove_timeout] (0x2000): 0x15386a0
(Mon Sep 17 10:16:49 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
(Mon Sep 17 10:16:50 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
(Mon Sep 17 10:16:50 2012) [sssd] [sbus_add_timeout] (0x2000): 0x15386a0
(Mon Sep 17 10:16:50 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
(Mon Sep 17
10:16:50 2012) [sssd] [sbus_add_timeout] (0x2000): 0x1539200
(Mon Sep 17 10:16:50 2012) [sssd] [sbus_remove_timeout] (0x2000): 0x15386a0
(Mon Sep 17 10:16:50 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Mon Sep 17 10:16:50 2012) [sssd] [sbus_remove_timeout] (0x2000): 0x1539200
(Mon Sep 17 10:16:50 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping

Thanks,
Mike

>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>

From mmercier at gmail.com Mon Sep 17 14:27:39 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Mon, 17 Sep 2012 10:27:39 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <504DA634.8010903@redhat.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com> <504DA634.8010903@redhat.com>
Message-ID:

On 2012-09-10, at 4:35 AM, Petr Spacek wrote:

> On 09/08/2012 05:03 PM, Dmitri Pal wrote:
>> On 09/07/2012 04:50 PM, Rob Crittenden wrote:
>>> Michael Mercier wrote:
>>>>
>>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>>
>>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>>
>>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have experienced some odd connectivity issues using MMR with
>>>>>>>> FreeIPA (all systems CentOS 6.3). I have 2 ipa servers
>>>>>>>> (ipaserver / ipaserver2) setup using MMR.
>>>>>>>> >>>>>>>> [root at ipaserver ~]#ipa-replica-manage list >>>>>>>> ipaserver.mpls.local: master >>>>>>>> ipaserver2.mpls.local: master >>>>>>>> [root at ipaserver ~]# rpm -qa|grep ipa >>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>>> ipa-server-2.2.0-16.el6.x86_64 >>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch >>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64 >>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch >>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>>> >>>>>>>> >>>>>>>> [root at ipaserver2 ~]#ipa-replica-manage list >>>>>>>> ipaserver.mpls.local: master >>>>>>>> ipaserver2.mpls.local: master >>>>>>>> [root at ipaserver2 ~]# rpm -qa|grep ipa >>>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>>> ipa-server-2.2.0-16.el6.x86_64 >>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch >>>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64 >>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch >>>>>>>> >>>>>>>> >>>>>>>> [mike at ipaclient ~]$ rpm -qa|grep ipa >>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>>> >>>>>>>> >>>>>>>> I have a webserver (zenoss) using kerberos authentication. 
>>>>>>>> >>>>>>>> [root at zenoss ~]# rpm -qa|grep ipa >>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>>> >>>>>>>> >>>>>>>> SSLRequireSSL >>>>>>>> AuthType Kerberos >>>>>>>> AuthName "Kerberos Login" >>>>>>>> >>>>>>>> KrbMethodK5Passwd Off >>>>>>>> KrbAuthRealms MPLS.LOCAL >>>>>>>> KrbSaveCredentials on >>>>>>>> KrbServiceName HTTP >>>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab >>>>>>>> >>>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local >>>>>>>> ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName" >>>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e >>>>>>>> require ldap-group >>>>>>>> cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> With both ipaserver and ipaserver2 'up', if I connect to >>>>>>>> https://zenoss.mpls.local from ipaclient using firefox, I am >>>>>>>> successfully connected. If on ipaserver I do a 'ifdown eth0' and >>>>>>>> attempt another connection, it fails. I have also noticed the >>>>>>>> following: >>>>>>>> >>>>>>>> 1. I am unable to use the ipaserver2 management interface when >>>>>>>> ipaserver is unavailable. >>>>>>>> 2. It takes a longer period of time to do a kinit >>>>>>>> >>>>>>>> If the I then perform: >>>>>>>> [root at ipaserver ~]#ifup eth0 >>>>>>>> >>>>>>>> [root at ipaserver2 ~]#ifdown eth0 >>>>>>>> >>>>>>>> [mike at ipaclient ~]$kinit >>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while >>>>>>>> getting initial credentials >>>>>>>> >>>>>>>> [root at ipaserver2 ~]#ifup eth0 >>>>>>>> >>>>>>>> [mike at ipaclient ~]$ kinit >>>>>>>> Password for mike at MPLS.LOCAL: >>>>>>>> [mike at ipaclient ~]$ >>>>>>>> >>>>>>>> [root at ipaserver2 ~]#ifdown eth0 >>>>>>>> >>>>>>>> .. 
wait number of minutes >>>>>>>> >>>>>>>> ipaclient screen locks - type password - after a short delay (~7 >>>>>>>> seconds) screen unlock compeletes >>>>>>>> >>>>>>>> [mike at ipaclient ~]$kinit >>>>>>>> Password for mike at MPLS.LOCAL: >>>>>>>> [mike at ipaclient ~]$ >>>>>>>> >>>>>>>> Any ideas? >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Mike >>>>>>> This seems to be some DNS problem. >>>>>>> You client does not see the second replica and might have some name >>>>>>> resolution timeouts. >>>>>>> >>>>>>> Please check your dns setup and krb5.conf on the client. >>>>>>> >>>>>>> To help more we need more details about you client configuration >>>>>>> DNS and >>>>>>> kerberos. >>>>>> Hi, >>>>>> >>>>>> Additional information... >>>>>> >>>>>> [root at zenoss ~]#more /etc/resolv.conf >>>>>> search mpls.local >>>>>> domain mpls.local >>>>>> nameserver 172.16.112.5 >>>>>> nameserver 172.16.112.8 >>>>>> >>>>>> [root at zenoss ~]# more /etc/krb5.conf >>>>>> #File modified by ipa-client-install >>>>>> >>>>>> [libdefaults] >>>>>> default_realm = MPLS.LOCAL >>>>>> dns_lookup_realm = true >>>>>> dns_lookup_kdc = true >>>>>> rdns = false >>>>>> ticket_lifetime = 24h >>>>>> forwardable = yes >>>>>> >>>>>> [realms] >>>>>> MPLS.LOCAL = { >>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt >>>>>> } >>>>>> >>>>>> [domain_realm] >>>>>> .mpls.local = MPLS.LOCAL >>>>>> mpls.local = MPLS.LOCAL >>>>>> >>>>>> [root at ipaclient ~]# more /etc/resolv.conf >>>>>> # Generated by NetworkManager >>>>>> search mpls.local >>>>>> nameserver 172.16.112.5 >>>>>> nameserver 172.16.112.8 >>>>>> >>>>>> [root at ipaclient ~]# more /etc/krb5.conf >>>>>> #File modified by ipa-client-install >>>>>> >>>>>> [libdefaults] >>>>>> default_realm = MPLS.LOCAL >>>>>> dns_lookup_realm = true >>>>>> dns_lookup_kdc = true >>>>>> rdns = false >>>>>> ticket_lifetime = 24h >>>>>> forwardable = yes >>>>>> >>>>>> [realms] >>>>>> MPLS.LOCAL = { >>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt >>>>>> } >>>>>> >>>>>> [domain_realm] >>>>>> 
.mpls.local = MPLS.LOCAL >>>>>> mpls.local = MPLS.LOCAL >>>>>> >>>>>> [root at ipaclient ~]# nslookup ipaserver >>>>>> Server: 172.16.112.5 >>>>>> Address: 172.16.112.5#53 >>>>>> >>>>>> Name: ipaserver.mpls.local >>>>>> Address: 172.16.112.5 >>>>>> >>>>>> [root at ipaserver ~]#ifdown eth0 >>>>>> >>>>>> [root at ipaclient ~]# nslookup ipaserver >>>>>> Server: 172.16.112.8 >>>>>> Address: 172.16.112.8#53 >>>>>> >>>>>> Name: ipaserver.mpls.local >>>>>> Address: 172.16.112.5 >>>>>> >>>>>> [root at ipaclient ~]# nslookup ipaserver2 >>>>>> Server: 172.16.112.8 >>>>>> Address: 172.16.112.8#53 >>>>>> >>>>>> Name: ipaserver2.mpls.local >>>>>> Address: 172.16.112.8 >>>>>> >>>>>> Copy/paste from the DNS page on ipaserver/ipaserver2 >>>>>> >>>>>> @ NS ipaserver.mpls.local. >>>>>> NS ipaserver2.mpls.local. >>>>>> _kerberos TXT MPLS.LOCAL >>>>>> _kerberos-master._tcp SRV 0 100 88 ipaserver >>>>>> SRV 0 100 88 ipaserver2 >>>>>> _kerberos-master._udp SRV 0 100 88 ipaserver >>>>>> SRV 0 100 88 ipaserver2 >>>>>> _kerberos._tcp SRV 0 100 88 ipaserver >>>>>> SRV 0 100 88 ipaserver2 >>>>>> _kerberos._udp SRV 0 100 88 ipaserver >>>>>> SRV 0 100 88 ipaserver2 >>>>>> _kpasswd._tcp SRV 0 100 464 ipaserver >>>>>> SRV 0 100 464 ipaserver2 >>>>>> _kpasswd._udp SRV 0 100 464 ipaserver >>>>>> SRV 0 100 464 ipaserver2 >>>>>> _ldap._tcp SRV 0 100 389 ipaserver >>>>>> SRV 0 100 389 ipaserver2 >>>>>> _ntp._udp SRV 0 100 123 ipaserver >>>>>> SRV 0 100 123 ipaserver2 >>>>>> ipaclient A 172.16.112.9 >>>>>> ipaclient2 A 172.16.112.145 >>>>>> ipaserver A 172.16.112.5 >>>>>> ipaserver2 A 172.16.112.8 >>>>>> zenoss A 172.16.112.6 >>>>>> >>>>>> Thanks, >>>>>> Mike >>>>>> >>>>> I noticed that there is no domain line in the resolv.conf on the >>>>> client. >>>>> AFAIU in this case it would determine the domain by the gethostname and >>>>> in case of network being down it will fail over to the hosts file. >>>>> I wonder what is in your /etc/hosts? >>>>> Dose it have just a short host name? 
>>>> >>>> [root at ipaclient ~]# more /etc/hosts >>>> 127.0.0.1 localhost.localdomain localhost >>>> ::1 localhost6.localdomain6 localhost6 >>>> >>>> >>>> Add domain mpls.local to /etc/resolv.conf >>>> >>>> [root at ipaserver ~]#ifdown eth0 >>>> >>>> [root at ipaclient ~]# kinit mike >>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting >>>> initial credentials >>>> [root at ipaclient ~]# nslookup ipaserver >>>> Server: 172.16.112.8 >>>> Address: 172.16.112.8#53 >>>> >>>> Name: ipaserver.mpls.local >>>> Address: 172.16.112.5 >>>> >>>> [root at ipaclient ~]# nslookup ipaserver2 >>>> Server: 172.16.112.8 >>>> Address: 172.16.112.8#53 >>>> >>>> Name: ipaserver2.mpls.local >>>> Address: 172.16.112.8 >>>> >>>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts >>>> >>>> [root at ipaserver ~]#ifup eth0 >>>> >>>> [root at ipaclient ~]# kinit mike >>>> Password for mike at MPLS.LOCAL: >>>> >>>> [root at ipaserver ~]#ifdown eth0 >>>> >>>> [root at ipaclient ~]# kinit mike >>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting >>>> initial credentials >>>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._tcp >>>> Server: 172.16.112.8 >>>> Address: 172.16.112.8#53 >>>> >>>> _kerberos-master._tcp.mpls.local service = 0 100 88 >>>> ipaserver2.mpls.local. >>>> _kerberos-master._tcp.mpls.local service = 0 100 88 >>>> ipaserver.mpls.local. >>>> >>>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._udp >>>> Server: 172.16.112.5 >>>> Address: 172.16.112.5#53 >>>> >>>> _kerberos-master._udp.mpls.local service = 0 100 88 >>>> ipaserver.mpls.local. >>>> _kerberos-master._udp.mpls.local service = 0 100 88 >>>> ipaserver2.mpls.local. 
>>>>
>>>>
>>>> [root@ipaclient ~]# kinit mike
>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting
>>>> initial credentials
>>>>
>>>> [root@ipaserver ~]#ifup eth0
>>>>
>>>> [root@ipaclient ~]# kinit mike
>>>> Password for mike@MPLS.LOCAL:
>>>
>>> I'd start with the sssd logs. Is it seeing the main server go offline
>>> and not switching to the second one? Or is it going into offline mode?
>>>
>>> Do you have _srv_ or both servers listed in ipa_server in
>>> /etc/sssd/sssd.conf?
>>>
>>> rob
>>>
>> Rob, maybe I am missing something but how SSSD is related in this case?
>> The test is done using kinit not SSSD.
>>
>> It would actually be an interesting test to try the same via SSSD for
>> example do su to mike instead of kinit and see what would happen (watch
>> SSSD logs with high debug level, 8 for example).
>> If that works it would probably mean that kinit does not fail over
>> properly. So this would be a Kerberos kinit bug not IPA/SSSD bug.
>>
>
> AFAIK there is "sssd_krb5_locator_plugin". This plugin changes Kerberos servers dynamically at library level, so kinit should select same server as SSSD.
>
> Manual page sssd_krb5_locator_plugin says:
> If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value debug messages will be sent to stderr.
>
> You can execute
> SSSD_KRB5_LOCATOR_DEBUG=1 kinit ...

Hello,

[root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[2] socktype[2] locate_service[2]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
Password for mike@MPLS.LOCAL:
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[2]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called

[root@ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8

[root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

Thanks,
Mike

From dpal at redhat.com Mon Sep 17 14:28:18 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 17 Sep 2012 10:28:18 -0400
Subject: [Freeipa-users] HBAC Test - web vs command line - returns different results
In-Reply-To:
References: <504B5F62.10308@redhat.com>
Message-ID: <50573382.8080502@redhat.com>

On 09/17/2012 09:47 AM, Michael Mercier wrote:
> On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
>
>> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>>> Hello,
>>>
>>> I seem to be having a problem with the HBAC test:
>>>
>>> Versions:
>>> [root@ipaserver ipatest]# rpm -qa|grep ^ipa
>>> ipa-server-2.2.0-16.el6.x86_64
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> ipa-python-2.2.0-16.el6.x86_64
>>> ipa-admintools-2.2.0-16.el6.x86_64
>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>> ipa-client-2.2.0-16.el6.x86_64
>>>
>>>
>>> On the web console:
>>>
>>> Browse to HBAC TEST
>>>
>>> Who: mike
>>> Accessing: pix.beta.local
>>> Via service: tac_plus
>>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
>>> Rules: tacacs
>>>
>>> Run Test -> Access Granted with matched rules showing tacacs
>>>
>>> On the command line:
>>>
>>> ipa hbactest
>>> User name: mike
>>> Target Host: pix.beta.local
>>> Service: tac_plus
>>> ---------------------
>>> Access granted: False
>>> ---------------------
>>> Not matched rules: tacacs
>>>
>>> tacacs rule:
>>> General: Enabled
>>> Who: user group: ciscoadmin -> mike is a member
>>> accessing: cisco-devices -> pix.beta.local is a member
>>> Via Service: tac_plus
>>> From: any host
>>>
>>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>>>
>>> Any ideas?
>>>
>>> Thanks,
>>> Mike
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>> I do not know whether this issue was resolved. Hope it was on the IRC or
>> in some other way.
>>
>> The problem above is related to the "from host" I believe.
>> Please do not use the "from host". The whole concept is a bit broken and
>> not reliable.
> I don't seem to be able to *not* select a 'from host' with the web console, I get:
>
> Input form contains invalid of missing values.
>
> Missing values:
> Source host.

You need to choose "all" option to ignore the values from this field.

>
>
> Thanks,
> Mike
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Sep 17 14:33:29 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 17 Sep 2012 10:33:29 -0400
Subject: [Freeipa-users] HBAC Test - web vs command line - returns different results
In-Reply-To:
References: <504B5F62.10308@redhat.com>
Message-ID: <505734B9.5040801@redhat.com>

Michael Mercier wrote:
> On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
>
>> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>>> Hello,
>>>
>>> I seem to be having a problem with the HBAC test:
>>>
>>> Versions:
>>> [root@ipaserver ipatest]# rpm -qa|grep ^ipa
>>> ipa-server-2.2.0-16.el6.x86_64
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> ipa-python-2.2.0-16.el6.x86_64
>>> ipa-admintools-2.2.0-16.el6.x86_64
>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>> ipa-client-2.2.0-16.el6.x86_64
>>>
>>>
>>> On the web console:
>>>
>>> Browse to HBAC TEST
>>>
>>> Who: mike
>>> Accessing: pix.beta.local
>>> Via service: tac_plus
>>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
>>> Rules: tacacs
>>>
>>> Run Test -> Access Granted with matched rules showing tacacs
>>>
>>> On the command line:
>>>
>>> ipa hbactest
>>> User name: mike
>>> Target Host: pix.beta.local
>>> Service: tac_plus
>>> ---------------------
>>> Access granted: False
>>> ---------------------
>>> Not matched rules: tacacs
>>>
>>> tacacs rule:
>>> General: Enabled
>>> Who: user group: ciscoadmin -> mike is a member
>>> accessing: cisco-devices -> pix.beta.local is a member
>>> Via Service: tac_plus
>>> From: any host
>>>
>>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>>>
>>> Any ideas?
>>>
>>> Thanks,
>>> Mike
>>>
>>>
>> I do not know whether this issue was resolved. Hope it was on the IRC or
>> in some other way.
>>
>> The problem above is related to the "from host" I believe.
>> Please do not use the "from host". The whole concept is a bit broken and
>> not reliable.
>
> I don't seem to be able to *not* select a 'from host' with the web console, I get:
>
> Input form contains invalid of missing values.
>
> Missing values:
> Source host.

I believe this value is ignored anyway.

This is very strange as the same backend is used to evaluate both the web and cli rules.

It might be helpful to crank up debugging to get more details on what is being passed in. Perhaps there is some subtle difference.

If you want to give this a go, edit /etc/ipa/default.conf and add

debug = True

and restart the httpd service, then try your commands again. You should get a bit more detail in /var/log/httpd/error_log about the request sent in and the response.

You probably don't want to leave this enabled for too long.
rob

From mmercier at gmail.com Mon Sep 17 14:55:24 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Mon, 17 Sep 2012 10:55:24 -0400
Subject: [Freeipa-users] HBAC Test - web vs command line - returns different results
In-Reply-To: <505734B9.5040801@redhat.com>
References: <504B5F62.10308@redhat.com> <505734B9.5040801@redhat.com>
Message-ID:

On 2012-09-17, at 10:33 AM, Rob Crittenden wrote:

> Michael Mercier wrote:
>> On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
>>
>>> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>>>> Hello,
>>>>
>>>> I seem to be having a problem with the HBAC test:
>>>>
>>>> Versions:
>>>> [root@ipaserver ipatest]# rpm -qa|grep ^ipa
>>>> ipa-server-2.2.0-16.el6.x86_64
>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>> ipa-python-2.2.0-16.el6.x86_64
>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>
>>>>
>>>> On the web console:
>>>>
>>>> Browse to HBAC TEST
>>>>
>>>> Who: mike
>>>> Accessing: pix.beta.local
>>>> Via service: tac_plus
>>>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
>>>> Rules: tacacs
>>>>
>>>> Run Test -> Access Granted with matched rules showing tacacs
>>>>
>>>> On the command line:
>>>>
>>>> ipa hbactest
>>>> User name: mike
>>>> Target Host: pix.beta.local
>>>> Service: tac_plus
>>>> ---------------------
>>>> Access granted: False
>>>> ---------------------
>>>> Not matched rules: tacacs
>>>>
>>>> tacacs rule:
>>>> General: Enabled
>>>> Who: user group: ciscoadmin -> mike is a member
>>>> accessing: cisco-devices -> pix.beta.local is a member
>>>> Via Service: tac_plus
>>>> From: any host
>>>>
>>>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks,
>>>> Mike
>>>>
>>>>
>>> I do not know whether this issue was resolved. Hope it was on the IRC or
>>> in some other way.
>>>
>>> The problem above is related to the "from host" I believe.
>>> Please do not use the "from host". The whole concept is a bit broken and
>>> not reliable.
>>
>> I don't seem to be able to *not* select a 'from host' with the web console, I get:
>>
>> Input form contains invalid of missing values.
>>
>> Missing values:
>> Source host.
>
> I believe this value is ignored anyway.
>
> This is very strange as the same backend is used to evaluate both the web and cli rules.
>
> It might be helpful to crank up debugging to get more details on what is being passed in. Perhaps there is some subtle difference.
>
> If you want to give this a go, edit /etc/ipa/default.conf and add
>
> debug = True

Hello,

I set up default.conf with debug = True, and I am unable to reproduce the different results? Removed the debug statement and restarted httpd, both interfaces produce the same result (success).

Thanks,
Mike

>
> and restart the httpd service, then try your commands again. You should get a bit more detail in /var/log/httpd/error_log about the request sent in and the response.
>
> You probably don't want to leave this enabled for too long.
>
> rob
>
>

From george_he7 at yahoo.com Mon Sep 17 15:07:10 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 17 Sep 2012 08:07:10 -0700 (PDT)
Subject: [Freeipa-users] NFS on Mac
Message-ID: <1347894430.78736.YahooMailNeo@web163106.mail.bf1.yahoo.com>

Hello all,

I have IPA server and NFS server set up on a computer running centos 6.3. Is there a way to set up a mac laptop to access the data on the NFS server? The laptop does not have a static IP. DNS is not configured with IPA. If yes, how do I config the mac?
Thanks,
George

From dpal at redhat.com Mon Sep 17 15:17:47 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 17 Sep 2012 11:17:47 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To:
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com> <504DA634.8010903@redhat.com>
Message-ID: <50573F1B.7050100@redhat.com>

On 09/17/2012 10:27 AM, Michael Mercier wrote:
> On 2012-09-10, at 4:35 AM, Petr Spacek wrote:
>
>> On 09/08/2012 05:03 PM, Dmitri Pal wrote:
>>> On 09/07/2012 04:50 PM, Rob Crittenden wrote:
>>>> Michael Mercier wrote:
>>>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>>>
>>>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>>>
>>>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I have experienced some odd connectivity issues using MMR with
>>>>>>>>> FreeIPA (all systems CentOS 6.3). I have 2 ipa servers
>>>>>>>>> (ipaserver / ipaserver2) setup using MMR.
>>>>>>>>>
>>>>>>>>> [root at ipaserver ~]#ipa-replica-manage list
>>>>>>>>> ipaserver.mpls.local: master
>>>>>>>>> ipaserver2.mpls.local: master
>>>>>>>>> [root at ipaserver ~]# rpm -qa|grep ipa
>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [root at ipaserver2 ~]#ipa-replica-manage list
>>>>>>>>> ipaserver.mpls.local: master
>>>>>>>>> ipaserver2.mpls.local: master
>>>>>>>>> [root at ipaserver2 ~]# rpm -qa|grep ipa
>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [mike at ipaclient ~]$ rpm -qa|grep ipa
>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have a webserver (zenoss) using kerberos authentication.
>>>>>>>>>
>>>>>>>>> [root at zenoss ~]# rpm -qa|grep ipa
>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> SSLRequireSSL
>>>>>>>>> AuthType Kerberos
>>>>>>>>> AuthName "Kerberos Login"
>>>>>>>>>
>>>>>>>>> KrbMethodK5Passwd Off
>>>>>>>>> KrbAuthRealms MPLS.LOCAL
>>>>>>>>> KrbSaveCredentials on
>>>>>>>>> KrbServiceName HTTP
>>>>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>>>>>>>>
>>>>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local
>>>>>>>>> ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>>>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>>>>>>>>> require ldap-group
>>>>>>>>> cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> With both ipaserver and ipaserver2 'up', if I connect to
>>>>>>>>> https://zenoss.mpls.local from ipaclient using firefox, I am
>>>>>>>>> successfully connected. If on ipaserver I do a 'ifdown eth0' and
>>>>>>>>> attempt another connection, it fails. I have also noticed the
>>>>>>>>> following:
>>>>>>>>>
>>>>>>>>> 1. I am unable to use the ipaserver2 management interface when
>>>>>>>>> ipaserver is unavailable.
>>>>>>>>> 2. It takes a longer period of time to do a kinit
>>>>>>>>>
>>>>>>>>> If I then perform:
>>>>>>>>> [root at ipaserver ~]#ifup eth0
>>>>>>>>>
>>>>>>>>> [root at ipaserver2 ~]#ifdown eth0
>>>>>>>>>
>>>>>>>>> [mike at ipaclient ~]$kinit
>>>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
>>>>>>>>> getting initial credentials
>>>>>>>>>
>>>>>>>>> [root at ipaserver2 ~]#ifup eth0
>>>>>>>>>
>>>>>>>>> [mike at ipaclient ~]$ kinit
>>>>>>>>> Password for mike at MPLS.LOCAL:
>>>>>>>>> [mike at ipaclient ~]$
>>>>>>>>>
>>>>>>>>> [root at ipaserver2 ~]#ifdown eth0
>>>>>>>>>
>>>>>>>>> .. wait number of minutes
>>>>>>>>>
>>>>>>>>> ipaclient screen locks - type password - after a short delay (~7
>>>>>>>>> seconds) screen unlock completes
>>>>>>>>>
>>>>>>>>> [mike at ipaclient ~]$kinit
>>>>>>>>> Password for mike at MPLS.LOCAL:
>>>>>>>>> [mike at ipaclient ~]$
>>>>>>>>>
>>>>>>>>> Any ideas?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Mike
>>>>>>>> This seems to be some DNS problem.
>>>>>>>> Your client does not see the second replica and might have some name
>>>>>>>> resolution timeouts.
>>>>>>>>
>>>>>>>> Please check your dns setup and krb5.conf on the client.
>>>>>>>>
>>>>>>>> To help more we need more details about your client configuration
>>>>>>>> DNS and
>>>>>>>> kerberos.
>>>>>>> Hi,
>>>>>>>
>>>>>>> Additional information...
>>>>>>>
>>>>>>> [root at zenoss ~]#more /etc/resolv.conf
>>>>>>> search mpls.local
>>>>>>> domain mpls.local
>>>>>>> nameserver 172.16.112.5
>>>>>>> nameserver 172.16.112.8
>>>>>>>
>>>>>>> [root at zenoss ~]# more /etc/krb5.conf
>>>>>>> #File modified by ipa-client-install
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = MPLS.LOCAL
>>>>>>> dns_lookup_realm = true
>>>>>>> dns_lookup_kdc = true
>>>>>>> rdns = false
>>>>>>> ticket_lifetime = 24h
>>>>>>> forwardable = yes
>>>>>>>
>>>>>>> [realms]
>>>>>>> MPLS.LOCAL = {
>>>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>>> }
>>>>>>>
>>>>>>> [domain_realm]
>>>>>>> .mpls.local = MPLS.LOCAL
>>>>>>> mpls.local = MPLS.LOCAL
>>>>>>>
>>>>>>> [root at ipaclient ~]# more /etc/resolv.conf
>>>>>>> # Generated by NetworkManager
>>>>>>> search mpls.local
>>>>>>> nameserver 172.16.112.5
>>>>>>> nameserver 172.16.112.8
>>>>>>>
>>>>>>> [root at ipaclient ~]# more /etc/krb5.conf
>>>>>>> #File modified by ipa-client-install
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = MPLS.LOCAL
>>>>>>> dns_lookup_realm = true
>>>>>>> dns_lookup_kdc = true
>>>>>>> rdns = false
>>>>>>> ticket_lifetime = 24h
>>>>>>> forwardable = yes
>>>>>>>
>>>>>>> [realms]
>>>>>>> MPLS.LOCAL = {
>>>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>>> }
>>>>>>>
>>>>>>> [domain_realm]
>>>>>>> .mpls.local = MPLS.LOCAL
>>>>>>> mpls.local = MPLS.LOCAL
>>>>>>>
>>>>>>> [root at ipaclient ~]# nslookup ipaserver
>>>>>>> Server: 172.16.112.5
>>>>>>> Address: 172.16.112.5#53
>>>>>>>
>>>>>>> Name: ipaserver.mpls.local
>>>>>>> Address: 172.16.112.5
>>>>>>>
>>>>>>> [root at ipaserver ~]#ifdown eth0
>>>>>>>
>>>>>>> [root at ipaclient ~]# nslookup ipaserver
>>>>>>> Server: 172.16.112.8
>>>>>>> Address: 172.16.112.8#53
>>>>>>>
>>>>>>> Name: ipaserver.mpls.local
>>>>>>> Address: 172.16.112.5
>>>>>>>
>>>>>>> [root at ipaclient ~]# nslookup ipaserver2
>>>>>>> Server: 172.16.112.8
>>>>>>> Address: 172.16.112.8#53
>>>>>>>
>>>>>>> Name: ipaserver2.mpls.local
>>>>>>> Address: 172.16.112.8
>>>>>>>
>>>>>>> Copy/paste from the DNS page on ipaserver/ipaserver2
>>>>>>>
>>>>>>> @ NS ipaserver.mpls.local.
>>>>>>> NS ipaserver2.mpls.local.
>>>>>>> _kerberos TXT MPLS.LOCAL
>>>>>>> _kerberos-master._tcp SRV 0 100 88 ipaserver
>>>>>>> SRV 0 100 88 ipaserver2
>>>>>>> _kerberos-master._udp SRV 0 100 88 ipaserver
>>>>>>> SRV 0 100 88 ipaserver2
>>>>>>> _kerberos._tcp SRV 0 100 88 ipaserver
>>>>>>> SRV 0 100 88 ipaserver2
>>>>>>> _kerberos._udp SRV 0 100 88 ipaserver
>>>>>>> SRV 0 100 88 ipaserver2
>>>>>>> _kpasswd._tcp SRV 0 100 464 ipaserver
>>>>>>> SRV 0 100 464 ipaserver2
>>>>>>> _kpasswd._udp SRV 0 100 464 ipaserver
>>>>>>> SRV 0 100 464 ipaserver2
>>>>>>> _ldap._tcp SRV 0 100 389 ipaserver
>>>>>>> SRV 0 100 389 ipaserver2
>>>>>>> _ntp._udp SRV 0 100 123 ipaserver
>>>>>>> SRV 0 100 123 ipaserver2
>>>>>>> ipaclient A 172.16.112.9
>>>>>>> ipaclient2 A 172.16.112.145
>>>>>>> ipaserver A 172.16.112.5
>>>>>>> ipaserver2 A 172.16.112.8
>>>>>>> zenoss A 172.16.112.6
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Mike
>>>>>>>
>>>>>> I noticed that there is no domain line in the resolv.conf on the
>>>>>> client.
>>>>>> AFAIU in this case it would determine the domain by the gethostname and
>>>>>> in case of network being down it will fail over to the hosts file.
>>>>>> I wonder what is in your /etc/hosts?
>>>>>> Does it have just a short host name?
>>>>> [root at ipaclient ~]# more /etc/hosts
>>>>> 127.0.0.1 localhost.localdomain localhost
>>>>> ::1 localhost6.localdomain6 localhost6
>>>>>
>>>>>
>>>>> Add domain mpls.local to /etc/resolv.conf
>>>>>
>>>>> [root at ipaserver ~]#ifdown eth0
>>>>>
>>>>> [root at ipaclient ~]# kinit mike
>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting
>>>>> initial credentials
>>>>> [root at ipaclient ~]# nslookup ipaserver
>>>>> Server: 172.16.112.8
>>>>> Address: 172.16.112.8#53
>>>>>
>>>>> Name: ipaserver.mpls.local
>>>>> Address: 172.16.112.5
>>>>>
>>>>> [root at ipaclient ~]# nslookup ipaserver2
>>>>> Server: 172.16.112.8
>>>>> Address: 172.16.112.8#53
>>>>>
>>>>> Name: ipaserver2.mpls.local
>>>>> Address: 172.16.112.8
>>>>>
>>>>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts
>>>>>
>>>>> [root at ipaserver ~]#ifup eth0
>>>>>
>>>>> [root at ipaclient ~]# kinit mike
>>>>> Password for mike at MPLS.LOCAL:
>>>>>
>>>>> [root at ipaserver ~]#ifdown eth0
>>>>>
>>>>> [root at ipaclient ~]# kinit mike
>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting
>>>>> initial credentials
>>>>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._tcp
>>>>> Server: 172.16.112.8
>>>>> Address: 172.16.112.8#53
>>>>>
>>>>> _kerberos-master._tcp.mpls.local service = 0 100 88
>>>>> ipaserver2.mpls.local.
>>>>> _kerberos-master._tcp.mpls.local service = 0 100 88
>>>>> ipaserver.mpls.local.
>>>>>
>>>>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._udp
>>>>> Server: 172.16.112.5
>>>>> Address: 172.16.112.5#53
>>>>>
>>>>> _kerberos-master._udp.mpls.local service = 0 100 88
>>>>> ipaserver.mpls.local.
>>>>> _kerberos-master._udp.mpls.local service = 0 100 88
>>>>> ipaserver2.mpls.local.
>>>>>
>>>>>
>>>>> [root at ipaclient ~]# kinit mike
>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting
>>>>> initial credentials
>>>>>
>>>>> [root at ipaserver ~]#ifup eth0
>>>>>
>>>>> [root at ipaclient ~]# kinit mike
>>>>> Password for mike at MPLS.LOCAL:
>>>> I'd start with the sssd logs. Is it seeing the main server go offline
>>>> and not switching to the second one? Or is it going into offline mode?
>>>>
>>>> Do you have _srv_ or both servers listed in ipa_server in
>>>> /etc/sssd/sssd.conf?
>>>>
>>>> rob
>>>>
>>> Rob, maybe I am missing something, but how is SSSD related in this case?
>>> The test is done using kinit not SSSD.
>>>
>>> It would actually be an interesting test to try the same via SSSD, for
>>> example do su to mike instead of kinit and see what would happen (watch
>>> SSSD logs with high debug level, 8 for example).
>>> If that works it would probably mean that kinit does not fail over
>>> properly. So this would be a Kerberos kinit bug, not an IPA/SSSD bug.
>>>
>> AFAIK there is "sssd_krb5_locator_plugin". This plugin changes Kerberos servers dynamically at library level, so kinit should select the same server as SSSD.
>>
>> Manual page sssd_krb5_locator_plugin says:
>> If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value debug messages will be sent to stderr.
>>
>> You can execute
>> SSSD_KRB5_LOCATOR_DEBUG=1 kinit ...
> Hello,
>
> [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
> [sssd_krb5_locator] [172.16.112.8] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
> [sssd_krb5_locator] [172.16.112.8] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] reading kpasswd address failed, using kdc address.
> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[2] socktype[2] locate_service[2]
> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
> [sssd_krb5_locator] [172.16.112.8] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
> Password for mike at MPLS.LOCAL:
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] reading kpasswd address failed, using kdc address.
> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[2]
> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
> [sssd_krb5_locator] [172.16.112.8] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] reading kpasswd address failed, using kdc address.
> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[2]
> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
> [sssd_krb5_locator] [172.16.112.8] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
>
> [root at ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8
>
> [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
> [sssd_krb5_locator] [172.16.112.8] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
> [sssd_krb5_locator] [172.16.112.8] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

Jakub, does this make sense to you?

> Thanks,
> Mike
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Sep 17 15:20:13 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 17 Sep 2012 11:20:13 -0400
Subject: [Freeipa-users] NFS on Mac
In-Reply-To: <1347894430.78736.YahooMailNeo@web163106.mail.bf1.yahoo.com>
References: <1347894430.78736.YahooMailNeo@web163106.mail.bf1.yahoo.com>
Message-ID: <50573FAD.8030008@redhat.com>

On 09/17/2012 11:07 AM, george he wrote:
> Hello all,
> I have IPA server and NFS server set up on a computer running centos 6.3.
> Is there a way to set up a mac laptop to access the data on the NFS
> server?
> The laptop does not have a static IP. DNS is not configured with IPA.
> If yes, how do I config the mac?

Is this what you are looking for?
http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/

> Thanks,
> George
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

From sigbjorn at nixtra.com Mon Sep 17 15:23:51 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 17 Sep 2012 17:23:51 +0200
Subject: [Freeipa-users] Solaris 11 (OpenIndiana) PAM stack Password Change
In-Reply-To: <505388B1.1040701@redhat.com>
References: <505388B1.1040701@redhat.com>
Message-ID: <50574086.3000302@nixtra.com>

On 09/14/2012 09:42 PM, Dmitri Pal wrote:
> On 09/14/2012 01:34 AM, Mullen, Jonathan W. wrote:
>> Hello All,
>>
>> I'm in the process of setting up a ZFS file server that authenticates against our freeipa infrastructure. I'm running into a few issues, and a lot of confusion between discrepancies in the documentation.
>> Specifically between (http://freeipa.com/page/ConfiguringSolarisClients) and (http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html)
> Hope those comments help
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815533
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>
>
>> userA is a freeipa user
>>
>> SSH with kerberos ticket already acquired:
>>
>> CLIENT:~ userA$ ssh server.domain -l userA
>> Last login: Thu Sep 13 22:43:42 2012 from IP
>> OpenIndiana (powered by illumos) SunOS 5.11 oi_151a5 June 2012
>> -bash-4.0$ passwd
>> passwd: Changing password for userA
>> Enter existing login password:
>> Unexpected failure. Password file/table unchanged.
>> -bash-4.0$ su
>> Password:
>> # passwd userA
>> Enter userA's password:
>> passwd: userA does not exist.
>> Permission denied
>> # exit
>> exit
>>
>> SSH with password login (notice the LACK of 'passwd: userA does not exist.' as opposed to with kerberos):
>>
>> CLIENT:~ userA$ ssh server.domain -l userA
>> Password:
>> Last login: Thu Sep 13 22:59:02 2012 from IP
>> OpenIndiana (powered by illumos) SunOS 5.11 oi_151a5 June 2012
>> -bash-4.0$ passwd
>> passwd: Changing password for userA
>> Enter existing login password:
>> Unexpected failure. Password file/table unchanged.
>> -bash-4.0$
>>
>>
>> Here is my pam.conf, you can see the comments showing the various configurations. The current one works the "best" in that BOTH "getent passwd" and "getent passwd userA". Some configurations only "getent passwd userA" would work, and not "getent passwd". No
>>
>> My aim here is to get password changes working so I can capture smb passwords for SMB/CIFS.
>>
>> Does anyone have a working OpenIndiana and freeIPA setup for SMB shares? If so would you be so kind as to help me with some sample configs?
>>
>>
>> # Authentication management
>> #
>> # login service (explicit because of pam_dial_auth)
>> #
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> #login auth sufficient pam_krb5.so.1 try_first_pass
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1 use_first_pass
>> login auth required pam_dial_auth.so.1
>> #
>> # rlogin service (explicit because of pam_rhost_auth)
>> #
>> rlogin auth sufficient pam_rhosts_auth.so.1
>> rlogin auth requisite pam_authtok_get.so.1
>> rlogin auth required pam_dhkeys.so.1
>> rlogin auth required pam_unix_cred.so.1
>> rlogin auth required pam_unix_auth.so.1
>> #
>> # Kerberized rlogin service
>> #
>> krlogin auth required pam_unix_cred.so.1
>> krlogin auth required pam_krb5.so.1
>> #
>> # rsh service (explicit because of pam_rhost_auth,
>> # and pam_unix_auth for meaningful pam_setcred)
>> #
>> rsh auth sufficient pam_rhosts_auth.so.1
>> rsh auth required pam_unix_cred.so.1
>> #
>> # Kerberized rsh service
>> #
>> krsh auth required pam_unix_cred.so.1
>> krsh auth required pam_krb5.so.1
>> #
>> # Kerberized telnet service
>> #
>> ktelnet auth required pam_unix_cred.so.1
>> ktelnet auth required pam_krb5.so.1
>> #
>> # PPP service (explicit because of pam_dial_auth)
>> #
>> ppp auth requisite pam_authtok_get.so.1
>> ppp auth required pam_dhkeys.so.1
>> ppp auth required pam_unix_cred.so.1
>> ppp auth required pam_unix_auth.so.1
>> ppp auth required pam_dial_auth.so.1
>> #
>> # GDM Autologin (explicit because of pam_allow). These need to be
>> # here as there is no mechanism for packages to amend pam.conf as
>> # they are installed.
>> #
>> gdm-autologin auth required pam_unix_cred.so.1
>> gdm-autologin auth sufficient pam_allow.so.1
>> #
>> # Default definitions for Authentication management
>> # Used when service name is not explicitly mentioned for authentication
>> #
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth sufficient pam_krb5.so.1
>> other auth required pam_unix_auth.so.1
>> #
>> # passwd command (explicit because of a different authentication module)
>> #
>> #passwd auth required pam_passwd_auth.so.1
>> passwd auth binding pam_passwd_auth.so.1 server_policy
>> passwd auth required pam_ldap.so.1
>> #
>> # cron service (explicit because of non-usage of pam_roles.so.1)
>> #
>> cron account required pam_unix_account.so.1
>> #
>> # cups service (explicit because of non-usage of pam_roles.so.1)
>> #
>> cups account required pam_unix_account.so.1
>> #
>> # GDM Autologin (explicit because of pam_allow) This needs to be here
>> # as there is no mechanism for packages to amend pam.conf as they are
>> # installed.
>> #
>> gdm-autologin account sufficient pam_allow.so.1
>> #
>> # Default definition for Account management
>> # Used when service name is not explicitly mentioned for account management
>> #
>> #other account requisite pam_roles.so.1
>> #other account optional pam_unix_account.so.1
>> #other account optional pam_krb5.so.1 debug
>> other account requisite pam_roles.so.1
>> other account binding pam_unix_account.so.1 server_policy
>> other account required pam_ldap.so.1
>> #
>> # Default definition for Session management
>> # Used when service name is not explicitly mentioned for session management
>> #
>> other session required pam_unix_session.so.1
>> #
>> # Default definition for Password management
>> # Used when service name is not explicitly mentioned for password management
>> #
>> other password required pam_dhkeys.so.1
>> other password requisite pam_authtok_get.so.1
>> other password requisite pam_authtok_check.so.1
>> other password required pam_authtok_store.so.1 server_policy
>> #other password sufficient pam_krb5.so.1
>> #other password required pam_authtok_store.so.1
>> #
>> # Support for Kerberos V5 authentication and example configurations can
>> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
>> #
>>
>> other password required pam_smb_passwd.so.1 nowarn
>>
>>
>> Jonathan Mullen
>> jonathan at ou.edu
>>
>

Hi,

Did you get anywhere with this? Are you using Solaris 11 or OpenIndiana?

At first glance it looks like you haven't configured pam for krb5 password management. Have a look at the pam.conf below and see if that will get you anywhere with password changes.
Regards,
Siggi

#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1 debug
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1 debug
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1 debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
other session required pam_krb5.so.1 debug
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other password sufficient pam_krb5.so.1
other password requisite pam_authtok_check.so.1 force_check
other password required pam_authtok_store.so.1
#

From dpal at redhat.com Mon Sep 17 15:27:28 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 17 Sep 2012 11:27:28 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <85ADE4BA-3215-4B94-A306-85CDD523CF74@gmail.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <85ADE4BA-3215-4B94-A306-85CDD523CF74@gmail.com>
Message-ID: <50574160.4080305@redhat.com>

On 09/17/2012 10:14 AM, Michael Mercier wrote:
> On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
>
>> Michael Mercier wrote:
>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>
>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>
>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.
>>>>>>>
>>>>>>> [root at ipaserver ~]#ipa-replica-manage list
>>>>>>> ipaserver.mpls.local: master
>>>>>>> ipaserver2.mpls.local: master
>>>>>>> [root at ipaserver ~]# rpm -qa|grep ipa
>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>
>>>>>>>
>>>>>>> [root at ipaserver2 ~]#ipa-replica-manage list
>>>>>>> ipaserver.mpls.local: master
>>>>>>> ipaserver2.mpls.local: master
>>>>>>> [root at ipaserver2 ~]# rpm -qa|grep ipa
>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>
>>>>>>>
>>>>>>> [mike at ipaclient ~]$ rpm -qa|grep ipa
>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>
>>>>>>>
>>>>>>> I have a webserver (zenoss) using kerberos authentication.
>>>>>>>
>>>>>>> [root at zenoss ~]# rpm -qa|grep ipa
>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>
>>>>>>>
>>>>>>> SSLRequireSSL
>>>>>>> AuthType Kerberos
>>>>>>> AuthName "Kerberos Login"
>>>>>>>
>>>>>>> KrbMethodK5Passwd Off
>>>>>>> KrbAuthRealms MPLS.LOCAL
>>>>>>> KrbSaveCredentials on
>>>>>>> KrbServiceName HTTP
>>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>>>>>>
>>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>>>>>>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails. I have also noticed the following:
>>>>>>>
>>>>>>> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
>>>>>>> 2. It takes a longer period of time to do a kinit
>>>>>>>
>>>>>>> If I then perform:
>>>>>>> [root at ipaserver ~]#ifup eth0
>>>>>>>
>>>>>>> [root at ipaserver2 ~]#ifdown eth0
>>>>>>>
>>>>>>> [mike at ipaclient ~]$kinit
>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>>
>>>>>>> [root at ipaserver2 ~]#ifup eth0
>>>>>>>
>>>>>>> [mike at ipaclient ~]$ kinit
>>>>>>> Password for mike at MPLS.LOCAL:
>>>>>>> [mike at ipaclient ~]$
>>>>>>>
>>>>>>> [root at ipaserver2 ~]#ifdown eth0
>>>>>>>
>>>>>>> .. wait number of minutes
>>>>>>>
>>>>>>> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
>>>>>>>
>>>>>>> [mike at ipaclient ~]$kinit
>>>>>>> Password for mike at MPLS.LOCAL:
>>>>>>> [mike at ipaclient ~]$
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Mike
>>>>>> This seems to be some DNS problem.
>>>>>> Your client does not see the second replica and might have some name
>>>>>> resolution timeouts.
>>>>>>
>>>>>> Please check your dns setup and krb5.conf on the client.
>>>>>>
>>>>>> To help more we need more details about your client configuration DNS and
>>>>>> kerberos.
>>>>> Hi,
>>>>>
>>>>> Additional information...
>>>>>
>>>>> [root at zenoss ~]#more /etc/resolv.conf
>>>>> search mpls.local
>>>>> domain mpls.local
>>>>> nameserver 172.16.112.5
>>>>> nameserver 172.16.112.8
>>>>>
>>>>> [root at zenoss ~]# more /etc/krb5.conf
>>>>> #File modified by ipa-client-install
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = MPLS.LOCAL
>>>>> dns_lookup_realm = true
>>>>> dns_lookup_kdc = true
>>>>> rdns = false
>>>>> ticket_lifetime = 24h
>>>>> forwardable = yes
>>>>>
>>>>> [realms]
>>>>> MPLS.LOCAL = {
>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .mpls.local = MPLS.LOCAL
>>>>> mpls.local = MPLS.LOCAL
>>>>>
>>>>> [root at ipaclient ~]# more /etc/resolv.conf
>>>>> # Generated by NetworkManager
>>>>> search mpls.local
>>>>> nameserver 172.16.112.5
>>>>> nameserver 172.16.112.8
>>>>>
>>>>> [root at ipaclient ~]# more /etc/krb5.conf
>>>>> #File modified by ipa-client-install
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = MPLS.LOCAL
>>>>> dns_lookup_realm = true
>>>>> dns_lookup_kdc = true
>>>>> rdns = false
>>>>> ticket_lifetime = 24h
>>>>> forwardable = yes
>>>>>
>>>>> [realms]
>>>>> MPLS.LOCAL = {
>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .mpls.local = MPLS.LOCAL
>>>>> mpls.local = MPLS.LOCAL
>>>>>
>>>>> [root at ipaclient ~]# nslookup ipaserver
>>>>> Server: 172.16.112.5
>>>>> Address: 172.16.112.5#53
>>>>>
>>>>> Name: ipaserver.mpls.local
>>>>> Address: 172.16.112.5
>>>>>
>>>>> [root at ipaserver ~]#ifdown eth0
>>>>>
>>>>> [root at ipaclient ~]# nslookup ipaserver
>>>>> Server: 172.16.112.8
>>>>> Address: 172.16.112.8#53
>>>>>
>>>>> Name: ipaserver.mpls.local
>>>>> Address: 172.16.112.5
>>>>>
>>>>> [root at ipaclient ~]# nslookup ipaserver2
>>>>> Server: 172.16.112.8
>>>>> Address: 172.16.112.8#53
>>>>>
>>>>> Name: ipaserver2.mpls.local
>>>>> Address: 172.16.112.8
>>>>>
>>>>> Copy/paste from the DNS page on ipaserver/ipaserver2
>>>>>
>>>>> @ NS ipaserver.mpls.local.
>>>>> NS ipaserver2.mpls.local.
>>>>> _kerberos TXT MPLS.LOCAL
>>>>> _kerberos-master._tcp SRV 0 100 88 ipaserver
>>>>> SRV 0 100 88 ipaserver2
>>>>> _kerberos-master._udp SRV 0 100 88 ipaserver
>>>>> SRV 0 100 88 ipaserver2
>>>>> _kerberos._tcp SRV 0 100 88 ipaserver
>>>>> SRV 0 100 88 ipaserver2
>>>>> _kerberos._udp SRV 0 100 88 ipaserver
>>>>> SRV 0 100 88 ipaserver2
>>>>> _kpasswd._tcp SRV 0 100 464 ipaserver
>>>>> SRV 0 100 464 ipaserver2
>>>>> _kpasswd._udp SRV 0 100 464 ipaserver
>>>>> SRV 0 100 464 ipaserver2
>>>>> _ldap._tcp SRV 0 100 389 ipaserver
>>>>> SRV 0 100 389 ipaserver2
>>>>> _ntp._udp SRV 0 100 123 ipaserver
>>>>> SRV 0 100 123 ipaserver2
>>>>> ipaclient A 172.16.112.9
>>>>> ipaclient2 A 172.16.112.145
>>>>> ipaserver A 172.16.112.5
>>>>> ipaserver2 A 172.16.112.8
>>>>> zenoss A 172.16.112.6
>>>>>
>>>>> Thanks,
>>>>> Mike
>>>>>
>>>> I noticed that there is no domain line in the resolv.conf on the client.
>>>> AFAIU in this case it would determine the domain by the gethostname and
>>>> in case of network being down it will fail over to the hosts file.
>>>> I wonder what is in your /etc/hosts?
>>>> Does it have just a short host name?
>>> [root at ipaclient ~]# more /etc/hosts >>> 127.0.0.1 localhost.localdomain localhost >>> ::1 localhost6.localdomain6 localhost6 >>> >>> >>> Add domain mpls.local to /etc/resolv.conf >>> >>> [root at ipaserver ~]#ifdown eth0 >>> >>> [root at ipaclient ~]# kinit mike >>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials >>> [root at ipaclient ~]# nslookup ipaserver >>> Server: 172.16.112.8 >>> Address: 172.16.112.8#53 >>> >>> Name: ipaserver.mpls.local >>> Address: 172.16.112.5 >>> >>> [root at ipaclient ~]# nslookup ipaserver2 >>> Server: 172.16.112.8 >>> Address: 172.16.112.8#53 >>> >>> Name: ipaserver2.mpls.local >>> Address: 172.16.112.8 >>> >>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts >>> >>> [root at ipaserver ~]#ifup eth0 >>> >>> [root at ipaclient ~]# kinit mike >>> Password for mike at MPLS.LOCAL: >>> >>> [root at ipaserver ~]#ifdown eth0 >>> >>> [root at ipaclient ~]# kinit mike >>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials >>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._tcp >>> Server: 172.16.112.8 >>> Address: 172.16.112.8#53 >>> >>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver2.mpls.local. >>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local. >>> >>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._udp >>> Server: 172.16.112.5 >>> Address: 172.16.112.5#53 >>> >>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver.mpls.local. >>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver2.mpls.local. >>> >>> >>> [root at ipaclient ~]# kinit mike >>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials >>> >>> [root at ipaserver ~]#ifup eth0 >>> >>> [root at ipaclient ~]# kinit mike >>> Password for mike at MPLS.LOCAL: >> I'd start with the sssd logs. Is it seeing the main server go offline and not switching to the second one? 
Or is it going into offline mode? >> >> Do you have _srv_ or both servers listed in ipa_server in /etc/sssd/sssd.conf? >> > Hello, > > [root at ipaclient ~]# more /etc/sssd/sssd.conf > [sssd] > config_file_version = 2 > services = nss, pam > # SSSD will not start if you do not configure any domains. > # Add new domain configurations as [domain/] sections, and > # then add the list of domains (in the order you want them to be > # queried) to the "domains" attribute below and uncomment it. > # domains = LDAP > > domains = mpls.local > [nss] > > [pam] > > # Example LDAP domain > # [domain/LDAP] > # id_provider = ldap > # auth_provider = ldap > # ldap_schema can be set to "rfc2307", which stores group member names in the > # "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in > # the "member" attribute. If you do not know this value, ask your LDAP > # administrator. > # ldap_schema = rfc2307 > # ldap_uri = ldap://ldap.mydomain.org > # ldap_search_base = dc=mydomain,dc=org > # Note that enabling enumeration will have a moderate performance impact. > # Consequently, the default value for enumeration is FALSE. > # Refer to the sssd.conf man page for full details. > # enumerate = false > # Allow offline logins by locally storing password hashes (default: false). > # cache_credentials = true > > # An example Active Directory domain. Please note that this configuration > # works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis > # compliant attribute names. To support UNIX clients with AD 2003 or older, > # you must install Microsoft Services For Unix and map LDAP attributes onto > # msSFU30* attribute names. 
> # [domain/AD] > # id_provider = ldap > # auth_provider = krb5 > # chpass_provider = krb5 > # > # ldap_uri = ldap://your.ad.example.com > # ldap_search_base = dc=example,dc=com > # ldap_schema = rfc2307bis > # ldap_sasl_mech = GSSAPI > # ldap_user_object_class = user > # ldap_group_object_class = group > # ldap_user_home_directory = unixHomeDirectory > # ldap_user_principal = userPrincipalName > # ldap_account_expire_policy = ad > # ldap_force_upper_case_realm = true > # > # krb5_server = your.ad.example.com > # krb5_realm = EXAMPLE.COM > [domain/mpls.local] > cache_credentials = True > krb5_store_password_if_offline = True > ipa_domain = mpls.local > id_provider = ipa > auth_provider = ipa > access_provider = ipa > chpass_provider = ipa > ipa_dyndns_update = True > ipa_server = _srv_, ipaserver.mpls.local, ipaserver2.mpls.local Can you please for the sake of the test remove _srv_ from your configuration? There might be a bug in how we handle the case when the response from DNS lookup is not obtained or something like. It seems that it does not fail over properly. > ldap_tls_cacert = /etc/ipa/ca.crt > > NOTE: I manually added ipaserver2.mpls.local > > Where specifically should I add the debugging? > I added debug_level = 5 to [sssd] You can add it to the bottom. That should work. 
> [root at ipaserver ~]ifdown eth0 > > [root at ipaserver2 ~]ifup eth0 > > (Mon Sep 17 10:08:47 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping > (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging nss > (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging pam > (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping > (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping > (Mon Sep 17 10:08:57 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local > (Mon Sep 17 10:08:57 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping > (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging nss > (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging pam > (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping > (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping > (Mon Sep 17 10:09:07 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local > (Mon Sep 17 10:09:07 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping > (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging nss > (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging pam > (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping > (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping > (Mon Sep 17 10:09:17 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local > (Mon Sep 17 10:09:17 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping > (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging nss > (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging pam > (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping > (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): 
Service pam replied to ping > This is not the right log. The most informative one is called sssd_default.log. > >> rob >> -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From mmercier at gmail.com Mon Sep 17 18:18:38 2012 From: mmercier at gmail.com (Michael Mercier) Date: Mon, 17 Sep 2012 14:18:38 -0400 Subject: [Freeipa-users] errors when one ipa server down In-Reply-To: <50574160.4080305@redhat.com> References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <85ADE4BA-3215-4B94-A306-85CDD523CF74@gmail.com> <50574160.4080305@redhat.com> Message-ID: <5666AE1B-D603-4ACE-8B94-3AF4C9102DAB@gmail.com> On 2012-09-17, at 11:27 AM, Dmitri Pal wrote: > On 09/17/2012 10:14 AM, Michael Mercier wrote: >> On 2012-09-07, at 4:50 PM, Rob Crittenden wrote: >> >>> Michael Mercier wrote: >>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote: >>>> >>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote: >>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote: >>>>>> >>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote: >>>>>>>> Hello, >>>>>>>> >>>>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR. 
>>>>>>>> [...]
>> [domain/mpls.local]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = mpls.local
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> chpass_provider = ipa
>> ipa_dyndns_update = True
>> ipa_server = _srv_, ipaserver.mpls.local, ipaserver2.mpls.local
>
> Can you please for the sake of the test remove _srv_ from your
> configuration?
> There might be a bug in how we handle the case when the response from
> DNS lookup is not obtained or something like that.
> It seems that it does not fail over properly.
>
>> ldap_tls_cacert = /etc/ipa/ca.crt
>>
>> NOTE: I manually added ipaserver2.mpls.local
>>
>> Where specifically should I add the debugging?
>> I added debug_level = 5 to [sssd]
>
> You can add it to the bottom. That should work.
>
>> [root@ipaserver ~]ifdown eth0
>>
>> [root@ipaserver2 ~]ifup eth0
>>
>> [...]
>
> This is not the right log. The most informative one is called
> sssd_default.log.

Hello,

I did the following:

add 'debug_level = 8' to section [domain/mpls.local]
remove _srv_ from ipa_server =

[root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
Password for mike@MPLS.LOCAL:
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called

[root@ipaserver ~]ifdown eth0

[root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
Password for mike@MPLS.LOCAL:
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called

[root@ipaserver ~]ifup eth0

[root@ipaserver2 ~]ifdown eth0

[root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
Password for mike@MPLS.LOCAL:
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[root@ipaclient ~]#

NOTES:
1. The final kinit, although successful, took considerably longer to complete
2. I do not have a /var/log/sssd/sssd_default.log

Thanks,
Mike

>>> rob

From george_he7 at yahoo.com Mon Sep 17 18:21:28 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 17 Sep 2012 11:21:28 -0700 (PDT)
Subject: [Freeipa-users] NFS on Mac
In-Reply-To: <50573FAD.8030008@redhat.com>
References: <1347894430.78736.YahooMailNeo@web163106.mail.bf1.yahoo.com> <50573FAD.8030008@redhat.com>
Message-ID: <1347906088.5867.YahooMailNeo@web163102.mail.bf1.yahoo.com>

Sounds to me the link may work for nfs version 3 only.
Now with IPA and NFS4, there's got to be something more.
George

> ________________________________
> From: Dmitri Pal
> To: freeipa-users at redhat.com
> Sent: Monday, September 17, 2012 11:20 AM
> Subject: Re: [Freeipa-users] NFS on Mac
>
> On 09/17/2012 11:07 AM, george he wrote:
>> Hello all,
>> I have IPA server and NFS server set up on a computer running centos 6.3.
>> Is there a way to set up a mac laptop to access the data on the NFS server?
>> The laptop does not have a static IP. DNS is not configured with IPA.
>>
>> If yes, how do I config the mac?
> Is this what you are looking for?
> http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/
>
>> Thanks,
>> George
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
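For the failover question in the "errors when one ipa server down" thread above (the `ipa_server = _srv_, ipaserver.mpls.local, ipaserver2.mpls.local` setting and the `_kerberos._tcp` SRV records Mike pasted), here is an added Python model of how a client builds its KDC candidate list and walks it when one server is down. It is not SSSD's or FreeIPA's code: the SRV data is constructed from the pasted zone, `_srv_` expansion is simplified, and the reachability probe is injectable so it runs offline.

```python
"""KDC failover model for an SSSD-style ipa_server list (added example for the
"errors when one ipa server down" thread; not SSSD or FreeIPA code). The SRV
data is constructed from the zone Mike pasted; the reachability probe is
injectable so the failover order can be exercised offline."""
import random
import socket
from typing import Callable, Dict, List, Optional, Sequence, Tuple

SrvRecord = Tuple[int, int, int, str]  # priority, weight, port, target
HostPort = Tuple[str, int]
Probe = Callable[[str, int], bool]

# Constructed from the zone pasted in the thread: equal priority and weight.
MPLS_LOCAL_SRV: Dict[str, List[SrvRecord]] = {
    "_kerberos._tcp.mpls.local": [
        (0, 100, 88, "ipaserver.mpls.local."),
        (0, 100, 88, "ipaserver2.mpls.local."),
    ],
}


def order_srv(records: Sequence[SrvRecord],
              rng: Optional[random.Random] = None) -> List[HostPort]:
    """RFC 2782 ordering: lowest priority first, then weighted random
    selection within a priority, so with equal weights the order varies."""
    rng = rng or random.Random()
    by_prio: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_prio.setdefault(rec[0], []).append(rec)
    ordered: List[HostPort] = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running, chosen = 0, 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:
                    chosen = i
                    break
            rec = pool.pop(chosen)
            ordered.append((rec[3].rstrip("."), rec[2]))
    return ordered


def candidate_kdcs(ipa_server: str, domain: str,
                   srv: Dict[str, List[SrvRecord]],
                   rng: Optional[random.Random] = None) -> List[HostPort]:
    """Expand an sssd.conf ipa_server value into an ordered KDC list. This
    models the option's meaning, not SSSD's resolver: ``_srv_`` becomes the
    ``_kerberos._tcp.<domain>`` answer, a name becomes (name, 88), and
    duplicates are dropped so no KDC is probed twice."""
    out: List[HostPort] = []
    for item in (s.strip() for s in ipa_server.split(",") if s.strip()):
        if item.lower() == "_srv_":
            entries = order_srv(srv.get(f"_kerberos._tcp.{domain}", []), rng)
        else:
            entries = [(item, 88)]
        for entry in entries:
            if entry not in out:
                out.append(entry)
    return out


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe for interactive use: can TCP reach the KDC port at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_kdc(candidates: Sequence[HostPort], probe: Probe,
             per_try_timeout: float = 3.0) -> Tuple[Optional[HostPort], int, float]:
    """Walk the list until a KDC answers; return (chosen, failed probes,
    estimated extra delay). Each dead server costs one timeout before the
    next is tried, which is the slower kinit the thread describes."""
    failed = 0
    for host, port in candidates:
        if probe(host, port):
            return (host, port), failed, failed * per_try_timeout
        failed += 1
    return None, failed, failed * per_try_timeout


def simulate(ipa_server: str, down: Sequence[str], seed: int = 1):
    """Offline scenario: every host named in `down` refuses the probe."""
    cands = candidate_kdcs(ipa_server, "mpls.local", MPLS_LOCAL_SRV,
                           random.Random(seed))
    chosen, failed, delay = pick_kdc(cands, lambda h, p: h not in down)
    return cands, chosen, failed, delay


if __name__ == "__main__":
    for setting in ("_srv_, ipaserver.mpls.local, ipaserver2.mpls.local",
                    "ipaserver.mpls.local, ipaserver2.mpls.local"):
        cands, chosen, failed, delay = simulate(setting, ["ipaserver.mpls.local"])
        print(f"{setting!r}: tried {cands}, chose {chosen}, "
              f"{failed} timeout(s), ~{delay:.0f}s extra")
```

The `[sssd_krb5_locator] open failed [2][No such file or directory]` lines in Mike's output mean the locator plugin found no kdcinfo file for the realm under /var/lib/sss/pubconf, so libkrb5 fell back to krb5.conf and DNS; that fallback path is what the walk above models.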
From dpal at redhat.com Mon Sep 17 18:47:08 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 17 Sep 2012 14:47:08 -0400
Subject: [Freeipa-users] NFS on Mac
In-Reply-To: <1347906088.5867.YahooMailNeo@web163102.mail.bf1.yahoo.com>
References: <1347894430.78736.YahooMailNeo@web163106.mail.bf1.yahoo.com> <50573FAD.8030008@redhat.com> <1347906088.5867.YahooMailNeo@web163102.mail.bf1.yahoo.com>
Message-ID: <5057702C.2030102@redhat.com>

On 09/17/2012 02:21 PM, george he wrote:
> Sounds to me the link may work for nfs version 3 only.
> Now with IPA and NFS4, there's got to be something more.
> George

I do not know the exact steps on Mac because there is no ipa-client on Mac, so you would have to configure the machine to be an IPA client manually.
This would mean that you need to authenticate with Kerberos and then make the NFS part use the credential cache of the logged-in user (if you are planning to use it for users mounting shares). This is what needs to happen conceptually.
I know that people have done it in the past but I do not think there are instructions.

Once you have managed to do it, please see the presentation on how to set up secure NFS on Linux:
http://rhsummit.files.wordpress.com/2012/03/dickson_the_evolution_nfs_protocol.pdf

Maybe it will give you some hints and pointers.
The only known problem with this slide deck is that on slide 18, after kinit admin and before ipa-getkeytab, you need to add a service for the NFS server:

ipa service-add nfs/`hostname`@EXAMPLE

HTH

> ------------------------------------------------------------------------
> *From:* Dmitri Pal
> *To:* freeipa-users at redhat.com
> *Sent:* Monday, September 17, 2012 11:20 AM
> *Subject:* Re: [Freeipa-users] NFS on Mac
>
> On 09/17/2012 11:07 AM, george he wrote:
>> Hello all,
>> I have IPA server and NFS server set up on a computer running
>> centos 6.3.
>> Is there a way to set up a mac laptop to access the data on the
>> NFS server?
>> The laptop does not have a static IP. DNS is not configured with IPA.
>> If yes, how do I config the mac?
>
> Is this what you are looking for?
> http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/
>
>> Thanks,
>> George

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Sep 17 18:54:14 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 17 Sep 2012 14:54:14 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <5666AE1B-D603-4ACE-8B94-3AF4C9102DAB@gmail.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <85ADE4BA-3215-4B94-A306-85CDD523CF74@gmail.com> <50574160.4080305@redhat.com> <5666AE1B-D603-4ACE-8B94-3AF4C9102DAB@gmail.com>
Message-ID: <505771D6.4040006@redhat.com>

On 09/17/2012 02:18 PM, Michael Mercier wrote:
> On 2012-09-17, at 11:27 AM, Dmitri Pal wrote:
>
>> On 09/17/2012 10:14 AM, Michael Mercier wrote:
>>> On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
>>>
>>>> Michael Mercier wrote:
>>>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>>>
>>>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>>>> On 2012-09-07, at 12:14 PM, Dmitri
Pal wrote: >>>>>>> >>>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote: >>>>>>>>> Hello, >>>>>>>>> >>>>>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR. >>>>>>>>> >>>>>>>>> [root at ipaserver ~]#ipa-replica-manage list >>>>>>>>> ipaserver.mpls.local: master >>>>>>>>> ipaserver2.mpls.local: master >>>>>>>>> [root at ipaserver ~]# rpm -qa|grep ipa >>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>>>> ipa-server-2.2.0-16.el6.x86_64 >>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch >>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64 >>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch >>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>>>> >>>>>>>>> >>>>>>>>> [root at ipaserver2 ~]#ipa-replica-manage list >>>>>>>>> ipaserver.mpls.local: master >>>>>>>>> ipaserver2.mpls.local: master >>>>>>>>> [root at ipaserver2 ~]# rpm -qa|grep ipa >>>>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>>>> ipa-server-2.2.0-16.el6.x86_64 >>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch >>>>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64 >>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch >>>>>>>>> >>>>>>>>> >>>>>>>>> [mike at ipaclient ~]$ rpm -qa|grep ipa >>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>>>> >>>>>>>>> >>>>>>>>> I have a webserver (zenoss) using kerberos authentication. 
>>>>>>>>> >>>>>>>>> [root at zenoss ~]# rpm -qa|grep ipa >>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>>>> >>>>>>>>> >>>>>>>>> SSLRequireSSL >>>>>>>>> AuthType Kerberos >>>>>>>>> AuthName "Kerberos Login" >>>>>>>>> >>>>>>>>> KrbMethodK5Passwd Off >>>>>>>>> KrbAuthRealms MPLS.LOCAL >>>>>>>>> KrbSaveCredentials on >>>>>>>>> KrbServiceName HTTP >>>>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab >>>>>>>>> >>>>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName" >>>>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e >>>>>>>>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails. I have also noticed the following: >>>>>>>>> >>>>>>>>> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable. >>>>>>>>> 2. It takes a longer period of time to do a kinit >>>>>>>>> >>>>>>>>> If I then perform: >>>>>>>>> [root at ipaserver ~]#ifup eth0 >>>>>>>>> >>>>>>>>> [root at ipaserver2 ~]#ifdown eth0 >>>>>>>>> >>>>>>>>> [mike at ipaclient ~]$kinit >>>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials >>>>>>>>> >>>>>>>>> [root at ipaserver2 ~]#ifup eth0 >>>>>>>>> >>>>>>>>> [mike at ipaclient ~]$ kinit >>>>>>>>> Password for mike at MPLS.LOCAL: >>>>>>>>> [mike at ipaclient ~]$ >>>>>>>>> >>>>>>>>> [root at ipaserver2 ~]#ifdown eth0 >>>>>>>>> >>>>>>>>> .. 
wait number of minutes >>>>>>>>> >>>>>>>>> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes >>>>>>>>> >>>>>>>>> [mike at ipaclient ~]$kinit >>>>>>>>> Password for mike at MPLS.LOCAL: >>>>>>>>> [mike at ipaclient ~]$ >>>>>>>>> >>>>>>>>> Any ideas? >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> Mike >>>>>>>> This seems to be some DNS problem. >>>>>>>> Your client does not see the second replica and might have some name >>>>>>>> resolution timeouts. >>>>>>>> >>>>>>>> Please check your dns setup and krb5.conf on the client. >>>>>>>> >>>>>>>> To help more we need more details about your client configuration DNS and >>>>>>>> kerberos. >>>>>>> Hi, >>>>>>> >>>>>>> Additional information... >>>>>>> >>>>>>> [root at zenoss ~]#more /etc/resolv.conf >>>>>>> search mpls.local >>>>>>> domain mpls.local >>>>>>> nameserver 172.16.112.5 >>>>>>> nameserver 172.16.112.8 >>>>>>> >>>>>>> [root at zenoss ~]# more /etc/krb5.conf >>>>>>> #File modified by ipa-client-install >>>>>>> >>>>>>> [libdefaults] >>>>>>> default_realm = MPLS.LOCAL >>>>>>> dns_lookup_realm = true >>>>>>> dns_lookup_kdc = true >>>>>>> rdns = false >>>>>>> ticket_lifetime = 24h >>>>>>> forwardable = yes >>>>>>> >>>>>>> [realms] >>>>>>> MPLS.LOCAL = { >>>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt >>>>>>> } >>>>>>> >>>>>>> [domain_realm] >>>>>>> .mpls.local = MPLS.LOCAL >>>>>>> mpls.local = MPLS.LOCAL >>>>>>> >>>>>>> [root at ipaclient ~]# more /etc/resolv.conf >>>>>>> # Generated by NetworkManager >>>>>>> search mpls.local >>>>>>> nameserver 172.16.112.5 >>>>>>> nameserver 172.16.112.8 >>>>>>> >>>>>>> [root at ipaclient ~]# more /etc/krb5.conf >>>>>>> #File modified by ipa-client-install >>>>>>> >>>>>>> [libdefaults] >>>>>>> default_realm = MPLS.LOCAL >>>>>>> dns_lookup_realm = true >>>>>>> dns_lookup_kdc = true >>>>>>> rdns = false >>>>>>> ticket_lifetime = 24h >>>>>>> forwardable = yes >>>>>>> >>>>>>> [realms] >>>>>>> MPLS.LOCAL = { >>>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt 
>>>>>>> } >>>>>>> >>>>>>> [domain_realm] >>>>>>> .mpls.local = MPLS.LOCAL >>>>>>> mpls.local = MPLS.LOCAL >>>>>>> >>>>>>> [root at ipaclient ~]# nslookup ipaserver >>>>>>> Server: 172.16.112.5 >>>>>>> Address: 172.16.112.5#53 >>>>>>> >>>>>>> Name: ipaserver.mpls.local >>>>>>> Address: 172.16.112.5 >>>>>>> >>>>>>> [root at ipaserver ~]#ifdown eth0 >>>>>>> >>>>>>> [root at ipaclient ~]# nslookup ipaserver >>>>>>> Server: 172.16.112.8 >>>>>>> Address: 172.16.112.8#53 >>>>>>> >>>>>>> Name: ipaserver.mpls.local >>>>>>> Address: 172.16.112.5 >>>>>>> >>>>>>> [root at ipaclient ~]# nslookup ipaserver2 >>>>>>> Server: 172.16.112.8 >>>>>>> Address: 172.16.112.8#53 >>>>>>> >>>>>>> Name: ipaserver2.mpls.local >>>>>>> Address: 172.16.112.8 >>>>>>> >>>>>>> Copy/paste from the DNS page on ipaserver/ipaserver2 >>>>>>> >>>>>>> @ NS ipaserver.mpls.local. >>>>>>> NS ipaserver2.mpls.local. >>>>>>> _kerberos TXT MPLS.LOCAL >>>>>>> _kerberos-master._tcp SRV 0 100 88 ipaserver >>>>>>> SRV 0 100 88 ipaserver2 >>>>>>> _kerberos-master._udp SRV 0 100 88 ipaserver >>>>>>> SRV 0 100 88 ipaserver2 >>>>>>> _kerberos._tcp SRV 0 100 88 ipaserver >>>>>>> SRV 0 100 88 ipaserver2 >>>>>>> _kerberos._udp SRV 0 100 88 ipaserver >>>>>>> SRV 0 100 88 ipaserver2 >>>>>>> _kpasswd._tcp SRV 0 100 464 ipaserver >>>>>>> SRV 0 100 464 ipaserver2 >>>>>>> _kpasswd._udp SRV 0 100 464 ipaserver >>>>>>> SRV 0 100 464 ipaserver2 >>>>>>> _ldap._tcp SRV 0 100 389 ipaserver >>>>>>> SRV 0 100 389 ipaserver2 >>>>>>> _ntp._udp SRV 0 100 123 ipaserver >>>>>>> SRV 0 100 123 ipaserver2 >>>>>>> ipaclient A 172.16.112.9 >>>>>>> ipaclient2 A 172.16.112.145 >>>>>>> ipaserver A 172.16.112.5 >>>>>>> ipaserver2 A 172.16.112.8 >>>>>>> zenoss A 172.16.112.6 >>>>>>> >>>>>>> Thanks, >>>>>>> Mike >>>>>>> >>>>>> I noticed that there is no domain line in the resolv.conf on the client. >>>>>> AFAIU in this case it would determine the domain by the gethostname and >>>>>> in case of network being down it will fail over to the hosts file. 
>>>>>> I wonder what is in your /etc/hosts? >>>>>> Does it have just a short host name? >>>>> [root at ipaclient ~]# more /etc/hosts >>>>> 127.0.0.1 localhost.localdomain localhost >>>>> ::1 localhost6.localdomain6 localhost6 >>>>> >>>>> >>>>> Add domain mpls.local to /etc/resolv.conf >>>>> >>>>> [root at ipaserver ~]#ifdown eth0 >>>>> >>>>> [root at ipaclient ~]# kinit mike >>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials >>>>> [root at ipaclient ~]# nslookup ipaserver >>>>> Server: 172.16.112.8 >>>>> Address: 172.16.112.8#53 >>>>> >>>>> Name: ipaserver.mpls.local >>>>> Address: 172.16.112.5 >>>>> >>>>> [root at ipaclient ~]# nslookup ipaserver2 >>>>> Server: 172.16.112.8 >>>>> Address: 172.16.112.8#53 >>>>> >>>>> Name: ipaserver2.mpls.local >>>>> Address: 172.16.112.8 >>>>> >>>>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts >>>>> >>>>> [root at ipaserver ~]#ifup eth0 >>>>> >>>>> [root at ipaclient ~]# kinit mike >>>>> Password for mike at MPLS.LOCAL: >>>>> >>>>> [root at ipaserver ~]#ifdown eth0 >>>>> >>>>> [root at ipaclient ~]# kinit mike >>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials >>>>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._tcp >>>>> Server: 172.16.112.8 >>>>> Address: 172.16.112.8#53 >>>>> >>>>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver2.mpls.local. >>>>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local. >>>>> >>>>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._udp >>>>> Server: 172.16.112.5 >>>>> Address: 172.16.112.5#53 >>>>> >>>>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver.mpls.local. >>>>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver2.mpls.local. 
>>>>> >>>>> >>>>> [root at ipaclient ~]# kinit mike >>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials >>>>> >>>>> [root at ipaserver ~]#ifup eth0 >>>>> >>>>> [root at ipaclient ~]# kinit mike >>>>> Password for mike at MPLS.LOCAL: >>>> I'd start with the sssd logs. Is it seeing the main server go offline and not switching to the second one? Or is it going into offline mode? >>>> >>>> Do you have _srv_ or both servers listed in ipa_server in /etc/sssd/sssd.conf? >>>> >>> Hello, >>> >>> [root at ipaclient ~]# more /etc/sssd/sssd.conf >>> [sssd] >>> config_file_version = 2 >>> services = nss, pam >>> # SSSD will not start if you do not configure any domains. >>> # Add new domain configurations as [domain/] sections, and >>> # then add the list of domains (in the order you want them to be >>> # queried) to the "domains" attribute below and uncomment it. >>> # domains = LDAP >>> >>> domains = mpls.local >>> [nss] >>> >>> [pam] >>> >>> # Example LDAP domain >>> # [domain/LDAP] >>> # id_provider = ldap >>> # auth_provider = ldap >>> # ldap_schema can be set to "rfc2307", which stores group member names in the >>> # "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in >>> # the "member" attribute. If you do not know this value, ask your LDAP >>> # administrator. >>> # ldap_schema = rfc2307 >>> # ldap_uri = ldap://ldap.mydomain.org >>> # ldap_search_base = dc=mydomain,dc=org >>> # Note that enabling enumeration will have a moderate performance impact. >>> # Consequently, the default value for enumeration is FALSE. >>> # Refer to the sssd.conf man page for full details. >>> # enumerate = false >>> # Allow offline logins by locally storing password hashes (default: false). >>> # cache_credentials = true >>> >>> # An example Active Directory domain. Please note that this configuration >>> # works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis >>> # compliant attribute names. 
To support UNIX clients with AD 2003 or older, >>> # you must install Microsoft Services For Unix and map LDAP attributes onto >>> # msSFU30* attribute names. >>> # [domain/AD] >>> # id_provider = ldap >>> # auth_provider = krb5 >>> # chpass_provider = krb5 >>> # >>> # ldap_uri = ldap://your.ad.example.com >>> # ldap_search_base = dc=example,dc=com >>> # ldap_schema = rfc2307bis >>> # ldap_sasl_mech = GSSAPI >>> # ldap_user_object_class = user >>> # ldap_group_object_class = group >>> # ldap_user_home_directory = unixHomeDirectory >>> # ldap_user_principal = userPrincipalName >>> # ldap_account_expire_policy = ad >>> # ldap_force_upper_case_realm = true >>> # >>> # krb5_server = your.ad.example.com >>> # krb5_realm = EXAMPLE.COM >>> [domain/mpls.local] >>> cache_credentials = True >>> krb5_store_password_if_offline = True >>> ipa_domain = mpls.local >>> id_provider = ipa >>> auth_provider = ipa >>> access_provider = ipa >>> chpass_provider = ipa >>> ipa_dyndns_update = True >>> ipa_server = _srv_, ipaserver.mpls.local, ipaserver2.mpls.local >> Can you please for the sake of the test remove _srv_ from your >> configuration? >> There might be a bug in how we handle the case when the response from >> DNS lookup is not obtained or something like. >> It seems that it does not fail over properly. >> >>> ldap_tls_cacert = /etc/ipa/ca.crt >>> >>> NOTE: I manually added ipaserver2.mpls.local >>> >>> Where specifically should I add the debugging? >>> I added debug_level = 5 to [sssd] >> You can add it to the bottom. That should work. 
>> >>> [root at ipaserver ~]ifdown eth0 >>> >>> [root at ipaserver2 ~]ifup eth0 >>> >>> (Mon Sep 17 10:08:47 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping >>> (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging nss >>> (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging pam >>> (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping >>> (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping >>> (Mon Sep 17 10:08:57 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local >>> (Mon Sep 17 10:08:57 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping >>> (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging nss >>> (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging pam >>> (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping >>> (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping >>> (Mon Sep 17 10:09:07 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local >>> (Mon Sep 17 10:09:07 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping >>> (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging nss >>> (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging pam >>> (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping >>> (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping >>> (Mon Sep 17 10:09:17 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local >>> (Mon Sep 17 10:09:17 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping >>> (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging nss >>> (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging pam >>> (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping >>> 
(Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping >>> >> This is not the right log. The most informative one is called >> sssd_default.log. > Hello, > > I did the following: > > add 'debug_level = 8' to section [domain/mpls.local] > remove _srv_ from ipa_server = > > [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > Password for mike at MPLS.LOCAL: > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > > [root at ipaserver ~]ifdown eth0 > > [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. 
> [sssd_krb5_locator] sssd_krb5_locator_close called > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > Password for mike at MPLS.LOCAL: > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > > [root at ipaserver ~]ifup eth0 > [root at ipaserver2 ~]ifdown eth0 > > [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > Password for mike at MPLS.LOCAL: > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. > [sssd_krb5_locator] sssd_krb5_locator_close called > [sssd_krb5_locator] sssd_krb5_locator_init called > [sssd_krb5_locator] open failed [2][No such file or directory]. > [sssd_krb5_locator] get_krb5info failed. 
> [sssd_krb5_locator] sssd_krb5_locator_close called > [root at ipaclient ~]# > > > NOTES: > 1. The final kinit although successful, took considerably longer to complete So it was successful all three times, right? > 2. I do not have a /var/log/sssd/sssd_default.log Sorry I forgot that you explicitly renamed your domain from default. It would be /var/log/sssd_mpls.local.log then. > > Thanks, > Mike > > > >>>> rob >>>> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager for IdM portfolio >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> >> >> -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From mmercier at gmail.com Mon Sep 17 19:02:08 2012 From: mmercier at gmail.com (Michael Mercier) Date: Mon, 17 Sep 2012 15:02:08 -0400 Subject: [Freeipa-users] errors when one ipa server down In-Reply-To: <505771D6.4040006@redhat.com> References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <85ADE4BA-3215-4B94-A306-85CDD523CF74@gmail.com> <50574160.4080305@redhat.com> <5666AE1B-D603-4ACE-8B94-3AF4C9102DAB@gmail.com> <505771D6.4040006@redhat.com> Message-ID: <02B1BE00-230C-47A4-8621-4E4F2FB359FB@gmail.com> On 2012-09-17, at 2:54 PM, Dmitri Pal wrote: > On 09/17/2012 02:18 PM, Michael Mercier wrote: >> On 2012-09-17, at 11:27 AM, Dmitri Pal wrote: >> >>> On 09/17/2012 10:14 AM, Michael Mercier wrote: >>>> On 2012-09-07, at 4:50 PM, Rob Crittenden wrote: >>>> >>>>> Michael Mercier wrote: >>>>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote: >>>>>> >>>>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote: >>>>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote: >>>>>>>> >>>>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote: >>>>>>>>>> 
Hello, >>>>>>>>>> >>>>>>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR. >>>>>>>>>> >>>>>>>>>> [root at ipaserver ~]#ipa-replica-manage list >>>>>>>>>> ipaserver.mpls.local: master >>>>>>>>>> ipaserver2.mpls.local: master >>>>>>>>>> [root at ipaserver ~]# rpm -qa|grep ipa >>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>>>>> ipa-server-2.2.0-16.el6.x86_64 >>>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch >>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64 >>>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch >>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> [root at ipaserver2 ~]#ipa-replica-manage list >>>>>>>>>> ipaserver.mpls.local: master >>>>>>>>>> ipaserver2.mpls.local: master >>>>>>>>>> [root at ipaserver2 ~]# rpm -qa|grep ipa >>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>>>>> ipa-server-2.2.0-16.el6.x86_64 >>>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch >>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64 >>>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> [mike at ipaclient ~]$ rpm -qa|grep ipa >>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I have a webserver (zenoss) using kerberos authentication. 
>>>>>>>>>> >>>>>>>>>> [root at zenoss ~]# rpm -qa|grep ipa >>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64 >>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64 >>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64 >>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64 >>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch >>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> SSLRequireSSL >>>>>>>>>> AuthType Kerberos >>>>>>>>>> AuthName "Kerberos Login" >>>>>>>>>> >>>>>>>>>> KrbMethodK5Passwd Off >>>>>>>>>> KrbAuthRealms MPLS.LOCAL >>>>>>>>>> KrbSaveCredentials on >>>>>>>>>> KrbServiceName HTTP >>>>>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab >>>>>>>>>> >>>>>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName" >>>>>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e >>>>>>>>>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails. I have also noticed the following: >>>>>>>>>> >>>>>>>>>> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable. >>>>>>>>>> 2. It takes a longer period of time to do a kinit >>>>>>>>>> >>>>>>>>>> If I then perform: >>>>>>>>>> [root at ipaserver ~]#ifup eth0 >>>>>>>>>> >>>>>>>>>> [root at ipaserver2 ~]#ifdown eth0 >>>>>>>>>> >>>>>>>>>> [mike at ipaclient ~]$kinit >>>>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials >>>>>>>>>> >>>>>>>>>> [root at ipaserver2 ~]#ifup eth0 >>>>>>>>>> >>>>>>>>>> [mike at ipaclient ~]$ kinit >>>>>>>>>> Password for mike at MPLS.LOCAL: >>>>>>>>>> [mike at ipaclient ~]$ >>>>>>>>>> >>>>>>>>>> [root at ipaserver2 ~]#ifdown eth0 >>>>>>>>>> >>>>>>>>>> .. 
wait number of minutes >>>>>>>>>> >>>>>>>>>> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes >>>>>>>>>> >>>>>>>>>> [mike at ipaclient ~]$kinit >>>>>>>>>> Password for mike at MPLS.LOCAL: >>>>>>>>>> [mike at ipaclient ~]$ >>>>>>>>>> >>>>>>>>>> Any ideas? >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> Mike >>>>>>>>> This seems to be some DNS problem. >>>>>>>>> Your client does not see the second replica and might have some name >>>>>>>>> resolution timeouts. >>>>>>>>> >>>>>>>>> Please check your dns setup and krb5.conf on the client. >>>>>>>>> >>>>>>>>> To help more we need more details about your client configuration DNS and >>>>>>>>> kerberos. >>>>>>>> Hi, >>>>>>>> >>>>>>>> Additional information... >>>>>>>> >>>>>>>> [root at zenoss ~]#more /etc/resolv.conf >>>>>>>> search mpls.local >>>>>>>> domain mpls.local >>>>>>>> nameserver 172.16.112.5 >>>>>>>> nameserver 172.16.112.8 >>>>>>>> >>>>>>>> [root at zenoss ~]# more /etc/krb5.conf >>>>>>>> #File modified by ipa-client-install >>>>>>>> >>>>>>>> [libdefaults] >>>>>>>> default_realm = MPLS.LOCAL >>>>>>>> dns_lookup_realm = true >>>>>>>> dns_lookup_kdc = true >>>>>>>> rdns = false >>>>>>>> ticket_lifetime = 24h >>>>>>>> forwardable = yes >>>>>>>> >>>>>>>> [realms] >>>>>>>> MPLS.LOCAL = { >>>>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt >>>>>>>> } >>>>>>>> >>>>>>>> [domain_realm] >>>>>>>> .mpls.local = MPLS.LOCAL >>>>>>>> mpls.local = MPLS.LOCAL >>>>>>>> >>>>>>>> [root at ipaclient ~]# more /etc/resolv.conf >>>>>>>> # Generated by NetworkManager >>>>>>>> search mpls.local >>>>>>>> nameserver 172.16.112.5 >>>>>>>> nameserver 172.16.112.8 >>>>>>>> >>>>>>>> [root at ipaclient ~]# more /etc/krb5.conf >>>>>>>> #File modified by ipa-client-install >>>>>>>> >>>>>>>> [libdefaults] >>>>>>>> default_realm = MPLS.LOCAL >>>>>>>> dns_lookup_realm = true >>>>>>>> dns_lookup_kdc = true >>>>>>>> rdns = false >>>>>>>> ticket_lifetime = 24h >>>>>>>> forwardable = yes >>>>>>>> >>>>>>>> [realms] 
>>>>>>>> MPLS.LOCAL = { >>>>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt >>>>>>>> } >>>>>>>> >>>>>>>> [domain_realm] >>>>>>>> .mpls.local = MPLS.LOCAL >>>>>>>> mpls.local = MPLS.LOCAL >>>>>>>> >>>>>>>> [root at ipaclient ~]# nslookup ipaserver >>>>>>>> Server: 172.16.112.5 >>>>>>>> Address: 172.16.112.5#53 >>>>>>>> >>>>>>>> Name: ipaserver.mpls.local >>>>>>>> Address: 172.16.112.5 >>>>>>>> >>>>>>>> [root at ipaserver ~]#ifdown eth0 >>>>>>>> >>>>>>>> [root at ipaclient ~]# nslookup ipaserver >>>>>>>> Server: 172.16.112.8 >>>>>>>> Address: 172.16.112.8#53 >>>>>>>> >>>>>>>> Name: ipaserver.mpls.local >>>>>>>> Address: 172.16.112.5 >>>>>>>> >>>>>>>> [root at ipaclient ~]# nslookup ipaserver2 >>>>>>>> Server: 172.16.112.8 >>>>>>>> Address: 172.16.112.8#53 >>>>>>>> >>>>>>>> Name: ipaserver2.mpls.local >>>>>>>> Address: 172.16.112.8 >>>>>>>> >>>>>>>> Copy/paste from the DNS page on ipaserver/ipaserver2 >>>>>>>> >>>>>>>> @ NS ipaserver.mpls.local. >>>>>>>> NS ipaserver2.mpls.local. >>>>>>>> _kerberos TXT MPLS.LOCAL >>>>>>>> _kerberos-master._tcp SRV 0 100 88 ipaserver >>>>>>>> SRV 0 100 88 ipaserver2 >>>>>>>> _kerberos-master._udp SRV 0 100 88 ipaserver >>>>>>>> SRV 0 100 88 ipaserver2 >>>>>>>> _kerberos._tcp SRV 0 100 88 ipaserver >>>>>>>> SRV 0 100 88 ipaserver2 >>>>>>>> _kerberos._udp SRV 0 100 88 ipaserver >>>>>>>> SRV 0 100 88 ipaserver2 >>>>>>>> _kpasswd._tcp SRV 0 100 464 ipaserver >>>>>>>> SRV 0 100 464 ipaserver2 >>>>>>>> _kpasswd._udp SRV 0 100 464 ipaserver >>>>>>>> SRV 0 100 464 ipaserver2 >>>>>>>> _ldap._tcp SRV 0 100 389 ipaserver >>>>>>>> SRV 0 100 389 ipaserver2 >>>>>>>> _ntp._udp SRV 0 100 123 ipaserver >>>>>>>> SRV 0 100 123 ipaserver2 >>>>>>>> ipaclient A 172.16.112.9 >>>>>>>> ipaclient2 A 172.16.112.145 >>>>>>>> ipaserver A 172.16.112.5 >>>>>>>> ipaserver2 A 172.16.112.8 >>>>>>>> zenoss A 172.16.112.6 >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Mike >>>>>>>> >>>>>>> I noticed that there is no domain line in the resolv.conf on the client. 
>>>>>>> AFAIU in this case it would determine the domain by the gethostname and >>>>>>> in case of network being down it will fail over to the hosts file. >>>>>>> I wonder what is in your /etc/hosts? >>>>>>> Does it have just a short host name? >>>>>> [root at ipaclient ~]# more /etc/hosts >>>>>> 127.0.0.1 localhost.localdomain localhost >>>>>> ::1 localhost6.localdomain6 localhost6 >>>>>> >>>>>> >>>>>> Add domain mpls.local to /etc/resolv.conf >>>>>> >>>>>> [root at ipaserver ~]#ifdown eth0 >>>>>> >>>>>> [root at ipaclient ~]# kinit mike >>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials >>>>>> [root at ipaclient ~]# nslookup ipaserver >>>>>> Server: 172.16.112.8 >>>>>> Address: 172.16.112.8#53 >>>>>> >>>>>> Name: ipaserver.mpls.local >>>>>> Address: 172.16.112.5 >>>>>> >>>>>> [root at ipaclient ~]# nslookup ipaserver2 >>>>>> Server: 172.16.112.8 >>>>>> Address: 172.16.112.8#53 >>>>>> >>>>>> Name: ipaserver2.mpls.local >>>>>> Address: 172.16.112.8 >>>>>> >>>>>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts >>>>>> >>>>>> [root at ipaserver ~]#ifup eth0 >>>>>> >>>>>> [root at ipaclient ~]# kinit mike >>>>>> Password for mike at MPLS.LOCAL: >>>>>> >>>>>> [root at ipaserver ~]#ifdown eth0 >>>>>> >>>>>> [root at ipaclient ~]# kinit mike >>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials >>>>>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._tcp >>>>>> Server: 172.16.112.8 >>>>>> Address: 172.16.112.8#53 >>>>>> >>>>>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver2.mpls.local. >>>>>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local. >>>>>> >>>>>> [root at ipaclient ~]# nslookup -type=srv _kerberos-master._udp >>>>>> Server: 172.16.112.5 >>>>>> Address: 172.16.112.5#53 >>>>>> >>>>>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver.mpls.local. 
>>>>>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
>>>>>>
>>>>>>
>>>>>> [root@ipaclient ~]# kinit mike
>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>
>>>>>> [root@ipaserver ~]# ifup eth0
>>>>>>
>>>>>> [root@ipaclient ~]# kinit mike
>>>>>> Password for mike@MPLS.LOCAL:
>>>>> I'd start with the sssd logs. Is it seeing the main server go offline and not switching to the second one? Or is it going into offline mode?
>>>>>
>>>>> Do you have _srv_ or both servers listed in ipa_server in /etc/sssd/sssd.conf?
>>>>>
>>>> Hello,
>>>>
>>>> [root@ipaclient ~]# more /etc/sssd/sssd.conf
>>>> [sssd]
>>>> config_file_version = 2
>>>> services = nss, pam
>>>> # SSSD will not start if you do not configure any domains.
>>>> # Add new domain configurations as [domain/] sections, and
>>>> # then add the list of domains (in the order you want them to be
>>>> # queried) to the "domains" attribute below and uncomment it.
>>>> # domains = LDAP
>>>>
>>>> domains = mpls.local
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>> # Example LDAP domain
>>>> # [domain/LDAP]
>>>> # id_provider = ldap
>>>> # auth_provider = ldap
>>>> # ldap_schema can be set to "rfc2307", which stores group member names in the
>>>> # "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
>>>> # the "member" attribute. If you do not know this value, ask your LDAP
>>>> # administrator.
>>>> # ldap_schema = rfc2307
>>>> # ldap_uri = ldap://ldap.mydomain.org
>>>> # ldap_search_base = dc=mydomain,dc=org
>>>> # Note that enabling enumeration will have a moderate performance impact.
>>>> # Consequently, the default value for enumeration is FALSE.
>>>> # Refer to the sssd.conf man page for full details.
>>>> # enumerate = false
>>>> # Allow offline logins by locally storing password hashes (default: false).
>>>> # cache_credentials = true
>>>>
>>>> # An example Active Directory domain. Please note that this configuration
>>>> # works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
>>>> # compliant attribute names. To support UNIX clients with AD 2003 or older,
>>>> # you must install Microsoft Services For Unix and map LDAP attributes onto
>>>> # msSFU30* attribute names.
>>>> # [domain/AD]
>>>> # id_provider = ldap
>>>> # auth_provider = krb5
>>>> # chpass_provider = krb5
>>>> #
>>>> # ldap_uri = ldap://your.ad.example.com
>>>> # ldap_search_base = dc=example,dc=com
>>>> # ldap_schema = rfc2307bis
>>>> # ldap_sasl_mech = GSSAPI
>>>> # ldap_user_object_class = user
>>>> # ldap_group_object_class = group
>>>> # ldap_user_home_directory = unixHomeDirectory
>>>> # ldap_user_principal = userPrincipalName
>>>> # ldap_account_expire_policy = ad
>>>> # ldap_force_upper_case_realm = true
>>>> #
>>>> # krb5_server = your.ad.example.com
>>>> # krb5_realm = EXAMPLE.COM
>>>> [domain/mpls.local]
>>>> cache_credentials = True
>>>> krb5_store_password_if_offline = True
>>>> ipa_domain = mpls.local
>>>> id_provider = ipa
>>>> auth_provider = ipa
>>>> access_provider = ipa
>>>> chpass_provider = ipa
>>>> ipa_dyndns_update = True
>>>> ipa_server = _srv_, ipaserver.mpls.local, ipaserver2.mpls.local
>>> Can you please for the sake of the test remove _srv_ from your
>>> configuration?
>>> There might be a bug in how we handle the case when the response from
>>> DNS lookup is not obtained or something like.
>>> It seems that it does not fail over properly.
>>>
>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>>
>>>> NOTE: I manually added ipaserver2.mpls.local
>>>>
>>>> Where specifically should I add the debugging?
>>>> I added debug_level = 5 to [sssd]
>>> You can add it to the bottom. That should work.
>>>
>>>> [root@ipaserver ~]# ifdown eth0
>>>>
>>>> [root@ipaserver2 ~]# ifup eth0
>>>>
>>>> (Mon Sep 17 10:08:47 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>>> (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>>> (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>>> (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>> (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>> (Mon Sep 17 10:08:57 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
>>>> (Mon Sep 17 10:08:57 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>>> (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>>> (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>>> (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>> (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>> (Mon Sep 17 10:09:07 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
>>>> (Mon Sep 17 10:09:07 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>>> (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>>> (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>>> (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>> (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>> (Mon Sep 17 10:09:17 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
>>>> (Mon Sep 17 10:09:17 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>>> (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>>> (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>>> (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>> (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>>
>>> This is not the right log. The most informative one is called
>>> sssd_default.log.
>> Hello,
>>
>> I did the following:
>>
>> add 'debug_level = 8' to section [domain/mpls.local]
>> remove _srv_ from ipa_server =
>>
>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> Password for mike@MPLS.LOCAL:
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>
>> [root@ipaserver ~]# ifdown eth0
>>
>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> Password for mike@MPLS.LOCAL:
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>
>> [root@ipaserver ~]# ifup eth0
>> [root@ipaserver2 ~]# ifdown eth0
>>
>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> Password for mike@MPLS.LOCAL:
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [root@ipaclient ~]#
>>
>>
>> NOTES:
>> 1. The final kinit although successful, took considerably longer to complete
>
> So it was successful all three times, right?

Yes, it was successful all three times.

>
>> 2. I do not have a /var/log/sssd/sssd_default.log
>
>
> Sorry I forgot that you explicitly renamed your domain from default.
> It would be /var/log/sssd_mpls.local.log then.

I set the log level to 8 and there is a large amount of data produced in this log file. Is there a level that you would suggest for me to share the information?

Thanks,
Mike

>
>>
>> Thanks,
>> Mike
>>
>>
>>
>>>>> rob
>>>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>
>

From Steven.Jones at vuw.ac.nz Mon Sep 17 20:32:32 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 17 Sep 2012 20:32:32 +0000
Subject: [Freeipa-users] NFS on Mac
In-Reply-To: <5057702C.2030102@redhat.com>
References: <1347894430.78736.YahooMailNeo@web163106.mail.bf1.yahoo.com> <50573FAD.8030008@redhat.com> <1347906088.5867.YahooMailNeo@web163102.mail.bf1.yahoo.com>, <5057702C.2030102@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4053CA522E@STAWINCOX10MBX1.staff.vuw.ac.nz>

If anyone has Mac instructions I'd love a copy pls.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, 18 September 2012 6:47 a.m.
To: george he
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] NFS on Mac

On 09/17/2012 02:21 PM, george he wrote:
sounds to me the link may work for nfs version 3 only. Now with IPA and NFS4, there got to be something more.
George

I do not know the exact steps on mac because there is no ipa-client on Mac so you would have to configure the machine to be an IPA client manually.
This would mean that you need to authenticate with kerberos and then make the nfs part use the credential cache of the logged in user (if you are planning to use it for users mounting shares).
This is what needs to happen conceptually. I know that people have done it in the past but I do not think there are instructions.
Once you managed to do it please see the presentation how to setup secure NFS on Linux
http://rhsummit.files.wordpress.com/2012/03/dickson_the_evolution_nfs_protocol.pdf
Maybe it will give you some hints and pointers.
The only known problem with this slide deck is that on slide 18 after kinit admin and before ipa-getkeytab you need to add service for the NFS server

ipa service-add nfs/`hostname`@EXAMPLE

HTH

________________________________
From: Dmitri Pal
To: freeipa-users at redhat.com
Sent: Monday, September 17, 2012 11:20 AM
Subject: Re: [Freeipa-users] NFS on Mac

On 09/17/2012 11:07 AM, george he wrote:
Hello all,
I have IPA server and NFS server set up on a computer running centos 6.3. Is there a way to set up a mac laptop to access the data on the NFS server? The laptop does not have a static IP. DNS is not configured with IPA.
If yes, how do I config the mac?

Is this what you are looking for?
http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/

Thanks,
George

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Sep 17 20:53:40 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 17 Sep 2012 16:53:40 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <02B1BE00-230C-47A4-8621-4E4F2FB359FB@gmail.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <85ADE4BA-3215-4B94-A306-85CDD523CF74@gmail.com> <50574160.4080305@redhat.com> <5666AE1B-D603-4ACE-8B94-3AF4C9102DAB@gmail.com> <505771D6.4040006@redhat.com> <02B1BE00-230C-47A4-8621-4E4F2FB359FB@gmail.com>
Message-ID: <50578DD4.3010700@redhat.com>

On 09/17/2012 03:02 PM, Michael Mercier wrote:
> On 2012-09-17, at 2:54 PM, Dmitri Pal wrote:
>
>> On 09/17/2012 02:18 PM, Michael Mercier wrote:
>>> On 2012-09-17, at 11:27 AM, Dmitri Pal wrote:
>>>
>>>> On 09/17/2012 10:14 AM, Michael Mercier wrote:
>>>>> On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
>>>>>
>>>>>> Michael Mercier wrote:
>>>>>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>>>>>
>>>>>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>>>>>
>>>>>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) set up using MMR.
>>>>>>>>>>>
>>>>>>>>>>> [root@ipaserver ~]# ipa-replica-manage list
>>>>>>>>>>> ipaserver.mpls.local: master
>>>>>>>>>>> ipaserver2.mpls.local: master
>>>>>>>>>>> [root@ipaserver ~]# rpm -qa|grep ipa
>>>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [root@ipaserver2 ~]# ipa-replica-manage list
>>>>>>>>>>> ipaserver.mpls.local: master
>>>>>>>>>>> ipaserver2.mpls.local: master
>>>>>>>>>>> [root@ipaserver2 ~]# rpm -qa|grep ipa
>>>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [mike@ipaclient ~]$ rpm -qa|grep ipa
>>>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I have a webserver (zenoss) using kerberos authentication.
>>>>>>>>>>>
>>>>>>>>>>> [root@zenoss ~]# rpm -qa|grep ipa
>>>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> SSLRequireSSL
>>>>>>>>>>> AuthType Kerberos
>>>>>>>>>>> AuthName "Kerberos Login"
>>>>>>>>>>>
>>>>>>>>>>> KrbMethodK5Passwd Off
>>>>>>>>>>> KrbAuthRealms MPLS.LOCAL
>>>>>>>>>>> KrbSaveCredentials on
>>>>>>>>>>> KrbServiceName HTTP
>>>>>>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>>>>>>>>>>
>>>>>>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>>>>>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>>>>>>>>>>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails. I have also noticed the following:
>>>>>>>>>>>
>>>>>>>>>>> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
>>>>>>>>>>> 2. It takes a longer period of time to do a kinit
>>>>>>>>>>>
>>>>>>>>>>> If I then perform:
>>>>>>>>>>> [root@ipaserver ~]# ifup eth0
>>>>>>>>>>>
>>>>>>>>>>> [root@ipaserver2 ~]# ifdown eth0
>>>>>>>>>>>
>>>>>>>>>>> [mike@ipaclient ~]$ kinit
>>>>>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>>>>>>
>>>>>>>>>>> [root@ipaserver2 ~]# ifup eth0
>>>>>>>>>>>
>>>>>>>>>>> [mike@ipaclient ~]$ kinit
>>>>>>>>>>> Password for mike@MPLS.LOCAL:
>>>>>>>>>>> [mike@ipaclient ~]$
>>>>>>>>>>>
>>>>>>>>>>> [root@ipaserver2 ~]# ifdown eth0
>>>>>>>>>>>
>>>>>>>>>>> .. wait number of minutes
>>>>>>>>>>>
>>>>>>>>>>> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
>>>>>>>>>>>
>>>>>>>>>>> [mike@ipaclient ~]$ kinit
>>>>>>>>>>> Password for mike@MPLS.LOCAL:
>>>>>>>>>>> [mike@ipaclient ~]$
>>>>>>>>>>>
>>>>>>>>>>> Any ideas?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Mike
>>>>>>>>>> This seems to be some DNS problem.
>>>>>>>>>> Your client does not see the second replica and might have some name
>>>>>>>>>> resolution timeouts.
>>>>>>>>>>
>>>>>>>>>> Please check your dns setup and krb5.conf on the client.
>>>>>>>>>>
>>>>>>>>>> To help more we need more details about your client configuration DNS and
>>>>>>>>>> kerberos.
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Additional information...
>>>>>>>>>
>>>>>>>>> [root@zenoss ~]# more /etc/resolv.conf
>>>>>>>>> search mpls.local
>>>>>>>>> domain mpls.local
>>>>>>>>> nameserver 172.16.112.5
>>>>>>>>> nameserver 172.16.112.8
>>>>>>>>>
>>>>>>>>> [root@zenoss ~]# more /etc/krb5.conf
>>>>>>>>> #File modified by ipa-client-install
>>>>>>>>>
>>>>>>>>> [libdefaults]
>>>>>>>>> default_realm = MPLS.LOCAL
>>>>>>>>> dns_lookup_realm = true
>>>>>>>>> dns_lookup_kdc = true
>>>>>>>>> rdns = false
>>>>>>>>> ticket_lifetime = 24h
>>>>>>>>> forwardable = yes
>>>>>>>>>
>>>>>>>>> [realms]
>>>>>>>>> MPLS.LOCAL = {
>>>>>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> [domain_realm]
>>>>>>>>> .mpls.local = MPLS.LOCAL
>>>>>>>>> mpls.local = MPLS.LOCAL
>>>>>>>>>
>>>>>>>>> [root@ipaclient ~]# more /etc/resolv.conf
>>>>>>>>> # Generated by NetworkManager
>>>>>>>>> search mpls.local
>>>>>>>>> nameserver 172.16.112.5
>>>>>>>>> nameserver 172.16.112.8
>>>>>>>>>
>>>>>>>>> [root@ipaclient ~]# more /etc/krb5.conf
>>>>>>>>> #File modified by ipa-client-install
>>>>>>>>>
>>>>>>>>> [libdefaults]
>>>>>>>>> default_realm = MPLS.LOCAL
>>>>>>>>> dns_lookup_realm = true
>>>>>>>>> dns_lookup_kdc = true
>>>>>>>>> rdns = false
>>>>>>>>> ticket_lifetime = 24h
>>>>>>>>> forwardable = yes
>>>>>>>>>
>>>>>>>>> [realms]
>>>>>>>>> MPLS.LOCAL = {
>>>>>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> [domain_realm]
>>>>>>>>> .mpls.local = MPLS.LOCAL
>>>>>>>>> mpls.local = MPLS.LOCAL
>>>>>>>>>
>>>>>>>>> [root@ipaclient ~]# nslookup ipaserver
>>>>>>>>> Server: 172.16.112.5
>>>>>>>>> Address: 172.16.112.5#53
>>>>>>>>>
>>>>>>>>> Name: ipaserver.mpls.local
>>>>>>>>> Address: 172.16.112.5
>>>>>>>>>
>>>>>>>>> [root@ipaserver ~]# ifdown eth0
>>>>>>>>>
>>>>>>>>> [root@ipaclient ~]# nslookup ipaserver
>>>>>>>>> Server: 172.16.112.8
>>>>>>>>> Address: 172.16.112.8#53
>>>>>>>>>
>>>>>>>>> Name: ipaserver.mpls.local
>>>>>>>>> Address: 172.16.112.5
>>>>>>>>>
>>>>>>>>> [root@ipaclient ~]# nslookup ipaserver2
>>>>>>>>> Server: 172.16.112.8
>>>>>>>>> Address: 172.16.112.8#53
>>>>>>>>>
>>>>>>>>> Name: ipaserver2.mpls.local
>>>>>>>>> Address: 172.16.112.8
>>>>>>>>>
>>>>>>>>> Copy/paste from the DNS page on ipaserver/ipaserver2
>>>>>>>>>
>>>>>>>>> @                       NS    ipaserver.mpls.local.
>>>>>>>>>                         NS    ipaserver2.mpls.local.
>>>>>>>>> _kerberos               TXT   MPLS.LOCAL
>>>>>>>>> _kerberos-master._tcp   SRV   0 100 88 ipaserver
>>>>>>>>>                         SRV   0 100 88 ipaserver2
>>>>>>>>> _kerberos-master._udp   SRV   0 100 88 ipaserver
>>>>>>>>>                         SRV   0 100 88 ipaserver2
>>>>>>>>> _kerberos._tcp          SRV   0 100 88 ipaserver
>>>>>>>>>                         SRV   0 100 88 ipaserver2
>>>>>>>>> _kerberos._udp          SRV   0 100 88 ipaserver
>>>>>>>>>                         SRV   0 100 88 ipaserver2
>>>>>>>>> _kpasswd._tcp           SRV   0 100 464 ipaserver
>>>>>>>>>                         SRV   0 100 464 ipaserver2
>>>>>>>>> _kpasswd._udp           SRV   0 100 464 ipaserver
>>>>>>>>>                         SRV   0 100 464 ipaserver2
>>>>>>>>> _ldap._tcp              SRV   0 100 389 ipaserver
>>>>>>>>>                         SRV   0 100 389 ipaserver2
>>>>>>>>> _ntp._udp               SRV   0 100 123 ipaserver
>>>>>>>>>                         SRV   0 100 123 ipaserver2
>>>>>>>>> ipaclient               A     172.16.112.9
>>>>>>>>> ipaclient2              A     172.16.112.145
>>>>>>>>> ipaserver               A     172.16.112.5
>>>>>>>>> ipaserver2              A     172.16.112.8
>>>>>>>>> zenoss                  A     172.16.112.6
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Mike
>>>>>>>>>
>>>>>>>> I noticed that there is no domain line in the resolv.conf on the client.
>>>>>>>> AFAIU in this case it would determine the domain by the gethostname and
>>>>>>>> in case of network being down it will fail over to the hosts file.
>>>>>>>> I wonder what is in your /etc/hosts?
>>>>>>>> Does it have just a short host name?
>>>>>>> [root@ipaclient ~]# more /etc/hosts
>>>>>>> 127.0.0.1 localhost.localdomain localhost
>>>>>>> ::1 localhost6.localdomain6 localhost6
>>>>>>>
>>>>>>>
>>>>>>> Add domain mpls.local to /etc/resolv.conf
>>>>>>>
>>>>>>> [root@ipaserver ~]# ifdown eth0
>>>>>>>
>>>>>>> [root@ipaclient ~]# kinit mike
>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>> [root@ipaclient ~]# nslookup ipaserver
>>>>>>> Server: 172.16.112.8
>>>>>>> Address: 172.16.112.8#53
>>>>>>>
>>>>>>> Name: ipaserver.mpls.local
>>>>>>> Address: 172.16.112.5
>>>>>>>
>>>>>>> [root@ipaclient ~]# nslookup ipaserver2
>>>>>>> Server: 172.16.112.8
>>>>>>> Address: 172.16.112.8#53
>>>>>>>
>>>>>>> Name: ipaserver2.mpls.local
>>>>>>> Address: 172.16.112.8
>>>>>>>
>>>>>>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts
>>>>>>>
>>>>>>> [root@ipaserver ~]# ifup eth0
>>>>>>>
>>>>>>> [root@ipaclient ~]# kinit mike
>>>>>>> Password for mike@MPLS.LOCAL:
>>>>>>>
>>>>>>> [root@ipaserver ~]# ifdown eth0
>>>>>>>
>>>>>>> [root@ipaclient ~]# kinit mike
>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>> [root@ipaclient ~]# nslookup -type=srv _kerberos-master._tcp
>>>>>>> Server: 172.16.112.8
>>>>>>> Address: 172.16.112.8#53
>>>>>>>
>>>>>>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
>>>>>>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local.
>>>>>>>
>>>>>>> [root@ipaclient ~]# nslookup -type=srv _kerberos-master._udp
>>>>>>> Server: 172.16.112.5
>>>>>>> Address: 172.16.112.5#53
>>>>>>>
>>>>>>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver.mpls.local.
>>>>>>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
>>>>>>>
>>>>>>>
>>>>>>> [root@ipaclient ~]# kinit mike
>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>>
>>>>>>> [root@ipaserver ~]# ifup eth0
>>>>>>>
>>>>>>> [root@ipaclient ~]# kinit mike
>>>>>>> Password for mike@MPLS.LOCAL:
>>>>>> I'd start with the sssd logs. Is it seeing the main server go offline and not switching to the second one? Or is it going into offline mode?
>>>>>>
>>>>>> Do you have _srv_ or both servers listed in ipa_server in /etc/sssd/sssd.conf?
>>>>>>
>>>>> Hello,
>>>>>
>>>>> [root@ipaclient ~]# more /etc/sssd/sssd.conf
>>>>> [sssd]
>>>>> config_file_version = 2
>>>>> services = nss, pam
>>>>> # SSSD will not start if you do not configure any domains.
>>>>> # Add new domain configurations as [domain/] sections, and
>>>>> # then add the list of domains (in the order you want them to be
>>>>> # queried) to the "domains" attribute below and uncomment it.
>>>>> # domains = LDAP
>>>>>
>>>>> domains = mpls.local
>>>>> [nss]
>>>>>
>>>>> [pam]
>>>>>
>>>>> # Example LDAP domain
>>>>> # [domain/LDAP]
>>>>> # id_provider = ldap
>>>>> # auth_provider = ldap
>>>>> # ldap_schema can be set to "rfc2307", which stores group member names in the
>>>>> # "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
>>>>> # the "member" attribute. If you do not know this value, ask your LDAP
>>>>> # administrator.
>>>>> # ldap_schema = rfc2307
>>>>> # ldap_uri = ldap://ldap.mydomain.org
>>>>> # ldap_search_base = dc=mydomain,dc=org
>>>>> # Note that enabling enumeration will have a moderate performance impact.
>>>>> # Consequently, the default value for enumeration is FALSE.
>>>>> # Refer to the sssd.conf man page for full details.
>>>>> # enumerate = false
>>>>> # Allow offline logins by locally storing password hashes (default: false).
>>>>> # cache_credentials = true
>>>>>
>>>>> # An example Active Directory domain. Please note that this configuration
>>>>> # works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
>>>>> # compliant attribute names. To support UNIX clients with AD 2003 or older,
>>>>> # you must install Microsoft Services For Unix and map LDAP attributes onto
>>>>> # msSFU30* attribute names.
>>>>> # [domain/AD]
>>>>> # id_provider = ldap
>>>>> # auth_provider = krb5
>>>>> # chpass_provider = krb5
>>>>> #
>>>>> # ldap_uri = ldap://your.ad.example.com
>>>>> # ldap_search_base = dc=example,dc=com
>>>>> # ldap_schema = rfc2307bis
>>>>> # ldap_sasl_mech = GSSAPI
>>>>> # ldap_user_object_class = user
>>>>> # ldap_group_object_class = group
>>>>> # ldap_user_home_directory = unixHomeDirectory
>>>>> # ldap_user_principal = userPrincipalName
>>>>> # ldap_account_expire_policy = ad
>>>>> # ldap_force_upper_case_realm = true
>>>>> #
>>>>> # krb5_server = your.ad.example.com
>>>>> # krb5_realm = EXAMPLE.COM
>>>>> [domain/mpls.local]
>>>>> cache_credentials = True
>>>>> krb5_store_password_if_offline = True
>>>>> ipa_domain = mpls.local
>>>>> id_provider = ipa
>>>>> auth_provider = ipa
>>>>> access_provider = ipa
>>>>> chpass_provider = ipa
>>>>> ipa_dyndns_update = True
>>>>> ipa_server = _srv_, ipaserver.mpls.local, ipaserver2.mpls.local
>>>> Can you please for the sake of the test remove _srv_ from your
>>>> configuration?
>>>> There might be a bug in how we handle the case when the response from
>>>> DNS lookup is not obtained or something like.
>>>> It seems that it does not fail over properly.
>>>>
>>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>>>
>>>>> NOTE: I manually added ipaserver2.mpls.local
>>>>>
>>>>> Where specifically should I add the debugging?
>>>>> I added debug_level = 5 to [sssd]
>>>> You can add it to the bottom. That should work.
>>>>
>>>>> [root@ipaserver ~]# ifdown eth0
>>>>>
>>>>> [root@ipaserver2 ~]# ifup eth0
>>>>>
>>>>> (Mon Sep 17 10:08:47 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>>>> (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>>>> (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>>>> (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>>> (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>>> (Mon Sep 17 10:08:57 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
>>>>> (Mon Sep 17 10:08:57 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>>>> (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>>>> (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>>>> (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>>> (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>>> (Mon Sep 17 10:09:07 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
>>>>> (Mon Sep 17 10:09:07 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>>>> (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>>>> (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>>>> (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>>> (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>>> (Mon Sep 17 10:09:17 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
>>>>> (Mon Sep 17 10:09:17 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>>>> (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>>>> (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>>>> (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>>> (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>>>
>>>> This is not the right log. The most informative one is called
>>>> sssd_default.log.
>>> Hello,
>>>
>>> I did the following:
>>>
>>> add 'debug_level = 8' to section [domain/mpls.local]
>>> remove _srv_ from ipa_server =
>>>
>>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> Password for mike@MPLS.LOCAL:
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>>
>>> [root@ipaserver ~]# ifdown eth0
>>>
>>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called >>> [sssd_krb5_locator] sssd_krb5_locator_init called >>> [sssd_krb5_locator] open failed [2][No such file or directory]. >>> [sssd_krb5_locator] get_krb5info failed. >>> [sssd_krb5_locator] sssd_krb5_locator_close called >>> [sssd_krb5_locator] sssd_krb5_locator_init called >>> [sssd_krb5_locator] open failed [2][No such file or directory]. >>> [sssd_krb5_locator] get_krb5info failed. >>> [sssd_krb5_locator] sssd_krb5_locator_close called >>> Password for mike at MPLS.LOCAL: >>> [sssd_krb5_locator] sssd_krb5_locator_init called >>> [sssd_krb5_locator] open failed [2][No such file or directory]. >>> [sssd_krb5_locator] get_krb5info failed. >>> [sssd_krb5_locator] sssd_krb5_locator_close called >>> [sssd_krb5_locator] sssd_krb5_locator_init called >>> [sssd_krb5_locator] open failed [2][No such file or directory]. >>> [sssd_krb5_locator] get_krb5info failed. >>> [sssd_krb5_locator] sssd_krb5_locator_close called >>> >>> [root at ipaserver ~]ifup eth0 >>> [root at ipaserver2 ~]ifdown eth0 >>> >>> [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike >>> [sssd_krb5_locator] sssd_krb5_locator_init called >>> [sssd_krb5_locator] open failed [2][No such file or directory]. >>> [sssd_krb5_locator] get_krb5info failed. >>> [sssd_krb5_locator] sssd_krb5_locator_close called >>> [sssd_krb5_locator] sssd_krb5_locator_init called >>> [sssd_krb5_locator] open failed [2][No such file or directory]. >>> [sssd_krb5_locator] get_krb5info failed. >>> [sssd_krb5_locator] sssd_krb5_locator_close called >>> [sssd_krb5_locator] sssd_krb5_locator_init called >>> [sssd_krb5_locator] open failed [2][No such file or directory]. >>> [sssd_krb5_locator] get_krb5info failed. >>> [sssd_krb5_locator] sssd_krb5_locator_close called >>> Password for mike at MPLS.LOCAL: >>> [sssd_krb5_locator] sssd_krb5_locator_init called >>> [sssd_krb5_locator] open failed [2][No such file or directory]. >>> [sssd_krb5_locator] get_krb5info failed. 
>>> [sssd_krb5_locator] sssd_krb5_locator_close called >>> [sssd_krb5_locator] sssd_krb5_locator_init called >>> [sssd_krb5_locator] open failed [2][No such file or directory]. >>> [sssd_krb5_locator] get_krb5info failed. >>> [sssd_krb5_locator] sssd_krb5_locator_close called >>> [root at ipaclient ~]# >>> >>> >>> NOTES: >>> 1. The final kinit although successful, took considerably longer to complete >> So it was successful all three times, right? > Yes, it was successful all three times. > >>> 2. I do not have a /var/log/sssd/sssd_default.log >> >> Sorry I forgot that you explicitly renamed your domain from default. >> It would be /var/log/sssd_mpls.local.log then. > I set the log level to 8 and there is a large amount of data produced in this log file. Is there a level that you would suggest for me to share the information? It is hard to say where the problem is. Something is definitely wrong with DNS resolution and failing over after it. I know that this area was rewritten in SSSD 1.9 so this specific issue might already be addressed. Also it would be interesting to check if your DNS actually returns the ipaserver2 server as the alternative to ipaserver. If it does not that can be a part of the problem. So we can continue troubleshooting in this case we would need the logs with high debug level (tar and zip and may be open a trac ticket and attach it there) or you can try 1.9 RC1 and see if the problem is already addressed there. Alternatively you can remove _srv_ from your configuration assuming the DNS configuration is correct and we actually have a bug (but I am still not convinced). > > Thanks, > Mike > >>> Thanks, >>> Mike >>> >>> >>> >>>>>> rob >>>>>> >>>> -- >>>> Thank you, >>>> Dmitri Pal >>>> >>>> Sr. Engineering Manager for IdM portfolio >>>> Red Hat Inc. >>>> >>>> >>>> ------------------------------- >>>> Looking to carve out IT costs? >>>> www.redhat.com/carveoutcosts/ >>>> >>>> >>>> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. 
Engineering Manager for IdM portfolio >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> >> >> -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From Steven.Jones at vuw.ac.nz Mon Sep 17 20:55:56 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 17 Sep 2012 20:55:56 +0000 Subject: [Freeipa-users] winsync agreements, mostly one way. Message-ID: <833D8E48405E064EBC54C84EC6B36E4053CA5428@STAWINCOX10MBX1.staff.vuw.ac.nz> In section 8.4.5 it talks about making an agreement one way...which is mostly what I want, so everything incl password changes from AD to IPA. except I want account disabled / enabled to flow both ways. So if I do a ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com dn: cn=ipa-winsync,cn=plugins,cn=config changetype: modify add: oneWaySync oneWaySync: fromWindows Does this effect bi-directional disabling? I assume it does....... So then I have to do a, ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com dn: cn=ipa-winsync,cn=plugins,cn=config changetype: modify ipaWinSyncAcctDisable: both is that syntax right? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Mon Sep 17 21:22:33 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 17 Sep 2012 17:22:33 -0400 Subject: [Freeipa-users] winsync agreements, mostly one way. 
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4053CA5428@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA5428@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50579499.5050205@redhat.com>

On 09/17/2012 04:55 PM, Steven Jones wrote:
> In section 8.4.5 it talks about making an agreement one way...which is
> mostly what I want, so everything incl password changes from AD to
> IPA, except I want account disabled / enabled to flow both ways.
>
> So if I do a
>
> ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com
> dn: cn=ipa-winsync,cn=plugins,cn=config
> changetype: modify
> add: oneWaySync
> oneWaySync: fromWindows
>
> Does this affect bi-directional disabling? I assume it does.......
>
> So then I have to do a,
>
> ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com
> dn: cn=ipa-winsync,cn=plugins,cn=config
> changetype: modify
> ipaWinSyncAcctDisable: both
>
> is that syntax right?
>

The Winsync plugin used in IPA comes originally from DS. In the context of IPA
it can be only one way, so changing this configuration is not something we
expect or that would work in IPA. In the DS context you can have two-way sync
of users and groups.

AFAIK (Rich, please correct me) we do not replicate the enabled/disabled
status from IPA to AD. Conceptually we think of AD as the authoritative source
for the information. Allowing a user to be disabled by the IPA admin and then
replicating this status back violates this model and would sound really
dangerous for the AD side. Are you sure that, even if that were allowed, your
AD admins would actually permit you to do that?

Anyways, so far it is one of the limitations of the current product. You can
definitely explain the use case in a bit more detail and file an RFE. If the
use case is compelling we will consider it for a later release.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Mon Sep 17 21:34:47 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 17 Sep 2012 21:34:47 +0000
Subject: [Freeipa-users] winsync agreements, mostly one way.
In-Reply-To: <50579499.5050205@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA5428@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50579499.5050205@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4053CA5458@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I'm confused, as section 8.4.5 page 182 first para.... of the Red Hat admin
guide for IPA says this (it's bi-directional).....so that section needs
updating?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From rmeggins at redhat.com Mon Sep 17 21:43:39 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 17 Sep 2012 15:43:39 -0600
Subject: [Freeipa-users] winsync agreements, mostly one way.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4053CA5458@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA5428@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50579499.5050205@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA5458@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5057998B.7070000@redhat.com>

On 09/17/2012 03:34 PM, Steven Jones wrote:
> Hi,
>
> I'm confused, as section 8.4.5 page 182 first para....
>
> of the Red Hat admin guide for IPA says this (it's
> bi-directional).....so that section needs updating?

In IPA, adding users is uni-directional, from AD to IPA. However, once the
users are in sync, updates are bi-directional. This includes account disable,
which syncs both directions.
From Steven.Jones at vuw.ac.nz Mon Sep 17 21:57:57 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 17 Sep 2012 21:57:57 +0000
Subject: [Freeipa-users] winsync agreements, mostly one way.
In-Reply-To: <5057998B.7070000@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA5428@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50579499.5050205@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA5458@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057998B.7070000@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4053CA547E@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

So cool, I think that is what I want....but I think the documentation should
be updated with this comment as it makes it a lot clearer.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Mon Sep 17 22:17:50 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 17 Sep 2012 22:17:50 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
Message-ID: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I just tried to do a winsync agreement specifying the AD point as
cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are not in the
users folder but the VUW_Staff folder (at the same level), and it wiped all
IPA users that are also in AD.

While doing the actual update, does this get verbosely logged anywhere, as
opposed to "update in progress" dumped to the screen? Something went badly
wrong, I just don't know what.

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From rmeggins at redhat.com Mon Sep 17 23:37:57 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 17 Sep 2012 17:37:57 -0600
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5057B455.7040006@redhat.com>

On 09/17/2012 04:17 PM, Steven Jones wrote:
> Hi,
>
> I just tried to do a winsync agreement specifying the AD point as
> cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are not
> in the users folder but the VUW_Staff folder (at the same level), and
> it wiped all IPA users that are also in AD.

Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of scope

> While doing the actual update, does this get verbosely logged anywhere,
> as opposed to "update in progress" dumped to the screen? Something
> went badly wrong, I just don't know what.

You are seeing something different than #355?

> :/
>
> regards
>
> Steven Jones

From Steven.Jones at vuw.ac.nz Tue Sep 18 00:17:52 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 18 Sep 2012 00:17:52 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <5057B455.7040006@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

The first time I missed the --win-subtree settings, so I wiped the admins in
the IPA admin group and users, as they were not in cn=users as per the bug.
The second time, as far as I can tell, I specified the correct cn via the
win-subtree flag but I still appear to have lost the users in IPA.....now I
expected to lose the admins but the loss of users as well confounds me.

I did a ldapsearch as per checking and it seems to be saying the right
folder/ou/cn but IPA is empty.

Hence I was wondering if there was a log recording what the update was doing
so I could try and figure out the mistake. I've tried grepping, can't find any
indication.

I will re-try with -v, verbose.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From rmeggins at redhat.com Tue Sep 18 00:47:27 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 17 Sep 2012 18:47:27 -0600
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5057C49F.6040304@redhat.com>

On 09/17/2012 06:17 PM, Steven Jones wrote:
> Hi,
>
> The first time I missed the --win-subtree settings, so I wiped the admins
> in the IPA admin group and users, as they were not in cn=users as per
> the bug. The second time, as far as I can tell, I specified the correct
> cn via the win-subtree flag but I still appear to have lost the users in
> IPA.....now I expected to lose the admins but the loss of users as
> well confounds me.
>
> I did a ldapsearch as per checking and it seems to be saying the
> right folder/ou/cn but IPA is empty.
>
> Hence I was wondering if there was a log recording what the update was
> doing so I could try and figure out the mistake. I've tried grepping,
> can't find any indication.
>
> I will re-try with -v, verbose.

It is not clear from the manuals, but no matter what --win-subtree you
specify, winsync will search AD starting from the dc=domain suffix. So, for
example, if you have cn=mystaff,cn=staff,dc=example,dc=com and you specify
--win-subtree "cn=mystaff,cn=staff,dc=example,dc=com", winsync will still
search starting from dc=example,dc=com and will hit ticket/355 if there are
any users outside of cn=mystaff,cn=staff,dc=example,dc=com that have the same
username as a user in IPA.
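The scope behaviour Rich describes above can be checked before an agreement is created. What follows is an added example, not 389-ds or FreeIPA code: given the configured --win-subtree, (DN, sAMAccountName) pairs exported from AD and the IPA usernames, it reports which IPA users have their only AD account outside the subtree but inside the dc= suffix, the ones the ticket #355 behaviour would delete. The DN helpers, the sample entries and the assumption that an in-scope account outranks a same-named out-of-scope one are mine.

```python
"""Preflight check for an IPA winsync agreement (added example, not project code).

Models the behaviour described in the thread: whatever --win-subtree is given,
winsync searches AD from the dc= suffix of that DN, so an AD account outside the
subtree whose username matches an IPA user is treated as out of scope and, with
389 ticket #355 unfixed, the IPA entry is deleted.

DN handling is simplified (no escaped commas); all sample data is constructed.
"""
from typing import Dict, List, Set, Tuple


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Split a DN into RDNs, lower-cased and whitespace-stripped, for comparison."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def domain_suffix(dn: str) -> Tuple[str, ...]:
    """Trailing dc= components of a DN: the base winsync actually searches from."""
    suffix: List[str] = []
    for rdn in reversed(normalize_dn(dn)):
        if not rdn.startswith("dc="):
            break
        suffix.insert(0, rdn)
    return tuple(suffix)


def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or sits anywhere below it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def winsync_preflight(win_subtree: str,
                      ad_entries: List[Tuple[str, str]],
                      ipa_users: Set[str]) -> Dict[str, List[str]]:
    """Classify each IPA username against the AD accounts winsync will see.

    ad_entries: (dn, sAMAccountName) pairs, e.g. collected with
        ldapsearch -b dc=example,dc=com '(sAMAccountName=*)' sAMAccountName
    Returns sorted lists:
        in_scope : IPA users with an AD account under win_subtree (sync normally)
        at_risk  : IPA users whose only AD account lies outside win_subtree but
                   inside the dc= suffix (deleted from IPA by the #355 behaviour)
        ipa_only : IPA users with no AD account in the searched suffix (untouched)
    """
    suffix = domain_suffix(win_subtree)
    in_scope: Set[str] = set()
    out_of_scope: Set[str] = set()
    for dn, sam in ad_entries:
        if domain_suffix(dn) != suffix:
            continue  # different naming context: not part of this search
        name = sam.lower()
        if is_under(dn, win_subtree):
            in_scope.add(name)
        else:
            out_of_scope.add(name)
    users = {u.lower() for u in ipa_users}
    # Assumption: an in-scope account wins over a same-named out-of-scope one.
    return {
        "in_scope": sorted(users & in_scope),
        "at_risk": sorted((users & out_of_scope) - in_scope),
        "ipa_only": sorted(users - in_scope - out_of_scope),
    }


# Constructed sample data, not from any real directory.
SAMPLE_AD_ENTRIES = [
    ("CN=Alice Adams,CN=mystaff,CN=staff,DC=example,DC=com", "alice"),
    ("CN=Bob Brown,CN=Users,DC=example,DC=com", "bob"),            # outside subtree
    ("CN=Carol Cole,OU=Contractors,DC=example,DC=com", "carol"),  # outside, not in IPA
]
SAMPLE_IPA_USERS = {"alice", "bob", "dave"}

if __name__ == "__main__":
    result = winsync_preflight("cn=mystaff,cn=staff,dc=example,dc=com",
                               SAMPLE_AD_ENTRIES, SAMPLE_IPA_USERS)
    for key, names in result.items():
        print(f"{key:9s}: {', '.join(names) or '-'}")
    # at_risk lists bob: his IPA entry would be deleted by the #355 behaviour
```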
From Steven.Jones at vuw.ac.nz Tue Sep 18 01:10:53 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 18 Sep 2012 01:10:53 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <5057C49F.6040304@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I understand that I'll lose users that are in cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc

This I don't understand....

I have the -v already, any way to make it very verbose?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From thildred at redhat.com Tue Sep 18 01:25:57 2012
From: thildred at redhat.com (Tim Hildred)
Date: Mon, 17 Sep 2012 21:25:57 -0400 (EDT)
Subject: [Freeipa-users] Password requirements too stringent
In-Reply-To: <45750243.1020792.1347931136304.JavaMail.root@redhat.com>
Message-ID: <1953305360.1021445.1347931557383.JavaMail.root@redhat.com>

Hey all;

I'm running IPA internally to control access to our cloud environment.

I must admit, I do not understand the password requirements. I have had them
set to the defaults.

I read this:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html

I have the minimum character classes set to 0. When people use SSH to change
their passwords, they get "Based on a dictionary word" for passwords that have
nothing to do with dictionary words.

I can't find anywhere in the documentation a breakdown of what makes an
unacceptable versus acceptable password.

Can anyone help me figure out what to tell my users? I think people would get
a lot less frustrated if they knew why "C679V375" was "too simple" when the
password policy has 0 required classes.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thildred at redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

ps: funny exchange with user:

Jul 12 14:12:33 i feel like im being punked
Jul 12 14:12:40 it is based on a dictionary word
Jul 12 14:12:43 it is too short
Jul 12 14:12:49 it does not have enough unique letters
Jul 12 14:12:51 etc

From thildred at redhat.com Tue Sep 18 01:39:09 2012
From: thildred at redhat.com (Tim Hildred)
Date: Mon, 17 Sep 2012 21:39:09 -0400 (EDT)
Subject: [Freeipa-users] Password Expiration Grace Limit
In-Reply-To:
Message-ID: <1104620993.1023199.1347932349457.JavaMail.root@redhat.com>

> There seems to be nothing in the documentation about a user being
> able to initiate a password change dialogue after their password has
> expired

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Using_SSH_for_Password_Authentication.html

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thildred at redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

From Steven.Jones at vuw.ac.nz Tue Sep 18 01:44:54 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 18 Sep 2012 01:44:54 +0000
Subject: [Freeipa-users] Password requirements too stringent
In-Reply-To: <1953305360.1021445.1347931557383.JavaMail.root@redhat.com>
References: <45750243.1020792.1347931136304.JavaMail.root@redhat.com>, <1953305360.1021445.1347931557383.JavaMail.root@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4053CA65DF@STAWINCOX10MBX1.staff.vuw.ac.nz>

Maybe it's the local system having requirements and not IPA? In my secure logs
I see pam is querying first locally and then the sss daemon....maybe it's
failing you on the default RH setup of the OS?
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Tim Hildred [thildred at redhat.com] Sent: Tuesday, 18 September 2012 1:25 p.m. To: freeipa-users Subject: [Freeipa-users] Password requirements too stringent Hey all; I'm running IPA internally to control access to our cloud environment. I must admit, I do not understand the password requirements. I have had them set to the defaults. I read this: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html I have the minimum character classes set to 0. When people use SSH to change their passwords, they get "Based on a dictionary word" for passwords that have nothing to do with dictionary words. I can't find anywhere in the documentation a break down of what makes an unacceptable versus acceptable password. Can anyone help me figure out what to tell my users? I think people would get a lot less frustrated if they knew why "C679V375" was "too simple" when the password policy has 0 required classes. Tim Hildred, RHCE Content Author II - Engineering Content Services, Red Hat, Inc. 
From JR.Aquino at citrix.com Tue Sep 18 02:37:48 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 18 Sep 2012 02:37:48 +0000
Subject: [Freeipa-users] Password requirements too stringent
In-Reply-To: <1953305360.1021445.1347931557383.JavaMail.root@redhat.com>
References: <1953305360.1021445.1347931557383.JavaMail.root@redhat.com>
Message-ID: <6EBA0483-980D-490A-8CE1-54023A9649A6@citrixonline.com>

Tim, please check your /etc/pam.d/system-auth with the password block. If you see password requisite pam_cracklib.so, then this is why you are having a problem.

$ man pam_cracklib

It is a local security library for enforcing strong password practices from the unix cli.

ProTip:
If you don't need this, you can remove it from pam
If you want to work around this, set your password from the IPA webui or via the cli: "ipa passwd username"

Hope this info helps!

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JR Aquino

Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Incident Handler | GIAC WebApplication Penetration Tester
JR.Aquino at citrix.com

Powering mobile workstyles and cloud services

On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:

Hey all;

I'm running IPA internally to control access to our cloud environment.

I must admit, I do not understand the password requirements. I have had them set to the defaults.
I read this:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html

I have the minimum character classes set to 0. When people use SSH to change their passwords, they get "Based on a dictionary word" for passwords that have nothing to do with dictionary words.

I can't find anywhere in the documentation a breakdown of what makes an unacceptable versus acceptable password.

Can anyone help me figure out what to tell my users? I think people would get a lot less frustrated if they knew why "C679V375" was "too simple" when the password policy has 0 required classes.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.

From thildred at redhat.com Tue Sep 18 02:53:29 2012
From: thildred at redhat.com (Tim Hildred)
Date: Mon, 17 Sep 2012 22:53:29 -0400 (EDT)
Subject: [Freeipa-users] Password requirements too stringent
In-Reply-To: <6EBA0483-980D-490A-8CE1-54023A9649A6@citrixonline.com>
Message-ID: <1996182256.1044935.1347936809705.JavaMail.root@redhat.com>

JR

I had that line. I commented it out. Thank you.

Now, what do I have to restart?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thildred at redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

----- Original Message -----
> From: "JR Aquino"
> To: "Tim Hildred"
> Cc: "freeipa-users"
> Sent: Tuesday, September 18, 2012 12:37:48 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
>
> Tim, please check your /etc/pam.d/system-auth with the password
> block. If you see password requisite pam_cracklib.so, then
> this is why you are having a problem.
>
> $ man pam_cracklib
>
> It is a local security library for enforcing strong password
> practices from the unix cli.
>
> ProTip:
> If you don't need this, you can remove it from pam
> If you want to work around this, set your password from the IPA webui
> or via the cli: "ipa passwd username"
>
> Hope this info helps!
From JR.Aquino at citrix.com Tue Sep 18 02:57:49 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 18 Sep 2012 02:57:49 +0000
Subject: [Freeipa-users] Password requirements too stringent
In-Reply-To: <1996182256.1044935.1347936809705.JavaMail.root@redhat.com>
References: <1996182256.1044935.1347936809705.JavaMail.root@redhat.com>
Message-ID: <1FB7AD4E-C6CC-4B40-A9C9-0A88F991938E@citrixonline.com>

On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:

> JR
>
> I had that line. I commented it out. Thank you.
>
> Now, what do I have to restart?

I believe it should take effect in real time, but you may need to test to be sure. If it is still happening, you may need to double check that some other pam cfg doesn't also have it present:

$ cd /etc/pam.d/ && grep pam_cracklib *

If you have removed it from everything and it is still giving you the same error, then I would try a reboot... perhaps getty needs to reinitialize or something. But I'd try those steps before a reboot!

;)
From jhrozek at redhat.com Tue Sep 18 07:29:12 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 18 Sep 2012 09:29:12 +0200
Subject: [Freeipa-users] Password requirements too stringent
In-Reply-To: <1FB7AD4E-C6CC-4B40-A9C9-0A88F991938E@citrixonline.com>
References: <1996182256.1044935.1347936809705.JavaMail.root@redhat.com> <1FB7AD4E-C6CC-4B40-A9C9-0A88F991938E@citrixonline.com>
Message-ID: <20120918072912.GA31442@hendrix.brq.redhat.com>

On Tue, Sep 18, 2012 at 02:57:49AM +0000, JR Aquino wrote:
>
> On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:
>
> > JR
> >
> > I had that line. I commented it out. Thank you.
> >
> > Now, what do I have to restart?
>
> I believe it should take effect in real time, but you may need to test to be sure. If it is still happening, you may need to double check that some other pam cfg doesn't also have it present: $ cd /etc/pam.d/ && grep pam_cracklib *
>
> If you have removed it from everything and it is still giving you the same error, then I would try a reboot...
> perhaps getty needs to reinitialize or something. But I'd try those steps before a reboot!
>
> ;)
>

Some services, notably the sshd, must be restarted in order to re-read the PAM config.

From jhrozek at redhat.com Tue Sep 18 08:03:08 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 18 Sep 2012 10:03:08 +0200
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <50573F1B.7050100@redhat.com>
References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com> <504DA634.8010903@redhat.com> <50573F1B.7050100@redhat.com>
Message-ID: <20120918080308.GB31442@hendrix.brq.redhat.com>

On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
> > [root at ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8
> >
> > [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
> > [sssd_krb5_locator] sssd_krb5_locator_init called
> > [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> > [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
> > [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
> > [sssd_krb5_locator] [172.16.112.8] used
> > [sssd_krb5_locator] sssd_krb5_locator_close called
> > [sssd_krb5_locator] sssd_krb5_locator_init called
> > [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> > [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
> > [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
> > [sssd_krb5_locator] [172.16.112.8] used
> > [sssd_krb5_locator] sssd_krb5_locator_close called
> > kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>
> Jakub, does this make sense to you?
> As stated elsewhere in this thread, bare kinit does not contact the SSSD at all. You want to go through the PAM stack (with "su - mike" or "ssh mike at ipaclient") in order to contact the SSSD so that the SSSD refreshes the file.

Does using "su - mike" refresh the file?

Michael also said that the IP address 172.16.112.8 is the address of the server that is down. I assume that at one point the SSSD was using that server but no request came to the SSSD since the last one, so the SSSD did not fail over to the other configured server. Your SRV records indicated that the servers had the same priority fields, so selecting one over another is pretty much random.

I don't think the SSSD is operating in offline mode completely, otherwise it would have removed the file to avoid this kind of timeout.

Bottom line, kinit does not contact the SSSD and does not refresh the address via the locator plugin. Returning multiple addresses from the locator plugin or creating a smarter way of interacting between the Kerberos tools and the SSSD is the scope of https://fedorahosted.org/sssd/ticket/941

From Duncan.Innes at virginmoney.com Tue Sep 18 11:05:26 2012
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Tue, 18 Sep 2012 12:05:26 +0100
Subject: [Freeipa-users] Cmd-line Unprovision & OTP setting for a host
In-Reply-To: <1FB7AD4E-C6CC-4B40-A9C9-0A88F991938E@citrixonline.com>
References: <1996182256.1044935.1347936809705.JavaMail.root@redhat.com> <1FB7AD4E-C6CC-4B40-A9C9-0A88F991938E@citrixonline.com>
Message-ID: <56343345B145C043AE990701E3D193952B5644@EXVS2.nrplc.localnet>

Folks,

Juggling a problem here that perhaps doesn't have a perfect solution. I'm looking at systems that get re-provisioned by a Satellite/Spacewalk/Installation method. For full (Free)IPA integration, we normally delete the old entry from IPA, create a new one from scratch and set the OTP to match what we put in our post-install script called by the kickstart file.
Just noticed that I can do the same thing by Unprovisioning the system via the WebUI and then setting the OTP.

Is there a way to Unprovision a registered host and set an OTP via the command line? I was looking at 'ipa host-mod --setattr' but not getting too far with the Unprovisioning aspect.

Duncan Innes | Linux Architect | Virgin Money | +44 1603 215476 | +44 7801 134507 | duncan.innes at virginmoney.com
From shelltoesuperstar at gmail.com Tue Sep 18 11:34:20 2012
From: shelltoesuperstar at gmail.com (Charlie Derwent)
Date: Tue, 18 Sep 2012 12:34:20 +0100
Subject: [Freeipa-users] Cmd-line Unprovision & OTP setting for a host
In-Reply-To: <56343345B145C043AE990701E3D193952B5644@EXVS2.nrplc.localnet>
References: <1996182256.1044935.1347936809705.JavaMail.root@redhat.com> <1FB7AD4E-C6CC-4B40-A9C9-0A88F991938E@citrixonline.com> <56343345B145C043AE990701E3D193952B5644@EXVS2.nrplc.localnet>
Message-ID:

Hi

I've used "ipa host-disable ${HOST}; ipa host-mod --password=${PASS} ${HOST}" in the past and that seems to work quite well. The ideal for me would be a situation where the IPA information could persist between rebuilds.

Cheers,
Charlie

On Tue, Sep 18, 2012 at 12:05 PM, Innes, Duncan <Duncan.Innes at virginmoney.com> wrote:

> Folks,
>
> Juggling a problem here that perhaps doesn't have a perfect solution.
> I'm looking at systems that get re-provisioned by a
> Satellite/Spacewalk/Installation method. For full (Free)IPA
> integration, we normally delete the old entry from IPA, create a new one
> from scratch and set the OTP to match what we put in our post-install
> script called by the kickstart file.
>
> Just noticed that I can do the same thing by Unprovisioning the system
> via the WebUI and then setting the OTP.
>
> Is there a way to Unprovision a registered host and set an OTP via the
> command line? I was looking at 'ipa host-mod --setattr' but not getting
> too far with the Unprovisioning aspect.
From jreg2k at gmail.com Tue Sep 18 12:27:49 2012
From: jreg2k at gmail.com (James James)
Date: Tue, 18 Sep 2012 14:27:49 +0200
Subject: [Freeipa-users] MemberOf plugin and LDAP filter
Message-ID:

Hi everybody,

can somebody help me with the memberof plugin? Is there a way to add the memberof attribute like it was in 389-ds?
For my mailing list program, I want to have the emails of all the persons belonging to a group. Is there a filter to do that?

Thanks.

From rmeggins at redhat.com Tue Sep 18 12:32:16 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 18 Sep 2012 06:32:16 -0600
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <505869D0.3060703@redhat.com>

On 09/17/2012 07:10 PM, Steven Jones wrote:
> Hi,
>
> I understand that I'll lose users that are cn=Staff_Admins,dc=etc
>
> So the Q is why I am losing users in the --win-subtree
> cn=VUW_Staff,dc= etc
>
> This I don't understand....
>
> I have the -v already, anyway to make it very verbose?
http://port389.org/wiki/FAQ#Troubleshooting

Use the replication log level 8192

I'd like to see the directory server errors log /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the --win-subtree cn=VUW_Staff,dc= etc

> ------------------------------------------------------------------------
> *From:* Rich Megginson [rmeggins at redhat.com]
> *Sent:* Tuesday, 18 September 2012 12:47 p.m.
> *To:* Steven Jones
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/17/2012 06:17 PM, Steven Jones wrote:
>> Hi,
>>
>> The first time missed the --win-subtree settings so I wiped the
>> admins in the IPA admin group and users as they were not in cn=users
>> as per the bug. The second time as far as I can tell I specified the
>> correct cn via win-subtree flag but I still appear to have lost the
>> users in IPA.....now I expected to lose the admins but the loss of
>> users as well confounds me.
>>
>> I did a ldapsearch as per checking and it seems to be saying the
>> right folder/ou/cn but IPA is empty.
>>
>> Hence I was wondering if there was a log recording what the update
>> was doing so I could try and figure out the mistake. I've tried
>> grepping, can't find any indication.
>>
>> I will re-try with -v, verbose.
>
> It is not clear from the manuals, but no matter what --win-subtree you
> specify, winsync will search AD starting from the dc=domain suffix.
> So, for example, if you have
> cn=mystaff,cn=staff,dc=example,dc=com
> and you specify
> --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"
> winsync will still search starting from dc=example,dc=com and will hit
> ticket/355 if there are any users outside of
> cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a
> user in IPA.
> >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ------------------------------------------------------------------------ >> *From:* Rich Megginson [rmeggins at redhat.com] >> *Sent:* Tuesday, 18 September 2012 11:37 a.m. >> *To:* Steven Jones >> *Cc:* freeipa-users at redhat.com >> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >> >> On 09/17/2012 04:17 PM, Steven Jones wrote: >>> Hi, >>> >>> I just tried to do a winsync agreement with specifying the AD point >>> as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are >>> not in the users folder but the VUW_Staff folder (at the same level) >>> and it wiped all IPA users that are also in AD. >> >> Yes, this is what happens with https://fedorahosted.org/389/ticket/355 >> #355 winsync should not delete entry that appears to be out of scope >> >>> While doing the actual update does this get verbosly logged anywhere >>> as opposed to "update in progress" dumped to the screen? Something >>> went badly wrong, I just dont know what. >> >> You are seeing something different than #355? >> >>> >>> :/ >>> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sigbjorn at nixtra.com Tue Sep 18 13:28:50 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 18 Sep 2012 15:28:50 +0200 Subject: [Freeipa-users] MemberOf plugin and LDAP filter In-Reply-To: References: Message-ID: <50587712.80709@nixtra.com> On 09/18/2012 02:27 PM, James James wrote: > Hi everybody, > > can somebody help me with the memberof plugin ? 
Is there a way to add > the memberof attribute like it was in 389-ds ? > For my mailing list program, I want to have the email of the emails of > all the person belongings to a group. Is there a filter to do that ? > > Thanks. > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users Hi, This works for me: ldapsearch -Y GSSAPI memberof=cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com mail Regards, Siggi -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Sep 18 13:54:23 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 18 Sep 2012 09:54:23 -0400 Subject: [Freeipa-users] MemberOf plugin and LDAP filter In-Reply-To: References: Message-ID: <50587D0F.8020209@redhat.com> James James wrote: > Hi everybody, > > can somebody help me with the memberof plugin ? Is there a way to add > the memberof attribute like it was in 389-ds ? > For my mailing list program, I want to have the email of the emails of > all the person belongings to a group. Is there a filter to do that ? To find all e-mail address of users in group "mygroup" use: $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail This will include nested users who are in groups that are members of mygroup. 
rob From rcritten at redhat.com Tue Sep 18 13:56:25 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 18 Sep 2012 09:56:25 -0400 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <505869D0.3060703@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz> <505869D0.3060703@redhat.com> Message-ID: <50587D89.6060505@redhat.com> Rich Megginson wrote: > On 09/17/2012 07:10 PM, Steven Jones wrote: >> Hi, >> >> I understand that I'll lose users that are cn=Staff_Admins,dc=etc >> >> So the Q is why I am losing users in the --win-subtree >> cn=VUW_Staff,dc= etc > > > >> >> This I dont understand.... >> >> I have the -v already, anyway to make it very verbose? > > http://port389.org/wiki/FAQ#Troubleshooting > Use the replication log level 8192 > I'd like to see the directory server errors log > /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under > the --win-subtree cn=VUW_Staff,dc= etc IPA doesn't get a per-entry status update when doing replication. We can just ask "are we done yet?" If not print Update in progress... rob From Duncan.Innes at virginmoney.com Tue Sep 18 13:59:42 2012 From: Duncan.Innes at virginmoney.com (Innes, Duncan) Date: Tue, 18 Sep 2012 14:59:42 +0100 Subject: [Freeipa-users] Cmd-line Unprovision & OTP setting for a host In-Reply-To: References: <1996182256.1044935.1347936809705.JavaMail.root@redhat.com> <1FB7AD4E-C6CC-4B40-A9C9-0A88F991938E@citrixonline.com> <56343345B145C043AE990701E3D193952B5644@EXVS2.nrplc.localnet> Message-ID: <56343345B145C043AE990701E3D193952B564C@EXVS2.nrplc.localnet> Thanks, I stumbled across the same resolution just before I went for lunch. Found myself more keen to eat and less keen to let you all know I'd found a solution. 
Not sure IPA could re-use all the information between rebuilds quite as freely as you want. Unless you backup the IPA certificate etc. before re-provisioning and then restore the relevant details on rebuild. Would that be possible? Finally, appologies for the utter failure to edit the cruft out of my original message before sending it. Cheers Duncan > From: Charlie Derwent > Sent: 18 September 2012 12:34 > To: Innes, Duncan > Cc: freeipa-users > Subject: Re: [Freeipa-users] Cmd-line Unprovision & OTP setting for a host > > Hi > > I've used "ipa host-disable ${HOST}; ipa host-mod --password=${PASS} ${HOST}" > In the past and that seems to work quite well. The ideal for me would be a > situation where the IPA information could persist between rebuilds. > > Cheers, > Charlie > > On Tue, Sep 18, 2012 at 12:05 PM, Innes, Duncan wrote: > > > Folks, > > > > Juggling a problem here that perhaps doesn't have a perfect solution. > > I'm looking at systems that get re-provisioned by a > > Satellite/Spacewalk/Installation method. For full (Free)IPA > > integration, we normally delete the old entry from IPA, create a new one > > from scratch and set the OTP to match what we put in our post-install > > script called by the kickstart file. > > > > Just noticed that I can do the same thing by Unprovisioning the system > > via the WebUI and then setting the OTP. > > > > Is there a way to Unprovision a registered host and set a OTP via the > > command line? I was looking at 'ipa host-mod --setattr' but not getting > > too far with the Unprovisioning aspect. > > > > Duncan Innes | Linux Architect | Virgin Money > > Northern Rock plc is part of the Virgin Money group of companies. This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message. Virgin Money Personal Financial Service Limited is authorised and regulated by the Financial Services Authority. Company no. 3072766. 
Virgin Money Unit Trust Managers Limited is authorised and regulated by the Financial Services Authority. Company no. 3000482. Virgin Money Cards Limited. Introducer appointed representative only of Virgin Money Personal Financial Service Limited. Company no. 4232392. Virgin Money Management Services Limited. Company no. 3072772. Virgin Money Holdings (UK) Limited. Company no. 3087587. Each of the above companies is registered in England and Wales and has its registered office at Discovery House, Whiting Road, Norwich NR4 6EJ. Northern Rock plc. Authorised and regulated by the Financial Services Authority. Registered in England and Wales (Company no. 6952311) with its registered office at Northern Rock House, Gosforth, Newcastle upon Tyne NE3 4PL. The above companies use the trading name Virgin Money.

From jreg2k at gmail.com Tue Sep 18 14:03:42 2012
From: jreg2k at gmail.com (James James)
Date: Tue, 18 Sep 2012 16:03:42 +0200
Subject: [Freeipa-users] MemberOf plugin and LDAP filter
In-Reply-To: <50587D0F.8020209@redhat.com>
References: <50587D0F.8020209@redhat.com>
Message-ID:

Thanks for your answer. In my group I have two users but when I use this command:

$ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail

the result is:

# search result
search: 2
result: 0 Success

How can I check my memberOf plugin ?

2012/9/18 Rob Crittenden > James James wrote: > >> Hi everybody, >> >> can somebody help me with the memberof plugin ? Is there a way to add >> the memberof attribute like it was in 389-ds ? >> For my mailing list program, I want to have the email of the emails of >> all the person belongings to a group. Is there a filter to do that ?
>> > > To find all e-mail address of users in group "mygroup" use: > > $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=**example,dc=com' > '(memberOf=cn=mygroup,cn=**groups,cn=accounts,dc=example,**dc=com)' mail > > This will include nested users who are in groups that are members of > mygroup. > > rob > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jreg2k at gmail.com Tue Sep 18 14:05:28 2012 From: jreg2k at gmail.com (James James) Date: Tue, 18 Sep 2012 16:05:28 +0200 Subject: [Freeipa-users] MemberOf plugin and LDAP filter In-Reply-To: References: <50587D0F.8020209@redhat.com> Message-ID: Oups in the first message I should write : I want to have the email of the emails of all the person belonging to a group. and not I want to have the email of the emails of all the person belongingS to a group. :0) 2012/9/18 James James > Thanks for your answer. > In my group I have to users but when I use this command : > > > $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' > '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail > > the result is: > > # search result > search: 2 > result: 0 Success > > How can I check my memberOf plugin ? > > > > 2012/9/18 Rob Crittenden > >> James James wrote: >> >>> Hi everybody, >>> >>> can somebody help me with the memberof plugin ? Is there a way to add >>> the memberof attribute like it was in 389-ds ? >>> For my mailing list program, I want to have the email of the emails of >>> all the person belongings to a group. Is there a filter to do that ? >>> >> >> To find all e-mail address of users in group "mygroup" use: >> >> $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=**example,dc=com' >> '(memberOf=cn=mygroup,cn=**groups,cn=accounts,dc=example,**dc=com)' mail >> >> This will include nested users who are in groups that are members of >> mygroup. >> >> rob >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
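Rob's memberOf search above, as an added example that is not code from the thread or from FreeIPA: a Python script that builds the filter, parses the LDIF that ldapsearch prints into mail addresses, and checks a single user's memberOf values, which is where to look when the search comes back empty as it did here. The base DN follows the thread's example; the group and user names and the ldapsearch output are constructed.

```python
"""Mail addresses of a FreeIPA group's members via the memberOf filter.

Added example, not code from the thread or from FreeIPA: builds Rob's
filter, parses the LDIF ldapsearch prints, collects mail, and checks one
user's memberOf values (the first thing to look at when the search is empty
as James's was). Names and the ldapsearch output below are constructed.
"""
import base64
import re
from typing import Dict, List

BASE_DN = "dc=example,dc=com"  # suffix used in the thread's examples
Entry = Dict[str, List[str]]


def escape_filter_value(value: str) -> str:
    """Escape a value placed inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def group_dn(group: str, base_dn: str = BASE_DN) -> str:
    """DN of a FreeIPA user group (cn=groups,cn=accounts container)."""
    return f"cn={group},cn=groups,cn=accounts,{base_dn}"


def memberof_filter(group: str, base_dn: str = BASE_DN) -> str:
    """The filter from Rob's answer: (memberOf=<group DN>)."""
    return f"(memberOf={escape_filter_value(group_dn(group, base_dn))})"


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader for ldapsearch output: unfolds continuation
    lines, skips comments, decodes base64 ('::') values and keeps only
    records with a dn (the 'search:/result:' trailer has none, which is
    all James's empty result contained)."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():            # blank line ends a record
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):        # attr:: base64value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    if "dn" in current:
        entries.append(current)
    return entries


def mail_addresses(ldif_text: str) -> List[str]:
    """Every mail value in the output, in order; [] when nothing matched."""
    return [m for e in parse_ldif(ldif_text) for m in e.get("mail", [])]


def normalize_dn(dn: str) -> str:
    """Case-insensitive DN comparison, whitespace around commas dropped
    (a simplification of full DN matching)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def is_member(entry: Entry, group: str, base_dn: str = BASE_DN) -> bool:
    """Does the user's memberOf list the group DN?"""
    wanted = normalize_dn(group_dn(group, base_dn))
    return any(normalize_dn(v) == wanted for v in entry.get("memberof", []))


# Constructed output of Rob's search for 'mygroup' with two members.
SAMPLE_GROUP_SEARCH = """\
# filter: (memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)
# requesting: mail

# alice, users, accounts, example.com
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
mail: alice@example.com

# bob, users, accounts, example.com
dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
mail: bob@example.com
mail:: cm9iZXJ0QGV4YW1wbGUuY29t

# search result
search: 2
result: 0 Success
"""

# Constructed output matching what James saw: no entries at all.
SAMPLE_EMPTY_SEARCH = "# search result\nsearch: 2\nresult: 0 Success\n"

# Constructed output of 'ldapsearch ... uid=alice memberOf' for one user.
SAMPLE_USER_SEARCH = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com
"""
```

Feed real ldapsearch output to `mail_addresses`; if it returns nothing, run the per-user search and pass its output through `parse_ldif` and `is_member` to see whether the memberOf attribute is there at all.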
URL: From dpal at redhat.com Tue Sep 18 14:41:46 2012 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 18 Sep 2012 10:41:46 -0400 Subject: [Freeipa-users] Cmd-line Unprovision & OTP setting for a host In-Reply-To: References: <1996182256.1044935.1347936809705.JavaMail.root@redhat.com> <1FB7AD4E-C6CC-4B40-A9C9-0A88F991938E@citrixonline.com> <56343345B145C043AE990701E3D193952B5644@EXVS2.nrplc.localnet> Message-ID: <5058882A.6010208@redhat.com> On 09/18/2012 07:34 AM, Charlie Derwent wrote: > Hi > > I've used "ipa host-disable ${HOST}; ipa host-mod --password=${PASS} > ${HOST}" In the past and that seems to work quite well. The ideal for > me would be a situation where the IPA information could persist > between rebuilds. Can you please elaborate more? Between rebuilds of what client or server? And what information you want to persist: cert, keytab, OTP? Thanks Dmitri > > Cheers, > Charlie > On Tue, Sep 18, 2012 at 12:05 PM, Innes, Duncan > > > wrote: > > Folks, > > Juggling a problem here that perhaps doesn't have a perfect solution. > I'm looking at systems that get re-provisioned by a > Satellite/Spacewalk/Installation method. For full (Free)IPA > integration, we normally delete the old entry from IPA, create a > new one > from scratch and set the OTP to match what we put in our post-install > script called by the kickstart file. > > Just noticed that I can do the same thing by Unprovisioning the system > via the WebUI and then setting the OTP. > > Is there a way to Unprovision a registered host and set a OTP via the > command line? I was looking at 'ipa host-mod --setattr' but not > getting > too far with the Unprovisioning aspect. 
> > Duncan Innes | Linux Architect | Virgin Money | +44 1603 215476 > | +44 > 7801 134507 | duncan.innes at virginmoney.com > > > > > > -----Original Message----- > > From: freeipa-users-bounces at redhat.com > > > [mailto:freeipa-users-bounces at redhat.com > ] On Behalf Of JR Aquino > > Sent: 18 September 2012 03:58 > > To: Tim Hildred > > Cc: freeipa-users > > Subject: Re: [Freeipa-users] Password requirements too stringent > > > > > > On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote: > > > > > JR > > > > > > I had that line. I commented it out. Thank you. > > > > > > Now, what do I have to restart? > > > > I believe it should take effect in real time, but you may > > need to test to be sure. If it is still happening, you may > > need to double check that some other pam cfg doesn't also > > have it present: $ cd /etc/pam.d/ && grep pam_cracklib * > > > > If you have removed it from everything and it is still giving > > you the same error, then I would try a reboot... perhaps > > getty needs to reinitialize or something. But I'd try those > > steps before a reboot! > > > > ;) > > > > > Tim Hildred, RHCE > > > Content Author II - Engineering Content Services, Red Hat, Inc. > > > Brisbane, Australia > > > Email: thildred at redhat.com > > > Internal: 8588287 > > > Mobile: +61 4 666 25242 > > > IRC: thildred > > > > > > ----- Original Message ----- > > >> From: "JR Aquino" > > > >> To: "Tim Hildred" > > > >> Cc: "freeipa-users" > > > >> Sent: Tuesday, September 18, 2012 12:37:48 PM > > >> Subject: Re: [Freeipa-users] Password requirements too stringent > > >> > > >> Tim, please check your /etc/pam.d/system-auth with the password > > >> block. If you see password requisite pam_cracklib.so, > then > > >> this is why you are having a problem. > > >> > > >> $ man pam_cracklib > > >> > > >> It is a local security library for enforcing strong password > > >> practices from the unix cli. 
> > >> > > >> ProTip: > > >> If you don't need this, you can remove it from pam If you want to > > >> work around this, set your password from the IPA webui or via the > > >> cli: "ipa passwd username" > > >> > > >> Hope this info helps! > > >> > > >> "Keeping your head in the cloud" > > >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > >> JR Aquino > > >> > > >> Senior Information Security Specialist, Technical Operations > > >> T: +1 805 690 3478 | F: +1 805 > 879 3730 | M: +1 805 717 0365 > GIAC > > >> Certified Incident Handler | GIAC WebApplication > > Penetration Tester > > >> JR.Aquino at citrix.com > > > > >> > > >> > > >> [cid:image002.jpg at 01CD4A37.5451DC00] > > >> > > >> Powering mobile workstyles and cloud services > > >> > > >> > > >> > > >> > > >> > > >> On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote: > > >> > > >> Hey all; > > >> > > >> I'm running IPA internally to control access to our cloud > > >> environment. > > >> > > >> I must admit, I do not understand the password > > requirements. I have > > >> had them set to the defaults. I read this: > > >> > > > https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Lin > > >> ux/6/html/Identity_Management_Guide/user-pwdpolicy.html > > >> > > >> I have the minimum character classes set to 0. When people > > use SSH to > > >> change their passwords, they get "Based on a dictionary word" for > > >> passwords that have nothing to do with dictionary words. > > >> > > >> I can't find anywhere in the documentation a break down of > > what makes > > >> an unacceptable versus acceptable password. > > >> > > >> Can anyone help me figure out what to tell my users? I > > think people > > >> would get a lot less frustrated if they knew why > > "C679V375" was "too > > >> simple" when the password policy has 0 required classes. > > >> > > >> Tim Hildred, RHCE > > >> Content Author II - Engineering Content Services, Red Hat, Inc. 
> > >> Brisbane, Australia > > >> Email: thildred at redhat.com > > >> Internal: 8588287 > > >> Mobile: +61 4 666 25242 > > >> IRC: thildred > > >> > > >> ps: funny exchange with user: > > >> Jul 12 14:12:33 i feel like im being punked Jul 12 > > 14:12:40 > > >> it is based on a dictionary word Jul 12 14:12:43 > > it > > >> is too short Jul 12 14:12:49 is does not have > > enough unique > > >> letters Jul 12 14:12:51 etc > > >> > > >> _______________________________________________ > > >> Freeipa-users mailing list > > >> Freeipa-users at redhat.com > > >> https://www.redhat.com/mailman/listinfo/freeipa-users > > >> > > >> > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > >
> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users

-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From rcritten at redhat.com Tue Sep 18 14:47:14 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 18 Sep 2012 10:47:14 -0400
Subject: [Freeipa-users] MemberOf plugin and LDAP filter
In-Reply-To:
References: <50587D0F.8020209@redhat.com>
Message-ID: <50588972.1010808@redhat.com>

James James wrote: > Oups in the first message I should write : > I want to have the email of the emails of all the person belonging to a > group. > > and not > I want to have the email of the emails of all the person belongingS to a > group. > > :0)

I'd pick a user you know is in the group and start there:

ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' uid=someuser memberof

Confirm that there is a memberof for that user. This is all pre-configured, there shouldn't be the need to do anything.

rob

> > > 2012/9/18 James James > > > Thanks for your answer. > In my group I have two users but when I use this command : > > > $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' > '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail > > the result is: > > # search result > search: 2 > result: 0 Success > > How can I check my memberOf plugin ?
> > > > 2012/9/18 Rob Crittenden > > > James James wrote: > > Hi everybody, > > can somebody help me with the memberof plugin ? Is there a > way to add > the memberof attribute like it was in 389-ds ? > For my mailing list program, I want to have the email of the > emails of > all the person belongings to a group. Is there a filter to > do that ? > > > To find all e-mail address of users in group "mygroup" use: > > $ ldapsearch -Y GSSAPI -b > 'cn=users,cn=accounts,dc=__example,dc=com' > '(memberOf=cn=mygroup,cn=__groups,cn=accounts,dc=example,__dc=com)' > mail > > This will include nested users who are in groups that are > members of mygroup. > > rob > > > From mmercier at gmail.com Tue Sep 18 18:38:13 2012 From: mmercier at gmail.com (Michael Mercier) Date: Tue, 18 Sep 2012 14:38:13 -0400 Subject: [Freeipa-users] errors when one ipa server down In-Reply-To: <20120918080308.GB31442@hendrix.brq.redhat.com> References: <05E4D95B-464F-4872-BA92-CA4B27488C37@gmail.com> <504A1D65.40500@redhat.com> <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com> <504DA634.8010903@redhat.com> <50573F1B.7050100@redhat.com> <20120918080308.GB31442@hendrix.brq.redhat.com> Message-ID: <6403B493-B1B6-4684-A986-6AC26F3B344F@gmail.com> On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote: > On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: >>> [root at ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8 >>> >>> [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike >>> [sssd_krb5_locator] sssd_krb5_locator_init called >>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL]. 
>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1] >>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2] >>> [sssd_krb5_locator] [172.16.112.8] used >>> [sssd_krb5_locator] sssd_krb5_locator_close called >>> [sssd_krb5_locator] sssd_krb5_locator_init called >>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL]. >>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1] >>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1] >>> [sssd_krb5_locator] [172.16.112.8] used >>> [sssd_krb5_locator] sssd_krb5_locator_close called >>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials >> >> Jakub, does this make sense to you? >> > > As stated elsewhere in this thread, bare kinit does not contact the SSSD > at all. You want to go through the PAM stack (with "su - mike" or "ssh > mike at ipaclient") in order to contact the SSSD so that the SSSD refreshes > the file. > > Does using "su - mike" refresh the file? When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. e.g. [root at ipaclient sssd]# su - mike [mike at ipaclient ~]$ exit logout [root at ipaserver ~]ifdown eth0 [root at ipaclient sssd]# su - mike [mike at ipaclient ~]$ exit logout [root at ipaserver ~]ifup eth0 [root at ipaserver2 ~]ifdown eth0 [root at ipaclient sssd]# su - mike [mike at ipaclient ~]$ exit logout [root at ipaserver ~]ifdown eth0 [root at ipaserver2 ~]ifup eth0 [root at ipaclient sssd]# su - mike # short delay ~2 seconds [mike at ipaclient ~]$ exit logout [root at ipaserver ~]ifup eth0 [root at ipaserver2 ~]ifdown eth0 [root at ipaclient sssd]# su - mike # short delay ~2 seconds [mike at ipaclient ~]$ exit logout I do not seem to have any sssd problems. 
Thanks, Mike > > Michael also said that the IP address 172.16.112.8 is the address of the > server that is down. I assume that at one point the SSSD was using that > server but no request came to the SSSD since the last one, so the SSSD > did not fail over to the other configured server. Your SRV records > indicated that the servers had the same priority fields, so selecting on > over another is pretty much random. > > I don't think the SSSD is operating in offline mode completely, > otherwise it would have removed the file to avoid this kind of timeouts. > > Bottom line, kinit does not contact the SSSD and does not refresh the > address via the locator plugin. > > Returning multiple addresses from the locator plugin or creating a > smarter way of interacting between the Kerberos tools and the SSSD is > the scope of https://fedorahosted.org/sssd/ticket/941 > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From lagern at lafayette.edu Tue Sep 18 19:06:46 2012 From: lagern at lafayette.edu (Nathan Lager) Date: Tue, 18 Sep 2012 15:06:46 -0400 Subject: [Freeipa-users] sudden ipa errors. In-Reply-To: <504DE30A.9080004@redhat.com> References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com> <50352675.3010602@lafayette.edu> <50353C21.1050002@redhat.com> <5035482C.3080508@lafayette.edu> <50355701.403@redhat.com> <5036674F.40400@lafayette.edu> <5037E76F.7000902@redhat.com> <504DE30A.9080004@redhat.com> Message-ID: <5058C646.8010308@lafayette.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sorry for falling off like that. I opened a RedHat ticket on the issue, and have been running in circles with them. I forgot to check on the list for responses. I'm still having problems. Someone suggested I try: kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu Which i just did, and it worked, or, at least it initialized my session. 
I'm still unable to execute ipa commands. In fact, I'm unable to execute almost any ipa commands. The web interface works, but only after RedHat had me enable kerberos password auth in the httpd config. So I can now auth to the web gui interactively, instead of requiring a kinit from my workstation. The only real client I have here is RHEV. And auth there still works except on accounts which have expired. Those accounts can't even change their passwords. RedHat had me disable the password expiration via the web gui, however that hasn't helped accounts that are already expired. RedHat is currently blaming time skew, which I think is ridiculous. I'm testing my ipa commands right on the ipa master. How could there possibly be time skew? I did find that the time on my replica was off, but my replica isn't working anyway, which is a whole other issue. I think it needs to be flattened, and re-joined. On 09/10/2012 08:54 AM, Dmitri Pal wrote: > On 08/24/2012 04:43 PM, Rob Crittenden wrote: >> Nathan Lager wrote: >>> This did not seem to help... >>> >> >> What else isn't working? Does the UI work? Do clients on other >> machines work? Does user lookup still work? >> >> rob > > > Was this issue ever resolved? > >> >>> >>> On 08/22/2012 06:02 PM, Rob Crittenden wrote: >>>> Nathan Lager wrote: >>>>> [root at ipaserver PROD krb5kdc]# ipactl status Directory >>>>> Service: RUNNING KDC Service: RUNNING KPASSWD Service: >>>>> RUNNING MEMCACHE Service: RUNNING HTTP Service: RUNNING CA >>>>> Service: RUNNING [root at ipaserver PROD krb5kdc]# rpm -qa | >>>>> grep ipa-server ipa-server-selinux-2.2.0-16.el6.x86_64 >>>>> ipa-server-2.2.0-16.el6.x86_64 >>>> >>>> I'd try removing /tmp/krb5cc_48. This is the ccache used by >>>> Apache for doing S4U2Proxy. No restart of httpd should be >>>> required.
>>>> >>>> rob >>>> >>>>> >>>>> >>>>> On 08/22/2012 04:08 PM, Rob Crittenden wrote: >>>>>> Nathan Lager wrote: >>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>>>> >>>>>>> I tried the same, kinit, and then ipa passwd commands >>>>>>> as before, here's the output: >>>>>>> >>>>>>> Aug 22 14:32:13 ipaserver.lafayette.edu >>>>>>> krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) >>>>>>> ipa-servers-ip: NEEDED_PREAUTH: >>>>>>> lagern at SYSTEMS.LAFAYETTE.EDU for >>>>>>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU, >>>>>>> Additional pre-authentication required >>>>>>> >>>>>>> Aug 22 14:32:19 ipaserver.lafayette.edu >>>>>>> krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) >>>>>>> ipa-servers-ip: ISSUE: authtime 1345660339, etypes >>>>>>> {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU >>>>>>> for krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU >>>>>>> >>>>>>> Aug 22 14:32:35 ipaserver.lafayette.edu >>>>>>> krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23}) >>>>>>> ipa-servers-ip: ISSUE: authtime 1345660339, etypes >>>>>>> {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU >>>>>>> for HTTP/ipaserver.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>>>>> >>>>>> What version of IPA is this? >>>>>> >>>>>> Does ipactl status show all services up? >>>>>> >>>>>> rob >>>>> >>>>> >>>> >>>> >>> >> >> >> _______________________________________________ Freeipa-users >> mailing list Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > >

From rcritten at redhat.com Tue Sep 18 19:22:00 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 18 Sep 2012 15:22:00 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <5058C646.8010308@lafayette.edu> References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com> <50352675.3010602@lafayette.edu> <50353C21.1050002@redhat.com> <5035482C.3080508@lafayette.edu> <50355701.403@redhat.com> <5036674F.40400@lafayette.edu> <5037E76F.7000902@redhat.com> <504DE30A.9080004@redhat.com> <5058C646.8010308@lafayette.edu> Message-ID: <5058C9D8.7020407@redhat.com> Nathan Lager wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Sorry for falling off like that. > I opened a RedHat ticket on the issue, and have been running in > circles with them. I forgot to check on the list for responses. > > > I'm still having problems. Someone suggested I try: > > kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu > > Which i just did, and it worked, or, at least it initialized my session. > > I'm still unable to execute ipa commands. In fact, im unable to > execute almost any ipa commands. > > The web interface works, but only after RedHat had me enable kerberos > password auth in the httpd config. So i can now auth to the web gui > interactively, instead of requiring a kinit from my workstion. > > The only real client i have here is RHEV. And auth there still works > except on accounts which have expired. Those accounts, cant even > change their passwords. > > RedHat had me disable the password expiration via the web gui, however > that hasnt helped accounts that are already expired. > > RedHat is currently blaming time skew, which i think is ridiculous. > Im testing my ipa commands right on the ipa master. How could there > possible be time skew. I did find that the time on my replica was > off, but my replica isnt working anyway, which is a whole other issue. > I think it needs to be flattened, and re-joined. I think we need to start with the basics, so here is a slew of questions, things to try: You said you enabled password auth? Did you do this by setting KrbMethodK5Passwd to on? 
You say that some commands work, which ones? It seems that kinit works? kinit admin Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf and restart the httpd service, then: $ kdestroy $ kinit admin $ ipa user-show admin Provide the logs covering the restart of Apache until the error from /var/log/httpd/error_log, /var/log/krb5kdc.log and /var/log/dirsrv/slapd-YOURINSTANCE/access. This last log buffers for 30 seconds so it may be a while before it gets updated. What are the versions of: httpd mod_auth_kerb ipa-server krb5-server This is RHEL 6.3? The problem seems isolated to mod_auth_kerb and/or s4u2proxy since it works with password authentication in the UI. rob From jhrozek at redhat.com Tue Sep 18 20:03:27 2012 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 18 Sep 2012 22:03:27 +0200 Subject: [Freeipa-users] errors when one ipa server down In-Reply-To: <6403B493-B1B6-4684-A986-6AC26F3B344F@gmail.com> References: <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com> <504DA634.8010903@redhat.com> <50573F1B.7050100@redhat.com> <20120918080308.GB31442@hendrix.brq.redhat.com> <6403B493-B1B6-4684-A986-6AC26F3B344F@gmail.com> Message-ID: <20120918200327.GO31442@hendrix.brq.redhat.com> On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote: > > On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote: > > > On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: > >>> [root at ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8 > >>> > >>> [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike > >>> [sssd_krb5_locator] sssd_krb5_locator_init called > >>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL]. 
> >>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
> >>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
> >>> [sssd_krb5_locator] [172.16.112.8] used
> >>> [sssd_krb5_locator] sssd_krb5_locator_close called
> >>> [sssd_krb5_locator] sssd_krb5_locator_init called
> >>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> >>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
> >>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
> >>> [sssd_krb5_locator] [172.16.112.8] used
> >>> [sssd_krb5_locator] sssd_krb5_locator_close called
> >>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
> >>
> >> Jakub, does this make sense to you?
> >>
> >
> > As stated elsewhere in this thread, bare kinit does not contact the SSSD
> > at all. You want to go through the PAM stack (with "su - mike" or "ssh
> > mike@ipaclient") in order to contact the SSSD so that the SSSD refreshes
> > the file.
> >
>
> Does using "su - mike" refresh the file?
>
> When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers.
>
> e.g.
>
> [root@ipaclient sssd]# su - mike
  ^^

Sorry, but can you re-run the test again and either su from another non-root user or ssh into the client for instance?

The reason is that performing su as root would not contact the SSSD at all either. The default PAM configuration for su includes "pam_rootok.so" which just returns PAM_SUCCESS if the user who performs su has UID=0.

I kinda expect the result to be the same (at least for a user who is not recently cached) because in the case of IPA we need to establish a GSSAPI encrypted connection anyway so we'd talk to the KDC only to perform initgroups.
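Jakub's point about pam_rootok.so can be made concrete by walking the PAM "auth" stack that an su call goes through and recording which modules are actually consulted. The block below is an added example, not code from this thread, from SSSD or from FreeIPA: the two PAM files are a constructed approximation of the RHEL 6 era /etc/pam.d/su and system-auth auth sections (only the module order and control flags matter here), the module outcomes are a constructed model (pam_unix.so only knows local users, pam_sss.so answers for IPA users), and the control-flag semantics are the simplified required/requisite/sufficient rules of Linux-PAM with "optional" ignored. The uid values are placeholders.

```python
"""Walk a simplified PAM 'auth' stack to show which modules an 'su' actually
consults, and therefore whether SSSD is ever asked to authenticate.
Added example; PAM files, outcomes and uids below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed approximation of the RHEL 6 era /etc/pam.d/su and system-auth
# 'auth' sections (not copied from a real host).
PAM_FILES: Dict[str, str] = {
    "su": """
auth    sufficient  pam_rootok.so
auth    include     system-auth
""",
    "system-auth": """
auth    required    pam_env.so
auth    sufficient  pam_unix.so nullok try_first_pass
auth    requisite   pam_succeed_if.so uid >= 500 quiet
auth    sufficient  pam_sss.so use_first_pass
auth    required    pam_deny.so
""",
}


@dataclass
class Rule:
    control: str                      # required | requisite | sufficient | optional
    module: str                       # e.g. pam_sss.so
    args: List[str] = field(default_factory=list)


def parse_auth_stack(service: str, files: Dict[str, str]) -> List[Rule]:
    """Flatten the 'auth' rules of one service, expanding 'include' lines."""
    rules: List[Rule] = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "auth":
            continue
        control, module, args = parts[1], parts[2], parts[3:]
        if control == "include":
            rules.extend(parse_auth_stack(module, files))
        else:
            rules.append(Rule(control, module, args))
    return rules


@dataclass
class SuAttempt:
    """Who runs su (caller_uid) and who they become (target_*)."""
    caller_uid: int
    target_uid: int
    target_is_local: bool             # True if the target user is in /etc/passwd


def module_outcome(rule: Rule, attempt: SuAttempt) -> bool:
    """Constructed success/failure model for the modules in the sample stack."""
    m = rule.module
    if m == "pam_rootok.so":
        return attempt.caller_uid == 0          # root is waved through
    if m == "pam_env.so":
        return True                             # sets environment, never fails
    if m == "pam_unix.so":
        return attempt.target_is_local          # only knows /etc/shadow users
    if m == "pam_succeed_if.so":
        threshold = int(rule.args[rule.args.index(">=") + 1])   # 'uid >= N'
        return attempt.target_uid >= threshold
    if m == "pam_sss.so":
        return not attempt.target_is_local      # IPA users are answered by SSSD
    if m == "pam_deny.so":
        return False
    raise ValueError(f"no outcome model for {m}")


def walk_auth_stack(rules: List[Rule],
                    outcome: Callable[[Rule], bool]) -> Tuple[bool, List[str]]:
    """Simplified Linux-PAM control-flag semantics.
    Returns (authenticated, modules_consulted); 'optional' is ignored."""
    consulted: List[str] = []
    required_failed = False
    for rule in rules:
        consulted.append(rule.module)
        ok = outcome(rule)
        if rule.control == "required":
            required_failed = required_failed or not ok   # remembered, stack continues
        elif rule.control == "requisite":
            if not ok:
                return False, consulted                   # stop immediately
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return True, consulted                    # stop: later modules never run
    return not required_failed, consulted


def su_consults_sssd(caller_uid: int, target_uid: int = 10000,
                     target_is_local: bool = False) -> Tuple[bool, bool, List[str]]:
    """(authenticated, sssd_was_asked, modules_consulted) for 'su - <target>'."""
    attempt = SuAttempt(caller_uid, target_uid, target_is_local)
    rules = parse_auth_stack("su", PAM_FILES)
    ok, consulted = walk_auth_stack(rules, lambda r: module_outcome(r, attempt))
    return ok, "pam_sss.so" in consulted, consulted


if __name__ == "__main__":
    print("root su to IPA user:    ", su_consults_sssd(caller_uid=0))
    print("uid 1000 su to IPA user:", su_consults_sssd(caller_uid=1000))
```

Run as root the walk stops at pam_rootok.so, so pam_sss.so is never reached and SSSD has no reason to refresh its kdcinfo file; run from an unprivileged uid the same su falls through pam_unix.so and ends at pam_sss.so, which is the path Jakub asks Michael to test (or ssh, which has no pam_rootok.so at all).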
From lagern at lafayette.edu Tue Sep 18 20:37:36 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Tue, 18 Sep 2012 16:37:36 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <5058C9D8.7020407@redhat.com>
References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com> <50352675.3010602@lafayette.edu> <50353C21.1050002@redhat.com> <5035482C.3080508@lafayette.edu> <50355701.403@redhat.com> <5036674F.40400@lafayette.edu> <5037E76F.7000902@redhat.com> <504DE30A.9080004@redhat.com> <5058C646.8010308@lafayette.edu> <5058C9D8.7020407@redhat.com>
Message-ID: <5058DB90.3000908@lafayette.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm going to respond inline to avoid confusion.

On 09/18/2012 03:22 PM, Rob Crittenden wrote:
>
> I think we need to start with the basics, so here is a slew of
> questions, things to try:
>
> You said you enabled password auth? Did you do this by setting
> KrbMethodK5Passwd to on?
>

Yes, in /etc/conf.d/ipa.conf, I changed KrbMethodK5Passwd from off to on, and reloaded httpd.

> You say that some commands work, which ones?
>
There are very few that don't error out. The ones I've come across are things like ipa-replica-manage; every ipa command I've attempted to run dies with:

[root@caroline0 PROD conf.d]# ipa user-show lagern
ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error

> It seems that kinit works? kinit admin
>
kinit admin works, but admin's password is expired, so the session never fully inits. Before his password expired, I could kinit admin. I can still kinit as myself, which is an admin account.

> Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf and
> restart the httpd service, then:
>
> $ kdestroy $ kinit admin $ ipa user-show admin
>
> Provide the logs covering the restart of Apache until the error
> from /var/log/httpd/error_log, /var/log/krb5kdc.log and
> /var/log/dirsrv/slapd-YOURINSTANCE/access.
> This last log buffers
> for 30 seconds so it may be a while before it gets updated.
>

loglevel is already debug due to my other testing. I've restarted httpd anyway, in case you get any meaningful errors in httpd's start procedure.

I then ran the commands you requested. Here are the log outputs.

I'm sorry that these are dumped in and hard to read..

/var/log/httpd/error_log:
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
[Tue Sep 18 16:26:46 2012] [notice] caught SIGTERM, shutting down
[Tue Sep 18 16:26:46 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue Sep 18 16:26:46 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Sep 18 16:26:47 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(831): Configuring permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:47 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:47 2012] [notice] Digest: generating secret for digest authentication ...
[Tue Sep 18 16:26:47 2012] [notice] Digest: done
[Tue Sep 18 16:26:47 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
[Tue Sep 18 16:26:47 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.13.1.0 Basic ECC mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:52 2012] [error] ipa: INFO: *** PROCESS START ***
[Tue Sep 18 16:26:52 2012] [error] ipa: INFO: *** PROCESS START ***
[Tue Sep 18 16:27:06 2012] [info] Connection to child 1 established (server caroline0.lafayette.edu:443, client 139.147.7.204)
[Tue Sep 18 16:27:06 2012] [info] Initial (No.1) HTTPS request received for child 1 (server caroline0.lafayette.edu:443)
[Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1939): [client 139.147.7.204] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://caroline0.lafayette.edu/ipa/xml
[Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1278): [client 139.147.7.204] Acquiring creds for HTTP@caroline0.lafayette.edu, referer: https://caroline0.lafayette.edu/ipa/xml
[Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1372): [client 139.147.7.204] Using principal HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU for s4u2proxy, referer: https://caroline0.lafayette.edu/ipa/xml
[Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1414): [client 139.147.7.204] Credentials for HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU will expire at 1348001920, it is now 1348000026, referer: https://caroline0.lafayette.edu/ipa/xml
[Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1597): [client 139.147.7.204] Done obtaining credentials for s4u2proxy, referer: https://caroline0.lafayette.edu/ipa/xml
[Tue Sep 18 16:27:08 2012] [debug] src/mod_auth_kerb.c(1138): [client 139.147.7.204] GSS-API major_status:000d0000, minor_status:00000000, referer: https://caroline0.lafayette.edu/ipa/xml
[Tue Sep 18 16:27:08 2012] [error] [client 139.147.7.204] gss_acquire_cred() failed: Unspecified GSS failure.
Minor code may provide more information (, Unknown error), referer: https://caroline0.lafayette.edu/ipa/xml
[Tue Sep 18 16:27:08 2012] [info] [client 139.147.7.204] (32)Broken pipe: core_output_filter: writing data to the network
[Tue Sep 18 16:27:08 2012] [info] Connection to child 1 closed (server caroline0.lafayette.edu:443, client 139.147.7.204)

/var/log/krb5kdc.log:
Sep 18 16:26:55 caroline0.lafayette.edu krb5kdc[20842](info): AS_REQ (4 etypes {18 17 16 23}) 139.147.7.204: NEEDED_PREAUTH: lagern@SYSTEMS.LAFAYETTE.EDU for krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU, Additional pre-authentication required
Sep 18 16:26:59 caroline0.lafayette.edu krb5kdc[20842](info): AS_REQ (4 etypes {18 17 16 23}) 139.147.7.204: ISSUE: authtime 1348000019, etypes {rep=18 tkt=18 ses=18}, lagern@SYSTEMS.LAFAYETTE.EDU for krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU
Sep 18 16:27:06 caroline0.lafayette.edu krb5kdc[20842](info): TGS_REQ (4 etypes {18 17 16 23}) 139.147.7.204: ISSUE: authtime 1348000019, etypes {rep=18 tkt=18 ses=18}, lagern@SYSTEMS.LAFAYETTE.EDU for HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU

/var/log/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU/access
[18/Sep/2012:16:26:47 -0400] conn=44 op=11 SRCH base="cn=accounts,dc=systems,dc=lafayette,dc=edu" scope=2 filter="(&(uid=apache)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey"
[18/Sep/2012:16:26:47 -0400] conn=44 op=11 RESULT err=0 tag=101 nentries=0 etime=0
[18/Sep/2012:16:26:54 -0400] conn=4 op=97 SRCH base="dc=systems,dc=lafayette,dc=edu" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=lagern@SYSTEMS.LAFAYETTE.EDU))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory objectClass"
[18/Sep/2012:16:26:54 -0400] conn=4 op=97 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:26:54 -0400] conn=4 op=98 SRCH base="cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[18/Sep/2012:16:26:54 -0400] conn=4 op=98 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:26:54 -0400] conn=4 op=99 SRCH base="dc=systems,dc=lafayette,dc=edu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory objectClass"
[18/Sep/2012:16:26:54 -0400] conn=4 op=99 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:26:54 -0400] conn=4 op=100 SRCH base="cn=global_policy,cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
krbPwdFailureCountInterval krbPwdLockoutDuration"
[18/Sep/2012:16:26:54 -0400] conn=4 op=100 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:26:58 -0400] conn=4 op=102 SRCH base="dc=systems,dc=lafayette,dc=edu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=lagern@SYSTEMS.LAFAYETTE.EDU))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory objectClass"
[18/Sep/2012:16:26:58 -0400] conn=4 op=102 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:26:58 -0400] conn=4 op=103 SRCH base="cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[18/Sep/2012:16:26:58 -0400] conn=4 op=103 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:26:58 -0400] conn=4 op=104 SRCH base="dc=systems,dc=lafayette,dc=edu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory objectClass"
[18/Sep/2012:16:26:58 -0400] conn=4 op=104 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:26:58 -0400] conn=4 op=105 SRCH
base="cn=global_policy,cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[18/Sep/2012:16:26:58 -0400] conn=4 op=105 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:26:58 -0400] conn=4 op=106 MOD dn="uid=lagern,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu"
[18/Sep/2012:16:26:58 -0400] conn=4 op=106 RESULT err=0 tag=103 nentries=0 etime=0 csn=5058d913000000040000
[18/Sep/2012:16:27:05 -0400] conn=4 op=107 SRCH base="dc=systems,dc=lafayette,dc=edu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory objectClass"
[18/Sep/2012:16:27:05 -0400] conn=4 op=107 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:27:05 -0400] conn=4 op=108 SRCH base="dc=systems,dc=lafayette,dc=edu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory objectClass"
[18/Sep/2012:16:27:05 -0400] conn=4 op=108 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:27:05 -0400] conn=4 op=109 SRCH base="cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[18/Sep/2012:16:27:05 -0400] conn=4 op=109 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:27:05 -0400] conn=4 op=110 SRCH base="dc=systems,dc=lafayette,dc=edu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=lagern@SYSTEMS.LAFAYETTE.EDU))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory objectClass"
[18/Sep/2012:16:27:05 -0400] conn=4 op=110 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:27:05 -0400] conn=4 op=111 SRCH base="cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[18/Sep/2012:16:27:05 -0400] conn=4 op=111 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2012:16:27:22 -0400] conn=49 fd=67 slot=67 connection from 139.147.7.205 to 139.147.7.204
[18/Sep/2012:16:27:22 -0400] conn=49 op=0 UNBIND
[18/Sep/2012:16:27:22 -0400] conn=49 op=0 fd=67 closed - U1
[18/Sep/2012:16:29:27 -0400] conn=50 fd=67 slot=67 connection from 139.147.7.204 to 139.147.7.204
[18/Sep/2012:16:29:27 -0400] conn=50 op=0 UNBIND
[18/Sep/2012:16:29:27 -0400] conn=50 op=0 fd=67 closed - U1

> What are the versions of:
>
> httpd
[root@caroline0 PROD ~]# rpm -qa | grep httpd
httpd-2.2.15-15.el6_2.1.x86_64

> mod_auth_kerb
[root@caroline0 PROD ~]# rpm -qa | grep mod_auth_kerb
mod_auth_kerb-5.4-9.el6.x86_64

> ipa-server
[root@caroline0 PROD ~]# rpm -qa | grep ipa-server
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64

> krb5-server
[root@caroline0 PROD ~]# rpm -qa | grep krb5-server
krb5-server-1.9-33.el6_3.2.x86_64
krb5-server-ldap-1.9-33.el6_3.2.x86_64

>
> This is RHEL 6.3?

Yes.
[root@caroline0 PROD ~]# cat /etc/issue
Red Hat Enterprise Linux Server release 6.3 (Santiago)
Kernel \r on an \m

>
> The problem seems isolated to mod_auth_kerb and/or s4u2proxy since
> it works with password authentication in the UI.
>
> rob

- --
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBY248ACgkQsZqG4IN3sukPpwCeJv+P6C/5odcVlj+2lXjLaXHT
AaAAnj4hDetnFZXWFfBrGRrWKp8lwckB
=UpQU
-----END PGP SIGNATURE-----

From rcritten at redhat.com Tue Sep 18 21:17:00 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 18 Sep 2012 17:17:00 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <5058DB90.3000908@lafayette.edu>
References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com> <50352675.3010602@lafayette.edu> <50353C21.1050002@redhat.com> <5035482C.3080508@lafayette.edu> <50355701.403@redhat.com> <5036674F.40400@lafayette.edu> <5037E76F.7000902@redhat.com> <504DE30A.9080004@redhat.com> <5058C646.8010308@lafayette.edu> <5058C9D8.7020407@redhat.com> <5058DB90.3000908@lafayette.edu>
Message-ID: <5058E4CC.3010604@redhat.com>

Nathan Lager wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I'm going to respond inline to avoid confusion.
>
> On 09/18/2012 03:22 PM, Rob Crittenden wrote:
>>
>> I think we need to start with the basics, so here is a slew of
>> questions, things to try:
>>
>> You said you enabled password auth? Did you do this by setting
>> KrbMethodK5Passwd to on?
>>
>
> Yes, in /etc/conf.d/ipa.conf, I changed
> KrbMethodK5Passwd from off to on, and reloaded httpd.
>
>> You say that some commands work, which ones?
>>
> There are very few that don't error out. The ones I've come across are
> things like ipa-replica-manage; every ipa command I've
> attempted to run dies with:
>
>
> [root@caroline0 PROD conf.d]# ipa user-show lagern
> ipa: ERROR: cannot connect to
> u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
>
>
>> It seems that kinit works? kinit admin
>>
> kinit admin works, but admin's password is expired, so the session
> never fully inits. Before his password expired, I could kinit admin.
> I can still kinit as myself, which is an admin account.
>
>> Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf and
>> restart the httpd service, then:
>>
>> $ kdestroy $ kinit admin $ ipa user-show admin
>>
>> Provide the logs covering the restart of Apache until the error
>> from /var/log/httpd/error_log, /var/log/krb5kdc.log and
>> /var/log/dirsrv/slapd-YOURINSTANCE/access. This last log buffers
>> for 30 seconds so it may be a while before it gets updated.
>>
>
> loglevel is already debug due to my other testing.
> I've restarted httpd anyway, in case you get any meaningful errors in
> httpd's start procedure.
>
> I then ran the commands you requested. Here are the log outputs.
>
> I'm sorry that these are dumped in and hard to read..
>
> /var/log/httpd/error_log:
> [Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
> KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
> [Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
> KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
> [Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
> KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
> [Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
> KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
> [Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
> KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
> [Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
> KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
> [Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
> KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
> [Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
> KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
> [Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
> KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
> [Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
> KeyError(140591752845280,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
> [Tue Sep 18 16:26:46 2012] [notice] caught SIGTERM, shutting down
> [Tue Sep 18 16:26:46 2012] [notice] SELinux policy enabled; httpd
> running as context unconfined_u:system_r:httpd_t:s0
> [Tue Sep 18 16:26:46 2012] [notice] suEXEC mechanism enabled (wrapper:
> /usr/sbin/suexec)
> [Tue Sep 18 16:26:47 2012] [info] Configuring server for SSL protocol
> [Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(655): Enabling SSL3
> [Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(660): Enabling TLS
> [Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(831): Configuring
> permitted SSL ciphers
> [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
> [Tue Sep 18 16:26:47 2012] [info] Using nickname Server-Cert.
> [Tue Sep 18 16:26:47 2012] [notice] Digest: generating secret for
> digest authentication ...
> [Tue Sep 18 16:26:47 2012] [notice] Digest: done
> [Tue Sep 18 16:26:47 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
> [Tue Sep 18 16:26:47 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.
> [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
> ajp://localhost:9447/ already initialized
> [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
> ajp://localhost:9447/ already initialized
> [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
> ajp://localhost:9447/ already initialized
> [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
> ajp://localhost:9447/ already initialized
> [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
> ajp://localhost:9447/ already initialized
> [Tue Sep 18 16:26:48 2012] [notice] Apache/2.2.15 (Unix) DAV/2
> mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.13.1.0 Basic ECC mod_wsgi/3.2
> Python/2.6.6 configured -- resuming normal operations
> [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
> ajp://localhost:9447/ already initialized
> [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
> ajp://localhost:9447/ already initialized
> [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
> ajp://localhost:9447/ already initialized
> [Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol
> [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3
> [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS
> [Tue Sep 18 16:26:48 2012] [debug]
> nss_engine_init.c(831): Configuring
> permitted SSL ciphers
> [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
> [Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert.
> [Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol
> [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3
> [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS
> [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring
> permitted SSL ciphers
> [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
> [Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert.
> [Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol
> [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3
> [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS
> [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring
> permitted SSL ciphers
> [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
> [Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert.
> [Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3 > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring > permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert. > [Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3 > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring > permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert. > [Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3 > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring > permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert. 
> [Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol > [Tue Sep 18 16:26:48 2012] [info] Configuring server for SSL protocol > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3 > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring > permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert. > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(655): Enabling SSL3 > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(660): Enabling TLS > [Tue Sep 18 16:26:48 2012] [debug] nss_engine_init.c(831): Configuring > permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Tue Sep 18 16:26:48 2012] [info] Using nickname Server-Cert. 
> [Tue Sep 18 16:26:52 2012] [error] ipa: INFO: *** PROCESS START *** > [Tue Sep 18 16:26:52 2012] [error] ipa: INFO: *** PROCESS START *** > [Tue Sep 18 16:27:06 2012] [info] Connection to child 1 established > (server caroline0.lafayette.edu:443, client 139.147.7.204) > [Tue Sep 18 16:27:06 2012] [info] Initial (No.1) HTTPS request > received for child 1 (server caroline0.lafayette.edu:443) > [Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1939): [client > 139.147.7.204] kerb_authenticate_user entered with user (NULL) and > auth_type Kerberos, referer: https://caroline0.lafayette.edu/ipa/xml > [Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1278): [client > 139.147.7.204] Acquiring creds for HTTP at caroline0.lafayette.edu, > referer: https://caroline0.lafayette.edu/ipa/xml > [Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1372): [client > 139.147.7.204] Using principal > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU for s4u2proxy, > referer: https://caroline0.lafayette.edu/ipa/xml > [Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1414): [client > 139.147.7.204] Credentials for > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU will expire at > 1348001920, it is now 1348000026, referer: > https://caroline0.lafayette.edu/ipa/xml > [Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1597): [client > 139.147.7.204] Done obtaining credentials for s4u2proxy, referer: > https://caroline0.lafayette.edu/ipa/xml > [Tue Sep 18 16:27:08 2012] [debug] src/mod_auth_kerb.c(1138): [client > 139.147.7.204] GSS-API major_status:000d0000, minor_status:00000000, > referer: https://caroline0.lafayette.edu/ipa/xml > [Tue Sep 18 16:27:08 2012] [error] [client 139.147.7.204] > gss_acquire_cred() failed: Unspecified GSS failure. 
Minor code may > provide more information (, Unknown error), referer: > https://caroline0.lafayette.edu/ipa/xml > [Tue Sep 18 16:27:08 2012] [info] [client 139.147.7.204] (32)Broken > pipe: core_output_filter: writing data to the network > [Tue Sep 18 16:27:08 2012] [info] Connection to child 1 closed (server > caroline0.lafayette.edu:443, client 139.147.7.204) > > /var/log/krb5kdc.log: > Sep 18 16:26:55 caroline0.lafayette.edu krb5kdc[20842](info): AS_REQ > (4 etypes {18 17 16 23}) 139.147.7.204: NEEDED_PREAUTH: > lagern at SYSTEMS.LAFAYETTE.EDU for > krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU, Additional > pre-authentication required > Sep 18 16:26:59 caroline0.lafayette.edu krb5kdc[20842](info): AS_REQ > (4 etypes {18 17 16 23}) 139.147.7.204: ISSUE: authtime 1348000019, > etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for > krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU > Sep 18 16:27:06 caroline0.lafayette.edu krb5kdc[20842](info): TGS_REQ > (4 etypes {18 17 16 23}) 139.147.7.204: ISSUE: authtime 1348000019, > etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU > > /var/log/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU/access > [18/Sep/2012:16:26:47 -0400] conn=44 op=11 SRCH > base="cn=accounts,dc=systems,dc=lafayette,dc=edu" scope=2 > filter="(&(uid=apache)(objectClass=posixAccount))" attrs="objectClass > uid userPassword uidNumber gidNumber gecos homeDirectory loginShell > krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn > shadowLastChange shadowMin shadowMax shadowWarning shadowInactive > shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration > pwdattribute authorizedService accountexpires useraccountcontrol > nsAccountLock host logindisabled loginexpirationtime > loginallowedtimemap ipaSshPubKey" > [18/Sep/2012:16:26:47 -0400] conn=44 op=11 RESULT err=0 tag=101 > nentries=0 etime=0 > [18/Sep/2012:16:26:54 -0400] conn=4 op=97 SRCH > 
base="dc=systems,dc=lafayette,dc=edu" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=lagern at SYSTEMS.LAFAYETTE.EDU))" > attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey > krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration > krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange > krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth > krbLoginFailedCount krbExtraData krbLastAdminUnlock > krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge > nsAccountLock passwordHistory objectClass" > [18/Sep/2012:16:26:54 -0400] conn=4 op=97 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:26:54 -0400] conn=4 op=98 SRCH > base="cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu" > scope=0 filter="(objectClass=krbticketpolicyaux)" > attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" > [18/Sep/2012:16:26:54 -0400] conn=4 op=98 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:26:54 -0400] conn=4 op=99 SRCH > base="dc=systems,dc=lafayette,dc=edu" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU))" > attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey > krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration > krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange > krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth > krbLoginFailedCount krbExtraData krbLastAdminUnlock > krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge > nsAccountLock passwordHistory objectClass" > [18/Sep/2012:16:26:54 -0400] conn=4 op=99 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:26:54 -0400] conn=4 op=100 SRCH > base="cn=global_policy,cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu" > scope=0 filter="(objectClass=*)" 
attrs="krbMaxPwdLife krbMinPwdLife > krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength > krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration" > [18/Sep/2012:16:26:54 -0400] conn=4 op=100 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:26:58 -0400] conn=4 op=102 SRCH > base="dc=systems,dc=lafayette,dc=edu" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=lagern at SYSTEMS.LAFAYETTE.EDU))" > attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey > krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration > krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange > krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth > krbLoginFailedCount krbExtraData krbLastAdminUnlock > krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge > nsAccountLock passwordHistory objectClass" > [18/Sep/2012:16:26:58 -0400] conn=4 op=102 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:26:58 -0400] conn=4 op=103 SRCH > base="cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu" > scope=0 filter="(objectClass=krbticketpolicyaux)" > attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" > [18/Sep/2012:16:26:58 -0400] conn=4 op=103 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:26:58 -0400] conn=4 op=104 SRCH > base="dc=systems,dc=lafayette,dc=edu" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU))" > attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey > krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration > krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange > krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth > krbLoginFailedCount krbExtraData krbLastAdminUnlock > krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge > nsAccountLock 
passwordHistory objectClass" > [18/Sep/2012:16:26:58 -0400] conn=4 op=104 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:26:58 -0400] conn=4 op=105 SRCH > base="cn=global_policy,cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu" > scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife > krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength > krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration" > [18/Sep/2012:16:26:58 -0400] conn=4 op=105 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:26:58 -0400] conn=4 op=106 MOD > dn="uid=lagern,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu" > [18/Sep/2012:16:26:58 -0400] conn=4 op=106 RESULT err=0 tag=103 > nentries=0 etime=0 csn=5058d913000000040000 > [18/Sep/2012:16:27:05 -0400] conn=4 op=107 SRCH > base="dc=systems,dc=lafayette,dc=edu" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU))" > attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey > krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration > krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange > krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth > krbLoginFailedCount krbExtraData krbLastAdminUnlock > krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge > nsAccountLock passwordHistory objectClass" > [18/Sep/2012:16:27:05 -0400] conn=4 op=107 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:27:05 -0400] conn=4 op=108 SRCH > base="dc=systems,dc=lafayette,dc=edu" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU))" > attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey > krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration > krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange > krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth > krbLoginFailedCount krbExtraData krbLastAdminUnlock > krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge > nsAccountLock passwordHistory objectClass" > [18/Sep/2012:16:27:05 -0400] conn=4 op=108 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:27:05 -0400] conn=4 op=109 SRCH > base="cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu" > scope=0 filter="(objectClass=krbticketpolicyaux)" > attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" > [18/Sep/2012:16:27:05 -0400] conn=4 op=109 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:27:05 -0400] conn=4 op=110 SRCH > base="dc=systems,dc=lafayette,dc=edu" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=lagern at SYSTEMS.LAFAYETTE.EDU))" > attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey > krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration > krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange > krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth > krbLoginFailedCount krbExtraData krbLastAdminUnlock > krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge > nsAccountLock passwordHistory objectClass" > [18/Sep/2012:16:27:05 -0400] conn=4 op=110 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:27:05 -0400] conn=4 op=111 SRCH > base="cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu" > scope=0 filter="(objectClass=krbticketpolicyaux)" > attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" > [18/Sep/2012:16:27:05 -0400] conn=4 op=111 RESULT err=0 tag=101 > nentries=1 etime=0 > [18/Sep/2012:16:27:22 -0400] conn=49 fd=67 slot=67 connection from > 139.147.7.205 to 139.147.7.204 > [18/Sep/2012:16:27:22 -0400] conn=49 op=0 UNBIND > [18/Sep/2012:16:27:22 -0400] conn=49 op=0 fd=67 closed - U1 > [18/Sep/2012:16:29:27 -0400] 
conn=50 fd=67 slot=67 connection from > 139.147.7.204 to 139.147.7.204 > [18/Sep/2012:16:29:27 -0400] conn=50 op=0 UNBIND > [18/Sep/2012:16:29:27 -0400] conn=50 op=0 fd=67 closed - U1 > > >> What are the versions of: >> >> httpd > [root at caroline0 PROD ~]# rpm -qa | grep httpd > httpd-2.2.15-15.el6_2.1.x86_64 > >> mod_auth_kerb > [root at caroline0 PROD ~]# rpm -qa | grep mod_auth_kerb > mod_auth_kerb-5.4-9.el6.x86_64 > >> ipa-server > [root at caroline0 PROD ~]# rpm -qa | grep ipa-server > ipa-server-selinux-2.2.0-16.el6.x86_64 > ipa-server-2.2.0-16.el6.x86_64 > >> krb5-server > [root at caroline0 PROD ~]# rpm -qa | grep krb5-server > krb5-server-1.9-33.el6_3.2.x86_64 > krb5-server-ldap-1.9-33.el6_3.2.x86_64 > >> >> This is RHEL 6.3? > Yes. > [root at caroline0 PROD ~]# cat /etc/issue > Red Hat Enterprise Linux Server release 6.3 (Santiago) > Kernel \r on an \m Ok, what are the permissions on the keytab, /etc/httpd/conf/ipa.keytab? They should be apache:apache mode 0600. Are you in SELinux enforcing mode? Can you try in permissive to see if that works? rob From thildred at redhat.com Wed Sep 19 01:43:48 2012 From: thildred at redhat.com (Tim Hildred) Date: Tue, 18 Sep 2012 21:43:48 -0400 (EDT) Subject: [Freeipa-users] Password requirements too stringent In-Reply-To: <20120918072912.GA31442@hendrix.brq.redhat.com> Message-ID: <351696385.1717744.1348019028544.JavaMail.root@redhat.com> So, commenting out: password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 Caused users updating their passwords using ssh to get: [ykatabam at ykatabam ~]$ ssh ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password: Permission denied, please try again. ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password: Password expired. Change your password now. Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com WARNING: Your password has expired. 
You must change your password now and login again! Changing password for user ykatabam. Current Password: Password change failed. Server message: Password change failed passwd: Authentication token manipulation error Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed. Is that to say that you need at least 1 password requisite? That instead of commenting out the password requisite pam_cracklib.so, I should have replaced it with something? Tim Hildred, RHCE Content Author II - Engineering Content Services, Red Hat, Inc. Brisbane, Australia Email: thildred at redhat.com Internal: 8588287 Mobile: +61 4 666 25242 IRC: thildred ----- Original Message ----- > From: "Jakub Hrozek" > To: freeipa-users at redhat.com > Sent: Tuesday, September 18, 2012 5:29:12 PM > Subject: Re: [Freeipa-users] Password requirements too stringent > > On Tue, Sep 18, 2012 at 02:57:49AM +0000, JR Aquino wrote: > > > > On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote: > > > > > JR > > > > > > I had that line. I commented it out. Thank you. > > > > > > Now, what do I have to restart? > > > > I believe it should take effect in real time, but you may need to > > test to be sure. If it is still happening, you may need to double > > check that some other pam cfg doesn't also have it present: $ cd > > /etc/pam.d/ && grep pam_cracklib * > > > > If you have removed it from everything and it is still giving you > > the same error, then I would try a reboot... perhaps getty needs > > to reinitialize or something. But I'd try those steps before a > > reboot! > > > > ;) > > > > Some services, notably the sshd, must be restarted in order to > re-read > the PAM config. > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > From lagern at lafayette.edu Wed Sep 19 02:05:58 2012 From: lagern at lafayette.edu (Lager, Nathan T.) 
Date: Tue, 18 Sep 2012 22:05:58 -0400 (EDT) Subject: [Freeipa-users] sudden ipa errors. In-Reply-To: <5058E4CC.3010604@redhat.com> Message-ID: <1938173025.2883682.1348020358791.JavaMail.root@zstore00.zprd.lafayette.edu> ----- Original Message ----- > From: "Rob Crittenden" > To: "Nathan Lager" > Cc: freeipa-users at redhat.com > Sent: Tuesday, September 18, 2012 5:17:00 PM > Subject: Re: [Freeipa-users] sudden ipa errors. > > Ok, what are the permissions on the keytab, > /etc/httpd/conf/ipa.keytab? > They should be apache:apache mode 0600. [lagern at caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab -rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab > > Are you in SELinux enforcing mode? Can you try in permissive to see if > that works? I was enforcing at the start of all of this, but ive since switched to permissive for troubleshooting. It hasnt made a difference. > > rob From jhrozek at redhat.com Wed Sep 19 06:56:42 2012 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 19 Sep 2012 08:56:42 +0200 Subject: [Freeipa-users] Password requirements too stringent In-Reply-To: <351696385.1717744.1348019028544.JavaMail.root@redhat.com> References: <20120918072912.GA31442@hendrix.brq.redhat.com> <351696385.1717744.1348019028544.JavaMail.root@redhat.com> Message-ID: <20120919065642.GA15999@hendrix.brq.redhat.com> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote: > So, commenting out: > password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 > > Caused users updating their passwords using ssh to get: > > [ykatabam at ykatabam ~]$ ssh ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com > ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password: > Permission denied, please try again. > ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password: > Password expired. Change your password now. 
> Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com > WARNING: Your password has expired. > You must change your password now and login again! > Changing password for user ykatabam. > Current Password: > Password change failed. Server message: Password change failed > passwd: Authentication token manipulation error > Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed. > > Is that to say that you need at least 1 password requisite? That instead of commenting out the password requisite pam_cracklib.so, I should have replaced it with something? What did /var/log/secure have to say? The message sounds to me like it's coming from the server.. From thildred at redhat.com Wed Sep 19 07:15:41 2012 From: thildred at redhat.com (Tim Hildred) Date: Wed, 19 Sep 2012 03:15:41 -0400 (EDT) Subject: [Freeipa-users] Password requirements too stringent In-Reply-To: <20120919065642.GA15999@hendrix.brq.redhat.com> Message-ID: <1843575025.1814604.1348038941584.JavaMail.root@redhat.com> Sep 19 11:40:43 dns1 sshd[11197]: pam_sss(sshd:account): User info message: Password expired. Change your password now. Sep 19 11:40:43 dns1 sshd[11197]: Accepted password for ykatabam from 10.64.48.102 port 47713 ssh2 Sep 19 11:40:43 dns1 sshd[11197]: pam_unix(sshd:session): session opened for user ykatabam by (uid=0) Sep 19 11:40:43 dns1 passwd: pam_unix(passwd:chauthtok): user "ykatabam" does not exist in /etc/passwd Sep 19 11:41:21 dns1 passwd: pam_unix(passwd:chauthtok): user "ykatabam" does not exist in /etc/passwd Sep 19 11:41:22 dns1 sshd[11201]: Received disconnect from 10.64.48.102: 11: disconnected by user Sep 19 11:41:22 dns1 sshd[11197]: pam_unix(sshd:session): session closed for user ykatabam Sep 19 14:40:33 dns1 sshd[11113]: Received disconnect from 10.64.15.231: 11: disconnected by user Looks like you're right Jakub. 
From what I gather:

- the server requires a complex password in that cracklib.so, so it was suggested I take that "password requisite cracklib.so" out.
- with that gone, it looks kind of like IPA doesn't come into the picture?

I uncommented that line, and now it all works again, but I'm back to really-stringent-password-requirement-town.

What next?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thildred at redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

----- Original Message -----
> From: "Jakub Hrozek"
> To: "Tim Hildred"
> Cc: freeipa-users at redhat.com
> Sent: Wednesday, September 19, 2012 4:56:42 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
>
> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
> > So, commenting out:
> > password requisite pam_cracklib.so try_first_pass retry=3
> > type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
> >
> > Caused users updating their passwords using ssh to get:
> >
> > [ykatabam at ykatabam ~]$ ssh
> > ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com
> > ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> > Permission denied, please try again.
> > ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> > Password expired. Change your password now.
> > Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user ykatabam.
> > Current Password:
> > Password change failed. Server message: Password change failed
> > passwd: Authentication token manipulation error
> > Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> >
> > Is that to say that you need at least 1 password requisite? That
> > instead of commenting out the password requisite pam_cracklib.so,
> > I should have replaced it with something?
>
> What did /var/log/secure have to say?
> > The message sounds to me like it's coming from the server.. > From pspacek at redhat.com Wed Sep 19 08:08:30 2012 From: pspacek at redhat.com (Petr Spacek) Date: Wed, 19 Sep 2012 10:08:30 +0200 Subject: [Freeipa-users] NFS on Mac In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4053CA522E@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <1347894430.78736.YahooMailNeo@web163106.mail.bf1.yahoo.com> <50573FAD.8030008@redhat.com> <1347906088.5867.YahooMailNeo@web163102.mail.bf1.yahoo.com>, <5057702C.2030102@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA522E@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <50597D7E.6040404@redhat.com> On 09/17/2012 10:32 PM, Steven Jones wrote: > If anyone has MAC instructions' I'd love a copy pls. As usual, we can create account on freeipa.org wiki if anybody is interested in creating a how-to. That is the best place to share. Let us know! Petr^2 Spacek > > ------------------------------------------------------------------------------ > *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on > behalf of Dmitri Pal [dpal at redhat.com] > *Sent:* Tuesday, 18 September 2012 6:47 a.m. > *To:* george he > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] NFS on Mac > > On 09/17/2012 02:21 PM, george he wrote: >> sounds to me the link may work for nfs version 3 only. >> Now with IPA and NFS4, there got to be something more. >> George > > I do not know the exact steps on mac because the is no ipa-client on Mac so > you would have to configure the machine to be an IPA client manually. > This would mean that you need to authenticate with kerberos and then make the > nfs part use the credential cache of the logged in user (if you are planning > to use it for users mounting shares). This is what needs to happen > conceptually. I know that people have done in the past but I do not think > there are instructions. 
> > Once you manged to do it please see the presentation how to setup secure NFS > on Linux > http://rhsummit.files.wordpress.com/2012/03/dickson_the_evolution_nfs_protocol.pdf > May be it will give you some hints and pointers. > > The only known problem with this slide deck is that on slide 18 after kinit > admin and before ipa-getkeytab you need to add service for the NFS server > ipa service-add nfs/`hostname`@EXAMPLE > > HTH >> >> ------------------------------------------------------------------------------ >> *From:* Dmitri Pal >> *To:* freeipa-users at redhat.com >> *Sent:* Monday, September 17, 2012 11:20 AM >> *Subject:* Re: [Freeipa-users] NFS on Mac >> >> On 09/17/2012 11:07 AM, george he wrote: >>> Hello all, >>> I have IPA server and NFS server set up on a computer running centos 6.3. >>> Is there a way to set up a mac laptop to access the data on the NFS server? >>> The laptop does not have a static IP. DNS is not configured with IPA. >>> If yes, how do I config the mac? >> >> Is this what you are looking for? >> http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/ >> >>> Thanks, >>> George From sigbjorn at nixtra.com Wed Sep 19 08:18:09 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 19 Sep 2012 10:18:09 +0200 (CEST) Subject: [Freeipa-users] NFS on Mac In-Reply-To: <50597D7E.6040404@redhat.com> References: <1347894430.78736.YahooMailNeo@web163106.mail.bf1.yahoo.com> <50573FAD.8030008@redhat.com> <1347906088.5867.YahooMailNeo@web163102.mail.bf1.yahoo.com>, <5057702C.2030102@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA522E@STAWINCOX10MBX1.staff.vuw.ac.nz> <50597D7E.6040404@redhat.com> Message-ID: <24813.213.225.75.97.1348042689.squirrel@www.nixtra.com> As usual, if someone is interested in sending me a Mac I'll be happy to do the testing and submit the results. 
*grin* :) Regards, Siggi On Wed, September 19, 2012 10:08, Petr Spacek wrote: > On 09/17/2012 10:32 PM, Steven Jones wrote: > >> If anyone has MAC instructions' I'd love a copy pls. >> > > As usual, we can create account on freeipa.org wiki if anybody is interested > in creating a how-to. That is the best place to share. > > Let us know! > > > Petr^2 Spacek > > >> >> ------------------------------------------------------------------------------ >> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on >> behalf of Dmitri Pal [dpal at redhat.com] *Sent:* Tuesday, 18 September 2012 6:47 a.m. >> *To:* george he >> *Cc:* freeipa-users at redhat.com >> *Subject:* Re: [Freeipa-users] NFS on Mac >> >> >> On 09/17/2012 02:21 PM, george he wrote: >> >>> sounds to me the link may work for nfs version 3 only. Now with IPA and NFS4, there got to be >>> something more. George >>> >> >> I do not know the exact steps on mac because the is no ipa-client on Mac so >> you would have to configure the machine to be an IPA client manually. This would mean that you >> need to authenticate with kerberos and then make the nfs part use the credential cache of the >> logged in user (if you are planning to use it for users mounting shares). This is what needs to >> happen conceptually. I know that people have done in the past but I do not think there are >> instructions. >> >> Once you manged to do it please see the presentation how to setup secure NFS >> on Linux http://rhsummit.files.wordpress.com/2012/03/dickson_the_evolution_nfs_protocol.pdf >> May be it will give you some hints and pointers. 
>> >> >> The only known problem with this slide deck is that on slide 18 after kinit >> admin and before ipa-getkeytab you need to add service for the NFS server ipa service-add >> nfs/`hostname`@EXAMPLE >> >> HTH >> >>> >>> ------------------------------------------------------------------------------ >>> *From:* Dmitri Pal >>> *To:* freeipa-users at redhat.com >>> *Sent:* Monday, September 17, 2012 11:20 AM >>> *Subject:* Re: [Freeipa-users] NFS on Mac >>> >>> >>> On 09/17/2012 11:07 AM, george he wrote: >>> >>>> Hello all, >>>> I have IPA server and NFS server set up on a computer running centos 6.3. >>>> Is there a way to set up a mac laptop to access the data on the NFS server? >>>> The laptop does not have a static IP. DNS is not configured with IPA. >>>> If yes, how do I config the mac? >>>> >>> >>> Is this what you are looking for? >>> http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/ >>> >>> >>>> Thanks, >>>> George >>>> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > From ondrejv at s3group.cz Wed Sep 19 08:57:00 2012 From: ondrejv at s3group.cz (Ondrej Valousek) Date: Wed, 19 Sep 2012 10:57:00 +0200 Subject: [Freeipa-users] NFS on Mac In-Reply-To: <24813.213.225.75.97.1348042689.squirrel@www.nixtra.com> References: <1347894430.78736.YahooMailNeo@web163106.mail.bf1.yahoo.com> <50573FAD.8030008@redhat.com> <1347906088.5867.YahooMailNeo@web163102.mail.bf1.yahoo.com>, <5057702C.2030102@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA522E@STAWINCOX10MBX1.staff.vuw.ac.nz> <50597D7E.6040404@redhat.com> <24813.213.225.75.97.1348042689.squirrel@www.nixtra.com> Message-ID: <505988DC.6090809@s3group.cz> what about this one? http://code.google.com/p/macnfsv4/wiki/HOWTO looks like rpc.idmapd on linux == nfsuserd on Mac O. 
On 09/19/2012 10:18 AM, Sigbjorn Lie wrote: > As usual, if someone is interested in sending me a Mac I'll be happy to do the testing and submit > the results. > > *grin* :) > > > > Regards, > Siggi > > > > On Wed, September 19, 2012 10:08, Petr Spacek wrote: >> On 09/17/2012 10:32 PM, Steven Jones wrote: >> >>> If anyone has MAC instructions' I'd love a copy pls. >>> >> As usual, we can create account on freeipa.org wiki if anybody is interested >> in creating a how-to. That is the best place to share. >> >> Let us know! >> >> >> Petr^2 Spacek >> >> >>> ------------------------------------------------------------------------------ >>> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on >>> behalf of Dmitri Pal [dpal at redhat.com] *Sent:* Tuesday, 18 September 2012 6:47 a.m. >>> *To:* george he >>> *Cc:* freeipa-users at redhat.com >>> *Subject:* Re: [Freeipa-users] NFS on Mac >>> >>> >>> On 09/17/2012 02:21 PM, george he wrote: >>> >>>> sounds to me the link may work for nfs version 3 only. Now with IPA and NFS4, there got to be >>>> something more. George >>>> >>> I do not know the exact steps on mac because the is no ipa-client on Mac so >>> you would have to configure the machine to be an IPA client manually. This would mean that you >>> need to authenticate with kerberos and then make the nfs part use the credential cache of the >>> logged in user (if you are planning to use it for users mounting shares). This is what needs to >>> happen conceptually. I know that people have done in the past but I do not think there are >>> instructions. >>> >>> Once you manged to do it please see the presentation how to setup secure NFS >>> on Linux http://rhsummit.files.wordpress.com/2012/03/dickson_the_evolution_nfs_protocol.pdf >>> May be it will give you some hints and pointers. 
>>> >>> >>> The only known problem with this slide deck is that on slide 18 after kinit >>> admin and before ipa-getkeytab you need to add service for the NFS server ipa service-add >>> nfs/`hostname`@EXAMPLE >>> >>> HTH >>> >>>> ------------------------------------------------------------------------------ >>>> *From:* Dmitri Pal >>>> *To:* freeipa-users at redhat.com >>>> *Sent:* Monday, September 17, 2012 11:20 AM >>>> *Subject:* Re: [Freeipa-users] NFS on Mac >>>> >>>> >>>> On 09/17/2012 11:07 AM, george he wrote: >>>> >>>>> Hello all, >>>>> I have IPA server and NFS server set up on a computer running centos 6.3. >>>>> Is there a way to set up a mac laptop to access the data on the NFS server? >>>>> The laptop does not have a static IP. DNS is not configured with IPA. >>>>> If yes, how do I config the mac? >>>>> >>>> Is this what you are looking for? >>>> http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/ >>>> >>>> >>>>> Thanks, >>>>> George >>>>> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... 
From dpal at redhat.com Wed Sep 19 11:32:59 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 19 Sep 2012 07:32:59 -0400
Subject: [Freeipa-users] Password requirements too stringent
In-Reply-To: <20120919065642.GA15999@hendrix.brq.redhat.com>
References: <20120918072912.GA31442@hendrix.brq.redhat.com> <351696385.1717744.1348019028544.JavaMail.root@redhat.com> <20120919065642.GA15999@hendrix.brq.redhat.com>
Message-ID: <5059AD6B.1010309@redhat.com>

On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
>> So, commenting out:
>> password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
>>
>> Caused users updating their passwords using ssh to get:
>>
>> [ykatabam at ykatabam ~]$ ssh ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com
>> ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Permission denied, please try again.
>> ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Password expired. Change your password now.
>> Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user ykatabam.
>> Current Password:
>> Password change failed. Server message: Password change failed
>> passwd: Authentication token manipulation error
>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>>
>> Is that to say that you need at least 1 password requisite? That instead of commenting out the password requisite pam_cracklib.so, I should have replaced it with something?
> What did /var/log/secure have to say?
>
> The message sounds to me like it's coming from the server..

Please look at the krb5kdc.log on the server.
This is the server side message.
Most likely it did not like the password because it did not meet the policy.
I wonder whether there is a bug in case password policy has 0 for the required character classes. Trying different passwords and changing the policy while watching the log will give you more answers. > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From pspacek at redhat.com Wed Sep 19 11:56:21 2012 From: pspacek at redhat.com (Petr Spacek) Date: Wed, 19 Sep 2012 13:56:21 +0200 Subject: [Freeipa-users] Password requirements too stringent In-Reply-To: <5059AD6B.1010309@redhat.com> References: <20120918072912.GA31442@hendrix.brq.redhat.com> <351696385.1717744.1348019028544.JavaMail.root@redhat.com> <20120919065642.GA15999@hendrix.brq.redhat.com> <5059AD6B.1010309@redhat.com> Message-ID: <5059B2E5.50801@redhat.com> On 09/19/2012 01:32 PM, Dmitri Pal wrote: > On 09/19/2012 02:56 AM, Jakub Hrozek wrote: >> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote: >>> So, commenting out: >>> password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 >>> >>> Caused users updating their passwords using ssh to get: >>> >>> [ykatabam at ykatabam ~]$ ssh ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com >>> ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password: >>> Permission denied, please try again. >>> ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password: >>> Password expired. Change your password now. >>> Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com >>> WARNING: Your password has expired. >>> You must change your password now and login again! >>> Changing password for user ykatabam. >>> Current Password: >>> Password change failed. 
Server message: Password change failed >>> passwd: Authentication token manipulation error >>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed. >>> >>> Is that to say that you need at least 1 password requisite? That instead of commenting out the password requisite pam_cracklib.so, I should have replaced it with something? >> What did /var/log/secure have to say? >> >> The message sounds to me like it's coming from the server.. > Please look at the krb5kdc.log on the server. > This is the server side message. > Most likely it did not like the password because it did not meet the policy. > I wonder whether there is a bug in case password policy has 0 for the > required character classes. > Trying different passwords and changing the policy while watching the > log will give you more answers. BTW if required character classes == 1 there is nothing to enforce, because each (non-empty) password has at least one character class. You can check if there is some difference between 0 and 1. Petr^2 Spacek From dpal at redhat.com Wed Sep 19 12:12:38 2012 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 19 Sep 2012 08:12:38 -0400 Subject: [Freeipa-users] sudden ipa errors. In-Reply-To: <5058C646.8010308@lafayette.edu> References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com> <50352675.3010602@lafayette.edu> <50353C21.1050002@redhat.com> <5035482C.3080508@lafayette.edu> <50355701.403@redhat.com> <5036674F.40400@lafayette.edu> <5037E76F.7000902@redhat.com> <504DE30A.9080004@redhat.com> <5058C646.8010308@lafayette.edu> Message-ID: <5059B6B6.7010201@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/18/2012 03:06 PM, Nathan Lager wrote: > Sorry for falling off like that. > I opened a RedHat ticket on the issue, and have been running in > circles with them. I forgot to check on the list for responses. > > > I'm still having problems. 
Someone suggested I try: > > kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu > > Which i just did, and it worked, or, at least it initialized my session. > > I'm still unable to execute ipa commands. In fact, im unable to > execute almost any ipa commands. > > The web interface works, but only after RedHat had me enable kerberos > password auth in the httpd config. So i can now auth to the web gui > interactively, instead of requiring a kinit from my workstion. > > The only real client i have here is RHEV. And auth there still works > except on accounts which have expired. Those accounts, cant even > change their passwords. > > RedHat had me disable the password expiration via the web gui, however > that hasnt helped accounts that are already expired. > > RedHat is currently blaming time skew, which i think is ridiculous. Well this is probably my fault. I looked in the case (it is huge) and saw that there are issues with the time in the log so I suggested they ask you to check the times to rule that part out. I have not had a chance to follow up. But time skew usually creates all sorts of strange things and if the time skew was the problem in the past but some passwords were created then there might be problems with the expiration. I was also very concerned about the framework not being able to get kerberos ticket for whatever reason and the reason was not clear. > Im testing my ipa commands right on the ipa master. How could there > possible be time skew. This was not clear from the case and also I asked to ask you just to check the time on the server. > I did find that the time on my replica was > off, but my replica isnt working anyway, which is a whole other issue. > I think it needs to be flattened, and re-joined. OK let us treat it as a separate issue. > > > On 09/10/2012 08:54 AM, Dmitri Pal wrote: > > On 08/24/2012 04:43 PM, Rob Crittenden wrote: > >> Nathan Lager wrote: > >>> This did not seem to help... 
> >>> > >> > >> What else isn't working? Does the UI work? Do clients on other > >> machines work? Does user lookup still work? > >> > >> rob > > > > Was this issue ever resolved? > > >> > >>> > >>> On 08/22/2012 06:02 PM, Rob Crittenden wrote: > >>>> Nathan Lager wrote: > >>>>> [root at ipaserver PROD krb5kdc]# ipactl status Directory > >>>>> Service: RUNNING KDC Service: RUNNING KPASSWD Service: > >>>>> RUNNING MEMCACHE Service: RUNNING HTTP Service: RUNNING CA > >>>>> Service: RUNNING [root at ipaserver PROD krb5kdc]# rpm -qa | > >>>>> grep ipa-server ipa-server-selinux-2.2.0-16.el6.x86_64 > >>>>> ipa-server-2.2.0-16.el6.x86_64 > >>>> > >>>> I'd try removing /tmp/krb5cc_48. This is the ccache used by > >>>> Apache for doing S4U2Proxy. No restart of httpd should be > >>>> required. > >>>> > >>>> rob > >>>> > >>>>> > >>>>> > >>>>> On 08/22/2012 04:08 PM, Rob Crittenden wrote: > >>>>>> Nathan Lager wrote: > >>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > >>>>>>> > >>>>>>> I tried the same, kinit, and then ipa passwd commands > >>>>>>> as before, here's the output: > >>>>>>> > >>>>>>> Aug 22 14:32:13 ipaserver.lafayette.edu > >>>>>>> krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) > >>>>>>> ipa-servers-ip: NEEDED_PREAUTH: > >>>>>>> lagern at SYSTEMS.LAFAYETTE.EDU for > >>>>>>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU, > >>>>>>> Additional pre-authentication required > >>>>>>> > >>>>>>> Aug 22 14:32:19 ipaserver.lafayette.edu > >>>>>>> krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) > >>>>>>> ipa-servers-ip: ISSUE: authtime 1345660339, etypes > >>>>>>> {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU > >>>>>>> for krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU > >>>>>>> > >>>>>>> Aug 22 14:32:35 ipaserver.lafayette.edu > >>>>>>> krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23}) > >>>>>>> ipa-servers-ip: ISSUE: authtime 1345660339, etypes > >>>>>>> {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU > >>>>>>> for 
HTTP/ipaserver.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>
> >>>>>> What version of IPA is this?
> >>>>>>
> >>>>>> Does ipactl status show all services up?
> >>>>>>
> >>>>>> rob
> >>>>>
> >>>>
> >>>
> >>
> >

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Sep 19 12:20:57 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 19 Sep 2012 08:20:57 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <5058DB90.3000908@lafayette.edu>
References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com> <50352675.3010602@lafayette.edu> <50353C21.1050002@redhat.com> <5035482C.3080508@lafayette.edu> <50355701.403@redhat.com> <5036674F.40400@lafayette.edu> <5037E76F.7000902@redhat.com> <504DE30A.9080004@redhat.com> <5058C646.8010308@lafayette.edu> <5058C9D8.7020407@redhat.com> <5058DB90.3000908@lafayette.edu>
Message-ID: <5059B8A9.6040706@redhat.com>

On 09/18/2012 04:37 PM, Nathan Lager wrote:
> [Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1597): [client 139.147.7.204] Done obtaining credentials for s4u2proxy, referer: https://caroline0.lafayette.edu/ipa/xml
> [Tue Sep 18 16:27:08 2012] [debug] src/mod_auth_kerb.c(1138): [client 139.147.7.204] GSS-API major_status:000d0000, minor_status:00000000, referer: https://caroline0.lafayette.edu/ipa/xml
> [Tue Sep 18 16:27:08 2012] [error] [client 139.147.7.204] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Unknown error), referer: https://caroline0.lafayette.edu/ipa/xml
> [Tue Sep 18 16:27:08 2012] [info] [client 139.147.7.204] (32)Broken pipe: core_output_filter: writing data to the network
> [Tue Sep 18 16:27:08 2012] [info] Connection to child 1 closed (server caroline0.lafayette.edu:443, client 139.147.7.204)

This is probably the most significant part. It gets creds for s4u2proxy and then dies getting the what? The cred for ldap?
Rob, is there any log that would be worth looking at in this situation?
There should be a keytab for the ldap principal. Do we know if it is OK?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jreg2k at gmail.com Wed Sep 19 14:29:47 2012
From: jreg2k at gmail.com (James James)
Date: Wed, 19 Sep 2012 16:29:47 +0200
Subject: [Freeipa-users] ipa {user-find} ca cert file
Message-ID:

Hi,

I have followed this http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA and everything works well.

Now when, from the console, I execute

$ ipa user-find

I've got

[root at ipa ipa]# ipa user-find
ipa: ERROR: cert validation failed for "E=certusser at example.com,CN=ipa.example.com,OU=TEST,O=TEST,C=FR" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to u'http://ipa.lix.example.com/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

Any help will be very appreciated ..

James

From rcritten at redhat.com Wed Sep 19 14:37:28 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Sep 2012 10:37:28 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <1938173025.2883682.1348020358791.JavaMail.root@zstore00.zprd.lafayette.edu>
References: <1938173025.2883682.1348020358791.JavaMail.root@zstore00.zprd.lafayette.edu>
Message-ID: <5059D8A8.1060100@redhat.com>

Lager, Nathan T.
wrote:
>
> ----- Original Message -----
>> From: "Rob Crittenden"
>> To: "Nathan Lager"
>> Cc: freeipa-users at redhat.com
>> Sent: Tuesday, September 18, 2012 5:17:00 PM
>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>
>> Ok, what are the permissions on the keytab, /etc/httpd/conf/ipa.keytab?
>> They should be apache:apache mode 0600.
>
> [lagern at caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
> -rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab
>
>> Are you in SELinux enforcing mode? Can you try in permissive to see if that works?
> I was enforcing at the start of all of this, but I've since switched to permissive for troubleshooting. It hasn't made a difference.

Are you getting an HTTP service principal in the client?

$ kdestroy
$ kinit admin
$ ipa user-show admin
$ klist -fea

Let's try to skip s4u2proxy. Does this work:

$ ipa --delegate user-show admin

Unfortunately the major and minor error codes are as generic as can be so they aren't any help at all.

rob

From rcritten at redhat.com Wed Sep 19 14:40:37 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Sep 2012 10:40:37 -0400
Subject: [Freeipa-users] ipa {user-find} ca cert file
In-Reply-To:
References:
Message-ID: <5059D965.4080907@redhat.com>

James James wrote:
> Hi,
>
> I have followed this
> http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA
> and everything works well.
>
> Now when, from the console, I execute
>
> $ ipa user-find
>
> I've got
>
> [root at ipa ipa]# ipa user-find
> ipa: ERROR: cert validation failed for "E=certusser at example.com,CN=ipa.example.com,OU=TEST,O=TEST,C=FR"
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to u'http://ipa.lix.example.com/ipa/xml':
> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
>
> Any help will be very appreciated ..

You need to add the CA certificate to /etc/pki/nssdb on the client and mark it as trusted.

Note that installing certificates from another CA is not recommended and you may run into further corner cases. If you have an existing CA then installing the IPA dogtag CA as a subordinate is a better long-term solution.

rob

From jreg2k at gmail.com Wed Sep 19 14:48:01 2012
From: jreg2k at gmail.com (James James)
Date: Wed, 19 Sep 2012 16:48:01 +0200
Subject: [Freeipa-users] ipa {user-find} ca cert file
In-Reply-To: <5059D965.4080907@redhat.com>
References: <5059D965.4080907@redhat.com>
Message-ID:

OK Thanks a lot for the solution and for the advice.

2012/9/19 Rob Crittenden
> James James wrote:
>
>> Hi,
>>
>> I have followed this
>> http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA
>> and everything works well.
>>
>> Now when, from the console, I execute
>>
>> $ ipa user-find
>>
>> I've got
>>
>> [root at ipa ipa]# ipa user-find
>> ipa: ERROR: cert validation failed for "E=certusser at example.com,CN=ipa.example.com,OU=TEST,O=TEST,C=FR"
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>> ipa: ERROR: cannot connect to u'http://ipa.lix.example.com/ipa/xml':
>> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
>>
>> Any help will be very appreciated ..
>>
>
> You need to add the CA certificate to /etc/pki/nssdb on the client and
> mark it as trusted.
>
> Note that installing certificates from another CA is not recommended and
> you may run into further corner cases. If you have an existing CA then
> installing the IPA dogtag CA as a subordinate is a better long-term
> solution.
>
> rob
>
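Rob's answer above is to add the external CA certificate to /etc/pki/nssdb on the client and mark it trusted. The script below is an added example written for this archive, not FreeIPA project code, showing the certutil steps and a check that the trust flags actually took effect (an import with the wrong flags leaves the SEC_ERROR_UNTRUSTED_ISSUER error in place). The PEM path and the nickname "Example Corp CA" are placeholders chosen here, and the listing text is a constructed sample of `certutil -L` output used by the check.

```shell
#!/bin/sh
# Added example: import an external CA into the client NSS database and
# verify it is marked as a trusted CA. Not FreeIPA code; the PEM file path,
# nickname and sample listing below are assumptions/constructed values.

NSSDB=${NSSDB:-/etc/pki/nssdb}

# Import a CA certificate and mark it trusted. Trust flags "CT,C,C":
# C = trusted CA for issuing server certs, T = trusted for client auth,
# given for the SSL, S/MIME and JAR/XPI columns respectively.
nss_import_ca() {   # $1 = PEM file, $2 = nickname
    certutil -A -d "$NSSDB" -n "$2" -t "CT,C,C" -a -i "$1"
}

# Return 0 if the nickname appears in a `certutil -L` listing ($1) with a
# C (trusted CA) flag in the SSL column, 1 otherwise. certutil pads the
# nickname column, so the text after the nickname must be only the flags;
# that keeps "Example Corp" from matching "Example Corp CA".
nss_ca_trusted() {  # $1 = listing text, $2 = nickname
    flags=$(printf '%s\n' "$1" | awk -v n="$2" '
        substr($0, 1, length(n)) == n {
            rest = substr($0, length(n) + 1)
            sub(/^[ \t]+/, "", rest)
            if (rest ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/) print rest
        }')
    [ -n "$flags" ] || return 1            # nickname not in the database
    case "${flags%%,*}" in *C*) return 0 ;; *) return 1 ;; esac
}

# Import, then confirm the database really reports the CA as trusted.
nss_add_trusted_ca() {   # $1 = PEM file, $2 = nickname
    nss_import_ca "$1" "$2" || return 1
    nss_ca_trusted "$(certutil -L -d "$NSSDB")" "$2"
}

# Constructed sample of `certutil -L -d /etc/pki/nssdb` output: one CA
# imported with the right flags, one imported without trust.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp CA                                              CT,C,C
Untrusted CA                                                 ,,'

# Typical use on the client (placeholder path), then retry the failing call:
#   nss_add_trusted_ca /root/external-ca.pem "Example Corp CA" && ipa user-find
```

The check after the import matters because `certutil -A` with flags such as ",," succeeds but leaves the issuer untrusted, which is exactly the state James's error reports.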
From lagern at lafayette.edu Wed Sep 19 15:26:09 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Wed, 19 Sep 2012 11:26:09 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <5059D8A8.1060100@redhat.com>
References: <1938173025.2883682.1348020358791.JavaMail.root@zstore00.zprd.lafayette.edu> <5059D8A8.1060100@redhat.com>
Message-ID: <5059E411.7030704@lafayette.edu>

On 09/19/2012 10:37 AM, Rob Crittenden wrote:
> Lager, Nathan T. wrote:
>>
>> ----- Original Message -----
>>> From: "Rob Crittenden"
>>> To: "Nathan Lager"
>>> Cc: freeipa-users at redhat.com
>>> Sent: Tuesday, September 18, 2012 5:17:00 PM
>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>
>>> Ok, what are the permissions on the keytab, /etc/httpd/conf/ipa.keytab?
>>> They should be apache:apache mode 0600.
>>
>> [lagern at caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
>> -rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab
>>
>>> Are you in SELinux enforcing mode? Can you try in permissive to see if that works?
>> I was enforcing at the start of all of this, but I've since switched to permissive for troubleshooting. It hasn't made a difference.
>
> Are you getting an HTTP service principal in the client?
>
> $ kdestroy
> $ kinit admin
> $ ipa user-show admin
> $ klist -fea
>
> Let's try to skip s4u2proxy. Does this work:
>
> $ ipa --delegate user-show admin
>
> Unfortunately the major and minor error codes are as generic as can be so they aren't any help at all.
>
> rob

Here's the output. The --delegate still failed.
[root at caroline0 PROD ~]# klist -fea
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lagern at SYSTEMS.LAFAYETTE.EDU

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU
        Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        Addresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
        Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        Addresses: (none)
[root at caroline0 PROD ~]# ipa --delegate user-show admin
ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
[root at caroline0 PROD ~]#

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042

From rcritten at redhat.com Wed Sep 19 15:34:09 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Sep 2012 11:34:09 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <5059E411.7030704@lafayette.edu>
References: <1938173025.2883682.1348020358791.JavaMail.root@zstore00.zprd.lafayette.edu> <5059D8A8.1060100@redhat.com> <5059E411.7030704@lafayette.edu>
Message-ID: <5059E5F1.5070904@redhat.com>

Nathan Lager wrote:
>
> On 09/19/2012 10:37 AM, Rob Crittenden wrote:
>> Lager, Nathan T. wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Rob Crittenden"
>>>> To: "Nathan Lager"
>>>> Cc: freeipa-users at redhat.com
>>>> Sent: Tuesday, September 18, 2012 5:17:00 PM
>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>
>>>> Ok, what are the permissions on the keytab, /etc/httpd/conf/ipa.keytab?
>>>> They should be apache:apache mode 0600.
>>>
>>> [lagern at caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
>>> -rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab
>>>
>>>> Are you in SELinux enforcing mode? Can you try in permissive to see if that works?
>>> I was enforcing at the start of all of this, but I've since switched to permissive for troubleshooting. It hasn't made a difference.
>>
>> Are you getting an HTTP service principal in the client?
>>
>> $ kdestroy
>> $ kinit admin
>> $ ipa user-show admin
>> $ klist -fea
>>
>> Let's try to skip s4u2proxy. Does this work:
>>
>> $ ipa --delegate user-show admin
>>
>> Unfortunately the major and minor error codes are as generic as can be so they aren't any help at all.
>>
>> rob
>
> Here's the output. The --delegate still failed.
>
> [root at caroline0 PROD ~]# klist -fea
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: lagern at SYSTEMS.LAFAYETTE.EDU
>
> Valid starting     Expires            Service principal
> 09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU
>         Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>         Addresses: (none)
> 09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>         Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>         Addresses: (none)
> [root at caroline0 PROD ~]# ipa --delegate user-show admin
> ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
> [root at caroline0 PROD ~]#

Is it the same major/minor error in gss_acquire_cred()?

Does GSSAPI over LDAP work?

$ ldapsearch -Y GSSAPI -h ipa.example.com -b cn=users,cn=accounts,dc=example,dc=com admin

rob

From mmercier at gmail.com Wed Sep 19 16:00:08 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Wed, 19 Sep 2012 12:00:08 -0400
Subject: [Freeipa-users] errors when one ipa server down
In-Reply-To: <20120918200327.GO31442@hendrix.brq.redhat.com>
References: <199A95F6-FB79-4CAE-8BC7-09D0AD6B6E2B@gmail.com> <504A415B.1070609@redhat.com> <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com> <504DA634.8010903@redhat.com> <50573F1B.7050100@redhat.com> <20120918080308.GB31442@hendrix.brq.redhat.com> <6403B493-B1B6-4684-A986-6AC26F3B344F@gmail.com> <20120918200327.GO31442@hendrix.brq.redhat.com>
Message-ID:

On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote:

> On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote:
>>
>> On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
>>
>>> On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
>>>>> [root at ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8
>>>>>
>>>>> [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>>>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
>>>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
>>>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
>>>>> [sssd_krb5_locator] [172.16.112.8] used
>>>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
>>>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
>>>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
>>>>> [sssd_krb5_locator] [172.16.112.8] used
>>>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>
>>>> Jakub, does this make sense to you?
>>>>
>>>
>>> As stated elsewhere in this thread, bare kinit does not contact the SSSD
>>> at all. You want to go through the PAM stack (with "su - mike" or "ssh
>>> mike at ipaclient") in order to contact the SSSD so that the SSSD refreshes
>>> the file.
>>>
>>> Does using "su - mike" refresh the file?
>>
>> When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers.
>>
>> e.g.
>>
>> [root at ipaclient sssd]# su - mike
>
> ^^ Sorry, but can you re-run the test again and either su from another
> non-root user or ssh into the client for instance? The reason is that
> performing su as root would not contact the SSSD at all either. The
> default PAM configuration for su includes "pam_rootok.so" which just
> returns PAM_SUCCESS if the user who performs su has UID=0.

Hello,

[mike at ipaclient ~]$ su - eric
Password:                       # NOTE: no delay
[eric at ipaclient ~]$ exit
logout

[root at ipaserver ~]ifdown eth0

[mike at ipaclient ~]$ su - eric
Password:                       # NOTE: there is a delay here, ~5 seconds
[eric at ipaclient ~]$ exit
logout

[root at ipaserver ~]ifup eth0
[root at ipaserver2 ~]ifdown eth0

[mike at ipaclient ~]$ su - eric
Password:                       # NOTE: no delay
[eric at ipaclient ~]$ exit
logout

[root at ipaserver ~]ifdown eth0
[root at ipaserver2 ~]ifup eth0

[mike at ipaclient ~]$ su - eric
Password:                       # NOTE: no delay
[eric at ipaclient ~]$ exit
logout

There does not appear to be any problems when doing an su -. An additional note is that the ipaclient system had been sitting idle all night.
Right before starting this test, I had to unlock the workstation. Thanks, Mike > > I kinda expect the result to be the same (at least for user who is not > recently cached) because the case of IPA we need to establish a GSSAPI > encrypted connection anyway so we'd talk to the KDC only to perform > initgroups. From jhrozek at redhat.com Wed Sep 19 16:11:17 2012 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 19 Sep 2012 18:11:17 +0200 Subject: [Freeipa-users] errors when one ipa server down In-Reply-To: References: <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com> <504DA634.8010903@redhat.com> <50573F1B.7050100@redhat.com> <20120918080308.GB31442@hendrix.brq.redhat.com> <6403B493-B1B6-4684-A986-6AC26F3B344F@gmail.com> <20120918200327.GO31442@hendrix.brq.redhat.com> Message-ID: <20120919161117.GL15999@hendrix.brq.redhat.com> On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote: > > On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote: > > > On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote: > >> > >> On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote: > >> > >>> On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: > >>>>> [root at ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8 > >>>>> > >>>>> [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike > >>>>> [sssd_krb5_locator] sssd_krb5_locator_init called > >>>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL]. > >>>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1] > >>>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2] > >>>>> [sssd_krb5_locator] [172.16.112.8] used > >>>>> [sssd_krb5_locator] sssd_krb5_locator_close called > >>>>> [sssd_krb5_locator] sssd_krb5_locator_init called > >>>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL]. 
> >>>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1] > >>>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1] > >>>>> [sssd_krb5_locator] [172.16.112.8] used > >>>>> [sssd_krb5_locator] sssd_krb5_locator_close called > >>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials > >>>> > >>>> Jakub, does this make sense to you? > >>>> > >>> > >>> As stated elsewhere in this thread, bare kinit does not contact the SSSD > >>> at all. You want to go through the PAM stack (with "su - mike" or "ssh > >>> mike at ipaclient") in order to contact the SSSD so that the SSSD refreshes > >>> the file. > >>> > >>> Does using "su - mike" refresh the file? > >> > >> When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. > >> > >> e.g. > >> > >> [root at ipaclient sssd]# su - mike > > > > ^^ Sorry, but can you re-run the test again and either su from another > > non-root user or ssh into the client for instance? The reason is that > > performing su as root would not contact the SSSD at all either. The > > default PAM configuration for su includes "pam_rootok.so" which just > > returns PAM_SUCCESS if the user who performs su has UID=0. 
>
> Hello,
>
> [mike at ipaclient ~]$ su - eric
> Password:   # NOTE: no delay
> [eric at ipaclient ~]$ exit
> logout
>
> [root at ipaserver ~]ifdown eth0
>
> [mike at ipaclient ~]$ su - eric
> Password:   # NOTE: there is a delay here, ~5 seconds
> [eric at ipaclient ~]$ exit
> logout
>
> [root at ipaserver ~]ifup eth0
>
> [root at ipaserver2 ~]ifdown eth0
>
> [mike at ipaclient ~]$ su - eric
> Password:   # NOTE: no delay
> [eric at ipaclient ~]$ exit
> logout
>
> [root at ipaserver ~]ifdown eth0
>
> [root at ipaserver2 ~]ifup eth0
>
> [mike at ipaclient ~]$ su - eric
> Password:   # NOTE: no delay
> [eric at ipaclient ~]$ exit
> logout
>
> There does not appear to be any problems when doing an su -.
>

I agree. I think that the SSSD fails over just fine.

> An additional note is that the ipaclient system had been sitting idle all night. Right before starting this test, I had to unlock the workstation.

The unlock (if performed through GDM at least) would trigger an auth and by extension going online/offline.

What I suspect was happening is that the kinit just contacted a KDC that was present in the kdcinfo files, but down without the Kerberos libraries knowing it was down -- and without a mechanism to tell the SSSD to go and try another server. We're tracking this as a future enhancement.

Thank you for testing, Mike!
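The failure mode Jakub describes (a bare kinit takes the KDC address from the SSSD kdcinfo file, and that KDC is down, so kinit fails while SSSD never notices) can be checked from the client side. This is an added example, not code from the thread or from SSSD; it assumes the kdcinfo file format of one "address[:port]" per line with IPv6 addresses in brackets and port 88 as the default, and the live probe is a plain TCP connect, so it says nothing about UDP reachability.

```python
"""Added example: parse an SSSD kdcinfo.<REALM> file and probe the KDCs it names.

Assumed file format (not taken from the thread): one "addr[:port]" per line,
IPv6 addresses in brackets, port 88 when none is given.
"""
import socket
from typing import Callable, Dict, List, Tuple

KDC_PORT = 88  # default Kerberos port when an entry carries none


def parse_kdcinfo(text: str) -> List[Tuple[str, int]]:
    """Return (host, port) pairs from kdcinfo text; blank lines are skipped."""
    entries: List[Tuple[str, int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):                  # [v6addr] or [v6addr]:port
            host, _, rest = line[1:].partition("]")
            port = int(rest[1:]) if rest.startswith(":") else KDC_PORT
        elif line.count(":") == 1:                # v4addr:port or name:port
            host, _, port_s = line.partition(":")
            port = int(port_s)
        else:                                     # bare v4addr, name, or bare v6addr
            host, port = line, KDC_PORT
        entries.append((host, port))
    return entries


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live probe: a TCP connect to the KDC port (the socktype[1] path in the
    locator log above). A refused or timed-out connect counts as down."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_kdcinfo(text: str,
                  probe: Callable[[str, int], bool] = tcp_probe) -> Dict[str, object]:
    """Probe every listed KDC. 'stale' means the file names KDCs but none answer:
    exactly the state in which kinit fails and SSSD has not yet refreshed the file.
    The probe is injectable so the logic can be exercised without a network."""
    entries = parse_kdcinfo(text)
    up = [e for e in entries if probe(*e)]
    down = [e for e in entries if e not in up]
    return {"up": up, "down": down, "stale": bool(entries) and not up}


if __name__ == "__main__":
    import sys
    # Default path uses the realm from this thread; pass another file as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL"
    with open(path) as fh:
        print(check_kdcinfo(fh.read()))
```

A "stale" result with a reachable replica elsewhere is the cue to trigger an SSSD authentication through PAM (as Jakub suggests) rather than to keep retrying kinit.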
From dpal at redhat.com Wed Sep 19 16:27:25 2012 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 19 Sep 2012 12:27:25 -0400 Subject: [Freeipa-users] errors when one ipa server down In-Reply-To: <20120919161117.GL15999@hendrix.brq.redhat.com> References: <504A5DFA.1040401@redhat.com> <504B5E46.1020002@redhat.com> <504DA634.8010903@redhat.com> <50573F1B.7050100@redhat.com> <20120918080308.GB31442@hendrix.brq.redhat.com> <6403B493-B1B6-4684-A986-6AC26F3B344F@gmail.com> <20120918200327.GO31442@hendrix.brq.redhat.com> <20120919161117.GL15999@hendrix.brq.redhat.com> Message-ID: <5059F26D.2060505@redhat.com> On 09/19/2012 12:11 PM, Jakub Hrozek wrote: > On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote: >> On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote: >> >>> On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote: >>>> On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote: >>>> >>>>> On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: >>>>>>> [root at ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8 >>>>>>> >>>>>>> [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike >>>>>>> [sssd_krb5_locator] sssd_krb5_locator_init called >>>>>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL]. >>>>>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1] >>>>>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2] >>>>>>> [sssd_krb5_locator] [172.16.112.8] used >>>>>>> [sssd_krb5_locator] sssd_krb5_locator_close called >>>>>>> [sssd_krb5_locator] sssd_krb5_locator_init called >>>>>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL]. 
>>>>>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1] >>>>>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1] >>>>>>> [sssd_krb5_locator] [172.16.112.8] used >>>>>>> [sssd_krb5_locator] sssd_krb5_locator_close called >>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials >>>>>> Jakub, does this make sense to you? >>>>>> >>>>> As stated elsewhere in this thread, bare kinit does not contact the SSSD >>>>> at all. You want to go through the PAM stack (with "su - mike" or "ssh >>>>> mike at ipaclient") in order to contact the SSSD so that the SSSD refreshes >>>>> the file. >>>>> >>>>> Does using "su - mike" refresh the file? >>>> When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. >>>> >>>> e.g. >>>> >>>> [root at ipaclient sssd]# su - mike >>> ^^ Sorry, but can you re-run the test again and either su from another >>> non-root user or ssh into the client for instance? The reason is that >>> performing su as root would not contact the SSSD at all either. The >>> default PAM configuration for su includes "pam_rootok.so" which just >>> returns PAM_SUCCESS if the user who performs su has UID=0. 
>> Hello, >> >> [mike at ipaclient ~]$ su - eric >> Password: # NOTE: no delay >> [eric at ipaclient ~]$ exit >> logout >> >> [root at ipaserver ~]ifdown eth0 >> >> [mike at ipaclient ~]$ su - eric >> Password: # NOTE: there is a delay here, ~5 seconds >> [eric at ipaclient ~]$ exit >> logout >> >> [root at ipaserver ~]ifup eth0 >> >> [root at ipaserver2 ~]ifdown eth0 >> >> [mike at ipaclient ~]$ su - eric >> Password: # NOTE: no delay >> [eric at ipaclient ~]$exit >> logout >> >> [root at ipaserver ~]ifdown eth0 >> >> [root at ipaserver2 ~]ifup eth0 >> >> [mike at ipaclient ~]$ su - eric >> Password: # NOTE: no delay >> [eric at ipaclient ~]$ exit >> logout >> >> There does not appear to be any problems when doing an su -. >> > I agree. I think that the SSSD fails over just fine. > >> An addition note is that the ipaclient system had been sitting idle all night. Right before starting this test, I had to unlock the workstation. > The unlock (if perfomed through GDM at least) would trigger an auth and > by extension going online/offline. > > What I suspect was happening is that the kinit just contacted a KDC that was > present in the kdcinfo files, but down without the Kerberos libraries > knowing it was down -- and without a mechanism to tell the SSSD to go > and try another server. We're tracking this as a future enhancement.. Do you have a ticket handy? > > Thank you for testing, Mike! -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From lagern at lafayette.edu Wed Sep 19 18:47:34 2012 From: lagern at lafayette.edu (Nathan Lager) Date: Wed, 19 Sep 2012 14:47:34 -0400 Subject: [Freeipa-users] sudden ipa errors. 
In-Reply-To: <5059E5F1.5070904@redhat.com> References: <1938173025.2883682.1348020358791.JavaMail.root@zstore00.zprd.lafayette.edu> <5059D8A8.1060100@redhat.com> <5059E411.7030704@lafayette.edu> <5059E5F1.5070904@redhat.com> Message-ID: <505A1346.4010002@lafayette.edu> On 09/19/2012 11:34 AM, Rob Crittenden wrote: > Nathan Lager wrote: >> >> On 09/19/2012 10:37 AM, Rob Crittenden wrote: >>> Lager, Nathan T. wrote: >>>> >>>> ----- Original Message ----- >>>>> From: "Rob Crittenden" To: "Nathan >>>>> Lager" Cc: freeipa-users at redhat.com >>>>> Sent: Tuesday, September 18, 2012 5:17:00 PM Subject: Re: >>>>> [Freeipa-users] sudden ipa errors. >>>>> >>>>> Ok, what are the permissions on the keytab, >>>>> /etc/httpd/conf/ipa.keytab? They should be apache:apache >>>>> mode 0600. >>>> >>>> [lagern at caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab >>>> -rw-------. apache apache >>>> unconfined_u:object_r:httpd_config_t:s0 >>>> /etc/httpd/conf/ipa.keytab >>>> >>>>> >>>>> Are you in SELinux enforcing mode? Can you try in >>>>> permissive to see if that works? >>>> I was enforcing at the start of all of this, but ive since >>>> switched to permissive for troubleshooting. It hasnt made a >>>> difference. >>> >>> Are you getting an HTTP service principal in the client? >>> >>> $ kdestroy $ kinit admin $ ipa user-show admin $ klist >>> -fea >>> >>> Lets try to skip s4u2proxy. Does this work: >>> >>> $ ipa --delegate user-show admin >>> >>> Unfortunately the major and minor error codes are as generic as >>> can be so they aren't any help at all. >>> >>> rob >> >> Here's the output. The --delegate still failed. 
>> >> [root at caroline0 PROD ~]# klist -fea Ticket cache: >> FILE:/tmp/krb5cc_0 Default principal: >> lagern at SYSTEMS.LAFAYETTE.EDU >> >> Valid starting Expires Service principal 09/19/12 >> 11:23:03 09/20/12 11:22:52 >> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU Flags: FIA, >> Etype (skey, tkt): aes256-cts-hmac-sha1-96, >> aes256-cts-hmac-sha1-96 Addresses: (none) 09/19/12 11:23:11 >> 09/20/12 11:22:52 >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU Flags: FAT, >> Etype (skey, tkt): aes256-cts-hmac-sha1-96, >> aes256-cts-hmac-sha1-96 Addresses: (none) [root at caroline0 PROD >> ~]# ipa --delegate user-show admin ipa: ERROR: cannot connect to >> u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error >> [root at caroline0 PROD ~]# > > Is it the same major/minor error in gss_acquire_cred()? > > Does GSSAPI over LDAP work? > > $ ldapsearch -Y GSSAPI -h ipa.example.com -b > cn=users,cn=accounts,dc=example,dc=com admin > This appears to work. [root at caroline0 PROD ~]# ldapsearch -Y GSSAPI -h caroline0.lafayette.edu -b cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin SASL/GSSAPI authentication started SASL username: lagern at SYSTEMS.LAFAYETTE.EDU SASL SSF: 56 SASL data security layer installed. 
# extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: admin # # users, accounts, systems.lafayette.edu dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu # admin, users, accounts, systems.lafayette.edu dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu <-- a bunch of other users here --> # search result search: 4 result: 0 Success # numResponses: 10 # numEntries: 9 > rob > > -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nathan Lager, RHCSA, RHCE (#110-011-426) System Administrator 11 Pardee Hall Lafayette College, Easton, PA 18042 From rcritten at redhat.com Wed Sep 19 18:54:16 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 19 Sep 2012 14:54:16 -0400 Subject: [Freeipa-users] sudden ipa errors. In-Reply-To: <505A1346.4010002@lafayette.edu> References: <1938173025.2883682.1348020358791.JavaMail.root@zstore00.zprd.lafayette.edu> <5059D8A8.1060100@redhat.com> <5059E411.7030704@lafayette.edu> <5059E5F1.5070904@redhat.com> <505A1346.4010002@lafayette.edu> Message-ID: <505A14D8.2050404@redhat.com> Nathan Lager wrote: > > > On 09/19/2012 11:34 AM, Rob Crittenden wrote: >> Nathan Lager wrote: >>> >>> On 09/19/2012 10:37 AM, Rob Crittenden wrote: >>>> Lager, Nathan T. wrote: >>>>> >>>>> ----- Original Message ----- >>>>>> From: "Rob Crittenden" To: "Nathan >>>>>> Lager" Cc: freeipa-users at redhat.com >>>>>> Sent: Tuesday, September 18, 2012 5:17:00 PM Subject: Re: >>>>>> [Freeipa-users] sudden ipa errors. >>>>>> >>>>>> Ok, what are the permissions on the keytab, >>>>>> /etc/httpd/conf/ipa.keytab? They should be apache:apache >>>>>> mode 0600. >>>>> >>>>> [lagern at caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab >>>>> -rw-------. apache apache >>>>> unconfined_u:object_r:httpd_config_t:s0 >>>>> /etc/httpd/conf/ipa.keytab >>>>> >>>>>> >>>>>> Are you in SELinux enforcing mode? Can you try in >>>>>> permissive to see if that works? 
>>>>> I was enforcing at the start of all of this, but ive since >>>>> switched to permissive for troubleshooting. It hasnt made a >>>>> difference. >>>> >>>> Are you getting an HTTP service principal in the client? >>>> >>>> $ kdestroy $ kinit admin $ ipa user-show admin $ klist >>>> -fea >>>> >>>> Lets try to skip s4u2proxy. Does this work: >>>> >>>> $ ipa --delegate user-show admin >>>> >>>> Unfortunately the major and minor error codes are as generic as >>>> can be so they aren't any help at all. >>>> >>>> rob >>> >>> Here's the output. The --delegate still failed. >>> >>> [root at caroline0 PROD ~]# klist -fea Ticket cache: >>> FILE:/tmp/krb5cc_0 Default principal: >>> lagern at SYSTEMS.LAFAYETTE.EDU >>> >>> Valid starting Expires Service principal 09/19/12 >>> 11:23:03 09/20/12 11:22:52 >>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU Flags: FIA, >>> Etype (skey, tkt): aes256-cts-hmac-sha1-96, >>> aes256-cts-hmac-sha1-96 Addresses: (none) 09/19/12 11:23:11 >>> 09/20/12 11:22:52 >>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU Flags: FAT, >>> Etype (skey, tkt): aes256-cts-hmac-sha1-96, >>> aes256-cts-hmac-sha1-96 Addresses: (none) [root at caroline0 PROD >>> ~]# ipa --delegate user-show admin ipa: ERROR: cannot connect to >>> u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error >>> [root at caroline0 PROD ~]# >> >> Is it the same major/minor error in gss_acquire_cred()? >> >> Does GSSAPI over LDAP work? >> >> $ ldapsearch -Y GSSAPI -h ipa.example.com -b >> cn=users,cn=accounts,dc=example,dc=com admin >> > This appears to work. > > [root at caroline0 PROD ~]# ldapsearch -Y GSSAPI -h > caroline0.lafayette.edu -b > cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin > SASL/GSSAPI authentication started > SASL username: lagern at SYSTEMS.LAFAYETTE.EDU > SASL SSF: 56 > SASL data security layer installed. 
> # extended LDIF > # > # LDAPv3 > # base with > scope subtree > # filter: (objectclass=*) > # requesting: admin > # > > # users, accounts, systems.lafayette.edu > dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu > > # admin, users, accounts, systems.lafayette.edu > dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu > > <-- a bunch of other users here --> > > # search result > search: 4 > result: 0 Success > > # numResponses: 10 > # numEntries: 9 > Ok, so it's JUST Apache then. Is the hostname on caroline0 set as a FQDN (/bin/hostname)? If not, I'd try setting it to caroline0.lafayette.edu If so, might be worth trying to refresh your Apache keytab. I made some educated guesses on your hostnames/realm, please double-check: # ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu@ SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab Should not be required to restart httpd but it shouldn't hurt. Run kdestroy/kinit before trying ipa user-show again. rob From lagern at lafayette.edu Wed Sep 19 19:37:43 2012 From: lagern at lafayette.edu (Nathan Lager) Date: Wed, 19 Sep 2012 15:37:43 -0400 Subject: [Freeipa-users] sudden ipa errors. In-Reply-To: <505A14D8.2050404@redhat.com> References: <1938173025.2883682.1348020358791.JavaMail.root@zstore00.zprd.lafayette.edu> <5059D8A8.1060100@redhat.com> <5059E411.7030704@lafayette.edu> <5059E5F1.5070904@redhat.com> <505A1346.4010002@lafayette.edu> <505A14D8.2050404@redhat.com> Message-ID: <505A1F07.3030007@lafayette.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/19/2012 02:54 PM, Rob Crittenden wrote: > Nathan Lager wrote: >> >> >> On 09/19/2012 11:34 AM, Rob Crittenden wrote: >>> Nathan Lager wrote: >>>> >>>> On 09/19/2012 10:37 AM, Rob Crittenden wrote: >>>>> Lager, Nathan T. 
wrote: >>>>>> >>>>>> ----- Original Message ----- >>>>>>> From: "Rob Crittenden" To: >>>>>>> "Nathan Lager" Cc: >>>>>>> freeipa-users at redhat.com Sent: Tuesday, September 18, >>>>>>> 2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa >>>>>>> errors. >>>>>>> >>>>>>> Ok, what are the permissions on the keytab, >>>>>>> /etc/httpd/conf/ipa.keytab? They should be >>>>>>> apache:apache mode 0600. >>>>>> >>>>>> [lagern at caroline0 PROD ~]$ ls -lZ >>>>>> /etc/httpd/conf/ipa.keytab -rw-------. apache apache >>>>>> unconfined_u:object_r:httpd_config_t:s0 >>>>>> /etc/httpd/conf/ipa.keytab >>>>>> >>>>>>> >>>>>>> Are you in SELinux enforcing mode? Can you try in >>>>>>> permissive to see if that works? >>>>>> I was enforcing at the start of all of this, but ive >>>>>> since switched to permissive for troubleshooting. It >>>>>> hasnt made a difference. >>>>> >>>>> Are you getting an HTTP service principal in the client? >>>>> >>>>> $ kdestroy $ kinit admin $ ipa user-show admin $ >>>>> klist -fea >>>>> >>>>> Lets try to skip s4u2proxy. Does this work: >>>>> >>>>> $ ipa --delegate user-show admin >>>>> >>>>> Unfortunately the major and minor error codes are as >>>>> generic as can be so they aren't any help at all. >>>>> >>>>> rob >>>> >>>> Here's the output. The --delegate still failed. 
>>>> >>>> [root at caroline0 PROD ~]# klist -fea Ticket cache: >>>> FILE:/tmp/krb5cc_0 Default principal: >>>> lagern at SYSTEMS.LAFAYETTE.EDU >>>> >>>> Valid starting Expires Service principal >>>> 09/19/12 11:23:03 09/20/12 11:22:52 >>>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU Flags: >>>> FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, >>>> aes256-cts-hmac-sha1-96 Addresses: (none) 09/19/12 11:23:11 >>>> 09/20/12 11:22:52 >>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU Flags: >>>> FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, >>>> aes256-cts-hmac-sha1-96 Addresses: (none) [root at caroline0 >>>> PROD ~]# ipa --delegate user-show admin ipa: ERROR: cannot >>>> connect to u'http://caroline0.lafayette.edu/ipa/xml': >>>> Internal Server Error [root at caroline0 PROD ~]# >>> >>> Is it the same major/minor error in gss_acquire_cred()? >>> >>> Does GSSAPI over LDAP work? >>> >>> $ ldapsearch -Y GSSAPI -h ipa.example.com -b >>> cn=users,cn=accounts,dc=example,dc=com admin >>> >> This appears to work. >> >> [root at caroline0 PROD ~]# ldapsearch -Y GSSAPI -h >> caroline0.lafayette.edu -b >> cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin >> SASL/GSSAPI authentication started SASL username: >> lagern at SYSTEMS.LAFAYETTE.EDU SASL SSF: 56 SASL data security >> layer installed. # extended LDIF # # LDAPv3 # base >> with scope >> subtree # filter: (objectclass=*) # requesting: admin # >> >> # users, accounts, systems.lafayette.edu dn: >> cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu >> >> # admin, users, accounts, systems.lafayette.edu dn: >> uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu >> >> <-- a bunch of other users here --> >> >> # search result search: 4 result: 0 Success >> >> # numResponses: 10 # numEntries: 9 >> > > Ok, so it's JUST Apache then. > > Is the hostname on caroline0 set as a FQDN (/bin/hostname)? 
>
> If not, I'd try setting it to caroline0.lafayette.edu
>
> If so, might be worth trying to refresh your Apache keytab. I made
> some educated guesses on your hostnames/realm, please
> double-check:
>
> # ipa-getkeytab -s caroline0.lafayette.edu -p
> HTTP/caroline0.lafayette.edu@ SYSTEMS.LAFAYETTE.EDU -k
> /etc/httpd/conf/ipa.keytab
>
> Should not be required to restart httpd but it shouldn't hurt. Run
> kdestroy/kinit before trying ipa user-show again.
>
> rob

Well, seems like we're at least narrowing things down. But it's still no good.

The hostname is the fqdn. /bin/hostname returns it as such.

[root at caroline0 PROD ~]# ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab
Keytab successfully retrieved and stored in: /etc/httpd/conf/ipa.keytab
[root at caroline0 PROD ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already used by another worker
[Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already used by another worker
[ OK ]
[root at caroline0 PROD ~]# kdestroy
[root at caroline0 PROD ~]# kinit lagern
Password for lagern at SYSTEMS.LAFAYETTE.EDU:
[root at caroline0 PROD ~]# ipa pwpolicy-show
ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042

From dpal at redhat.com Wed Sep 19 19:42:15 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 19 Sep 2012 15:42:15 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <505A1F07.3030007@lafayette.edu> References: <1938173025.2883682.1348020358791.JavaMail.root@zstore00.zprd.lafayette.edu> <5059D8A8.1060100@redhat.com> <5059E411.7030704@lafayette.edu> <5059E5F1.5070904@redhat.com> <505A1346.4010002@lafayette.edu> <505A14D8.2050404@redhat.com> <505A1F07.3030007@lafayette.edu> Message-ID: <505A2017.4010107@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/19/2012 03:37 PM, Nathan Lager wrote: > > > On 09/19/2012 02:54 PM, Rob Crittenden wrote: > > Nathan Lager wrote: > >> > >> > >> On 09/19/2012 11:34 AM, Rob Crittenden wrote: > >>> Nathan Lager wrote: > >>>> > >>>> On 09/19/2012 10:37 AM, Rob Crittenden wrote: > >>>>> Lager, Nathan T. wrote: > >>>>>> > >>>>>> ----- Original Message ----- > >>>>>>> From: "Rob Crittenden" To: > >>>>>>> "Nathan Lager" Cc: > >>>>>>> freeipa-users at redhat.com Sent: Tuesday, September 18, > >>>>>>> 2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa > >>>>>>> errors. > >>>>>>> > >>>>>>> Ok, what are the permissions on the keytab, > >>>>>>> /etc/httpd/conf/ipa.keytab? They should be > >>>>>>> apache:apache mode 0600. > >>>>>> > >>>>>> [lagern at caroline0 PROD ~]$ ls -lZ > >>>>>> /etc/httpd/conf/ipa.keytab -rw-------. apache apache > >>>>>> unconfined_u:object_r:httpd_config_t:s0 > >>>>>> /etc/httpd/conf/ipa.keytab > >>>>>> > >>>>>>> > >>>>>>> Are you in SELinux enforcing mode? Can you try in > >>>>>>> permissive to see if that works? > >>>>>> I was enforcing at the start of all of this, but ive > >>>>>> since switched to permissive for troubleshooting. It > >>>>>> hasnt made a difference. > >>>>> > >>>>> Are you getting an HTTP service principal in the client? > >>>>> > >>>>> $ kdestroy $ kinit admin $ ipa user-show admin $ > >>>>> klist -fea > >>>>> > >>>>> Lets try to skip s4u2proxy. 
Does this work: > >>>>> > >>>>> $ ipa --delegate user-show admin > >>>>> > >>>>> Unfortunately the major and minor error codes are as > >>>>> generic as can be so they aren't any help at all. > >>>>> > >>>>> rob > >>>> > >>>> Here's the output. The --delegate still failed. > >>>> > >>>> [root at caroline0 PROD ~]# klist -fea Ticket cache: > >>>> FILE:/tmp/krb5cc_0 Default principal: > >>>> lagern at SYSTEMS.LAFAYETTE.EDU > >>>> > >>>> Valid starting Expires Service principal > >>>> 09/19/12 11:23:03 09/20/12 11:22:52 > >>>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU Flags: > >>>> FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, > >>>> aes256-cts-hmac-sha1-96 Addresses: (none) 09/19/12 11:23:11 > >>>> 09/20/12 11:22:52 > >>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU Flags: > >>>> FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, > >>>> aes256-cts-hmac-sha1-96 Addresses: (none) [root at caroline0 > >>>> PROD ~]# ipa --delegate user-show admin ipa: ERROR: cannot > >>>> connect to u'http://caroline0.lafayette.edu/ipa/xml': > >>>> Internal Server Error [root at caroline0 PROD ~]# > >>> > >>> Is it the same major/minor error in gss_acquire_cred()? > >>> > >>> Does GSSAPI over LDAP work? > >>> > >>> $ ldapsearch -Y GSSAPI -h ipa.example.com -b > >>> cn=users,cn=accounts,dc=example,dc=com admin > >>> > >> This appears to work. > >> > >> [root at caroline0 PROD ~]# ldapsearch -Y GSSAPI -h > >> caroline0.lafayette.edu -b > >> cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin > >> SASL/GSSAPI authentication started SASL username: > >> lagern at SYSTEMS.LAFAYETTE.EDU SASL SSF: 56 SASL data security > >> layer installed. 
# extended LDIF # # LDAPv3 # base > >> with scope > >> subtree # filter: (objectclass=*) # requesting: admin # > >> > >> # users, accounts, systems.lafayette.edu dn: > >> cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu > >> > >> # admin, users, accounts, systems.lafayette.edu dn: > >> uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu > >> > >> <-- a bunch of other users here --> > >> > >> # search result search: 4 result: 0 Success > >> > >> # numResponses: 10 # numEntries: 9 > >> > > > Ok, so it's JUST Apache then. > > > Is the hostname on caroline0 set as a FQDN (/bin/hostname)? > > > If not, I'd try setting it to caroline0.lafayette.edu > > > If so, might be worth trying to refresh your Apache keytab. I made > > some educated guesses on your hostnames/realm, please > > double-check: > > > # ipa-getkeytab -s caroline0.lafayette.edu -p > > HTTP/caroline0.lafayette.edu@ SYSTEMS.LAFAYETTE.EDU -k > > /etc/httpd/conf/ipa.keytab > > > Should not be required to restart httpd but it shouldn't hurt. Run > > kdestroy/kinit before trying ipa user-show again. > > > rob > > well, seems like we're at least narrowing things down. But its still > no good. > > The hostname is the fqdn. /bin/hostname returns it as such. 
>
>
> [root at caroline0 PROD ~]# ipa-getkeytab -s caroline0.lafayette.edu -p
> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU -k
> /etc/httpd/conf/ipa.keytab
> Keytab successfully retrieved and stored in: /etc/httpd/conf/ipa.keytab
> [root at caroline0 PROD ~]# service httpd restart
> Stopping httpd: [ OK ]
> Starting httpd: [Wed Sep 19 15:34:24 2012] [warn] worker
> ajp://localhost:9447/ already used by another worker
> [Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already
> used by another worker
> [ OK ]
> [root at caroline0 PROD ~]# kdestroy
> [root at caroline0 PROD ~]# kinit lagern
> Password for lagern at SYSTEMS.LAFAYETTE.EDU:
> [root at caroline0 PROD ~]# ipa pwpolicy-show
> ipa: ERROR: cannot connect to
> u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
>

Rob, keytab and kerberos part seems to be fine, ldap works too.
Can it be one of the certs? Maybe some cert expired?

>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: From rcritten at redhat.com Wed Sep 19 19:47:45 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 19 Sep 2012 15:47:45 -0400 Subject: [Freeipa-users] sudden ipa errors. In-Reply-To: <505A2017.4010107@redhat.com> References: <1938173025.2883682.1348020358791.JavaMail.root@zstore00.zprd.lafayette.edu> <5059D8A8.1060100@redhat.com> <5059E411.7030704@lafayette.edu> <5059E5F1.5070904@redhat.com> <505A1346.4010002@lafayette.edu> <505A14D8.2050404@redhat.com> <505A1F07.3030007@lafayette.edu> <505A2017.4010107@redhat.com> Message-ID: <505A2161.9040409@redhat.com> Dmitri Pal wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 09/19/2012 03:37 PM, Nathan Lager wrote: >> > > > > On 09/19/2012 02:54 PM, Rob Crittenden wrote: > > > Nathan Lager wrote: > > >> > > >> > > >> On 09/19/2012 11:34 AM, Rob Crittenden wrote: > > >>> Nathan Lager wrote: > > >>>> > > >>>> On 09/19/2012 10:37 AM, Rob Crittenden wrote: > > >>>>> Lager, Nathan T. wrote: > > >>>>>> > > >>>>>> ----- Original Message ----- > > >>>>>>> From: "Rob Crittenden" To: > > >>>>>>> "Nathan Lager" Cc: > > >>>>>>> freeipa-users at redhat.com Sent: Tuesday, September 18, > > >>>>>>> 2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa > > >>>>>>> errors. > > >>>>>>> > > >>>>>>> Ok, what are the permissions on the keytab, > > >>>>>>> /etc/httpd/conf/ipa.keytab? They should be > > >>>>>>> apache:apache mode 0600. > > >>>>>> > > >>>>>> [lagern at caroline0 PROD ~]$ ls -lZ > > >>>>>> /etc/httpd/conf/ipa.keytab -rw-------. apache apache > > >>>>>> unconfined_u:object_r:httpd_config_t:s0 > > >>>>>> /etc/httpd/conf/ipa.keytab > > >>>>>> > > >>>>>>> > > >>>>>>> Are you in SELinux enforcing mode? Can you try in > > >>>>>>> permissive to see if that works? > > >>>>>> I was enforcing at the start of all of this, but ive > > >>>>>> since switched to permissive for troubleshooting. It > > >>>>>> hasnt made a difference. > > >>>>> > > >>>>> Are you getting an HTTP service principal in the client? 
> > >>>>> > > >>>>> $ kdestroy $ kinit admin $ ipa user-show admin $ > > >>>>> klist -fea > > >>>>> > > >>>>> Lets try to skip s4u2proxy. Does this work: > > >>>>> > > >>>>> $ ipa --delegate user-show admin > > >>>>> > > >>>>> Unfortunately the major and minor error codes are as > > >>>>> generic as can be so they aren't any help at all. > > >>>>> > > >>>>> rob > > >>>> > > >>>> Here's the output. The --delegate still failed. > > >>>> > > >>>> [root at caroline0 PROD ~]# klist -fea Ticket cache: > > >>>> FILE:/tmp/krb5cc_0 Default principal: > > >>>> lagern at SYSTEMS.LAFAYETTE.EDU > > >>>> > > >>>> Valid starting Expires Service principal > > >>>> 09/19/12 11:23:03 09/20/12 11:22:52 > > >>>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU Flags: > > >>>> FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, > > >>>> aes256-cts-hmac-sha1-96 Addresses: (none) 09/19/12 11:23:11 > > >>>> 09/20/12 11:22:52 > > >>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU Flags: > > >>>> FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, > > >>>> aes256-cts-hmac-sha1-96 Addresses: (none) [root at caroline0 > > >>>> PROD ~]# ipa --delegate user-show admin ipa: ERROR: cannot > > >>>> connect to u'http://caroline0.lafayette.edu/ipa/xml': > > >>>> Internal Server Error [root at caroline0 PROD ~]# > > >>> > > >>> Is it the same major/minor error in gss_acquire_cred()? > > >>> > > >>> Does GSSAPI over LDAP work? > > >>> > > >>> $ ldapsearch -Y GSSAPI -h ipa.example.com -b > > >>> cn=users,cn=accounts,dc=example,dc=com admin > > >>> > > >> This appears to work. > > >> > > >> [root at caroline0 PROD ~]# ldapsearch -Y GSSAPI -h > > >> caroline0.lafayette.edu -b > > >> cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin > > >> SASL/GSSAPI authentication started SASL username: > > >> lagern at SYSTEMS.LAFAYETTE.EDU SASL SSF: 56 SASL data security > > >> layer installed. 
# extended LDIF # # LDAPv3 # base > > >> with scope > > >> subtree # filter: (objectclass=*) # requesting: admin # > > >> > > >> # users, accounts, systems.lafayette.edu dn: > > >> cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu > > >> > > >> # admin, users, accounts, systems.lafayette.edu dn: > > >> uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu > > >> > > >> <-- a bunch of other users here --> > > >> > > >> # search result search: 4 result: 0 Success > > >> > > >> # numResponses: 10 # numEntries: 9 > > >> > > > > > Ok, so it's JUST Apache then. > > > > > Is the hostname on caroline0 set as a FQDN (/bin/hostname)? > > > > > If not, I'd try setting it to caroline0.lafayette.edu > > > > > If so, might be worth trying to refresh your Apache keytab. I made > > > some educated guesses on your hostnames/realm, please > > > double-check: > > > > > # ipa-getkeytab -s caroline0.lafayette.edu -p > > > HTTP/caroline0.lafayette.edu@ SYSTEMS.LAFAYETTE.EDU -k > > > /etc/httpd/conf/ipa.keytab > > > > > Should not be required to restart httpd but it shouldn't hurt. Run > > > kdestroy/kinit before trying ipa user-show again. > > > > > rob > > > > well, seems like we're at least narrowing things down. But its still > > no good. > > > > The hostname is the fqdn. /bin/hostname returns it as such. 
> > > > > > [root at caroline0 PROD ~]# ipa-getkeytab -s caroline0.lafayette.edu -p > > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU -k > > /etc/httpd/conf/ipa.keytab > > Keytab successfully retrieved and stored in: /etc/httpd/conf/ipa.keytab > > [root at caroline0 PROD ~]# service httpd restart > > Stopping httpd: [ OK ] > > Starting httpd: [Wed Sep 19 15:34:24 2012] [warn] worker > > ajp://localhost:9447/ already used by another worker > > [Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already > > used by another worker > > [ OK ] > > [root at caroline0 PROD ~]# kdestroy > > [root at caroline0 PROD ~]# kinit lagern > > Password for lagern at SYSTEMS.LAFAYETTE.EDU: > > [root at caroline0 PROD ~]# ipa pwpolicy-show > > ipa: ERROR: cannot connect to > > u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error > > > > > > Rob, keytab and kerberos part seems to be fine, ldap works too. > Can it be one of the certs? May be some cert expired? No, the error is coming from GSSAPI, it is unfortunately completely useless. I think we've pretty well narrowed down the problem to httpd/mod_auth_kerb but I don't know yet if this is a configuration issue or a bug. Nathan, can you show me your /etc/httpd/conf.d/ipa.conf? rob From lagern at lafayette.edu Wed Sep 19 19:56:36 2012 From: lagern at lafayette.edu (Nathan Lager) Date: Wed, 19 Sep 2012 15:56:36 -0400 Subject: [Freeipa-users] sudden ipa errors. 
In-Reply-To: <505A2161.9040409@redhat.com>
References: <1938173025.2883682.1348020358791.JavaMail.root@zstore00.zprd.lafayette.edu> <5059D8A8.1060100@redhat.com> <5059E411.7030704@lafayette.edu> <5059E5F1.5070904@redhat.com> <505A1346.4010002@lafayette.edu> <505A14D8.2050404@redhat.com> <505A1F07.3030007@lafayette.edu> <505A2017.4010107@redhat.com> <505A2161.9040409@redhat.com>
Message-ID: <505A2374.9010200@lafayette.edu>

On 09/19/2012 03:47 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>>
>> Rob, keytab and kerberos part seems to be fine, ldap works too.
>> Can it be one of the certs? May be some cert expired?
>
> No, the error is coming from GSSAPI, it is unfortunately
> completely useless. I think we've pretty well narrowed down the
> problem to httpd/mod_auth_kerb but I don't know yet if this is a
> configuration issue or a bug.
>
> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?

Sure, as far as I know it's completely stock, aside from the krb password auth change.

#
# VERSION 4 - DO NOT REMOVE THIS LINE
#
#
LoadModule auth_kerb_module modules/mod_auth_kerb.so

ProxyRequests Off

#We use xhtml, a file format that the browser validates
DirectoryIndex index.html

# ipa-rewrite.conf is loaded separately

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive jar

# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /var/run/httpd/wsgi

# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off

# Turn off mod_msgi handler for errors, config, crl:
SetHandler None
SetHandler None
SetHandler None

KrbConstrainedDelegationLock ipa

# Protect /ipa and everything below it in webspace with Apache Kerberos auth
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbServiceName HTTP
KrbAuthRealms SYSTEMS.LAFAYETTE.EDU
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
KrbConstrainedDelegation on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html

# Turn off Apache authentication for sessions
Satisfy Any
Order Deny,Allow
Allow from all

Satisfy Any
Order Deny,Allow
Allow from all

# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"

# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"

# Do no authentication on the directory that contains error messages
SetHandler None
AllowOverride None
Satisfy Any
Allow from all

# For CRL publishing
Alias /ipa/crl "/var/lib/pki-ca/publish"
SetHandler None
AllowOverride None
Options Indexes FollowSymLinks
Satisfy Any
Allow from all

# webUI is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"
SetHandler None
AllowOverride None
Satisfy Any
Allow from all

# Protect our CGIs
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms SYSTEMS.LAFAYETTE.EDU
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html

# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
AllowOverride None
Satisfy Any
Allow from all
Options ExecCGI
AddHandler wsgi-script .py

>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042

From rcritten at redhat.com Wed Sep 19 20:35:30 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Sep 2012 16:35:30 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <505A2374.9010200@lafayette.edu>
References: <1938173025.2883682.1348020358791.JavaMail.root@zstore00.zprd.lafayette.edu> <5059D8A8.1060100@redhat.com> <5059E411.7030704@lafayette.edu> <5059E5F1.5070904@redhat.com> <505A1346.4010002@lafayette.edu> <505A14D8.2050404@redhat.com> <505A1F07.3030007@lafayette.edu> <505A2017.4010107@redhat.com> <505A2161.9040409@redhat.com> <505A2374.9010200@lafayette.edu>
Message-ID: <505A2C92.9070104@redhat.com>

Nathan Lager wrote:
> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>>
>>> Rob, keytab and kerberos part seems to be fine, ldap works too.
>>> Can it be one of the certs? May be some cert expired?
>>
>> No, the error is coming from GSSAPI, it is unfortunately
>> completely useless. I think we've pretty well narrowed down the
>> problem to httpd/mod_auth_kerb but I don't know yet if this is a
>> configuration issue or a bug.
>>
>> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
> Sure, as far as I know it's completely stock, aside from the krb
> password auth change.

Yup, configuration looks fine.

Ok, let's eliminate the ipa tool as the problem and try curl:

Create a file test.json with these contents:

{"method":"batch","params":[[ {"method":"user_show","params":[["admin"],{"all":false}]} ],{}],"id":1}

then run this:

curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json

This does the equivalent of an: ipa user-show admin

rob

From sigbjorn at nixtra.com Wed Sep 19 20:37:27 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 19 Sep 2012 22:37:27 +0200
Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
Message-ID: <505A2D07.9030608@nixtra.com>

Hi,

I noticed an updated krb5-server package today advertising that it's fixing the issue with slow GSSAPI binds discussed earlier, so I installed it in my test environment, set SElinux back to enforcing in /etc/sysconfig/selinux and rebooted.

The named daemon does not start now. The error below was logged in /var/log/messages:

Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: PROCESS_TGS)

I am able to start named after setting SElinux in permissive mode (setenforce 0).

Then to verify: I stop all IPA services (ipactl stop), reenabled selinux (setenforce 1), and start the IPA services (ipactl start).
A new error is logged in /var/log/messages:

Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid credentials
Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission denied
Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)

From the /var/log/krb5kdc.log:
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, for , Cannot create replay cache file /var/tmp/krbtgt_0: File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, for , Cannot create replay cache file /var/tmp/krbtgt_0: File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH: DNS/ipa01.ix.test.com@IX.TEST.COM for krbtgt/IX.TEST.COM@IX.TEST.COM, Additional pre-authentication required
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com@IX.TEST.COM for krbtgt/IX.TEST.COM@IX.TEST.COM

/var/named/data/named.run logged nothing.

Any suggestions for how to troubleshoot this issue?

Regards,
Siggi

From rcritten at redhat.com Wed Sep 19 20:48:40 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Sep 2012 16:48:40 -0400
Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
In-Reply-To: <505A2D07.9030608@nixtra.com>
References: <505A2D07.9030608@nixtra.com>
Message-ID: <505A2FA8.4050007@redhat.com>

Sigbjorn Lie wrote:
> Hi,
>
> I noticed an updated krb5-server package today advertising that it's
> fixing the issue with slow GSSAPI binds discussed earlier, so I
> installed it in my test environment, set SElinux back to enforcing in
> /etc/sysconfig/selinux and rebooted.
>
> The named daemon does not start now.
> The error below was logged in
> /var/log/messages:
>
> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (KDC returned error
> string: PROCESS_TGS)
>
> I am able to start named after setting SElinux in permissive mode
> (setenforce 0).
>
> Then to verify: I stop all IPA services (ipactl stop), reenabled selinux
> (setenforce 1), and start the IPA services (ipactl start). A new error
> is logged in /var/log/messages:
>
> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
> credentials
> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission denied
> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>
>
> From the /var/log/krb5kdc.log:
> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,
> for , Cannot create replay cache file /var/tmp/krbtgt_0:
> File exists
> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,
> for , Cannot create replay cache file /var/tmp/krbtgt_0:
> File exists
> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
> DNS/ipa01.ix.test.com@IX.TEST.COM for krbtgt/IX.TEST.COM@IX.TEST.COM,
> Additional pre-authentication required
> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com@IX.TEST.COM for
> krbtgt/IX.TEST.COM@IX.TEST.COM
>
> /var/named/data/named.run logged nothing.
>
>
>
> Any suggestions for how to troubleshoot this issue?
Pure guess, but:

restorecon /var/tmp/krbtgt_0

rob

From Steven.Jones at vuw.ac.nz Wed Sep 19 21:00:41 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 19 Sep 2012 21:00:41 +0000
Subject: [Freeipa-users] NFS on Mac
In-Reply-To: <24813.213.225.75.97.1348042689.squirrel@www.nixtra.com>
References: <1347894430.78736.YahooMailNeo@web163106.mail.bf1.yahoo.com> <50573FAD.8030008@redhat.com> <1347906088.5867.YahooMailNeo@web163102.mail.bf1.yahoo.com>, <5057702C.2030102@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA522E@STAWINCOX10MBX1.staff.vuw.ac.nz> <50597D7E.6040404@redhat.com>, <24813.213.225.75.97.1348042689.squirrel@www.nixtra.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546CDBAD@STAWINCOX10MBX1.staff.vuw.ac.nz>

I can do you a virtual Mac... :P

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Wednesday, 19 September 2012 8:18 p.m.
To: Petr Spacek
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] NFS on Mac

As usual, if someone is interested in sending me a Mac I'll be happy to do the testing and submit the results. *grin* :)

Regards,
Siggi

On Wed, September 19, 2012 10:08, Petr Spacek wrote:
> On 09/17/2012 10:32 PM, Steven Jones wrote:
>
>> If anyone has MAC instructions I'd love a copy pls.
>>
>
> As usual, we can create an account on the freeipa.org wiki if anybody is interested
> in creating a how-to. That is the best place to share.
>
> Let us know!
>
>
> Petr^2 Spacek
>
>
>>
>> ------------------------------------------------------------------------------
>> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on
>> behalf of Dmitri Pal [dpal at redhat.com]
>> *Sent:* Tuesday, 18 September 2012 6:47 a.m.
>> *To:* george he
>> *Cc:* freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] NFS on Mac
>>
>>
>> On 09/17/2012 02:21 PM, george he wrote:
>>
>>> sounds to me the link may work for nfs version 3 only. Now with IPA and NFS4, there's got to be
>>> something more. George
>>>
>>
>> I do not know the exact steps on mac because there is no ipa-client on Mac so
>> you would have to configure the machine to be an IPA client manually. This would mean that you
>> need to authenticate with kerberos and then make the nfs part use the credential cache of the
>> logged in user (if you are planning to use it for users mounting shares). This is what needs to
>> happen conceptually. I know that people have done it in the past but I do not think there are
>> instructions.
>>
>> Once you managed to do it please see the presentation on how to set up secure NFS
>> on Linux http://rhsummit.files.wordpress.com/2012/03/dickson_the_evolution_nfs_protocol.pdf
>> May be it will give you some hints and pointers.
>>
>>
>> The only known problem with this slide deck is that on slide 18 after kinit
>> admin and before ipa-getkeytab you need to add a service for the NFS server: ipa service-add
>> nfs/`hostname`@EXAMPLE
>>
>> HTH
>>
>>>
>>> ------------------------------------------------------------------------------
>>> *From:* Dmitri Pal
>>> *To:* freeipa-users at redhat.com
>>> *Sent:* Monday, September 17, 2012 11:20 AM
>>> *Subject:* Re: [Freeipa-users] NFS on Mac
>>>
>>>
>>> On 09/17/2012 11:07 AM, george he wrote:
>>>
>>>> Hello all,
>>>> I have IPA server and NFS server set up on a computer running centos 6.3.
>>>> Is there a way to set up a mac laptop to access the data on the NFS server?
>>>> The laptop does not have a static IP. DNS is not configured with IPA.
>>>> If yes, how do I config the mac?
>>>>
>>>
>>> Is this what you are looking for?
>>> http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/
>>>
>>>
>>>> Thanks,
>>>> George
>>>>
>
>

From sigbjorn at nixtra.com Wed Sep 19 21:03:30 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 19 Sep 2012 23:03:30 +0200
Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
In-Reply-To: <505A2FA8.4050007@redhat.com>
References: <505A2D07.9030608@nixtra.com> <505A2FA8.4050007@redhat.com>
Message-ID: <505A3322.9020601@nixtra.com>

On 09/19/2012 10:48 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> Hi,
>>
>> I noticed an updated krb5-server package today advertising that it's
>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>> installed it in my test environment, set SElinux back to enforcing in
>> /etc/sysconfig/selinux and rebooted.
>>
>> The named daemon does not start now. The error below was logged in
>> /var/log/messages:
>>
>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
>> failure. Minor code may provide more information (KDC returned error
>> string: PROCESS_TGS)
>>
>> I am able to start named after setting SElinux in permissive mode
>> (setenforce 0).
>>
>> Then to verify: I stop all IPA services (ipactl stop), reenabled selinux
>> (setenforce 1), and start the IPA services (ipactl start).
>> A new error
>> is logged in /var/log/messages:
>>
>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
>> credentials
>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
>> denied
>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>>
>>
>> From the /var/log/krb5kdc.log:
>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,
>> for , Cannot create replay cache file /var/tmp/krbtgt_0:
>> File exists
>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,
>> for , Cannot create replay cache file /var/tmp/krbtgt_0:
>> File exists
>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
>> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
>> DNS/ipa01.ix.test.com@IX.TEST.COM for krbtgt/IX.TEST.COM@IX.TEST.COM,
>> Additional pre-authentication required
>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
>> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
>> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com@IX.TEST.COM for
>> krbtgt/IX.TEST.COM@IX.TEST.COM
>>
>> /var/named/data/named.run logged nothing.
>>
>>
>>
>> Any suggestions for how to troubleshoot this issue?
>
> Pure guess, but:
>
> restorecon /var/tmp/krbtgt_0
>
> rob

Sorry, that did not help. There seems to be a new error in the messages file every time I attempt a named restart though.
See below for the latest:

Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf (IX.TEST.COM) does not match tkey-gssapi-credential (DNS/ipa01.ix.test.com)
Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)

Rgds,
Siggi

From rcritten at redhat.com Wed Sep 19 21:05:35 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Sep 2012 17:05:35 -0400
Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
In-Reply-To: <505A3322.9020601@nixtra.com>
References: <505A2D07.9030608@nixtra.com> <505A2FA8.4050007@redhat.com> <505A3322.9020601@nixtra.com>
Message-ID: <505A339F.9060905@redhat.com>

Sigbjorn Lie wrote:
> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> I noticed an updated krb5-server package today advertising that it's
>>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>>> installed it in my test environment, set SElinux back to enforcing in
>>> /etc/sysconfig/selinux and rebooted.
>>>
>>> The named daemon does not start now. The error below was logged in
>>> /var/log/messages:
>>>
>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
>>> failure. Minor code may provide more information (KDC returned error
>>> string: PROCESS_TGS)
>>>
>>> I am able to start named after setting SElinux in permissive mode
>>> (setenforce 0).
>>>
>>> Then to verify: I stop all IPA services (ipactl stop), reenabled selinux
>>> (setenforce 1), and start the IPA services (ipactl start).
>>> A new error
>>> is logged in /var/log/messages:
>>>
>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
>>> credentials
>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
>>> denied
>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>>>
>>>
>>> From the /var/log/krb5kdc.log:
>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,
>>> for , Cannot create replay cache file /var/tmp/krbtgt_0:
>>> File exists
>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,
>>> for , Cannot create replay cache file /var/tmp/krbtgt_0:
>>> File exists
>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
>>> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
>>> DNS/ipa01.ix.test.com@IX.TEST.COM for krbtgt/IX.TEST.COM@IX.TEST.COM,
>>> Additional pre-authentication required
>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
>>> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
>>> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com@IX.TEST.COM for
>>> krbtgt/IX.TEST.COM@IX.TEST.COM
>>>
>>> /var/named/data/named.run logged nothing.
>>>
>>>
>>>
>>> Any suggestions for how to troubleshoot this issue?
>>
>> Pure guess, but:
>>
>> restorecon /var/tmp/krbtgt_0
>>
>> rob
> Sorry, that did not help. There seems to be a new error in the messages
> file every time I attempt a named restart though.
> See below for the latest:
>
> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
> (IX.TEST.COM) does not match tkey-gssapi-credential (DNS/ipa01.ix.test.com)
> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)

I'd continue to check /var/log/audit/audit.log for AVCs.

rob

From sigbjorn at nixtra.com Wed Sep 19 21:30:00 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 19 Sep 2012 23:30:00 +0200
Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
In-Reply-To: <505A339F.9060905@redhat.com>
References: <505A2D07.9030608@nixtra.com> <505A2FA8.4050007@redhat.com> <505A3322.9020601@nixtra.com> <505A339F.9060905@redhat.com>
Message-ID:

Ok. I'm fairly new to selinux but I will give it a go tomorrow. Thanks.

Rgds
S.

Rob Crittenden wrote:
>Sigbjorn Lie wrote:
>> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>> Hi,
>>>>
>>>> I noticed an updated krb5-server package today advertising that it's
>>>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>>>> installed it in my test environment, set SElinux back to enforcing in
>>>> /etc/sysconfig/selinux and rebooted.
>>>>
>>>> The named daemon does not start now. The error below was logged in
>>>> /var/log/messages:
>>>>
>>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
>>>> failure. Minor code may provide more information (KDC returned error
>>>> string: PROCESS_TGS)
>>>>
>>>> I am able to start named after setting SElinux in permissive mode
>>>> (setenforce 0).
>>>>
>>>> Then to verify: I stop all IPA services (ipactl stop), reenabled selinux
>>>> (setenforce 1), and start the IPA services (ipactl start).
>>>> A new error
>>>> is logged in /var/log/messages:
>>>>
>>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
>>>> credentials
>>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
>>>> denied
>>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>>>>
>>>>
>>>> From the /var/log/krb5kdc.log:
>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,
>>>> for , Cannot create replay cache file /var/tmp/krbtgt_0:
>>>> File exists
>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,
>>>> for , Cannot create replay cache file /var/tmp/krbtgt_0:
>>>> File exists
>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
>>>> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
>>>> DNS/ipa01.ix.test.com@IX.TEST.COM for krbtgt/IX.TEST.COM@IX.TEST.COM,
>>>> Additional pre-authentication required
>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
>>>> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
>>>> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com@IX.TEST.COM for
>>>> krbtgt/IX.TEST.COM@IX.TEST.COM
>>>>
>>>> /var/named/data/named.run logged nothing.
>>>>
>>>>
>>>>
>>>> Any suggestions for how to troubleshoot this issue?
>>>
>>> Pure guess, but:
>>>
>>> restorecon /var/tmp/krbtgt_0
>>>
>>> rob
>> Sorry, that did not help. There seems to be a new error in the messages
>> file every time I attempt a named restart though.
>> See below for the latest:
>>
>> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
>> (IX.TEST.COM) does not match tkey-gssapi-credential (DNS/ipa01.ix.test.com)
>> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
>> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
>> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)
>
>I'd continue to check /var/log/audit/audit.log for AVCs.
>
>rob

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

From sigbjorn at nixtra.com Wed Sep 19 21:49:30 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 19 Sep 2012 23:49:30 +0200
Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
In-Reply-To: <505A339F.9060905@redhat.com>
References: <505A2D07.9030608@nixtra.com> <505A2FA8.4050007@redhat.com> <505A3322.9020601@nixtra.com> <505A339F.9060905@redhat.com>
Message-ID: <505A3DEA.90407@nixtra.com>

On 09/19/2012 11:05 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>> Hi,
>>>>
>>>> I noticed an updated krb5-server package today advertising that it's
>>>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>>>> installed it in my test environment, set SElinux back to enforcing in
>>>> /etc/sysconfig/selinux and rebooted.
>>>>
>>>> The named daemon does not start now. The error below was logged in
>>>> /var/log/messages:
>>>>
>>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
>>>> failure. Minor code may provide more information (KDC returned error
>>>> string: PROCESS_TGS)
>>>>
>>>> I am able to start named after setting SElinux in permissive mode
>>>> (setenforce 0).
>>>>
>>>> Then to verify: I stop all IPA services (ipactl stop), reenabled
>>>> selinux
>>>> (setenforce 1), and start the IPA services (ipactl start). A new error
>>>> is logged in /var/log/messages:
>>>>
>>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
>>>> credentials
>>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
>>>> denied
>>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>>>>
>>>>
>>>> From the /var/log/krb5kdc.log:
>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
>>>> etypes
>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,
>>>> for , Cannot create replay cache file
>>>> /var/tmp/krbtgt_0:
>>>> File exists
>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
>>>> etypes
>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,
>>>> for , Cannot create replay cache file
>>>> /var/tmp/krbtgt_0:
>>>> File exists
>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
>>>> etypes
>>>> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
>>>> DNS/ipa01.ix.test.com@IX.TEST.COM for krbtgt/IX.TEST.COM@IX.TEST.COM,
>>>> Additional pre-authentication required
>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
>>>> etypes
>>>> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
>>>> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com@IX.TEST.COM for
>>>> krbtgt/IX.TEST.COM@IX.TEST.COM
>>>>
>>>> /var/named/data/named.run logged nothing.
>>>>
>>>>
>>>>
>>>> Any suggestions for how to troubleshoot this issue?
>>>
>>> Pure guess, but:
>>>
>>> restorecon /var/tmp/krbtgt_0
>>>
>>> rob
>> Sorry, that did not help. There seems to be a new error in the messages
>> file every time I attempt a named restart though.
>> See below for the latest:
>>
>> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
>> (IX.TEST.COM) does not match tkey-gssapi-credential
>> (DNS/ipa01.ix.test.com)
>> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
>> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
>> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)
>
> I'd continue to check /var/log/audit/audit.log for AVCs.
>
> rob
>

OK, I had a quick look before I'm off for today. :)

There's a lot of these messages, denying named access to /var/tmp/DNS_25.

type=AVC msg=audit(1348086955.397:42404): avc: denied { getattr } for pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc: denied { read write } for pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc: denied { open } for pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.524:42438): avc: denied { getattr } for pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.524:42439): avc: denied { unlink } for pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42440): avc: denied { getattr } for pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42441): avc: denied { unlink } for pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42442): avc: denied { getattr } for pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42443): avc: denied { unlink } for pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42444): avc: denied { getattr } for pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.526:42445): avc: denied { unlink } for pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.526:42446): avc: denied { getattr } for pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.526:42447): avc: denied { unlink } for pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088493.161:42449): avc: denied { getattr } for pid=12667 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088493.162:42450): avc: denied { read write } for pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088493.162:42450): avc: denied { open } for pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

I tried "restorecon /var/tmp/DNS_25", but the attributes look the same before and after:

-rw-------. named named system_u:object_r:tmp_t:s0 DNS_25

Rgds,
Siggi

From rcritten at redhat.com Wed Sep 19 22:08:34 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Sep 2012 18:08:34 -0400
Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
In-Reply-To: <505A3DEA.90407@nixtra.com>
References: <505A2D07.9030608@nixtra.com> <505A2FA8.4050007@redhat.com> <505A3322.9020601@nixtra.com> <505A339F.9060905@redhat.com> <505A3DEA.90407@nixtra.com>
Message-ID: <505A4262.6070708@redhat.com>

Sigbjorn Lie wrote:
> On 09/19/2012 11:05 PM, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>>>> Sigbjorn Lie wrote:
>>>>> Hi,
>>>>>
>>>>> I noticed an updated krb5-server package today advertising that it's
>>>>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>>>>> installed it in my test environment, set SElinux back to enforcing in
>>>>> /etc/sysconfig/selinux and rebooted.
>>>>>
>>>>> The named daemon does not start now. The error below was logged in
>>>>> /var/log/messages:
>>>>>
>>>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
>>>>> failure. Minor code may provide more information (KDC returned error
>>>>> string: PROCESS_TGS)
>>>>>
>>>>> I am able to start named after setting SElinux in permissive mode
>>>>> (setenforce 0).
>>>>>
>>>>> Then to verify: I stop all IPA services (ipactl stop), reenabled
>>>>> selinux
>>>>> (setenforce 1), and start the IPA services (ipactl start).
A new error >>>>> is logged in /var/log/messages: >>>>> >>>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid >>>>> credentials >>>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission >>>>> denied >>>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error) >>>>> >>>>> >>>>> From the /var/log/krb5kdc.log: >>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 >>>>> etypes >>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, >>>> client> >>>>> for , Cannot create replay cache file >>>>> /var/tmp/krbtgt_0: >>>>> File exists >>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 >>>>> etypes >>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, >>>> client> >>>>> for , Cannot create replay cache file >>>>> /var/tmp/krbtgt_0: >>>>> File exists >>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 >>>>> etypes >>>>> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH: >>>>> DNS/ipa01.ix.test.com at IX.TEST.COM for krbtgt/IX.TEST.COM at IX.TEST.COM, >>>>> Additional pre-authentication required >>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 >>>>> etypes >>>>> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes >>>>> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com at IX.TEST.COM for >>>>> krbtgt/IX.TEST.COM at IX.TEST.COM >>>>> >>>>> /var/named/data/named.run logged nothing. >>>>> >>>>> >>>>> >>>>> Any suggestions for how to troubleshoot this issue? >>>> >>>> Pure guess, but: >>>> >>>> restorecon /var/tmp/krbtgt_0 >>>> >>>> rob >>> Sorry, that did not help. There seem to be a new error in the messages >>> file every time I attempt a named restart though. 
See below for the >>> latest: >>> >>> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf >>> (IX.TEST.COM) does not match tkey-gssapi-credential >>> (DNS/ipa01.ix.test.com) >>> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure >>> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure >>> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error) >> >> I'd continue to check /var/log/audit/audit.log for AVCs. >> >> rob >> > > OK, I had a quick look before I'm off for today. :) > > There's a lot of these messages, denying named access to /var/tmp/DNS_25. > > > > type=AVC msg=audit(1348086955.397:42404): avc: denied { getattr } for > pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348086955.398:42405): avc: denied { read write } > for pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348086955.398:42405): avc: denied { open } for > pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348088487.524:42438): avc: denied { getattr } for > pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348088487.524:42439): avc: denied { unlink } for > pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348088487.525:42440): avc: denied { getattr } for > pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC 
msg=audit(1348088487.525:42441): avc: denied { unlink } for > pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348088487.525:42442): avc: denied { getattr } for > pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348088487.525:42443): avc: denied { unlink } for > pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348088487.525:42444): avc: denied { getattr } for > pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348088487.526:42445): avc: denied { unlink } for > pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348088487.526:42446): avc: denied { getattr } for > pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348088487.526:42447): avc: denied { unlink } for > pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348088493.161:42449): avc: denied { getattr } for > pid=12667 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348088493.162:42450): avc: denied { read write } > for pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 
> tcontext=system_u:object_r:tmp_t:s0 tclass=file > type=AVC msg=audit(1348088493.162:42450): avc: denied { open } for > pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140 > scontext=unconfined_u:system_r:named_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=file > > > > I tried "restorecon /var/tmp/DNS_25", but the attributes looks the same > before and after: > > -rw-------. named named system_u:object_r:tmp_t:s0 DNS_25 Ok, I'm not sure. Perhaps selinux-policy has an update available too? You may want to consider temporarily setting selinux to permissive while we sort this out if your system is otherwise unusable. rob From Steven.Jones at vuw.ac.nz Wed Sep 19 22:55:49 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 19 Sep 2012 22:55:49 +0000 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <505869D0.3060703@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Sample of errors log, ========= [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f7000000110000 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 504d01f8000000110000 into pending list [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 504d42c5000000040000 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f8000000110000 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error ========= regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Wednesday, 19 September 2012 12:32 a.m. 
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 07:10 PM, Steven Jones wrote:
Hi,

I understand that I'll lose users that are cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc

This I don't understand....

I have the -v already, any way to make it very verbose?

http://port389.org/wiki/FAQ#Troubleshooting
Use the replication log level 8192
I'd like to see the directory server errors log /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the --win-subtree cn=VUW_Staff,dc= etc

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Tuesday, 18 September 2012 12:47 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 06:17 PM, Steven Jones wrote:
Hi,

The first time missed the --win-subtree settings so I wiped the admins in the IPA admin group and users as they were not in cn=users as per the bug. The second time as far as I can tell I specified the correct cn via win-subtree flag but I still appear to have lost the users in IPA.....now I expected to lose the admins but the loss of users as well confounds me.

I did an ldapsearch as per checking and it seems to be saying the right folder/ou/cn but IPA is empty.

Hence I was wondering if there was a log recording what the update was doing so I could try and figure out the mistake. I've tried grepping, can't find any indication.

I will re-try with -v, verbose.

It is not clear from the manuals, but no matter what -win-subtree you specify, winsync will search AD starting from the dc=domain suffix.
So, for example, if you have
cn=mystaff,cn=staff,dc=example,dc=com
and you specify
--win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"
winsync will still search starting from dc=example,dc=com and will hit ticket/355 if there are any users outside of cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a user in IPA.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Tuesday, 18 September 2012 11:37 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 04:17 PM, Steven Jones wrote:
Hi,

I just tried to do a winsync agreement with specifying the AD point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are not in the users folder but the VUW_Staff folder (at the same level) and it wiped all IPA users that are also in AD.

Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of scope

While doing the actual update does this get verbosely logged anywhere as opposed to "update in progress" dumped to the screen? Something went badly wrong, I just don't know what.

You are seeing something different than #355?

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
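The scope rule described in the exchange above (winsync searches AD from the dc= suffix regardless of --win-subtree, and ticket 355 then deletes any IPA user whose username matches an AD account that lies outside that subtree) can be checked for before the agreement is created. What follows is an added example written for this thread, not code from FreeIPA, 389-ds or anyone on the list. It takes a list of AD (dn, sAMAccountName) pairs and a list of IPA uids, both constructed sample data here, and reports which IPA users collide with out-of-scope AD accounts. The example.com domain, the container names and the usernames are hypothetical, and sAMAccountName is assumed to be the AD attribute that winsync matches against uid. The scope test compares whole RDNs, so a cn= container and an ou= container with the same name are different subtrees, and escaped commas in AD display names (cn=Smith\, Alice) are handled.

```python
"""Pre-flight check for an IPA winsync agreement.

Added example for this thread, not FreeIPA or 389-ds code. It models the
behaviour described above (winsync searches AD from the dc= suffix, not only
from --win-subtree, and ticket 355 then deletes IPA entries that merely share a
username with an out-of-scope AD account) so the collisions can be found before
the agreement is created. The AD entries, IPA uids and DNs below are
constructed samples; the AD username attribute is assumed to be sAMAccountName.
"""


def split_dn(dn):
    """Split a DN on unescaped commas (RFC 4514 style); 'cn=Smith\\, Alice,dc=x'
    stays one RDN. Returns the RDN strings with surrounding whitespace removed."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [r.strip() for r in rdns]


def normalize_dn(dn):
    """Canonical form for comparison: trimmed RDNs, lower-cased. cn, ou and dc
    values are case-insensitive in AD, so this is safe for a scope check."""
    return [r.lower() for r in split_dn(dn)]


def in_subtree(dn, base):
    """True if dn is base itself or lies beneath it. The comparison is on whole
    RDNs, so cn=VUW_Staff,... and ou=VUW_Staff,... are different containers."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def classify_collisions(ad_entries, ipa_uids, win_subtree):
    """ad_entries: iterable of (dn, sAMAccountName); ipa_uids: IPA user uids.
    Returns {'in_scope': [...], 'out_of_scope': [...]} of (uid, ad_dn) pairs
    whose username also exists in IPA. 'out_of_scope' is the set that winsync
    treats as out of scope and, per ticket 355, deletes from IPA."""
    ipa = {u.lower() for u in ipa_uids}
    result = {"in_scope": [], "out_of_scope": []}
    for dn, sam in ad_entries:
        uid = sam.lower()
        if uid not in ipa:
            continue  # no IPA counterpart, nothing for winsync to collide with
        key = "in_scope" if in_subtree(dn, win_subtree) else "out_of_scope"
        result[key].append((uid, dn))
    for key in result:
        result[key].sort()
    return result


# Constructed sample data (hypothetical domain, not the thread's directories).
AD_ENTRIES = [
    ("CN=jonesst1,CN=VUW_Staff,DC=staff,DC=example,DC=com", "jonesst1"),
    ("CN=Smith\\, Alice,CN=VUW_Staff,DC=staff,DC=example,DC=com", "smitha1"),
    ("CN=admin,CN=Users,DC=staff,DC=example,DC=com", "admin"),
    ("CN=svc-backup,OU=Service Accounts,DC=staff,DC=example,DC=com", "backup"),
    ("CN=guest,CN=Users,DC=staff,DC=example,DC=com", "guest"),
]
IPA_UIDS = ["admin", "jonesst1", "smitha1", "backup", "bobk"]
WIN_SUBTREE = "cn=VUW_Staff,dc=staff,dc=example,dc=com"

if __name__ == "__main__":
    report = classify_collisions(AD_ENTRIES, IPA_UIDS, WIN_SUBTREE)
    for uid, dn in report["out_of_scope"]:
        print(f"WOULD BE DELETED FROM IPA: {uid} matches out-of-scope AD entry {dn}")
    for uid, dn in report["in_scope"]:
        print(f"in scope, will be synced: {uid} <- {dn}")
```

In a real run the AD list would come from an ldapsearch over the whole domain suffix (not just the subtree, since that is what winsync walks) returning sAMAccountName, and the IPA list from ipa user-find; anything reported under out_of_scope needs to be renamed, moved or excluded before the agreement is created, or those IPA accounts are the ones that disappear.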
From rmeggins at redhat.com Wed Sep 19 23:03:46 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 19 Sep 2012 17:03:46 -0600
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <505A4F52.9090807@redhat.com>

On 09/19/2012 04:55 PM, Steven Jones wrote:
> Hi,
>
> Sample of errors log,
>
> =========
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error
> =========

Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?
From Steven.Jones at vuw.ac.nz Thu Sep 20 00:13:53 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 20 Sep 2012 00:13:53 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <505A4F52.9090807@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546CF239@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

No, that is the replication agreement; I've turned that server off so it doesn't also get "wiped".

I am running with a log error level 8192 right now for a full errors output...

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Thursday, 20 September 2012 11:03 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/19/2012 04:55 PM, Steven Jones wrote:
Hi,

Sample of errors log,

=========
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error
=========

Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?
From Steven.Jones at vuw.ac.nz Thu Sep 20 00:15:36 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 20 Sep 2012 00:15:36 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <505A4F52.9090807@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have -win-subtree cn= etc

I take it that cn= is fine and that ou= and cn= are the same thing?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Thursday, 20 September 2012 11:03 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/19/2012 04:55 PM, Steven Jones wrote:

Hi,

Sample of errors log,

=========
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f7000000110000
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 504d01f8000000110000 into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 504d42c5000000040000
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f8000000110000
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error
=========

Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Wednesday, 19 September 2012 12:32 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 07:10 PM, Steven Jones wrote:

Hi,

I understand that I'll lose users that are cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc

This I don't understand....

I have the -v already, anyway to make it very verbose?

http://port389.org/wiki/FAQ#Troubleshooting

Use the replication log level 8192

I'd like to see the directory server errors log /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the --win-subtree cn=VUW_Staff,dc= etc

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Tuesday, 18 September 2012 12:47 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 06:17 PM, Steven Jones wrote:

Hi,

The first time missed the --win-subtree settings so I wiped the admins in the IPA admin group and users as they were not in cn=users as per the bug.
The second time as far as I can tell I specified the correct cn via win-subtree flag but I still appear to have lost the users in IPA.....now I expected to lose the admins but the loss of users as well confounds me.

I did an ldapsearch as per checking and it seems to be saying the right folder/ou/cn but IPA is empty.

Hence I was wondering if there was a log recording what the update was doing so I could try and figure out the mistake. I've tried grepping, can't find any indication. I will re-try with -v, verbose.

It is not clear from the manuals, but no matter what -win-subtree you specify, winsync will search AD starting from the dc=domain suffix. So, for example, if you have cn=mystaff,cn=staff,dc=example,dc=com and you specify --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com" winsync will still search starting from dc=example,dc=com and will hit ticket/355 if there are any users outside of cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a user in IPA.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Tuesday, 18 September 2012 11:37 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 04:17 PM, Steven Jones wrote:

Hi,

I just tried to do a winsync agreement with specifying the AD point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are not in the users folder but the VUW_Staff folder (at the same level) and it wiped all IPA users that are also in AD.

Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of scope

While doing the actual update does this get verbosely logged anywhere as opposed to "update in progress" dumped to the screen?

Something went badly wrong, I just don't know what.

You are seeing something different than #355?
:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Steven.Jones at vuw.ac.nz Thu Sep 20 02:48:48 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 20 Sep 2012 02:48:48 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>

It isn't, I'm doing an OU=VUW_Staff instead of cn=VUW_Staff and it's mostly working except I'm also getting some "rubbish" so it's looking like the import script/query to AD isn't right.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 20 September 2012 12:15 p.m.
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

I have -win-subtree cn= etc

I take it that cn= is fine and that ou= and cn= are the same thing?
From thildred at redhat.com Thu Sep 20 03:52:48 2012
From: thildred at redhat.com (Tim Hildred)
Date: Wed, 19 Sep 2012 23:52:48 -0400 (EDT)
Subject: [Freeipa-users] Password requirements too stringent
In-Reply-To: <5059B2E5.50801@redhat.com>
Message-ID: <1798563724.2481312.1348113168096.JavaMail.root@redhat.com>

Hey, sorry, I'm a little confused about all the pieces.

I want to let my users reset expired password using ssh. I would really like them to be able to use the same password every time, and not worry if that password is "icecream".

From what I can tell, sshd_config turns the authentication over to PAM, which uses sssd(?) to get information from IPA.

Is it true this line in /etc/pam.d/password-auth was enforcing the stringent requirements, and not IPA?

password requisite pam_cracklib.so

I've noticed that if I comment out that line, authentication fails because none of my IPA users are in /etc/passwd. The configuration also gets reset to the default when I restart sssd.

Can anyone give me a suggestion that will:
- allow my users to use any password they want, with the least possible restrictions,
- reset expired passwords with SSH?
Here is a selection from krb5kdc.log (followed by the corresponding section of /var/log/secure):

Sep 20 13:22:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Password has expired
Sep 20 13:22:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:22:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111377, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:23:03 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:23:03 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 20 13:23:03 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: PREAUTH_FAILED: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Decrypt integrity check failed
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Password has expired
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111435, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:23:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:23:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111437, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111454, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111454, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): TGS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111454, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for ldap/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: host/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111526, etypes {rep=18 tkt=18 ses=18}, host/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): TGS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111526, etypes {rep=18 tkt=18 ses=18}, host/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for ldap/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Password has expired
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111526, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:28 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:25:28 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111528, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:28 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:25:28 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111528, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:29 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:25:29 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111529, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:29 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): TGS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111529, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for ldap/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:58 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Password has expired
Sep 20 13:25:58 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:25:58 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111558, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111561, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111561, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111561, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): TGS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111561, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for ldap/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM

And here is the corresponding section in /var/log/secure:

Sep 20 13:22:57 dns1 sshd[12308]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:22:57 dns1 sshd[12308]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 20 13:22:57 dns1 sshd[12308]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:22:57 dns1 sshd[12308]: pam_sss(sshd:auth): received for user timbo: 12 (Authentication token is no longer valid; new one required)
Sep 20 13:22:57 dns1 sshd[12308]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 20 13:22:57 dns1 sshd[12308]: Accepted password for timbo from 10.64.0.171 port 55407 ssh2
Sep 20 13:22:57 dns1 sshd[12308]: pam_unix(sshd:session): session opened for user timbo by (uid=0)
Sep 20 13:22:57 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:23:03 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Decrypt integrity check failed]
Sep 20 13:23:03 dns1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user timbo: 4 (System error)
Sep 20 13:23:05 dns1 sshd[12311]: Received disconnect from 10.64.0.171: 11: disconnected by user
Sep 20 13:23:05 dns1 sshd[12308]: pam_unix(sshd:session): session closed for user timbo
Sep 20 13:23:55 dns1 sshd[12314]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:auth): received for user timbo: 12 (Authentication token is no longer valid; new one required)
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 20 13:23:55 dns1 sshd[12314]: Accepted password for timbo from 10.64.0.171 port 55413 ssh2
Sep 20 13:23:55 dns1 sshd[12314]: pam_unix(sshd:session): session opened for user timbo by (uid=0)
Sep 20 13:23:55 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:24:14 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:24:14 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
Sep 20 13:24:14 dns1 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password change failed
Sep 20 13:24:14 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed for user timbo: 20 (Authentication token manipulation error)
Sep 20 13:24:17 dns1 sshd[12317]: Received disconnect from 10.64.0.171: 11: disconnected by user
Sep 20 13:24:17 dns1 sshd[12314]: pam_unix(sshd:session): session closed for user timbo
Sep 20 13:25:02 dns1 sshd[12279]: Received signal 15; terminating.
Sep 20 13:25:02 dns1 sshd[12360]: Server listening on 0.0.0.0 port 22.
Sep 20 13:25:02 dns1 sshd[12360]: Server listening on :: port 22.
Sep 20 13:25:25 dns1 sshd[12362]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): received for user timbo: 12 (Authentication token is no longer valid; new one required)
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 20 13:25:26 dns1 sshd[12362]: Accepted password for timbo from 10.64.0.171 port 55426 ssh2
Sep 20 13:25:26 dns1 sshd[12362]: pam_unix(sshd:session): session opened for user timbo by (uid=0)
Sep 20 13:25:26 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:25:28 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password change failed
Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed for user timbo: 20 (Authentication token manipulation error)
Sep 20 13:25:31 dns1 sshd[12366]: Received disconnect from 10.64.0.171: 11: disconnected by user
Sep 20 13:25:31 dns1 sshd[12362]: pam_unix(sshd:session): session closed for user timbo
Sep 20 13:25:58 dns1 sshd[12371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:auth): received for user timbo: 12 (Authentication token is no longer valid; new one required)
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 20 13:25:58 dns1 sshd[12371]: Accepted password for timbo from 10.64.0.171 port 55429 ssh2
Sep 20 13:25:58 dns1 sshd[12371]: pam_unix(sshd:session): session opened for user timbo by (uid=0)
Sep 20 13:25:58 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:26:01 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:26:01 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
Sep 20 13:26:01 dns1 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password change failed
Sep 20 13:26:01 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed for user timbo: 20 (Authentication token manipulation error)
Sep 20 13:26:04 dns1 sshd[12374]: Received disconnect from 10.64.0.171: 11: disconnected by user
Sep 20 13:26:04 dns1 sshd[12371]: pam_unix(sshd:session): session closed for user timbo

Any ideas?
Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thildred at redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

----- Original Message -----
> From: "Petr Spacek"
> To: freeipa-users at redhat.com
> Sent: Wednesday, September 19, 2012 9:56:21 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
>
> On 09/19/2012 01:32 PM, Dmitri Pal wrote:
> > On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
> >> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
> >>> So, commenting out:
> >>> password requisite pam_cracklib.so try_first_pass retry=3
> >>> type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
> >>>
> >>> Caused users updating their passwords using ssh to get:
> >>>
> >>> [ykatabam at ykatabam ~]$ ssh
> >>> ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com
> >>> ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> >>> Permission denied, please try again.
> >>> ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> >>> Password expired. Change your password now.
> >>> Last login: Fri Sep 14 10:20:49 2012 from
> >>> vpn1-48-53.bne.redhat.com
> >>> WARNING: Your password has expired.
> >>> You must change your password now and login again!
> >>> Changing password for user ykatabam.
> >>> Current Password:
> >>> Password change failed. Server message: Password change failed
> >>> passwd: Authentication token manipulation error
> >>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> >>>
> >>> Is that to say that you need at least 1 password requisite? That
> >>> instead of commenting out the password requisite
> >>> pam_cracklib.so, I should have replaced it with something?
> >> What did /var/log/secure have to say?
> >>
> >> The message sounds to me like it's coming from the server..
> > Please look at the krb5kdc.log on the server.
> > This is the server side message.
> > Most likely it did not like the password because it did not meet > > the policy. > > I wonder whether there is a bug in case password policy has 0 for > > the > > required character classes. > > Trying different passwords and changing the policy while watching > > the > > log will give you more answers. > > BTW if required character classes == 1 there is nothing to enforce, > because > each (non-empty) password has at least one character class. > > You can check if there is some difference between 0 and 1. > > Petr^2 Spacek > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > From lagern at lafayette.edu Thu Sep 20 11:24:21 2012 From: lagern at lafayette.edu (Lager, Nathan T.) Date: Thu, 20 Sep 2012 07:24:21 -0400 (EDT) Subject: [Freeipa-users] sudden ipa errors. In-Reply-To: <505A2C92.9070104@redhat.com> Message-ID: <1828665393.2905790.1348140261453.JavaMail.root@zstore00.zprd.lafayette.edu> ----- Original Message ----- > From: "Rob Crittenden" > To: "Nathan Lager" > Cc: freeipa-users at redhat.com > Sent: Wednesday, September 19, 2012 4:35:30 PM > Subject: Re: [Freeipa-users] sudden ipa errors. > Nathan Lager wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > > > > > On 09/19/2012 03:47 PM, Rob Crittenden wrote: > >> Dmitri Pal wrote: > >>> > >>> Rob, keytab and kerberos part seems to be fine, ldap works too. > >>> Can it be one of the certs? May be some cert expired? > >> > >> No, the error is coming from GSSAPI, it is unfortunately > >> completely useless. I think we've pretty well narrowed down the > >> problem to httpd/mod_auth_kerb but I don't know yet if this is a > >> configuration issue or a bug. > >> > >> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf? > > Sure, as far as I know its completely stock, aside from the krb > > password auth change. > > Yup, configuration looks fine. 
> > Ok, let's eliminate the ipa tool as the problem and try curl: > > Create a file test.json with these contents: > > {"method":"batch","params":[[ > {"method":"user_show","params":[["admin"],{"all":false}]} > ],{}],"id":1} > > then run this: > > curl -H "Content-Type:application/json" -H "Accept:application/json" > -H > "Accept-Language:en" -H "Referer: > https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert > /etc/ipa/ca.crt -d @test.json -X POST > https://caroline0.lafayette.edu/ipa/json > Seems to be running into the same trouble. [lagern at caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json 500 Internal Server Error

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, root at localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443
> This does the equivalent of an: ipa user-show admin > > rob From pieter.baele at gmail.com Thu Sep 20 12:05:35 2012 From: pieter.baele at gmail.com (Pieter Baele) Date: Thu, 20 Sep 2012 14:05:35 +0200 Subject: [Freeipa-users] Migrate from SunONE DS5.2 - UnicodeDecodeError Message-ID: Hi, I have a known problem when using the migration tool. Is there already a solution for this? As in: https://www.redhat.com/archives/freeipa-users/2012-January/msg00200.html ipa migrate-ds ldap://x.x.x.x:389 --base-dn=xxx --group-container=ou=People --continue Password: ipa: ERROR: an internal error has occurred error_log [Thu Sep 20 13:52:27 2012] [error] ipa: INFO: admin at LINUX.x: migrate_ds(u'ldap://x.x.x.x:389', u'********', binddn=u'cn=directory manager', usercontainer=u'ou=people', groupcontainer=u'ou=People', userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=u'dc=xxx', compat=False, exclude_groups=None, exclude_users=None): UnicodeDecodeError Sincerely, PieterB From rcritten at redhat.com Thu Sep 20 12:55:55 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 20 Sep 2012 08:55:55 -0400 Subject: [Freeipa-users] Migrate from SunONE DS5.2 - UnicodeDecodeError In-Reply-To: References: Message-ID: <505B125B.9070706@redhat.com> Pieter Baele wrote: > Hi, > > I have a known problem when using the migration tool. > Is there already a solution for this? 
> > As in: https://www.redhat.com/archives/freeipa-users/2012-January/msg00200.html > > ipa migrate-ds ldap://x.x.x.x:389 --base-dn=xxx > --group-container=ou=People --continue > Password: > ipa: ERROR: an internal error has occurred > > > error_log > [Thu Sep 20 13:52:27 2012] [error] ipa: INFO: admin at LINUX.x: > migrate_ds(u'ldap://x.x.x.x:389', u'********', binddn=u'cn=directory > manager', usercontainer=u'ou=people', groupcontainer=u'ou=People', > userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', > u'groupOfNames'), userignoreobjectclass=None, > userignoreattribute=None, groupignoreobjectclass=None, > groupignoreattribute=None, groupoverwritegid=False, > schema=u'RFC2307bis', continue=True, basedn=u'dc=xxx', compat=False, > exclude_groups=None, exclude_users=None): UnicodeDecodeError I'd need more context from the error log to confirm that the problem is the same. But if it is no, we don't have a solution other than the one suggested at the time. rob From mkosek at redhat.com Thu Sep 20 13:49:27 2012 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 20 Sep 2012 15:49:27 +0200 Subject: [Freeipa-users] Migrate from SunONE DS5.2 - UnicodeDecodeError In-Reply-To: <505B125B.9070706@redhat.com> References: <505B125B.9070706@redhat.com> Message-ID: <505B1EE7.30908@redhat.com> On 09/20/2012 02:55 PM, Rob Crittenden wrote: > Pieter Baele wrote: >> Hi, >> >> I have a known problem when using the migration tool. >> Is there already a solution for this? 
>> >> As in: https://www.redhat.com/archives/freeipa-users/2012-January/msg00200.html >> >> ipa migrate-ds ldap://x.x.x.x:389 --base-dn=xxx >> --group-container=ou=People --continue >> Password: >> ipa: ERROR: an internal error has occurred >> >> >> error_log >> [Thu Sep 20 13:52:27 2012] [error] ipa: INFO: admin at LINUX.x: >> migrate_ds(u'ldap://x.x.x.x:389', u'********', binddn=u'cn=directory >> manager', usercontainer=u'ou=people', groupcontainer=u'ou=People', >> userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', >> u'groupOfNames'), userignoreobjectclass=None, >> userignoreattribute=None, groupignoreobjectclass=None, >> groupignoreattribute=None, groupoverwritegid=False, >> schema=u'RFC2307bis', continue=True, basedn=u'dc=xxx', compat=False, >> exclude_groups=None, exclude_users=None): UnicodeDecodeError > > I'd need more context from the error log to confirm that the problem is the > same. But if it is no, we don't have a solution other than the one suggested at > the time. > > rob > Since an Internal error was returned, there should at least be a traceback in /var/log/httpd/error_log. This should help us narrow down the root cause of this issue. 
Martin From ikaro at mit.edu Thu Sep 20 14:10:03 2012 From: ikaro at mit.edu (Ikaro Silva) Date: Thu, 20 Sep 2012 10:10:03 -0400 Subject: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version Message-ID: Hi Everyone, I am new to IPA and I am trying to start the IPA service but I get the following error message: ipactl start Starting Directory Service Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused Shutting down When I cat the /var/log/dirsrv/slapd-ECG-MIT-EDU/errors I get the following messages: [20/Sep/2012:10:08:53 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up [20/Sep/2012:10:08:54 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [20/Sep/2012:10:08:57 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which should be added before the CoS Definition. 
[20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
[20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program - cl5Open: failed to open changelog
[20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program - changelog5_init: failed to start changelog at /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[20/Sep/2012:10:08:58 -0400] - Failed to start object plugin Multimaster Replication Plugin
[20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
[20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program - cl5Open: failed to open changelog
[20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program - changelog5_init: failed to start changelog at /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[20/Sep/2012:10:08:59 -0400] - Failed to start object plugin Multimaster Replication Plugin
[20/Sep/2012:10:08:59 -0400] - Error: Failed to resolve plugin dependencies
[20/Sep/2012:10:08:59 -0400] - Error: preoperation plugin IPA Version Replication is not started
[20/Sep/2012:10:08:59 -0400] - Error: object plugin Legacy Replication Plugin is not started
[20/Sep/2012:10:08:59 -0400] - Error: object plugin Multimaster Replication Plugin is not started

Has anyone experienced similar problems or have suggestions on how to fix these errors?
Thank you, -Ikaro From rmeggins at redhat.com Thu Sep 20 14:16:12 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 20 Sep 2012 08:16:12 -0600 Subject: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version In-Reply-To: References: Message-ID: <505B252C.4020606@redhat.com> On 09/20/2012 08:10 AM, Ikaro Silva wrote: > Hi Everyone, > > > I am new to IPA and I am trying to start the IPA service but I get the > following error message: > > ipactl start > Starting Directory Service > Failed to read data from Directory Service: Unknown error when > retrieving list of services from LDAP: [Errno 111] Connection refused > Shutting down What platform? Did you upgrade from a previous version? Do you have another master that you could use to reinit this one from? > > When I cat the /var/log/dirsrv/slapd-ECG-MIT-EDU/errors I get the > following messages: > > [20/Sep/2012:10:08:53 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up > [20/Sep/2012:10:08:54 -0400] - Detected Disorderly Shutdown last time > Directory Server was running, recovering database. > [20/Sep/2012:10:08:57 -0400] - Skipping CoS Definition cn=Password > Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which > should be added before the CoS Definition. 
> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program > - cl5DBData2Entry: invalid data version > [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program > - cl5Open: failed to open changelog > [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program > - changelog5_init: failed to start changelog at > /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb > [20/Sep/2012:10:08:58 -0400] - Failed to start object plugin > Multimaster Replication Plugin > [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program > - cl5DBData2Entry: invalid data version > [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program > - cl5Open: failed to open changelog > [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program > - changelog5_init: failed to start changelog at > /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb > [20/Sep/2012:10:08:59 -0400] - Failed to start object plugin > Multimaster Replication Plugin > [20/Sep/2012:10:08:59 -0400] - Error: Failed to resolve plugin dependencies > [20/Sep/2012:10:08:59 -0400] - Error: preoperation plugin IPA Version > Replication is not started > [20/Sep/2012:10:08:59 -0400] - Error: object plugin Legacy Replication > Plugin is not started > [20/Sep/2012:10:08:59 -0400] - Error: object plugin Multimaster > Replication Plugin is not started > > > Has anyone experienced similar problems or have suggestions on how to > fix these errors ? 
> > > Thank you, > > -Ikaro > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From ikaro at mit.edu Thu Sep 20 14:53:27 2012 From: ikaro at mit.edu (Ikaro Silva) Date: Thu, 20 Sep 2012 10:53:27 -0400 Subject: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version In-Reply-To: <505B252C.4020606@redhat.com> References: <505B252C.4020606@redhat.com> Message-ID: Hi Rich, We did not upgrade from a previous version, this is our original master server (but we do have 2 other replications of this one). The architecture is Linux 3.4.9-2.fc16.i686.PAE #1 SMP Thu Aug 23 18:41:34 UTC 2012 i686 i686 i386 GNU/Linux On Thu, Sep 20, 2012 at 10:16 AM, Rich Megginson wrote: > On 09/20/2012 08:10 AM, Ikaro Silva wrote: >> >> Hi Everyone, >> >> >> I am new to IPA and I am trying to start the IPA service but I get the >> following error message: >> >> ipactl start >> Starting Directory Service >> Failed to read data from Directory Service: Unknown error when >> retrieving list of services from LDAP: [Errno 111] Connection refused >> Shutting down > > What platform? Did you upgrade from a previous version? > Do you have another master that you could use to reinit this one from? >> >> >> When I cat the /var/log/dirsrv/slapd-ECG-MIT-EDU/errors I get the >> following messages: >> >> [20/Sep/2012:10:08:53 -0400] - 389-Directory/1.2.10.14 B2012.201.358 >> starting up >> [20/Sep/2012:10:08:54 -0400] - Detected Disorderly Shutdown last time >> Directory Server was running, recovering database. >> [20/Sep/2012:10:08:57 -0400] - Skipping CoS Definition cn=Password >> Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which >> should be added before the CoS Definition. 
>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >> - cl5DBData2Entry: invalid data version >> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >> - cl5Open: failed to open changelog >> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >> - changelog5_init: failed to start changelog at >> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >> [20/Sep/2012:10:08:58 -0400] - Failed to start object plugin >> Multimaster Replication Plugin >> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >> - cl5DBData2Entry: invalid data version >> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >> - cl5Open: failed to open changelog >> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >> - changelog5_init: failed to start changelog at >> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >> [20/Sep/2012:10:08:59 -0400] - Failed to start object plugin >> Multimaster Replication Plugin >> [20/Sep/2012:10:08:59 -0400] - Error: Failed to resolve plugin >> dependencies >> [20/Sep/2012:10:08:59 -0400] - Error: preoperation plugin IPA Version >> Replication is not started >> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Legacy Replication >> Plugin is not started >> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Multimaster >> Replication Plugin is not started >> >> >> Has anyone experienced similar problems or have suggestions on how to >> fix these errors ? 
>> >> >> Thank you, >> >> -Ikaro >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > From rmeggins at redhat.com Thu Sep 20 14:59:52 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 20 Sep 2012 08:59:52 -0600 Subject: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version In-Reply-To: References: <505B252C.4020606@redhat.com> Message-ID: <505B2F68.1070906@redhat.com> On 09/20/2012 08:53 AM, Ikaro Silva wrote: > Hi Rich, > > We did not upgrade from a previous version, this is our original > master server (but we do have 2 other replications of this one). The > architecture is > > Linux 3.4.9-2.fc16.i686.PAE #1 SMP Thu Aug 23 18:41:34 UTC 2012 i686 > i686 i386 GNU/Linux ok - try this: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line you will need to use db2ldif.pl -r to create a replica init ldif file from one of your good replicas, copy this file to the machine with the "bad" replica, and use ldif2db to reinitialize it. You use db2ldif.pl on the replica because you can perform this operation while the server is running. You use ldif2db on the bad replica because you can't start the server. Note that due to selinux restrictions, you have to use /var/lib/dirsrv/slapd-DOMAIN/ldif as the export and import directory. 
> > > > On Thu, Sep 20, 2012 at 10:16 AM, Rich Megginson wrote: >> On 09/20/2012 08:10 AM, Ikaro Silva wrote: >>> Hi Everyone, >>> >>> >>> I am new to IPA and I am trying to start the IPA service but I get the >>> following error message: >>> >>> ipactl start >>> Starting Directory Service >>> Failed to read data from Directory Service: Unknown error when >>> retrieving list of services from LDAP: [Errno 111] Connection refused >>> Shutting down >> What platform? Did you upgrade from a previous version? >> Do you have another master that you could use to reinit this one from? >>> >>> When I cat the /var/log/dirsrv/slapd-ECG-MIT-EDU/errors I get the >>> following messages: >>> >>> [20/Sep/2012:10:08:53 -0400] - 389-Directory/1.2.10.14 B2012.201.358 >>> starting up >>> [20/Sep/2012:10:08:54 -0400] - Detected Disorderly Shutdown last time >>> Directory Server was running, recovering database. >>> [20/Sep/2012:10:08:57 -0400] - Skipping CoS Definition cn=Password >>> Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which >>> should be added before the CoS Definition. 
>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>> - cl5DBData2Entry: invalid data version >>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>> - cl5Open: failed to open changelog >>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>> - changelog5_init: failed to start changelog at >>> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >>> [20/Sep/2012:10:08:58 -0400] - Failed to start object plugin >>> Multimaster Replication Plugin >>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>> - cl5DBData2Entry: invalid data version >>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>> - cl5Open: failed to open changelog >>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>> - changelog5_init: failed to start changelog at >>> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >>> [20/Sep/2012:10:08:59 -0400] - Failed to start object plugin >>> Multimaster Replication Plugin >>> [20/Sep/2012:10:08:59 -0400] - Error: Failed to resolve plugin >>> dependencies >>> [20/Sep/2012:10:08:59 -0400] - Error: preoperation plugin IPA Version >>> Replication is not started >>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Legacy Replication >>> Plugin is not started >>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Multimaster >>> Replication Plugin is not started >>> >>> >>> Has anyone experienced similar problems or have suggestions on how to >>> fix these errors ? >>> >>> >>> Thank you, >>> >>> -Ikaro >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> From rcritten at redhat.com Thu Sep 20 15:43:25 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 20 Sep 2012 11:43:25 -0400 Subject: [Freeipa-users] sudden ipa errors. 
In-Reply-To: <1828665393.2905790.1348140261453.JavaMail.root@zstore00.zprd.lafayette.edu> References: <1828665393.2905790.1348140261453.JavaMail.root@zstore00.zprd.lafayette.edu> Message-ID: <505B399D.9000309@redhat.com> Lager, Nathan T. wrote: > > ----- Original Message ----- >> From: "Rob Crittenden" >> To: "Nathan Lager" >> Cc: freeipa-users at redhat.com >> Sent: Wednesday, September 19, 2012 4:35:30 PM >> Subject: Re: [Freeipa-users] sudden ipa errors. >> Nathan Lager wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> >>> >>> On 09/19/2012 03:47 PM, Rob Crittenden wrote: >>>> Dmitri Pal wrote: >>>>> >>>>> Rob, keytab and kerberos part seems to be fine, ldap works too. >>>>> Can it be one of the certs? May be some cert expired? >>>> >>>> No, the error is coming from GSSAPI, it is unfortunately >>>> completely useless. I think we've pretty well narrowed down the >>>> problem to httpd/mod_auth_kerb but I don't know yet if this is a >>>> configuration issue or a bug. >>>> >>>> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf? >>> Sure, as far as I know its completely stock, aside from the krb >>> password auth change. >> >> Yup, configuration looks fine. >> >> Ok, let's eliminate the ipa tool as the problem and try curl: >> >> Create a file test.json with these contents: >> >> {"method":"batch","params":[[ >> {"method":"user_show","params":[["admin"],{"all":false}]} >> ],{}],"id":1} >> >> then run this: >> >> curl -H "Content-Type:application/json" -H "Accept:application/json" >> -H >> "Accept-Language:en" -H "Referer: >> https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert >> /etc/ipa/ca.crt -d @test.json -X POST >> https://caroline0.lafayette.edu/ipa/json >> > Seems to be running into the same trouble. 
> [lagern at caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
> 500 Internal Server Error
> Internal Server Error
> The server encountered an internal error or misconfiguration and was unable to complete your request.
> Please contact the server administrator, root at localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
> More information about this error may be available in the server error log.
> Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443
> Ok, need to gather some more info: # kvno HTTP/caroline0.lafayette.edu # klist -kt /etc/httpd/conf/ipa.keytab rob From jreg2k at gmail.com Thu Sep 20 16:30:49 2012 From: jreg2k at gmail.com (James James) Date: Thu, 20 Sep 2012 18:30:49 +0200 Subject: [Freeipa-users] Ipa migration, from ui cannot change password Message-ID: Hi, I've done a migration from ldap to ipa. Everything works well but when I try to change my password in the ui (https://ipa.example.com/ipa/migration) I have this error message : We're Sorry *There was a problem with your request. Please, try again later.* If the problem persists, contact your administrator. In the log : Thu Sep 20 18:29:54 2012] [error] ipa: ERROR: migration bind failed: Inappropriate authentication () Can somebody give me some help ? -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Thu Sep 20 16:48:59 2012 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 20 Sep 2012 12:48:59 -0400 Subject: [Freeipa-users] Ipa migration, from ui cannot change password In-Reply-To: References: Message-ID: <505B48FB.9090506@redhat.com> On 09/20/2012 12:30 PM, James James wrote: > Hi, > > I've done a migration from ldap to ipa. Everything works well but when > I try to change my password in the ui > (https://ipa.example.com/ipa/migration) I have this error message : > > > We're Sorry > > *There was a problem with your request. Please, try again later.* > > If the problem persists, contact your administrator. > > In the log : > > Thu Sep 20 18:29:54 2012] [error] ipa: ERROR: migration bind failed: > Inappropriate authentication () > > Can somebody give me some help ? > > And I assume the migration is in fact enabled? 
# ipa config-mod --enable-migration=TRUE Can it be that you are hitting https://bugzilla.redhat.com/show_bug.cgi?id=822350 > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From jreg2k at gmail.com Thu Sep 20 16:49:56 2012 From: jreg2k at gmail.com (James James) Date: Thu, 20 Sep 2012 18:49:56 +0200 Subject: [Freeipa-users] Ipa migration, from ui cannot change password In-Reply-To: <505B48FB.9090506@redhat.com> References: <505B48FB.9090506@redhat.com> Message-ID: Yes config mod is enabled 2012/9/20 Dmitri Pal > On 09/20/2012 12:30 PM, James James wrote: > > Hi, > > I've done a migration from ldap to ipa. Everything works well but when I > try to change my password in the ui (https://ipa.example.com/ipa/migration) > I have this error message : > We're Sorry > > *There was a problem with your request. Please, try again later.* > > If the problem persists, contact your administrator. > > In the log : > > Thu Sep 20 18:29:54 2012] [error] ipa: ERROR: migration bind failed: > Inappropriate authentication () > > Can somebody give me some help ? > > > And I assume the migration is in fact enabled? > > # ipa config-mod --enable-migration=TRUE > > > > Can it be that you are hitting > https://bugzilla.redhat.com/show_bug.cgi?id=822350 > > > > > _______________________________________________ > Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. 
> > > ------------------------------- > Looking to carve out IT costs?www.redhat.com/carveoutcosts/ > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jreg2k at gmail.com Thu Sep 20 16:50:26 2012 From: jreg2k at gmail.com (James James) Date: Thu, 20 Sep 2012 18:50:26 +0200 Subject: [Freeipa-users] Ipa migration, from ui cannot change password In-Reply-To: References: <505B48FB.9090506@redhat.com> Message-ID: Oups .. migration mode is enable ... 2012/9/20 James James > Yes config mod is enabled > > 2012/9/20 Dmitri Pal > >> On 09/20/2012 12:30 PM, James James wrote: >> >> Hi, >> >> I've done a migration from ldap to ipa. Everything works well but when I >> try to change my password in the ui ( >> https://ipa.example.com/ipa/migration) I have this error message : >> We're Sorry >> >> *There was a problem with your request. Please, try again later.* >> >> If the problem persists, contact your administrator. >> >> In the log : >> >> Thu Sep 20 18:29:54 2012] [error] ipa: ERROR: migration bind failed: >> Inappropriate authentication () >> >> Can somebody give me some help ? >> >> >> And I assume the migration is in fact enabled? >> >> # ipa config-mod --enable-migration=TRUE >> >> >> >> Can it be that you are hitting >> https://bugzilla.redhat.com/show_bug.cgi?id=822350 >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager for IdM portfolio >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs?www.redhat.com/carveoutcosts/ >> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From dpal at redhat.com Thu Sep 20 17:01:38 2012 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 20 Sep 2012 13:01:38 -0400 Subject: [Freeipa-users] Ipa migration, from ui cannot change password In-Reply-To: References: <505B48FB.9090506@redhat.com> Message-ID: <505B4BF2.6000600@redhat.com> On 09/20/2012 12:50 PM, James James wrote: > Oups .. migration mode is enable ... The ldap (access, error) and kerberos logs from the server would be helpful to troubleshoot. /var/log/dirsrv/... krb5kdc.log > > 2012/9/20 James James > > > Yes config mod is enabled > > 2012/9/20 Dmitri Pal > > > On 09/20/2012 12:30 PM, James James wrote: >> Hi, >> >> I've done a migration from ldap to ipa. Everything works well >> but when I try to change my password in the ui >> (https://ipa.example.com/ipa/migration) I have this error >> message : >> >> >> We're Sorry >> >> *There was a problem with your request. Please, try again >> later.* >> >> If the problem persists, contact your administrator. >> >> In the log : >> >> Thu Sep 20 18:29:54 2012] [error] ipa: ERROR: migration bind >> failed: Inappropriate authentication () >> >> Can somebody give me some help ? >> >> > And I assume the migration is in fact enabled? > > # ipa config-mod --enable-migration=TRUE > > > > Can it be that you are hitting > https://bugzilla.redhat.com/show_bug.cgi?id=822350 >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rcritten at redhat.com Thu Sep 20 17:07:21 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 20 Sep 2012 13:07:21 -0400 Subject: [Freeipa-users] Ipa migration, from ui cannot change password In-Reply-To: <505B4BF2.6000600@redhat.com> References: <505B48FB.9090506@redhat.com> <505B4BF2.6000600@redhat.com> Message-ID: <505B4D49.7000007@redhat.com> Dmitri Pal wrote: > On 09/20/2012 12:50 PM, James James wrote: >> Oups .. migration mode is enable ... > > The ldap (access, error) and kerberos logs from the server would be > helpful to troubleshoot. > /var/log/dirsrv/... > krb5kdc.log This is usually seen when there is no password in LDAP. You can confirm this as Directory Manager: $ ldapsearch -x -D 'cn=Directory Manager' -W password -b cn=users,cn=accounts,dc=example,dc=com uid=migrated_user userPassword rob From jreg2k at gmail.com Thu Sep 20 17:07:20 2012 From: jreg2k at gmail.com (James James) Date: Thu, 20 Sep 2012 19:07:20 +0200 Subject: [Freeipa-users] Ipa migration, from ui cannot change password In-Reply-To: <505B4BF2.6000600@redhat.com> References: <505B48FB.9090506@redhat.com> <505B4BF2.6000600@redhat.com> Message-ID: Thanks for your help. 
I've got in krb5kdc.log : Sep 20 17:00:47 ipa.example.com krb5kdc[14155](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.72: ISSUE: authtime 1348153247, etypes {rep=18 tkt=18 ses=18}, host/ elide.example.com at example.com for ldap/ipa.lix.polytechniqu e.fr at example.com Sep 20 17:00:56 ipa.example.com krb5kdc[14164](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.72: NEEDED_PREAUTH: regis at example.com for krbtgt/example.com at example.com, Additional pre-authentication required Sep 20 17:00:56 ipa.example.com krb5kdc[14169](info): preauth (timestamp) verify failure: No matching key in entry Sep 20 17:00:56 ipa.example.com krb5kdc[14169](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.72: PREAUTH_FAILED: regis at example.com for krbtgt/example.com at example.com, Preauthentication failed Sep 20 17:00:56 ipa.example.com krb5kdc[14161](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.72: NEEDED_PREAUTH: host/elide.example.com at example.com for krbtgt/example.com at example.com, Additional pre-auth entication required I have spent the whole day trying to debug my server. I will re-install and re-migrate to see if I have missed something .. 2012/9/20 Dmitri Pal > On 09/20/2012 12:50 PM, James James wrote: > > Oups .. migration mode is enable ... > > > The ldap (access, error) and kerberos logs from the server would be > helpful to troubleshoot. > /var/log/dirsrv/... > krb5kdc.log > > > > 2012/9/20 James James > >> Yes config mod is enabled >> >> 2012/9/20 Dmitri Pal >> >>> On 09/20/2012 12:30 PM, James James wrote: >>> >>> Hi, >>> >>> I've done a migration from ldap to ipa. Everything works well but when I >>> try to change my password in the ui ( >>> https://ipa.example.com/ipa/migration) I have this error message : >>> We're Sorry >>> >>> *There was a problem with your request. Please, try again later.* >>> >>> If the problem persists, contact your administrator. 
>>>
>>> In the log:
>>>
>>> [Thu Sep 20 18:29:54 2012] [error] ipa: ERROR: migration bind failed:
>>> Inappropriate authentication ()
>>>
>>> Can somebody give me some help?
>>>
>>>
>>> And I assume the migration is in fact enabled?
>>>
>>> # ipa config-mod --enable-migration=TRUE
>>>
>>>
>>> Can it be that you are hitting
>>> https://bugzilla.redhat.com/show_bug.cgi?id=822350
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>> -------------------------------
>>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>>
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>

From jreg2k at gmail.com Thu Sep 20 17:39:03 2012
From: jreg2k at gmail.com (James James)
Date: Thu, 20 Sep 2012 19:39:03 +0200
Subject: [Freeipa-users] Ipa migration, from ui cannot change password
In-Reply-To: <505B4D49.7000007@redhat.com>
References: <505B48FB.9090506@redhat.com> <505B4BF2.6000600@redhat.com> <505B4D49.7000007@redhat.com>
Message-ID:

You're right. The request returns:

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=test
# requesting: userPassword
#

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com

# search result
search: 2
result: 0 Success

Can you explain to me what happens?

Is there a solution?

2012/9/20 Rob Crittenden
> Dmitri Pal wrote:
>
>> On 09/20/2012 12:50 PM, James James wrote:
>>
>>> Oups .. migration mode is enabled ...
>>>
>>
>> The ldap (access, error) and kerberos logs from the server would be
>> helpful to troubleshoot.
>> /var/log/dirsrv/...
>> krb5kdc.log
>>
>
> This is usually seen when there is no password in LDAP.
>
> You can confirm this as Directory Manager:
>
> $ ldapsearch -x -D 'cn=Directory Manager' -W -b
> cn=users,cn=accounts,dc=example,dc=com uid=migrated_user userPassword
>
> rob
>

From rcritten at redhat.com Thu Sep 20 17:42:32 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Sep 2012 13:42:32 -0400
Subject: [Freeipa-users] Ipa migration, from ui cannot change password
In-Reply-To:
References: <505B48FB.9090506@redhat.com> <505B4BF2.6000600@redhat.com> <505B4D49.7000007@redhat.com>
Message-ID: <505B5588.6060307@redhat.com>

James James wrote:
> You're right. The request returns:
>
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: uid=test
> # requesting: userPassword
> #
>
> # test, users, accounts, example.com
> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>
> # search result
> search: 2
> result: 0 Success
>
> Can you explain to me what happens?
>
> Is there a solution?

When migrating you need to bind as a user that has read permission on the userPassword attribute in the remote LDAP server.

rob

>
> 2012/9/20 Rob Crittenden
>
> Dmitri Pal wrote:
>
> On 09/20/2012 12:50 PM, James James wrote:
>
> Oups .. migration mode is enabled ...
>
>
> The ldap (access, error) and kerberos logs from the server would be
> helpful to troubleshoot.
> /var/log/dirsrv/...
> krb5kdc.log
>
>
> This is usually seen when there is no password in LDAP.
>
> You can confirm this as Directory Manager:
>
> $ ldapsearch -x -D 'cn=Directory Manager' -W -b
> cn=users,cn=accounts,dc=example,dc=com uid=migrated_user userPassword
>
> rob
>

From lagern at lafayette.edu Thu Sep 20 18:25:09 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Thu, 20 Sep 2012 14:25:09 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <505B399D.9000309@redhat.com>
References: <1828665393.2905790.1348140261453.JavaMail.root@zstore00.zprd.lafayette.edu> <505B399D.9000309@redhat.com>
Message-ID: <505B5F85.4030907@lafayette.edu>

On 09/20/2012 11:43 AM, Rob Crittenden wrote:
> Lager, Nathan T. wrote:
>>
>> ----- Original Message -----
>>> From: "Rob Crittenden"
>>> To: "Nathan Lager"
>>> Cc: freeipa-users at redhat.com
>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>
>>> Nathan Lager wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>> Dmitri Pal wrote:
>>>>>>
>>>>>> Rob, keytab and kerberos part seems to be fine, ldap
>>>>>> works too. Can it be one of the certs? Maybe some cert
>>>>>> expired?
>>>>>
>>>>> No, the error is coming from GSSAPI, it is unfortunately
>>>>> completely useless. I think we've pretty well narrowed down
>>>>> the problem to httpd/mod_auth_kerb but I don't know yet if
>>>>> this is a configuration issue or a bug.
>>>>>
>>>>> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
>>>> Sure, as far as I know it's completely stock, aside from the
>>>> krb password auth change.
>>>
>>> Yup, configuration looks fine.
>>>
>>> Ok, let's eliminate the ipa tool as the problem and try curl:
>>>
>>> Create a file test.json with these contents:
>>>
>>> {"method":"batch","params":[[
>>> {"method":"user_show","params":[["admin"],{"all":false}]}
>>> ],{}],"id":1}
>>>
>>> then run this:
>>>
>>> curl -H "Content-Type:application/json" -H
>>> "Accept:application/json" -H "Accept-Language:en" -H "Referer:
>>> https://caroline0.lafayette.edu/ipa/xml" --negotiate -u :
>>> --cacert /etc/ipa/ca.crt -d @test.json -X POST
>>> https://caroline0.lafayette.edu/ipa/json
>>>
>> Seems to be running into the same trouble.
>>
>> [lagern at caroline0 PROD ~]$ curl -H
>> "Content-Type:application/json" -H "Accept:application/json" -H
>> "Accept-Language:en" -H "Referer:
>> https://caroline0.lafayette.edu/ipa/xml" --negotiate -u :
>> --cacert /etc/ipa/ca.crt -d @test.json -X POST
>> https://caroline0.lafayette.edu/ipa/json
>> 500 Internal Server Error
>> Internal Server Error
>> The server encountered an internal error or misconfiguration and was unable to complete your request.
>> Please contact the server administrator, root at localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
>> More information about this error may be available in the server error log.
>> Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443
>
> Ok, need to gather some more info:
>
> # kvno HTTP/caroline0.lafayette.edu
> # klist -kt /etc/httpd/conf/ipa.keytab
>

[root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = 3

[root at caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU

> rob

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042

From rcritten at redhat.com Thu Sep 20 18:28:17 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Sep 2012 14:28:17 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <505B5F85.4030907@lafayette.edu>
References: <1828665393.2905790.1348140261453.JavaMail.root@zstore00.zprd.lafayette.edu> <505B399D.9000309@redhat.com> <505B5F85.4030907@lafayette.edu>
Message-ID: <505B6041.4090805@redhat.com>

Nathan Lager wrote:
>
> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
>> Lager, Nathan T. wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Rob Crittenden"
>>>> To: "Nathan Lager"
>>>> Cc: freeipa-users at redhat.com
>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>
>>>> Nathan Lager wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>>> Dmitri Pal wrote:
>>>>>>>
>>>>>>> Rob, keytab and kerberos part seems to be fine, ldap
>>>>>>> works too. Can it be one of the certs? Maybe some cert
>>>>>>> expired?
>>>>>>
>>>>>> No, the error is coming from GSSAPI, it is unfortunately
>>>>>> completely useless. I think we've pretty well narrowed down
>>>>>> the problem to httpd/mod_auth_kerb but I don't know yet if
>>>>>> this is a configuration issue or a bug.
>>>>>>
>>>>>> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
>>>>> Sure, as far as I know it's completely stock, aside from the
>>>>> krb password auth change.
>>>>
>>>> Yup, configuration looks fine.
>>>>
>>>> Ok, let's eliminate the ipa tool as the problem and try curl:
>>>>
>>>> Create a file test.json with these contents:
>>>>
>>>> {"method":"batch","params":[[
>>>> {"method":"user_show","params":[["admin"],{"all":false}]}
>>>> ],{}],"id":1}
>>>>
>>>> then run this:
>>>>
>>>> curl -H "Content-Type:application/json" -H
>>>> "Accept:application/json" -H "Accept-Language:en" -H "Referer:
>>>> https://caroline0.lafayette.edu/ipa/xml" --negotiate -u :
>>>> --cacert /etc/ipa/ca.crt -d @test.json -X POST
>>>> https://caroline0.lafayette.edu/ipa/json
>>>>
>>> Seems to be running into the same trouble.
>>>
>>> [lagern at caroline0 PROD ~]$ curl -H
>>> "Content-Type:application/json" -H "Accept:application/json" -H
>>> "Accept-Language:en" -H "Referer:
>>> https://caroline0.lafayette.edu/ipa/xml" --negotiate -u :
>>> --cacert /etc/ipa/ca.crt -d @test.json -X POST
>>> https://caroline0.lafayette.edu/ipa/json
>>> 500 Internal Server Error
>>> Internal Server Error
>>> The server encountered an internal error or misconfiguration and was unable to complete your request.
>>> Please contact the server administrator, root at localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
>>> More information about this error may be available in the server error log.
>>> Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443
>>
>> Ok, need to gather some more info:
>>
>> # kvno HTTP/caroline0.lafayette.edu
>> # klist -kt /etc/httpd/conf/ipa.keytab
>>
> [root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = 3
> [root at caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>

It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has only 4. Did you change the available encryption types?

Can you re-run the klist command with -e as well? klist -ekt ...

rob

From dpal at redhat.com Thu Sep 20 18:30:13 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 20 Sep 2012 14:30:13 -0400
Subject: [Freeipa-users] Ipa migration, from ui cannot change password
In-Reply-To: <505B5588.6060307@redhat.com>
References: <505B48FB.9090506@redhat.com> <505B4BF2.6000600@redhat.com> <505B4D49.7000007@redhat.com> <505B5588.6060307@redhat.com>
Message-ID: <505B60B5.1070201@redhat.com>

On 09/20/2012 01:42 PM, Rob Crittenden wrote:
> James James wrote:
>> You're right. The request returns:
>>
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: uid=test
>> # requesting: userPassword
>> #
>>
>> # test, users, accounts, example.com
>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> Can you explain to me what happens?
>>
>> Is there a solution?
>
> When migrating you need to bind as a user that has read permission on
> the userPassword attribute in the remote LDAP server.

Rob should we check if we can read the userPassword attribute and if not fail migration?
Should we open a ticket for this?
Also I do not think we document the expectation that you vocalized above.

>
> rob
>
>>
>> 2012/9/20 Rob Crittenden
>>
>> Dmitri Pal wrote:
>>
>> On 09/20/2012 12:50 PM, James James wrote:
>>
>> Oups .. migration mode is enabled ...
>>
>>
>> The ldap (access, error) and kerberos logs from the server
>> would be
>> helpful to troubleshoot.
>> /var/log/dirsrv/...
>> krb5kdc.log
>>
>>
>> This is usually seen when there is no password in LDAP.
>>
>> You can confirm this as Directory Manager:
>>
>> $ ldapsearch -x -D 'cn=Directory Manager' -W -b
>> cn=users,cn=accounts,dc=example,dc=com uid=migrated_user
>> userPassword
>>
>> rob
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From lagern at lafayette.edu Thu Sep 20 18:46:20 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Thu, 20 Sep 2012 14:46:20 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <505B6041.4090805@redhat.com>
References: <1828665393.2905790.1348140261453.JavaMail.root@zstore00.zprd.lafayette.edu> <505B399D.9000309@redhat.com> <505B5F85.4030907@lafayette.edu> <505B6041.4090805@redhat.com>
Message-ID: <505B647C.7000705@lafayette.edu>

On 09/20/2012 02:28 PM, Rob Crittenden wrote:
> Nathan Lager wrote:
>>
>> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
>>> Lager, Nathan T. wrote:
>>>>
>>>> ----- Original Message -----
>>>>> From: "Rob Crittenden"
>>>>> To: "Nathan Lager"
>>>>> Cc: freeipa-users at redhat.com
>>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>>
>>>>> Nathan Lager wrote:
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA1
>>>>>>
>>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>>>> Dmitri Pal wrote:
>>>>>>>>
>>>>>>>> Rob, keytab and kerberos part seems to be fine, ldap
>>>>>>>> works too. Can it be one of the certs? Maybe some
>>>>>>>> cert expired?
>>>>>>>
>>>>>>> No, the error is coming from GSSAPI, it is
>>>>>>> unfortunately completely useless. I think we've pretty
>>>>>>> well narrowed down the problem to httpd/mod_auth_kerb
>>>>>>> but I don't know yet if this is a configuration issue
>>>>>>> or a bug.
>>>>>>>
>>>>>>> Nathan, can you show me your
>>>>>>> /etc/httpd/conf.d/ipa.conf?
>>>>>> Sure, as far as I know it's completely stock, aside from
>>>>>> the krb password auth change.
>>>>>
>>>>> Yup, configuration looks fine.
>>>>>
>>>>> Ok, let's eliminate the ipa tool as the problem and try
>>>>> curl:
>>>>>
>>>>> Create a file test.json with these contents:
>>>>>
>>>>> {"method":"batch","params":[[
>>>>> {"method":"user_show","params":[["admin"],{"all":false}]}
>>>>> ],{}],"id":1}
>>>>>
>>>>> then run this:
>>>>>
>>>>> curl -H "Content-Type:application/json" -H
>>>>> "Accept:application/json" -H "Accept-Language:en" -H
>>>>> "Referer: https://caroline0.lafayette.edu/ipa/xml"
>>>>> --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X
>>>>> POST https://caroline0.lafayette.edu/ipa/json
>>>>>
>>>> Seems to be running into the same trouble.
>>>>
>>>> [lagern at caroline0 PROD ~]$ curl -H
>>>> "Content-Type:application/json" -H "Accept:application/json"
>>>> -H "Accept-Language:en" -H "Referer:
>>>> https://caroline0.lafayette.edu/ipa/xml" --negotiate -u :
>>>> --cacert /etc/ipa/ca.crt -d @test.json -X POST
>>>> https://caroline0.lafayette.edu/ipa/json
>>>> 500 Internal Server Error
>>>> Internal Server Error
>>>> The server encountered an internal error or misconfiguration and was unable to complete your request.
>>>> Please contact the server administrator, root at localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
>>>> More information about this error may be available in the server error log.
>>>> Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443
>>>
>>> Ok, need to gather some more info:
>>>
>>> # kvno HTTP/caroline0.lafayette.edu
>>> # klist -kt /etc/httpd/conf/ipa.keytab
>>>
>> [root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = 3
>> [root at caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>
>
> It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has
> only 4. Did you change the available encryption types?
>

I have not changed them, not intentionally anyway. Could it be that an update did so? I installed IPA around RHEL 6.1 or so, and have been updating it via yum periodically.

> Can you re-run the klist command with -e as well? klist -ekt ...
>

[root at caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)

> rob
>

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042

From rcritten at redhat.com Thu Sep 20 19:01:36 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Sep 2012 15:01:36 -0400
Subject: [Freeipa-users] Ipa migration, from ui cannot change password
In-Reply-To: <505B60B5.1070201@redhat.com>
References: <505B48FB.9090506@redhat.com> <505B4BF2.6000600@redhat.com> <505B4D49.7000007@redhat.com> <505B5588.6060307@redhat.com> <505B60B5.1070201@redhat.com>
Message-ID: <505B6810.7050402@redhat.com>

Dmitri Pal wrote:
> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>> James James wrote:
>>> You're right. The request returns:
>>>
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: uid=test
>>> # requesting: userPassword
>>> #
>>>
>>> # test, users, accounts, example.com
>>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> Can you explain to me what happens?
>>>
>>> Is there a solution?
>>
>> When migrating you need to bind as a user that has read permission on
>> the userPassword attribute in the remote LDAP server.
>
> Rob should we check if we can read the userPassword attribute and if not
> fail migration?
> Should we open a ticket for this?
> Also I do not think we document the expectation that you vocalized above.

I'll open a ticket to spell this out in the docs. Checking it in the command would be nice but I don't know about fatal. Still, I'll open a ticket for that as well.

rob

From sigbjorn at nixtra.com Thu Sep 20 19:59:34 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 20 Sep 2012 21:59:34 +0200
Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
In-Reply-To: <505A4262.6070708@redhat.com>
References: <505A2D07.9030608@nixtra.com> <505A2FA8.4050007@redhat.com> <505A3322.9020601@nixtra.com> <505A339F.9060905@redhat.com> <505A3DEA.90407@nixtra.com> <505A4262.6070708@redhat.com>
Message-ID: <505B75A6.6060904@nixtra.com>

On 09/20/2012 12:08 AM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On 09/19/2012 11:05 PM, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>>>>> Sigbjorn Lie wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I noticed an updated krb5-server package today advertising that it's
>>>>>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>>>>>> installed it in my test environment, set SElinux back to
>>>>>> enforcing in
>>>>>> /etc/sysconfig/selinux and rebooted.
>>>>>>
>>>>>> The named daemon does not start now. The error below was logged in
>>>>>> /var/log/messages:
>>>>>>
>>>>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: PROCESS_TGS)
>>>>>>
>>>>>> I am able to start named after setting SElinux in permissive mode
>>>>>> (setenforce 0).
>>>>>>
>>>>>> Then to verify: I stop all IPA services (ipactl stop), re-enabled selinux
>>>>>> (setenforce 1), and start the IPA services (ipactl start). A new error
>>>>>> is logged in /var/log/messages:
>>>>>>
>>>>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid credentials
>>>>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission denied
>>>>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>>>>>>
>>>>>>
>>>>>> From the /var/log/krb5kdc.log:
>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client> for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0: File exists
>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client> for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0: File exists
>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH: DNS/ipa01.ix.test.com at IX.TEST.COM for krbtgt/IX.TEST.COM at IX.TEST.COM, Additional pre-authentication required
>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com at IX.TEST.COM for krbtgt/IX.TEST.COM at IX.TEST.COM
>>>>>>
>>>>>> /var/named/data/named.run logged nothing.
>>>>>>
>>>>>>
>>>>>> Any suggestions for how to troubleshoot this issue?
>>>>>
>>>>> Pure guess, but:
>>>>>
>>>>> restorecon /var/tmp/krbtgt_0
>>>>>
>>>>> rob
>>>> Sorry, that did not help. There seems to be a new error in the messages
>>>> file every time I attempt a named restart though. See below for the
>>>> latest:
>>>>
>>>> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf (IX.TEST.COM) does not match tkey-gssapi-credential (DNS/ipa01.ix.test.com)
>>>> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
>>>> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
>>>> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)
>>>
>>> I'd continue to check /var/log/audit/audit.log for AVCs.
>>>
>>> rob
>>>
>>
>> OK, I had a quick look before I'm off for today. :)
>>
>> There's a lot of these messages, denying named access to
>> /var/tmp/DNS_25.
>>
>> type=AVC msg=audit(1348086955.397:42404): avc: denied { getattr } for pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348086955.398:42405): avc: denied { read write } for pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348086955.398:42405): avc: denied { open } for pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.524:42438): avc: denied { getattr } for pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.524:42439): avc: denied { unlink } for pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42440): avc: denied { getattr } for pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42441): avc: denied { unlink } for pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42442): avc: denied { getattr } for pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42443): avc: denied { unlink } for pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42444): avc: denied { getattr } for pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.526:42445): avc: denied { unlink } for pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.526:42446): avc: denied { getattr } for pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.526:42447): avc: denied { unlink } for pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088493.161:42449): avc: denied { getattr } for pid=12667 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088493.162:42450): avc: denied { read write } for pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088493.162:42450): avc: denied { open } for pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>
>>
>> I tried "restorecon /var/tmp/DNS_25", but the attributes look the same
>> before and after:
>>
>> -rw-------. named named system_u:object_r:tmp_t:s0 DNS_25
>
> Ok, I'm not sure. Perhaps selinux-policy has an update available too?
>
> You may want to consider temporarily setting selinux to permissive
> while we sort this out if your system is otherwise unusable.
>
> rob
>

There are no more updates available for the system at all. I've set selinux to permissive for now. Please let me know when you know what else to troubleshoot. I have also updated my RH support case with this thread.

Thanks.
Regards,
Siggi

From rcritten at redhat.com Thu Sep 20 20:17:51 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Sep 2012 16:17:51 -0400
Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
In-Reply-To: <505B75A6.6060904@nixtra.com>
References: <505A2D07.9030608@nixtra.com> <505A2FA8.4050007@redhat.com> <505A3322.9020601@nixtra.com> <505A339F.9060905@redhat.com> <505A3DEA.90407@nixtra.com> <505A4262.6070708@redhat.com> <505B75A6.6060904@nixtra.com>
Message-ID: <505B79EF.1070806@redhat.com>

Sigbjorn Lie wrote:
> On 09/20/2012 12:08 AM, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> On 09/19/2012 11:05 PM, Rob Crittenden wrote:
>>>> Sigbjorn Lie wrote:
>>>>> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>>>>>> Sigbjorn Lie wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I noticed an updated krb5-server package today advertising that it's
>>>>>>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>>>>>>> installed it in my test environment, set SElinux back to
>>>>>>> enforcing in
>>>>>>> /etc/sysconfig/selinux and rebooted.
>>>>>>>
>>>>>>> The named daemon does not start now. The error below was logged in
>>>>>>> /var/log/messages:
>>>>>>>
>>>>>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: PROCESS_TGS)
>>>>>>>
>>>>>>> I am able to start named after setting SElinux in permissive mode
>>>>>>> (setenforce 0).
>>>>>>>
>>>>>>> Then to verify: I stop all IPA services (ipactl stop), re-enabled selinux
>>>>>>> (setenforce 1), and start the IPA services (ipactl start). A new error
>>>>>>> is logged in /var/log/messages:
>>>>>>>
>>>>>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid credentials
>>>>>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission denied
>>>>>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>>>>>>>
>>>>>>>
>>>>>>> From the /var/log/krb5kdc.log:
>>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client> for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0: File exists
>>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client> for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0: File exists
>>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH: DNS/ipa01.ix.test.com at IX.TEST.COM for krbtgt/IX.TEST.COM at IX.TEST.COM, Additional pre-authentication required
>>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com at IX.TEST.COM for krbtgt/IX.TEST.COM at IX.TEST.COM
>>>>>>>
>>>>>>> /var/named/data/named.run logged nothing.
>>>>>>>
>>>>>>>
>>>>>>> Any suggestions for how to troubleshoot this issue?
>>>>>>
>>>>>> Pure guess, but:
>>>>>>
>>>>>> restorecon /var/tmp/krbtgt_0
>>>>>>
>>>>>> rob
>>>>> Sorry, that did not help. There seems to be a new error in the messages
>>>>> file every time I attempt a named restart though. See below for the
>>>>> latest:
>>>>>
>>>>> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf (IX.TEST.COM) does not match tkey-gssapi-credential (DNS/ipa01.ix.test.com)
>>>>> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
>>>>> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
>>>>> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)
>>>>
>>>> I'd continue to check /var/log/audit/audit.log for AVCs.
>>>>
>>>> rob
>>>>
>>>
>>> OK, I had a quick look before I'm off for today. :)
>>>
>>> There's a lot of these messages, denying named access to
>>> /var/tmp/DNS_25.
>>>
>>> type=AVC msg=audit(1348086955.397:42404): avc: denied { getattr } for pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348086955.398:42405): avc: denied { read write } for pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348086955.398:42405): avc: denied { open } for pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.524:42438): avc: denied { getattr } for pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.524:42439): avc: denied { unlink } for pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.525:42440): avc: denied { getattr } for pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>>>
scontext=unconfined_u:system_r:named_t:s0 >>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>> type=AVC msg=audit(1348088487.525:42441): avc: denied { unlink } for >>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>> scontext=unconfined_u:system_r:named_t:s0 >>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>> type=AVC msg=audit(1348088487.525:42442): avc: denied { getattr } for >>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 >>> scontext=unconfined_u:system_r:named_t:s0 >>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>> type=AVC msg=audit(1348088487.525:42443): avc: denied { unlink } for >>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>> scontext=unconfined_u:system_r:named_t:s0 >>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>> type=AVC msg=audit(1348088487.525:42444): avc: denied { getattr } for >>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 >>> scontext=unconfined_u:system_r:named_t:s0 >>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>> type=AVC msg=audit(1348088487.526:42445): avc: denied { unlink } for >>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>> scontext=unconfined_u:system_r:named_t:s0 >>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>> type=AVC msg=audit(1348088487.526:42446): avc: denied { getattr } for >>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 >>> scontext=unconfined_u:system_r:named_t:s0 >>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>> type=AVC msg=audit(1348088487.526:42447): avc: denied { unlink } for >>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>> scontext=unconfined_u:system_r:named_t:s0 >>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>> type=AVC msg=audit(1348088493.161:42449): avc: denied { getattr } for >>> pid=12667 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 >>> scontext=unconfined_u:system_r:named_t:s0 >>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>> 
type=AVC msg=audit(1348088493.162:42450): avc: denied { read write }
>>> for pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088493.162:42450): avc: denied { open } for
>>> pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>>
>>> I tried "restorecon /var/tmp/DNS_25", but the attributes looks the same
>>> before and after:
>>>
>>> -rw-------. named named system_u:object_r:tmp_t:s0 DNS_25
>>
>> Ok, I'm not sure. Perhaps selinux-policy has an update available too?
>>
>> You may want to consider temporarily setting selinux to permissive
>> while we sort this out if your system is otherwise unusable.
>>
>> rob
>>
> There is no more updates available for the system at all.
>
> I've set selinux to permissive for now.
>
> Please let me know when you know what else to troubleshoot. I have also
> updated my RH support case with this thread.

bind isn't my strongest suite.

My guess is that this file is the ccache for bind. I'm guessing that 25 is the UID of the named user. If this is the case, then it should be safe to stop named, rename the file, and restart. Perhaps the contexts have changed so when this gets re-created it will get fixed automagically.
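The pattern Rob describes (a confined daemon denied access to a file it owns because the file carries the generic tmp_t label instead of the daemon's own temp type) can be picked out of the AVC records quoted above mechanically. The following is an added example, not code from this thread or from FreeIPA: it parses AVC lines, groups denials by process domain, target type and file, and flags the named_t / tmp_t mismatch; the sample records are copied from the thread, and the expectation that named's re-created file should carry named_tmp_t is an assumption taken from the ls -lZ "after" listing Siggi posts later in the thread.

```python
import os
import re

# Sample audit records for this example: three AVC lines copied from the thread
# (plus one non-AVC record to show that other audit types are skipped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1348086955.397:42404): avc: denied { getattr } for pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc: denied { read write } for pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.524:42439): avc: denied { unlink } for pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1348086955.397:42404): arch=c000003e syscall=4 success=no exit=-13
"""

# Assumption for this example (not stated as policy anywhere in the thread): the
# type a confined daemon's own files under /var/tmp are expected to carry, taken
# from the "after" ls -lZ listing in the thread, where named's re-created file
# came up as named_tmp_t instead of the generic tmp_t.
EXPECTED_TMP_TYPE = {"named_t": "named_tmp_t"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (path, name, comm) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def context_type(ctx):
    """Return the type component (3rd field) of a user:role:type:level context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, unquoted in FIELD_RE.findall(m.group("fields")):
        fields[key] = unquoted if raw.startswith('"') else raw
    # The kernel logs either path="..." (getattr) or name="..." (open/unlink);
    # normalise both to the bare file name so records for one file group together.
    target = os.path.basename(fields.get("path") or fields.get("name") or "?")
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": frozenset(m.group("perms").split()),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm", "?"),
        "target": target,
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields.get("tclass", "?"),
    }


def summarize(log_text):
    """Group denials by (comm, source type, target type, file) with merged permissions."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], rec["stype"], rec["ttype"], rec["target"])
        entry = summary.setdefault(key, {"count": 0, "perms": set(), "tclass": rec["tclass"]})
        entry["count"] += 1
        entry["perms"] |= rec["perms"]
    return summary


def diagnose(summary):
    """Flag files under the generic tmp_t label that a confined domain expects to own."""
    findings = []
    for (comm, stype, ttype, target), entry in sorted(summary.items()):
        expected = EXPECTED_TMP_TYPE.get(stype)
        if expected and ttype == "tmp_t" and entry["tclass"] == "file":
            perms = " ".join(sorted(entry["perms"]))
            findings.append(
                f"{comm} ({stype}) denied {{ {perms} }} on {target} labelled {ttype} "
                f"in {entry['count']} records; expected {expected}. Stop the service, "
                f"move the file aside, restart, then confirm with 'ls -lZ' that the "
                f"re-created file carries {expected}."
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_AUDIT_LOG)):
        print(finding)
```

Running it against a real /var/log/audit/audit.log only requires reading that file into `summarize()`; the EXPECTED_TMP_TYPE map is the one thing to extend per daemon.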
rob From sigbjorn at nixtra.com Thu Sep 20 20:30:03 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Thu, 20 Sep 2012 22:30:03 +0200 Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing In-Reply-To: <505B79EF.1070806@redhat.com> References: <505A2D07.9030608@nixtra.com> <505A2FA8.4050007@redhat.com> <505A3322.9020601@nixtra.com> <505A339F.9060905@redhat.com> <505A3DEA.90407@nixtra.com> <505A4262.6070708@redhat.com> <505B75A6.6060904@nixtra.com> <505B79EF.1070806@redhat.com> Message-ID: <505B7CCB.9000702@nixtra.com> On 09/20/2012 10:17 PM, Rob Crittenden wrote: > Sigbjorn Lie wrote: >> On 09/20/2012 12:08 AM, Rob Crittenden wrote: >>> Sigbjorn Lie wrote: >>>> On 09/19/2012 11:05 PM, Rob Crittenden wrote: >>>>> Sigbjorn Lie wrote: >>>>>> On 09/19/2012 10:48 PM, Rob Crittenden wrote: >>>>>>> Sigbjorn Lie wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> I noticed an updated krb5-server package today advertising that >>>>>>>> it's >>>>>>>> fixing the issue with slow GSSAPI binds discussed earlier, so I >>>>>>>> installed it in my test environment, set SElinux back to >>>>>>>> enforcing in >>>>>>>> /etc/sysconfig/selinux and rebooted. >>>>>>>> >>>>>>>> The named daemon does not start now. The error below was logged in >>>>>>>> /var/log/messages: >>>>>>>> >>>>>>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS >>>>>>>> failure. Minor code may provide more information (KDC returned >>>>>>>> error >>>>>>>> string: PROCESS_TGS) >>>>>>>> >>>>>>>> I am able to start named after setting SElinux in permissive mode >>>>>>>> (setenforce 0). >>>>>>>> >>>>>>>> Then to verify: I stop all IPA services (ipactl stop), reenabled >>>>>>>> selinux >>>>>>>> (setenforce 1), and start the IPA services (ipactl start). 
A new >>>>>>>> error >>>>>>>> is logged in /var/log/messages: >>>>>>>> >>>>>>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: >>>>>>>> Invalid >>>>>>>> credentials >>>>>>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: >>>>>>>> permission >>>>>>>> denied >>>>>>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error) >>>>>>>> >>>>>>>> >>>>>>>> From the /var/log/krb5kdc.log: >>>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 >>>>>>>> etypes >>>>>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, >>>>>>> client> >>>>>>>> for , Cannot create replay cache file >>>>>>>> /var/tmp/krbtgt_0: >>>>>>>> File exists >>>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 >>>>>>>> etypes >>>>>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, >>>>>>> client> >>>>>>>> for , Cannot create replay cache file >>>>>>>> /var/tmp/krbtgt_0: >>>>>>>> File exists >>>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 >>>>>>>> etypes >>>>>>>> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH: >>>>>>>> DNS/ipa01.ix.test.com at IX.TEST.COM for >>>>>>>> krbtgt/IX.TEST.COM at IX.TEST.COM, >>>>>>>> Additional pre-authentication required >>>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 >>>>>>>> etypes >>>>>>>> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes >>>>>>>> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com at IX.TEST.COM for >>>>>>>> krbtgt/IX.TEST.COM at IX.TEST.COM >>>>>>>> >>>>>>>> /var/named/data/named.run logged nothing. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Any suggestions for how to troubleshoot this issue? >>>>>>> >>>>>>> Pure guess, but: >>>>>>> >>>>>>> restorecon /var/tmp/krbtgt_0 >>>>>>> >>>>>>> rob >>>>>> Sorry, that did not help. There seem to be a new error in the >>>>>> messages >>>>>> file every time I attempt a named restart though. 
See below for the >>>>>> latest: >>>>>> >>>>>> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf >>>>>> (IX.TEST.COM) does not match tkey-gssapi-credential >>>>>> (DNS/ipa01.ix.test.com) >>>>>> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure >>>>>> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure >>>>>> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error) >>>>> >>>>> I'd continue to check /var/log/audit/audit.log for AVCs. >>>>> >>>>> rob >>>>> >>>> >>>> OK, I had a quick look before I'm off for today. :) >>>> >>>> There's a lot of these messages, denying named access to >>>> /var/tmp/DNS_25. >>>> >>>> >>>> >>>> type=AVC msg=audit(1348086955.397:42404): avc: denied { getattr } >>>> for >>>> pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348086955.398:42405): avc: denied { read write } >>>> for pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348086955.398:42405): avc: denied { open } for >>>> pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088487.524:42438): avc: denied { getattr } >>>> for >>>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088487.524:42439): avc: denied { unlink } for >>>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088487.525:42440): avc: denied { getattr } >>>> for >>>> pid=12639 comm="named" 
path="/var/tmp/DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088487.525:42441): avc: denied { unlink } for >>>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088487.525:42442): avc: denied { getattr } >>>> for >>>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088487.525:42443): avc: denied { unlink } for >>>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088487.525:42444): avc: denied { getattr } >>>> for >>>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088487.526:42445): avc: denied { unlink } for >>>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088487.526:42446): avc: denied { getattr } >>>> for >>>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088487.526:42447): avc: denied { unlink } for >>>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088493.161:42449): avc: denied { getattr } >>>> for >>>> pid=12667 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 >>>> 
scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088493.162:42450): avc: denied { read write } >>>> for pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> type=AVC msg=audit(1348088493.162:42450): avc: denied { open } for >>>> pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140 >>>> scontext=unconfined_u:system_r:named_t:s0 >>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file >>>> >>>> >>>> >>>> I tried "restorecon /var/tmp/DNS_25", but the attributes looks the >>>> same >>>> before and after: >>>> >>>> -rw-------. named named system_u:object_r:tmp_t:s0 DNS_25 >>> >>> Ok, I'm not sure. Perhaps selinux-policy has an update available too? >>> >>> You may want to consider temporarily setting selinux to permissive >>> while we sort this out if your system is otherwise unusable. >>> >>> rob >>> >> There is no more updates available for the system at all. >> >> I've set selinux to permissive for now. >> >> Please let me know when you know what else to troubleshoot. I have also >> updated my RH support case with this thread. > > bind isn't my strongest suite. > > My guess is that this file is the ccache for bind. I'm guessing that > 25 is the UID of the named user. If this is the case, then it should > be safe to stop named, rename the file, and restart. Perhaps the > contexts have changed so when this gets re-created it will get fixed > automagically. > > rob > You guessed well!! :) Stop named: # service named stop Enable selinux: # setenforce 1 Verify that error still exists: # service named start Starting named: [FAILED] Rename file: # cd /var/tmp # mv DNS_25 DNS_25_old Attempt to start named again: # service named start Starting named: [ OK ] Voila! A before and after shot: # ls -lZ DNS_25* -rw-------. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25 -rw-------. 
named named system_u:object_r:tmp_t:s0 DNS_25_old

What's the odds that this was the entire issue and that named will now keep running safe and sound?

Regards,
Siggi

From rcritten at redhat.com Thu Sep 20 20:34:36 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Sep 2012 16:34:36 -0400
Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
In-Reply-To: <505B7CCB.9000702@nixtra.com>
References: <505A2D07.9030608@nixtra.com> <505A2FA8.4050007@redhat.com> <505A3322.9020601@nixtra.com> <505A339F.9060905@redhat.com> <505A3DEA.90407@nixtra.com> <505A4262.6070708@redhat.com> <505B75A6.6060904@nixtra.com> <505B79EF.1070806@redhat.com> <505B7CCB.9000702@nixtra.com>
Message-ID: <505B7DDC.7030909@redhat.com>

Sigbjorn Lie wrote:
> On 09/20/2012 10:17 PM, Rob Crittenden wrote:
>> bind isn't my strongest suite.
>>
>> My guess is that this file is the ccache for bind. I'm guessing that
>> 25 is the UID of the named user. If this is the case, then it should
>> be safe to stop named, rename the file, and restart. Perhaps the
>> contexts have changed so when this gets re-created it will get fixed
>> automagically.
>>
>> rob
>>
> You guessed well!! :)
>
> Stop named:
> # service named stop
>
> Enable selinux:
> # setenforce 1
>
> Verify that error still exists:
> # service named start
> Starting named: [FAILED]
>
> Rename file:
> # cd /var/tmp
> # mv DNS_25 DNS_25_old
>
> Attempt to start named again:
> # service named start
> Starting named: [ OK ]
>
> Voila!
>
> A before and after shot:
> # ls -lZ DNS_25*
> -rw-------. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25
> -rw-------. named named system_u:object_r:tmp_t:s0 DNS_25_old
>
> What's the odds that this was the entire issue and that named will now
> keep running safe and sound?
>

Hard to say. Because restorecon didn't fix the bad context I suspect this isn't directly covered in policy. So if the file should get the wrong context again you could be back in this position. It is probably worth filing a bug. I'm not entirely sure whether it should be against bind or selinux, but it'll get to the right folks either way eventually.

rob

From sigbjorn at nixtra.com Thu Sep 20 20:35:11 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 20 Sep 2012 22:35:11 +0200
Subject: [Freeipa-users] ipa host-add having both an IPv4 and an IPv6 address
Message-ID: <505B7DFF.8080608@nixtra.com>

Hi,

I see that I can add hosts with either an IPv4 or an IPv6 address when using "ipa host-add --ip-address=". Is there a way to add a host specifying both an IPv4 and an IPv6 address at the same time?

Adding the --ip-address option twice yells this error:
ipa: ERROR: invalid 'ip_address': Only one value is allowed

Regards,
Siggi

From Steven.Jones at vuw.ac.nz Thu Sep 20 20:43:38 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 20 Sep 2012 20:43:38 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Some comments on the win sync agreement syntax.
Hi,

I'd like that command ipa-replica-manage connect "improved" if possible,

1) A flag on --win-subtree not to include sub-directories under the specified OU= as I think it is why I've picked up lots of disabled users and templates. Also the capability to specify more than one OU as I at least have 2 OU= with users in (maybe it can do that, I just don't see it)

2) A flag something like --exclude='LDAP criteria/attribute'=disabled such that any disabled users in AD are not transferred. I just transferred 7 years of ex-users and 200+ templates I would rather not have....now I think I have a huge cleanup task.

Not just exclude, say location, so if I only want to sync users in one city (say) --include-only="LDAP Location'=Wellington

Not sure if these are hugely useful but they would have helped me.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 20 September 2012 2:48 p.m.
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

It isn't, I'm doing a OU=VUW_Staff instead of cn=VUW_Staff and it's mostly working except I'm also getting some "rubbish", so it's looking like the import script/query to AD isn't right.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 20 September 2012 12:15 p.m.
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

I have -win-subtree cn= etc. I take it that cn= is fine and that ou= and cn= are the same thing?
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Thursday, 20 September 2012 11:03 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/19/2012 04:55 PM, Steven Jones wrote: Hi, Sample of errors log, ========= [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f7000000110000 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 504d01f8000000110000 into pending list [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 504d42c5000000040000 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f8000000110000 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error ========= Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Wednesday, 19 September 2012 12:32 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/17/2012 07:10 PM, Steven Jones wrote: Hi, I understand that I'll lose users that are cn=Staff_Admins,dc=etc So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc This I dont understand.... I have the -v already, anyway to make it very verbose? http://port389.org/wiki/FAQ#Troubleshooting Use the replication log level 8192 I'd like to see the directory server errors log /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the --win-subtree cn=VUW_Staff,dc= etc regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Tuesday, 18 September 2012 12:47 p.m. 
To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/17/2012 06:17 PM, Steven Jones wrote: Hi, The first time missed the --win-subtree settings so I wiped the admins in the IPA admin group and users as they were not in cn=users as per the bug. The second time as far as I can tell I specified the correct cn via win-subtree flag but I still appear to have lost the users in IPA.....now I expected to lose the admins but the loss of users as well confounds me. I did a ldapsearch as per checking and its seems to be saying the right folder/ou/cn but IPA is empty. Hence I was wondering if there was a log recording what the update was doing so I could try and figure out the mistake. Ive tried greping cant find any indication. I will re-try with -v, verbose. It is not clear from the manuals, but no matter what -win-subtree you specify, winsync will search AD starting from the dc=domain suffix. So, for example, if you have cn=mystaff,cn=staff,dc=example,dc=com and you specify --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com" winsync will still search starting from dc=example,dc=com and will hit ticket/355 if there are any users outside of cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a user in IPA. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Tuesday, 18 September 2012 11:37 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/17/2012 04:17 PM, Steven Jones wrote: Hi, I just tried to do a winsync agreement with specifying the AD point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are not in the users folder but the VUW_Staff folder (at the same level) and it wiped all IPA users that are also in AD. 
Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of scope

While doing the actual update does this get verbosely logged anywhere as opposed to "update in progress" dumped to the screen? Something went badly wrong, I just don't know what.

You are seeing something different than #355?

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Thu Sep 20 20:44:26 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 20 Sep 2012 20:44:26 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have hundreds of disabled users in IPA now transferred from AD, is there a quick/clean way to purge them from IPA?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From sigbjorn at nixtra.com Thu Sep 20 20:44:56 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 20 Sep 2012 22:44:56 +0200
Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
In-Reply-To: <505B7DDC.7030909@redhat.com>
References: <505A2D07.9030608@nixtra.com> <505A2FA8.4050007@redhat.com> <505A3322.9020601@nixtra.com> <505A339F.9060905@redhat.com> <505A3DEA.90407@nixtra.com> <505A4262.6070708@redhat.com> <505B75A6.6060904@nixtra.com> <505B79EF.1070806@redhat.com> <505B7CCB.9000702@nixtra.com> <505B7DDC.7030909@redhat.com>
Message-ID: <505B8048.10508@nixtra.com>

On 09/20/2012 10:34 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On 09/20/2012 10:17 PM, Rob Crittenden wrote:
>>> bind isn't my strongest suite.
>>>
>>> My guess is that this file is the ccache for bind. I'm guessing that
>>> 25 is the UID of the named user. If this is the case, then it should
>>> be safe to stop named, rename the file, and restart. Perhaps the
>>> contexts have changed so when this gets re-created it will get fixed
>>> automagically.
>>>
>>> rob
>>>
>> You guessed well!! :)
>>
>> Stop named:
>> # service named stop
>>
>> Enable selinux:
>> # setenforce 1
>>
>> Verify that error still exists:
>> # service named start
>> Starting named: [FAILED]
>>
>> Rename file:
>> # cd /var/tmp
>> # mv DNS_25 DNS_25_old
>>
>> Attempt to start named again:
>> # service named start
>> Starting named: [ OK ]
>>
>> Voila!
>>
>> A before and after shot:
>> # ls -lZ DNS_25*
>> -rw-------. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25
>> -rw-------. named named system_u:object_r:tmp_t:s0 DNS_25_old
>>
>> What's the odds that this was the entire issue and that named will now
>> keep running safe and sound?
>>
>
> Hard to say. Because restorecon didn't fix the bad context I suspect
> this isn't directly covered in policy. So if the file should get the
> wrong context again you could be back in this position.
> It is probably worth filing a bug. I'm not entirely sure whether it should be against bind or selinux, but it'll get to the right folks either way eventually.
>
> rob

Filed to the krb people for now.
https://bugzilla.redhat.com/show_bug.cgi?id=859231

Regards,
Siggi

From dpal at redhat.com Thu Sep 20 20:53:22 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 20 Sep 2012 16:53:22 -0400
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <505B8242.4090503@redhat.com>

On 09/20/2012 04:44 PM, Steven Jones wrote:
> I have hundreds of disabled users in IPA now transferred from AD, is there a quick/clean way to purge them from IPA?

using ldapsearch to test the list and then ldapmodify to remove.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
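Added example for the krb5-server/named SELinux exchange above (Sigbjorn Lie's and Rob Crittenden's messages); this is not code from the thread, from bind or from krb5. The failure in that thread is a credential cache under /var/tmp carrying tmp_t instead of the named_tmp_t that a confined named creates, which the named_t domain cannot read once SELinux is enforcing. As Rob suspects, restorecon cannot repair it because no file-context rule covers that path: the right label only comes from the type transition when named itself creates the file, so the fix is to move the file aside and let named recreate it. The script below checks `ls -lZ` output for that condition and carries the same move-aside remediation as a separate function that is only run by hand. Assumptions: the cache files are named /var/tmp/DNS_<uid> as guessed in the thread, the expected type is named_tmp_t as in Sigbjorn's "after" listing, and the sample listing lines are constructed from the ones he posted.

```shell
#!/bin/sh
# Added example, not code from the list, bind or krb5.
# Assumption: named's Kerberos ccache lives at /var/tmp/DNS_<uid> and a
# confined named labels it named_tmp_t (the "after" listing in the thread).
EXPECTED_TYPE=named_tmp_t

# selinux_type CONTEXT -> the type component of user:role:type:level
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mislabeled_ccaches EXPECTED_TYPE   (reads `ls -lZ` lines on stdin)
# Prints "<type> <file>" for every line whose context type differs from
# EXPECTED_TYPE.  The context field is found by shape, not position, so the
# short RHEL6 `ls -lZ` layout from the thread and newer coreutils layouts
# (with size/date columns) both work; non-listing lines are skipped.
mislabeled_ccaches() {
    awk -v want="$1" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[a-z_]+:object_r:[a-z_]+:s[0-9]/) { ctx = $i; break }
            if (ctx == "") next
            split(ctx, part, ":")
            if (part[3] != want) printf "%s %s\n", part[3], $NF
        }'
}

# recreate_ccache FILE
# The remediation from the thread: stop named so it is not mid-write, move
# the mislabelled cache aside (kept, not deleted, in case you want to look
# at it), and let named recreate it through the policy type transition.
# Run by hand on the affected host; the checks above never call it.
recreate_ccache() {
    service named stop || return 1
    mv -- "$1" "$1.old.$(date +%s)" || return 1
    service named start
}

# check_host: live check on a host.  If it prints anything, named will fail
# under enforcing mode again; confirm the denial with: ausearch -m AVC -c named
check_host() {
    ls -lZ /var/tmp/DNS_* 2>/dev/null | mislabeled_ccaches "$EXPECTED_TYPE"
}
```

Running `check_host` from cron after a policy or krb5 update gives early warning of the recurrence Rob warns about, instead of discovering it at the next named restart.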
From rmeggins at redhat.com Thu Sep 20 20:53:58 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 20 Sep 2012 14:53:58 -0600
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <505B8266.9000208@redhat.com>

On 09/20/2012 02:43 PM, Steven Jones wrote:
> Some comments on the win sync agreement syntax.
>
> Hi,
>
> I'd like that command ipa-replica-manage connect "improved" if possible,
>
> 1) A flag on --win-subtree not to include sub-directories under the specified OU= as I think it is why I've picked up lots of disabled users and templates. Also the capability to specify more than one OU as I at least have 2 OU= with users in (maybe it can do that I just don't see it)

https://fedorahosted.org/389/ticket/460

> 2) A flag something like --exclude='LDAP criteria/attribute'=disabled such that any disabled users in AD are not transferred, I just transferred 7 years of ex-users and 200+ templates I would rather not have....now I think I have a huge cleanup task.
Not just exclude, say > location, so if I only want to sync users in one city (say) > --include-only="LDAP Location'=Wellington https://fedorahosted.org/389/ticket/460 > > Not sure if these are hugely useful but they would have helped me. > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ------------------------------------------------------------------------ > *From:* freeipa-users-bounces at redhat.com > [freeipa-users-bounces at redhat.com] on behalf of Steven Jones > [Steven.Jones at vuw.ac.nz] > *Sent:* Thursday, 20 September 2012 2:48 p.m. > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users > > it isnt, > > Im doing a OU=VUW_Staff instead of cn=VUW_Staff and its mostly working > except Im also getting some "rubbish" so its looking like the import > script/query to AD isnt right. > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ------------------------------------------------------------------------ > *From:* freeipa-users-bounces at redhat.com > [freeipa-users-bounces at redhat.com] on behalf of Steven Jones > [Steven.Jones at vuw.ac.nz] > *Sent:* Thursday, 20 September 2012 12:15 p.m. > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users > > Hi, > > I have -win-subtree cn= etc I take it that cn= is fine and that ou= > and cn= are the same thing? > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ------------------------------------------------------------------------ > *From:* Rich Megginson [rmeggins at redhat.com] > *Sent:* Thursday, 20 September 2012 11:03 a.m. 
> *To:* Steven Jones > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users > > On 09/19/2012 04:55 PM, Steven Jones wrote: >> Hi, >> >> >> Sample of errors log, >> >> ========= >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog >> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for >> database >> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog >> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for >> database >> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: >> successfully committed csn 504d01f7000000110000 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - >> agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): >> State: stop_fatal_error -> stop_fatal_error >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - >> agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): >> State: stop_fatal_error -> stop_fatal_error >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - >> ruv_add_csn_inprogress: successfully inserted csn >> 504d01f8000000110000 into pending list >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state >> information from entry >> uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN >> 504d42c5000000040000 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog >> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for >> database >> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog >> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for >> database >> 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: >> successfully committed csn 504d01f8000000110000 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - >> agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): >> State: stop_fatal_error -> stop_fatal_error >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - >> agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): >> State: stop_fatal_error -> stop_fatal_error >> ========= > > Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement? > >> >> >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ------------------------------------------------------------------------ >> *From:* Rich Megginson [rmeggins at redhat.com] >> *Sent:* Wednesday, 19 September 2012 12:32 a.m. >> *To:* Steven Jones >> *Cc:* freeipa-users at redhat.com >> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >> >> On 09/17/2012 07:10 PM, Steven Jones wrote: >>> Hi, >>> >>> I understand that I'll lose users that are cn=Staff_Admins,dc=etc >>> >>> So the Q is why I am losing users in the --win-subtree >>> cn=VUW_Staff,dc= etc >> >> >> >>> >>> This I dont understand.... >>> >>> I have the -v already, anyway to make it very verbose? 
>> >> http://port389.org/wiki/FAQ#Troubleshooting >> Use the replication log level 8192 >> I'd like to see the directory server errors log >> /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries >> under the --win-subtree cn=VUW_Staff,dc= etc >> >>> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> ------------------------------------------------------------------------ >>> *From:* Rich Megginson [rmeggins at redhat.com] >>> *Sent:* Tuesday, 18 September 2012 12:47 p.m. >>> *To:* Steven Jones >>> *Cc:* freeipa-users at redhat.com >>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>> >>> On 09/17/2012 06:17 PM, Steven Jones wrote: >>>> Hi, >>>> >>>> The first time missed the --win-subtree settings so I wiped the >>>> admins in the IPA admin group and users as they were not in >>>> cn=users as per the bug. The second time as far as I can tell I >>>> specified the correct cn via win-subtree flag but I still appear to >>>> have lost the users in IPA.....now I expected to lose the admins >>>> but the loss of users as well confounds me. >>>> >>>> I did a ldapsearch as per checking and its seems to be saying the >>>> right folder/ou/cn but IPA is empty. >>>> >>>> Hence I was wondering if there was a log recording what the update >>>> was doing so I could try and figure out the mistake. Ive tried >>>> greping cant find any indication. >>>> >>>> I will re-try with -v, verbose. >>> >>> It is not clear from the manuals, but no matter what -win-subtree >>> you specify, winsync will search AD starting from the dc=domain >>> suffix. 
So, for example, if you have >>> cn=mystaff,cn=staff,dc=example,dc=com >>> and you specify >>> --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com" >>> winsync will still search starting from dc=example,dc=com and will >>> hit ticket/355 if there are any users outside of >>> cn=mystaff,cn=staff,dc=example,dc=com that have the same username as >>> a user in IPA. >>> >>>> >>>> regards >>>> >>>> Steven Jones >>>> >>>> Technical Specialist - Linux RHCE >>>> >>>> Victoria University, Wellington, NZ >>>> >>>> 0064 4 463 6272 >>>> >>>> ------------------------------------------------------------------------ >>>> *From:* Rich Megginson [rmeggins at redhat.com] >>>> *Sent:* Tuesday, 18 September 2012 11:37 a.m. >>>> *To:* Steven Jones >>>> *Cc:* freeipa-users at redhat.com >>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>> >>>> On 09/17/2012 04:17 PM, Steven Jones wrote: >>>>> Hi, >>>>> >>>>> I just tried to do a winsync agreement with specifying the AD >>>>> point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my >>>>> users are not in the users folder but the VUW_Staff folder (at the >>>>> same level) and it wiped all IPA users that are also in AD. >>>> >>>> Yes, this is what happens with https://fedorahosted.org/389/ticket/355 >>>> #355 winsync should not delete entry that appears to be out of >>>> scope >>>> >>>>> While doing the actual update does this get verbosly logged >>>>> anywhere as opposed to "update in progress" dumped to the screen? >>>>> Something went badly wrong, I just dont know what. >>>> >>>> You are seeing something different than #355? 
>>>> >>>>> >>>>> :/ >>>>> >>>>> regards >>>>> >>>>> Steven Jones >>>>> >>>>> Technical Specialist - Linux RHCE >>>>> >>>>> Victoria University, Wellington, NZ >>>>> >>>>> 0064 4 463 6272 >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>> >> > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Thu Sep 20 20:54:48 2012 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 20 Sep 2012 16:54:48 -0400 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <505B8298.2090101@redhat.com> On 09/20/2012 04:43 PM, Steven Jones wrote: > Some comments on the win sync agreement syntax. > > Hi, > > I'd like that command ipa-replica-manage connect "improved" if possible, > > 1) A flag on --win-subtree not to include sub-directories under the > specified OU= as I think it is why Ive picked up lots of disabled > users and templates. 
> Also the capability to specify more than one OU as I at least have 2 OU= with users in (maybe it can do that I just don't see it)
>
> 2) A flag something like --exclude='LDAP criteria/attribute'=disabled such that any disabled users in AD are not transferred, I just transferred 7 years of ex-users and 200+ templates I would rather not have....now I think I have a huge cleanup task. Not just exclude, say location, so if I only want to sync users in one city (say) --include-only="LDAP Location'=Wellington
>
> Not sure if these are hugely useful but they would have helped me.

Thank you for the feedback.
Would you mind filing BZs or trac tickets?

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Thu Sep 20 20:56:12 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 20 Sep 2012 16:56:12 -0400
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <505B8298.2090101@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz> <505B8298.2090101@redhat.com>
Message-ID: <505B82EC.9060601@redhat.com>

On 09/20/2012 04:54 PM, Dmitri Pal wrote:
> On 09/20/2012 04:43 PM, Steven Jones wrote:
>> Some comments on the win sync agreement syntax.
>>
>> Hi,
>>
>> I'd like that command ipa-replica-manage connect "improved" if possible,
>>
>> 1) A flag on --win-subtree not to include sub-directories under the specified OU= as I think it is why I've picked up lots of disabled users and templates. Also the capability to specify more than one OU as I at least have 2 OU= with users in (maybe it can do that I just don't see it)
>>
>> 2) A flag something like --exclude='LDAP criteria/attribute'=disabled such that any disabled users in AD are not transferred, I just transferred 7 years of ex-users and 200+ templates I would rather not have....now I think I have a huge cleanup task. Not just exclude, say location, so if I only want to sync users in one city (say) --include-only="LDAP Location'=Wellington
>>
>> Not sure if these are hugely useful but they would have helped me.
>
> Thank you for the feedback.
> Would you mind filing BZs or trac tickets?

NM. Rich bit me.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From Steven.Jones at vuw.ac.nz Thu Sep 20 21:08:45 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 20 Sep 2012 21:08:45 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <505B8242.4090503@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505B8242.4090503@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546CF983@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Yeah thought that was going to be my way.....probably quicker if I just delete them by hand...LOL.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Friday, 21 September 2012 8:53 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/20/2012 04:44 PM, Steven Jones wrote:
> I have hundreds of disabled users in IPA now transferred from AD, is there a quick/clean way to purge them from IPA?

using ldapsearch to test the list and then ldapmodify to remove.
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Thu Sep 20 21:07:34 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 20 Sep 2012 21:07:34 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <505B82EC.9060601@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz> <505B8298.2090101@redhat.com>,<505B82EC.9060601@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546CF978@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I am happy to do BZs if you want...or is it moot?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Friday, 21 September 2012 8:56 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/20/2012 04:54 PM, Dmitri Pal wrote:
> On 09/20/2012 04:43 PM, Steven Jones wrote:
>> Some comments on the win sync agreement syntax.
>>
>> Hi,
>>
>> I'd like that command ipa-replica-manage connect "improved" if possible,
>>
>> 1) A flag on --win-subtree not to include sub-directories under the specified OU= as I think it is why I've picked up lots of disabled users and templates. Also the capability to specify more than one OU as I at least have 2 OU= with users in (maybe it can do that, I just don't see it)
>>
>> 2) A flag something like --exclude='LDAP criteria/attribute'=disabled such that any disabled users in AD are not transferred, I just transferred 7 years of ex-users and 200+ templates I would rather not have....now I think I have a huge cleanup task.
>>
>> Not just exclude, say location, so if I only want to sync users in one city (say) --include-only="LDAP Location'=Wellington
>>
>> Not sure if these are hugely useful but they would have helped me.
>
> Thank you for the feedback. Would you mind filing BZs or trac tickets?

NM. Rich bit me.

>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> ________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Thursday, 20 September 2012 2:48 p.m.
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>>
>> it isn't, I'm doing a OU=VUW_Staff instead of cn=VUW_Staff and it's mostly working except I'm also getting some "rubbish" so it's looking like the import script/query to AD isn't right.
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 20 September 2012 12:15 p.m. Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users Hi, I have -win-subtree cn= etc I take it that cn= is fine and that ou= and cn= are the same thing? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Thursday, 20 September 2012 11:03 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/19/2012 04:55 PM, Steven Jones wrote: Hi, Sample of errors log, ========= [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f7000000110000 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 504d01f8000000110000 into pending 
list [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 504d42c5000000040000 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f8000000110000 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error ========= Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Wednesday, 19 September 2012 12:32 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/17/2012 07:10 PM, Steven Jones wrote: Hi, I understand that I'll lose users that are cn=Staff_Admins,dc=etc So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc This I dont understand.... I have the -v already, anyway to make it very verbose? 
http://port389.org/wiki/FAQ#Troubleshooting Use the replication log level 8192 I'd like to see the directory server errors log /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the --win-subtree cn=VUW_Staff,dc= etc regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Tuesday, 18 September 2012 12:47 p.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/17/2012 06:17 PM, Steven Jones wrote: Hi, The first time missed the --win-subtree settings so I wiped the admins in the IPA admin group and users as they were not in cn=users as per the bug. The second time as far as I can tell I specified the correct cn via win-subtree flag but I still appear to have lost the users in IPA.....now I expected to lose the admins but the loss of users as well confounds me. I did a ldapsearch as per checking and its seems to be saying the right folder/ou/cn but IPA is empty. Hence I was wondering if there was a log recording what the update was doing so I could try and figure out the mistake. Ive tried greping cant find any indication. I will re-try with -v, verbose. It is not clear from the manuals, but no matter what -win-subtree you specify, winsync will search AD starting from the dc=domain suffix. So, for example, if you have cn=mystaff,cn=staff,dc=example,dc=com and you specify --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com" winsync will still search starting from dc=example,dc=com and will hit ticket/355 if there are any users outside of cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a user in IPA. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Tuesday, 18 September 2012 11:37 a.m. 
To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/17/2012 04:17 PM, Steven Jones wrote: Hi, I just tried to do a winsync agreement with specifying the AD point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are not in the users folder but the VUW_Staff folder (at the same level) and it wiped all IPA users that are also in AD. Yes, this is what happens with https://fedorahosted.org/389/ticket/355 #355 winsync should not delete entry that appears to be out of scope While doing the actual update does this get verbosly logged anywhere as opposed to "update in progress" dumped to the screen? Something went badly wrong, I just dont know what. You are seeing something different than #355? :/ regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... 
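Rich's explanation quoted in this thread (winsync searches AD from the dc= suffix whatever --win-subtree says, and with 389 ticket 355 an out-of-scope AD entry that shares a username with an IPA user gets that IPA user deleted) suggests a check worth running before the agreement is created. The following is an added example, not part of the thread and not code from ipa-replica-manage or 389-ds: given the AD entries as a search rooted at the domain suffix would return them, the intended --win-subtree and the IPA uid list, it reports the out-of-scope username collisions, plus the disabled accounts and sub-container entries Steven asks to be able to exclude. The ADUser type, DNs and usernames are constructed; ACCOUNTDISABLE is the standard AD userAccountControl bit.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# AD userAccountControl bit for a disabled account (standard AD flag value).
ACCOUNTDISABLE = 0x0002


@dataclass
class ADUser:
    """Constructed stand-in for an AD entry as ldapsearch would return it."""
    dn: str
    sam_account_name: str
    user_account_control: int = 0x0200  # NORMAL_ACCOUNT, enabled


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip spaces around RDN separators.

    LDAP DNs compare case-insensitively and "cn=a, dc=b" equals "cn=a,dc=b".
    Escaped commas inside a value are not handled: this is a pre-flight
    check, not a full RFC 4514 parser.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere below it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def is_direct_child(dn: str, base: str) -> bool:
    """True if dn is exactly one RDN below base (no intermediate OU/CN container)."""
    return is_under(dn, base) and \
        normalize_dn(dn).count(",") == normalize_dn(base).count(",") + 1


def winsync_preflight(ad_users: Iterable[ADUser], win_subtree: str,
                      ipa_uids: Iterable[str]) -> Dict[str, List[str]]:
    """Classify what a winsync agreement that searches from the suffix would touch.

    ticket355_collisions: AD entries outside win_subtree whose sAMAccountName
        matches an IPA uid; with 389 ticket 355 the IPA user gets deleted.
    disabled_in_scope: entries under win_subtree that AD has disabled.
    in_subcontainers: entries under win_subtree but not direct children of it.
    """
    ipa = {uid.lower() for uid in ipa_uids}
    report: Dict[str, List[str]] = {
        "ticket355_collisions": [],
        "disabled_in_scope": [],
        "in_subcontainers": [],
    }
    for user in ad_users:
        if not is_under(user.dn, win_subtree):
            if user.sam_account_name.lower() in ipa:
                report["ticket355_collisions"].append(user.dn)
            continue
        if user.user_account_control & ACCOUNTDISABLE:
            report["disabled_in_scope"].append(user.dn)
        if not is_direct_child(user.dn, win_subtree):
            report["in_subcontainers"].append(user.dn)
    return report


# Constructed sample, modelled on the cn=mystaff,cn=staff,dc=example,dc=com layout.
WIN_SUBTREE = "cn=mystaff,cn=staff,dc=example,dc=com"
AD_USERS = [
    ADUser("CN=alice,CN=mystaff,CN=staff,DC=example,DC=com", "alice"),
    ADUser("CN=bob,OU=Left2009,CN=mystaff,CN=staff,DC=example,DC=com", "bob",
           user_account_control=0x0200 | ACCOUNTDISABLE),   # disabled, in a sub-OU
    ADUser("CN=carol,CN=Users,DC=example,DC=com", "carol"),  # outside, same uid as IPA
    ADUser("CN=dave,CN=Users,DC=example,DC=com", "dave"),    # outside, unknown to IPA
]
IPA_UIDS = ["admin", "alice", "carol"]


if __name__ == "__main__":
    for kind, dns in winsync_preflight(AD_USERS, WIN_SUBTREE, IPA_UIDS).items():
        print(kind)
        for dn in dns:
            print("   ", dn)
```

In the constructed sample only carol triggers the ticket 355 case: she sits under CN=Users, outside the subtree, yet has the same username as an IPA user, which is exactly the situation Rich describes. Feeding the function the real AD export (sAMAccountName, userAccountControl and DN of every user below the suffix) before running ipa-replica-manage connect shows what would be deleted or pulled in.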
From jreg2k at gmail.com Thu Sep 20 21:33:50 2012
From: jreg2k at gmail.com (James James)
Date: Thu, 20 Sep 2012 23:33:50 +0200
Subject: [Freeipa-users] Ipa migration, from ui cannot change password
In-Reply-To: <505B6810.7050402@redhat.com>
References: <505B48FB.9090506@redhat.com> <505B4BF2.6000600@redhat.com> <505B4D49.7000007@redhat.com> <505B5588.6060307@redhat.com> <505B60B5.1070201@redhat.com> <505B6810.7050402@redhat.com>
Message-ID:

It will be fine to have this info in the doc.

2012/9/20 Rob Crittenden
> Dmitri Pal wrote:
>> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>>> James James wrote:
>>>> You're right. The request returns:
>>>>
>>>> Enter LDAP Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base with scope subtree
>>>> # filter: uid=test
>>>> # requesting: userPassword
>>>> #
>>>>
>>>> # test, users, accounts, example.com
>>>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> Can you explain to me what happens?
>>>>
>>>> Is there a solution?
>>>
>>> When migrating you need to bind as a user that has read permission on the userPassword attribute in the remote LDAP server.
>>
>> Rob should we check if we can read the userPassword attribute and if not fail migration?
>> Should we open a ticket for this?
>> Also I do not think we document the expectation that you vocalized above.
>
> I'll open a ticket to spell this out in the docs.
>
> Checking it in the command would be nice but I don't know about fatal. Still, I'll open a ticket for that as well.
>
> rob
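Rob's point above is that the bind identity used for migration must be able to read userPassword on the source server, and James's ldapsearch output is what that failure looks like: the entry comes back, but with no userPassword attribute, so the migration has nothing to import. The following is an added example, not FreeIPA code, that turns that into a pre-migration check: it parses the LDIF that ldapsearch prints (comments, folded lines, base64 values, the search/result trailer) and lists the entries that came back without a userPassword value. Both LDIF samples are constructed, the first modelled on James's output, the second showing the same search bound as an identity that is allowed to read the hash.

```python
import base64
from typing import Dict, List

LdifEntry = Dict[str, List[bytes]]


def parse_ldif(text: str) -> List[LdifEntry]:
    """Parse ldapsearch LDIF output into entries keyed by lower-cased attribute name.

    Handles '#' comments, folded continuation lines (leading space), base64
    values ('attr:: ...') and drops the trailing 'search:'/'result:' block,
    which has no dn. Attribute names are lower-cased because LDAP compares
    them case-insensitively.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)

    entries: List[LdifEntry] = []
    current: LdifEntry = {}

    def flush() -> None:
        nonlocal current
        if "dn" in current:              # the search/result trailer has no dn
            entries.append(current)
        current = {}

    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            flush()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):        # 'attr:: <base64>'
            decoded = base64.b64decode(value[1:].strip())
        else:
            decoded = value.strip().encode()
        current.setdefault(name.strip().lower(), []).append(decoded)
    flush()
    return entries


def entries_missing_userpassword(ldif_text: str) -> List[str]:
    """DNs of returned entries that carry no userPassword value.

    A non-empty result means the bind identity cannot read the attribute
    (or the entries really have no password), so migration would import
    these users without their password hashes.
    """
    return [e["dn"][0].decode()
            for e in parse_ldif(ldif_text) if "userpassword" not in e]


# Constructed sample 1: the bind identity could not read userPassword.
LDIF_NO_PASSWORD = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=test
# requesting: userPassword
#

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com

# search result
search: 2
result: 0 Success
"""

# Constructed sample 2: same search with read permission; ldapsearch folds
# long base64 values, so the value is split across two lines on purpose.
_B64 = base64.b64encode(b"{SSHA}constructed-not-a-real-hash").decode()
LDIF_WITH_PASSWORD = """\
# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
userPassword:: %s
 %s

# search result
search: 2
result: 0 Success
""" % (_B64[:20], _B64[20:])


if __name__ == "__main__":
    for label, sample in (("no read permission", LDIF_NO_PASSWORD),
                          ("read permission", LDIF_WITH_PASSWORD)):
        print(label, "->", entries_missing_userpassword(sample) or "all entries have userPassword")
```

Run the same ldapsearch the migration will use (same bind DN, requesting userPassword) against the source server, pipe the output into entries_missing_userpassword, and stop if the list is non-empty; that is the check Dmitri asks whether the command itself should perform.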
From Steven.Jones at vuw.ac.nz Thu Sep 20 21:52:08 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 20 Sep 2012 21:52:08 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have imported users, but there are 5700 of them but I only have 2000 which corresponds to the view that AD gives you by default. This makes me think that that limit is all the AD is allowing the query to see? Is there a way to expand it?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Friday, 21 September 2012 8:44 a.m.
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

I have hundreds of disabled users in IPA now transferred from AD, is there a quick/clean way to purge them from IPA?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
From Steven.Jones at vuw.ac.nz Thu Sep 20 21:59:47 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 20 Sep 2012 21:59:47 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <505B82EC.9060601@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz> <505B8298.2090101@redhat.com>,<505B82EC.9060601@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546CFA3A@STAWINCOX10MBX1.staff.vuw.ac.nz>

uh....I just deleted the AD user templates but it puts them back, also the disabled users are in a sub-container and when I delete them in IPA they re-appear a few minutes later.. :(

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Friday, 21 September 2012 8:56 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/20/2012 04:54 PM, Dmitri Pal wrote:
On 09/20/2012 04:43 PM, Steven Jones wrote:
Some comments on the win sync agreement syntax.
Hi, I'd like that command ipa-replica-manage connect "improved" if possible, 1) A flag on --win-subtree not to include sub-directories under the specified OU= as I think it is why Ive picked up lots of disabled users and templates. Also the capability to specify more than one OU as I at least have 2 OU= with users in (maybe it can do that I just dont see it) 2) A flag something like --exclude='LDAP criteria/attribute'=disabled such that any disabled users in AD are not transferred, I just transferred 7 years of ex-users and 200+ templates I would rather not have....now I think I have a huge cleanup task. Not just exclude, say location, so if I only want to sync users in one city (say) --include-only="LDAP Location'=Wellington Not sure if these are hugely useful but they would have helped me. Thank you for the feedback. Would you mind filing BZs or trac tickets? NM. Rich bit me. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 20 September 2012 2:48 p.m. Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users it isnt, Im doing a OU=VUW_Staff instead of cn=VUW_Staff and its mostly working except Im also getting some "rubbish" so its looking like the import script/query to AD isnt right. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 20 September 2012 12:15 p.m. Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users Hi, I have -win-subtree cn= etc I take it that cn= is fine and that ou= and cn= are the same thing? 
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Thursday, 20 September 2012 11:03 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/19/2012 04:55 PM, Steven Jones wrote: Hi, Sample of errors log, ========= [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f7000000110000 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 504d01f8000000110000 into pending list [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 504d42c5000000040000 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f8000000110000 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error ========= Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Wednesday, 19 September 2012 12:32 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/17/2012 07:10 PM, Steven Jones wrote: Hi, I understand that I'll lose users that are cn=Staff_Admins,dc=etc So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc This I dont understand.... I have the -v already, anyway to make it very verbose? http://port389.org/wiki/FAQ#Troubleshooting Use the replication log level 8192 I'd like to see the directory server errors log /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the --win-subtree cn=VUW_Staff,dc= etc regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Tuesday, 18 September 2012 12:47 p.m. 
To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/17/2012 06:17 PM, Steven Jones wrote: Hi, The first time missed the --win-subtree settings so I wiped the admins in the IPA admin group and users as they were not in cn=users as per the bug. The second time as far as I can tell I specified the correct cn via win-subtree flag but I still appear to have lost the users in IPA.....now I expected to lose the admins but the loss of users as well confounds me. I did a ldapsearch as per checking and its seems to be saying the right folder/ou/cn but IPA is empty. Hence I was wondering if there was a log recording what the update was doing so I could try and figure out the mistake. Ive tried greping cant find any indication. I will re-try with -v, verbose. It is not clear from the manuals, but no matter what -win-subtree you specify, winsync will search AD starting from the dc=domain suffix. So, for example, if you have cn=mystaff,cn=staff,dc=example,dc=com and you specify --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com" winsync will still search starting from dc=example,dc=com and will hit ticket/355 if there are any users outside of cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a user in IPA. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Tuesday, 18 September 2012 11:37 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/17/2012 04:17 PM, Steven Jones wrote: Hi, I just tried to do a winsync agreement with specifying the AD point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are not in the users folder but the VUW_Staff folder (at the same level) and it wiped all IPA users that are also in AD. 
Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of scope

While doing the actual update does this get verbosely logged anywhere as opposed to "update in progress" dumped to the screen? Something went badly wrong, I just don't know what.

You are seeing something different than #355?

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jreg2k at gmail.com Thu Sep 20 22:09:55 2012
From: jreg2k at gmail.com (James James)
Date: Fri, 21 Sep 2012 00:09:55 +0200
Subject: [Freeipa-users] Ipa migration, from ui cannot change password
In-Reply-To:
References: <505B48FB.9090506@redhat.com> <505B4BF2.6000600@redhat.com> <505B4D49.7000007@redhat.com> <505B5588.6060307@redhat.com> <505B60B5.1070201@redhat.com> <505B6810.7050402@redhat.com>
Message-ID:

Now, I can read the userPassword field (after the migration process) but I still can't change my password from the ui. I just got:

kerberos ticket is no longer valid.
2012/9/20 James James
> It will be fine to have this info in the doc.
>
> 2012/9/20 Rob Crittenden
>> Dmitri Pal wrote:
>>> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>>>> James James wrote:
>>>>> You're right. The request returns:
>>>>>
>>>>> Enter LDAP Password:
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base with scope subtree
>>>>> # filter: uid=test
>>>>> # requesting: userPassword
>>>>> #
>>>>>
>>>>> # test, users, accounts, example.com
>>>>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>>
>>>>> Can you explain to me what happens?
>>>>>
>>>>> Is there a solution?
>>>>
>>>> When migrating you need to bind as a user that has read permission on the userPassword attribute in the remote LDAP server.
>>>
>>> Rob should we check if we can read the userPassword attribute and if not fail migration?
>>> Should we open a ticket for this?
>>> Also I do not think we document the expectation that you vocalized above.
>>
>> I'll open a ticket to spell this out in the docs.
>>
>> Checking it in the command would be nice but I don't know about fatal. Still, I'll open a ticket for that as well.
>>
>> rob

From jreg2k at gmail.com Thu Sep 20 22:18:37 2012
From: jreg2k at gmail.com (James James)
Date: Fri, 21 Sep 2012 00:18:37 +0200
Subject: [Freeipa-users] Ipa migration, from ui cannot change password
In-Reply-To:
References: <505B48FB.9090506@redhat.com> <505B4BF2.6000600@redhat.com> <505B4D49.7000007@redhat.com> <505B5588.6060307@redhat.com> <505B60B5.1070201@redhat.com> <505B6810.7050402@redhat.com>
Message-ID:

This is my krb5kdc.log ...
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: CLIENT KEY EXPIRED: test at LIX.POLYTECHNIQUE.FR for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Password has expired
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: NEEDED_PREAUTH: test at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional pre-authentication required
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348178594, etypes {rep=18 tkt=18 ses=18}, test at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM
Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example.com at EXAMPLE.COM for ldap/ipa.example.com at EXAMPLE.COM
Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): ... CONSTRAINED-DELEGATION s4u-client=admin at EXAMPLE.COM
Sep 21 00:05:08 ipa.example.com krb5kdc[22843](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example.com at EXAMPLE.COM for ldap/ipa.example.com at EXAMPLE.COM

Thanks

2012/9/21 James James
> [...]
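An added example, not code from the thread: a small parser for krb5kdc.log records in the format James posted, which summarises per client principal what the KDC issued and what it refused and why, so that an entry such as the "Password has expired" refusal above is visible at a glance. The sample lines are constructed to mirror his excerpt, with the list archive's " at " restored to "@" and wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the krb5kdc.log excerpt posted in the thread.
# The list archive rewrote "@" as " at " and wrapped long lines; both are
# undone here so the records look like what the KDC actually writes.
SAMPLE_LOG = """\
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: CLIENT KEY EXPIRED: test@LIX.POLYTECHNIQUE.FR for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: NEEDED_PREAUTH: test@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348178594, etypes {rep=18 tkt=18 ses=18}, test@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example.com@EXAMPLE.COM for ldap/ipa.example.com@EXAMPLE.COM
Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): ... CONSTRAINED-DELEGATION s4u-client=admin@EXAMPLE.COM
"""

# One AS_REQ / TGS_REQ record: timestamp, host, request type, client IP and
# the status word(s) ("ISSUE", "NEEDED_PREAUTH", "CLIENT KEY EXPIRED", ...).
REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_ ]+?): (?P<rest>.*)$"
)
# Both ISSUE and refusal records end in "client for service[, reason]".
PRINC_RE = re.compile(
    r"(?P<client>[^\s,]+) for (?P<service>[^\s,]+)(?:, (?P<reason>.+))?$"
)
# "..." continuation records add detail (e.g. S4U2Proxy) to the previous one.
CONT_RE = re.compile(r"krb5kdc\[\d+\]\(\w+\): \.\.\. (?P<note>.+)$")


def parse_kdc_log(text):
    """Return a list of request dicts in log order."""
    events = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            p = PRINC_RE.search(m.group("rest"))
            events.append({
                "time": m.group("ts"),
                "request": m.group("req"),
                "client_ip": m.group("ip"),
                "status": m.group("status"),
                "client": p.group("client") if p else None,
                "service": p.group("service") if p else None,
                "reason": p.group("reason") if p else None,
                "notes": [],
            })
            continue
        c = CONT_RE.search(line)
        if c and events:
            events[-1]["notes"].append(c.group("note"))
    return events


def refusals(events):
    """Requests the KDC turned down, keyed by client principal.

    NEEDED_PREAUTH is not a refusal: it is the KDC asking for
    pre-authentication, the normal first leg of an AS exchange.
    """
    out = defaultdict(list)
    for e in events:
        if e["status"] not in ("ISSUE", "NEEDED_PREAUTH"):
            out[e["client"]].append(
                (e["request"], e["service"], e["status"], e["reason"])
            )
    return dict(out)


def issued(events):
    """Tickets the KDC actually issued, keyed by client principal."""
    out = defaultdict(list)
    for e in events:
        if e["status"] == "ISSUE":
            out[e["client"]].append((e["request"], e["service"], e["notes"]))
    return dict(out)


if __name__ == "__main__":
    ev = parse_kdc_log(SAMPLE_LOG)
    for client, items in refusals(ev).items():
        for req, svc, status, reason in items:
            print(f"REFUSED {client}: {req} for {svc}: {status} ({reason})")
    for client, items in issued(ev).items():
        for req, svc, notes in items:
            print(f"ISSUED  {client}: {req} for {svc} {' '.join(notes)}")
```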
From Steven.Jones at vuw.ac.nz Thu Sep 20 23:24:51 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 20 Sep 2012 23:24:51 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <505B8266.9000208@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505B8266.9000208@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546CFAD4@STAWINCOX10MBX1.staff.vuw.ac.nz>

disabled may not be logical as then once a user becomes disabled in AD, IPA will remove it rather than act and disable it.

The way I read this winsync is it's running the same command as I did initially by hand every 5 mins...

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Friday, 21 September 2012 8:53 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/20/2012 02:43 PM, Steven Jones wrote:

Some comments on the win sync agreement syntax.

Hi,

I'd like that command ipa-replica-manage connect "improved" if possible,

1) A flag on --win-subtree not to include sub-directories under the specified OU= as I think it is why I've picked up lots of disabled users and templates.
Also the capability to specify more than one OU as I at least have 2 OU= with users in (maybe it can do that, I just don't see it)

https://fedorahosted.org/389/ticket/460

2) A flag something like --exclude='LDAP criteria/attribute'=disabled such that any disabled users in AD are not transferred, I just transferred 7 years of ex-users and 200+ templates I would rather not have....now I think I have a huge cleanup task. Not just exclude, say location, so if I only want to sync users in one city (say) --include-only="LDAP Location'=Wellington

https://fedorahosted.org/389/ticket/460

Not sure if these are hugely useful but they would have helped me.

regards

Steven Jones

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 20 September 2012 2:48 p.m.
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

it isn't,

I'm doing a OU=VUW_Staff instead of cn=VUW_Staff and it's mostly working except I'm also getting some "rubbish" so it's looking like the import script/query to AD isn't right.

regards

Steven Jones

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 20 September 2012 12:15 p.m.
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

I have -win-subtree cn= etc. I take it that cn= is fine and that ou= and cn= are the same thing?

regards

Steven Jones

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Thursday, 20 September 2012 11:03 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/19/2012 04:55 PM, Steven Jones wrote:

Hi,

Sample of errors log,

=========
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f7000000110000
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 504d01f8000000110000 into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 504d42c5000000040000
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f8000000110000
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error
=========

Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?

regards

Steven Jones

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Wednesday, 19 September 2012 12:32 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 07:10 PM, Steven Jones wrote:

Hi,

I understand that I'll lose users that are cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc

This I don't understand....

I have the -v already, any way to make it very verbose?

http://port389.org/wiki/FAQ#Troubleshooting
Use the replication log level 8192
I'd like to see the directory server errors log /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the --win-subtree cn=VUW_Staff,dc= etc

regards

Steven Jones

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Tuesday, 18 September 2012 12:47 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 06:17 PM, Steven Jones wrote:

Hi,

The first time missed the --win-subtree settings so I wiped the admins in the IPA admin group and users as they were not in cn=users as per the bug.
The second time as far as I can tell I specified the correct cn via win-subtree flag but I still appear to have lost the users in IPA.....now I expected to lose the admins but the loss of users as well confounds me.

I did a ldapsearch as per checking and it seems to be saying the right folder/ou/cn but IPA is empty.

Hence I was wondering if there was a log recording what the update was doing so I could try and figure out the mistake. I've tried grepping, can't find any indication.

I will re-try with -v, verbose.

It is not clear from the manuals, but no matter what -win-subtree you specify, winsync will search AD starting from the dc=domain suffix. So, for example, if you have
cn=mystaff,cn=staff,dc=example,dc=com
and you specify
--win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"
winsync will still search starting from dc=example,dc=com and will hit ticket/355 if there are any users outside of cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a user in IPA.

regards

Steven Jones

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Tuesday, 18 September 2012 11:37 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 04:17 PM, Steven Jones wrote:

Hi,

I just tried to do a winsync agreement with specifying the AD point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are not in the users folder but the VUW_Staff folder (at the same level) and it wiped all IPA users that are also in AD.

Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of scope

While doing the actual update does this get verbosely logged anywhere as opposed to "update in progress" dumped to the screen? Something went badly wrong, I just don't know what.

You are seeing something different than #355?
:/

regards

Steven Jones

From rmeggins at redhat.com Thu Sep 20 23:35:29 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 20 Sep 2012 17:35:29 -0600
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546CFAD4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505B8266.9000208@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CFAD4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <505BA841.7020603@redhat.com>

On 09/20/2012 05:24 PM, Steven Jones wrote:
> disabled may not be logical as then once a user becomes disabled in
> AD, IPA will remove it rather than act and disable it.

?

> The way I read this winsync is its running the same command as I did
> initially by hand every 5mins...

The way you read what?
From rmeggins at redhat.com Thu Sep 20 23:37:02 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 20 Sep 2012 17:37:02 -0600
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546CFA3A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz> <505B8298.2090101@redhat.com>, <505B82EC.9060601@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CFA3A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <505BA89E.3000101@redhat.com>

On 09/20/2012 03:59 PM, Steven Jones wrote:
> uh....I just deleted the ad user templates but it puts them back, also
> the disabled users are in a sub-container and when I delete them in
> IPA they re-appear a few minutes later..

"ad user templates"?

I wonder if IPA is not setting the ntUserDeleteAccount
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

> :(
>
> regards
>
> Steven Jones
>
> ------------------------------------------------------------------------
> *From:* freeipa-users-bounces at redhat.com
> [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal
> [dpal at redhat.com]
> *Sent:* Friday, 21 September 2012 8:56 a.m.
> *To:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/20/2012 04:54 PM, Dmitri Pal wrote:
>> On 09/20/2012 04:43 PM, Steven Jones wrote:
>>> Some comments on the win sync agreement syntax.
>>> [...]
>>
>> Thank you for the feedback.
>> Would you mind filing BZs or trac tickets?
>
> NM. Rich bit me.
So, for example, if you have >>>>> cn=mystaff,cn=staff,dc=example,dc=com >>>>> and you specify >>>>> --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com" >>>>> winsync will still search starting from dc=example,dc=com and will >>>>> hit ticket/355 if there are any users outside of >>>>> cn=mystaff,cn=staff,dc=example,dc=com that have the same username >>>>> as a user in IPA. >>>>> >>>>>> >>>>>> regards >>>>>> >>>>>> Steven Jones >>>>>> >>>>>> Technical Specialist - Linux RHCE >>>>>> >>>>>> Victoria University, Wellington, NZ >>>>>> >>>>>> 0064 4 463 6272 >>>>>> >>>>>> ------------------------------------------------------------------------ >>>>>> *From:* Rich Megginson [rmeggins at redhat.com] >>>>>> *Sent:* Tuesday, 18 September 2012 11:37 a.m. >>>>>> *To:* Steven Jones >>>>>> *Cc:* freeipa-users at redhat.com >>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>> >>>>>> On 09/17/2012 04:17 PM, Steven Jones wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I just tried to do a winsync agreement with specifying the AD >>>>>>> point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my >>>>>>> users are not in the users folder but the VUW_Staff folder (at >>>>>>> the same level) and it wiped all IPA users that are also in AD. >>>>>> >>>>>> Yes, this is what happens with >>>>>> https://fedorahosted.org/389/ticket/355 >>>>>> #355 winsync should not delete entry that appears to be out >>>>>> of scope >>>>>> >>>>>>> While doing the actual update does this get verbosly logged >>>>>>> anywhere as opposed to "update in progress" dumped to the >>>>>>> screen? Something went badly wrong, I just dont know what. >>>>>> >>>>>> You are seeing something different than #355? 
>>>>>> >>>>>>> >>>>>>> :/ >>>>>>> >>>>>>> regards >>>>>>> >>>>>>> Steven Jones >>>>>>> >>>>>>> Technical Specialist - Linux RHCE >>>>>>> >>>>>>> Victoria University, Wellington, NZ >>>>>>> >>>>>>> 0064 4 463 6272 >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Freeipa-users mailing list >>>>>>> Freeipa-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> >>>>> >>>> >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager for IdM portfolio >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... 
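The scoping behaviour Rich describes above (winsync searches AD from the dc= suffix no matter what --win-subtree says, and ticket #355 then deletes an IPA user whenever an AD account outside the subtree carries the same username) is easy to check for before the first sync. The following is an added example, not code from the thread, from 389-ds or from FreeIPA: it assumes winsync correlates IPA uid with AD sAMAccountName, takes the IPA user list and a search of the whole AD domain as inputs (which is what winsync itself sees), and reports the usernames that would only match outside the subtree. Every DN, username and the subtree value below is a constructed sample.

```python
"""Pre-flight check before enabling a winsync agreement.

Added example, not code from the thread or from 389-ds/FreeIPA. It models
the behaviour described above: winsync searches AD from the domain suffix
rather than from --win-subtree, so an AD account *outside* the subtree
that shares a username with an IPA user can trip 389-ds ticket #355 and
get the IPA entry deleted as "out of scope". Feed it the real lists (for
example `ipa user-find` output and an ldapsearch over the whole AD domain)
before the first sync. All entries below are constructed samples.
"""

SYNCED, AT_RISK, IPA_ONLY = "synced", "at_risk", "ipa_only"


def normalize_dn(dn):
    """Lower-cased tuple of RDNs, so suffix checks compare components and are
    not fooled by case or by the spaces after commas that AD tools emit."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def dn_is_under(dn, base):
    """True if `dn` is `base` itself or lies anywhere beneath it."""
    parts, base_parts = normalize_dn(dn), normalize_dn(base)
    return len(parts) >= len(base_parts) and parts[-len(base_parts):] == base_parts


def classify_users(ipa_uids, ad_entries, win_subtree):
    """Map each IPA uid to SYNCED (an AD account with that sAMAccountName
    exists inside win_subtree), AT_RISK (the only matches lie outside the
    subtree: the #355 case) or IPA_ONLY (no AD account with that name).
    Assumption: winsync correlates uid with sAMAccountName, case-insensitively."""
    by_name = {}
    for dn, sam in ad_entries:
        by_name.setdefault(sam.lower(), []).append(dn)
    result = {}
    for uid in ipa_uids:
        matches = by_name.get(uid.lower(), [])
        if not matches:
            result[uid] = IPA_ONLY
        elif any(dn_is_under(dn, win_subtree) for dn in matches):
            result[uid] = SYNCED
        else:
            result[uid] = AT_RISK
    return result


def at_risk_report(ipa_uids, ad_entries, win_subtree):
    """One line per at-risk IPA user naming the out-of-scope AD DN(s)."""
    classes = classify_users(ipa_uids, ad_entries, win_subtree)
    lines = []
    for uid, status in classes.items():
        if status == AT_RISK:
            dns = [dn for dn, sam in ad_entries if sam.lower() == uid.lower()]
            lines.append(f"{uid}: matched only outside {win_subtree}: " + "; ".join(dns))
    return lines


# Constructed sample data (hypothetical domain, containers and usernames).
WIN_SUBTREE = "OU=Staff,DC=example,DC=com"      # the value you would pass to --win-subtree
AD_ENTRIES = [                                   # (DN, sAMAccountName)
    ("CN=Alice Example,OU=Staff,DC=example,DC=com", "alice"),
    ("CN=Bob Example,OU=Contractors,OU=Staff,DC=example,DC=com", "Bob"),  # nested under the subtree
    ("CN=Carol Example,OU=Students,DC=example,DC=com", "carol"),          # same name, outside: #355
    ("CN=Dave Example,CN=Users,DC=example,DC=com", "dave"),               # default container, outside
    ("CN=Erin Example,OU=Staff,DC=example,DC=com", "erin"),               # AD only, would be created
]
IPA_UIDS = ["alice", "bob", "carol", "dave", "frank"]

if __name__ == "__main__":
    for uid, status in classify_users(IPA_UIDS, AD_ENTRIES, WIN_SUBTREE).items():
        print(f"{uid:8} {status}")
    for line in at_risk_report(IPA_UIDS, AD_ENTRIES, WIN_SUBTREE):
        print("WARNING", line)
```

Anything reported as at_risk either needs the colliding AD account renamed or moved into the subtree, or the IPA user renamed, before the agreement is created; ipa_only users are untouched by the sync and synced users will be overwritten from AD as expected.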
URL: From rmeggins at redhat.com Thu Sep 20 23:38:20 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 20 Sep 2012 17:38:20 -0600 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <505BA8EC.3030200@redhat.com> On 09/20/2012 03:52 PM, Steven Jones wrote: > Hi, > > I have imported users, but there are 5700 of them but I only have 2000 > which corresponds to the view that AD gives you by default. This > makes me think that that limit is all the AD is allowing the query to see? You can use https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test what winsync sees when it searches. > > Is there a way to expand it? > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ------------------------------------------------------------------------ > *From:* freeipa-users-bounces at redhat.com > [freeipa-users-bounces at redhat.com] on behalf of Steven Jones > [Steven.Jones at vuw.ac.nz] > *Sent:* Friday, 21 September 2012 8:44 a.m. 
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>
> I have hundreds of disabled users in IPA now transferred from AD, is
> there a quick/clean way to purge them from IPA?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From lagern at lafayette.edu Fri Sep 21 02:01:56 2012
From: lagern at lafayette.edu (Lager, Nathan T.)
Date: Thu, 20 Sep 2012 22:01:56 -0400 (EDT)
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <505B647C.7000705@lafayette.edu>
Message-ID: <1279809961.2927691.1348192916917.JavaMail.root@zstore00.zprd.lafayette.edu>

Well, after all of this, RedHat support just resolved my issue! It came down to the domain_realm definitions in /etc/krb5.conf. They had me change:

[domain_realm]
.systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU

To:

[domain_realm]
.systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
lafayette.edu = SYSTEMS.LAFAYETTE.EDU

After doing so, I restarted IPA, and my commands are working properly now! Now, to get my replica back in order...

----- Original Message -----
> From: "Nathan Lager"
> To: "Rob Crittenden"
> Cc: freeipa-users at redhat.com
> Sent: Thursday, September 20, 2012 2:46:20 PM
> Subject: Re: [Freeipa-users] sudden ipa errors.
> On 09/20/2012 02:28 PM, Rob Crittenden wrote:
> > Nathan Lager wrote:
> >>
> >>
> >> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
> >>> Lager, Nathan T.
wrote: > >>>> > >>>> ----- Original Message ----- > >>>>> From: "Rob Crittenden" To: "Nathan > >>>>> Lager" Cc: freeipa-users at redhat.com > >>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM Subject: > >>>>> Re: [Freeipa-users] sudden ipa errors. Nathan Lager wrote: > >>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > >>>>>> > >>>>>> > >>>>>> > >>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote: > >>>>>>> Dmitri Pal wrote: > >>>>>>>> > >>>>>>>> Rob, keytab and kerberos part seems to be fine, ldap > >>>>>>>> works too. Can it be one of the certs? May be some > >>>>>>>> cert expired? > >>>>>>> > >>>>>>> No, the error is coming from GSSAPI, it is > >>>>>>> unfortunately completely useless. I think we've pretty > >>>>>>> well narrowed down the problem to httpd/mod_auth_kerb > >>>>>>> but I don't know yet if this is a configuration issue > >>>>>>> or a bug. > >>>>>>> > >>>>>>> Nathan, can you show me your > >>>>>>> /etc/httpd/conf.d/ipa.conf? > >>>>>> Sure, as far as I know its completely stock, aside from > >>>>>> the krb password auth change. > >>>>> > >>>>> Yup, configuration looks fine. > >>>>> > >>>>> Ok, let's eliminate the ipa tool as the problem and try > >>>>> curl: > >>>>> > >>>>> Create a file test.json with these contents: > >>>>> > >>>>> {"method":"batch","params":[[ > >>>>> {"method":"user_show","params":[["admin"],{"all":false}]} > >>>>> ],{}],"id":1} > >>>>> > >>>>> then run this: > >>>>> > >>>>> curl -H "Content-Type:application/json" -H > >>>>> "Accept:application/json" -H "Accept-Language:en" -H > >>>>> "Referer: https://caroline0.lafayette.edu/ipa/xml" > >>>>> --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X > >>>>> POST https://caroline0.lafayette.edu/ipa/json > >>>>> > >>>> Seems to be running into the same trouble. 
> >>>>
> >>>> [lagern at caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
> >>>> 500 Internal Server Error
> >>>> Internal Server Error
> >>>> The server encountered an internal error or misconfiguration and was unable to complete your request.
> >>>> Please contact the server administrator, root at localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
> >>>> More information about this error may be available in the server error log.
> >>>> Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443
> >>> > >>> Ok, need to gather some more info: > >>> > >>> # kvno HTTP/caroline0.lafayette.edu # klist -kt > >>> /etc/httpd/conf/ipa.keytab > >>> > >> [root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu > >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = 3 > >> [root at caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab > >> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab KVNO Timestamp > >> Principal ---- ----------------- > >> -------------------------------------------------------- 2 > >> 02/03/12 16:31:27 > >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 02/03/12 > >> 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 > >> 02/03/12 16:31:28 > >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 02/03/12 > >> 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 > >> 02/03/12 16:31:28 > >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 02/03/12 > >> 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 3 > >> 09/19/12 15:33:53 > >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 3 09/19/12 > >> 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 3 > >> 09/19/12 15:33:53 > >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 3 09/19/12 > >> 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU > >> > > > > It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has > > only 4. Did you change the available encryption types? > > > I have not changed them, not intentionally anyway. Could it be that > an update did so? I installed Ipa round rhel 6.1 or so, and have been > updating it via yum periodically. > > > Can you re-run the klist command with -e as well? klist -ekt ... 
> > > [root at caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab > Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab > KVNO Timestamp Principal > ---- ----------------- > -------------------------------------------------------- > 2 02/03/12 16:31:27 > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU > (aes256-cts-hmac-sha1-96) > 2 02/03/12 16:31:27 > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU > (aes128-cts-hmac-sha1-96) > 2 02/03/12 16:31:28 > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1) > 2 02/03/12 16:31:28 > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac) > 2 02/03/12 16:31:28 > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1) > 2 02/03/12 16:31:28 > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-cbc-md5) > 3 09/19/12 15:33:53 > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU > (aes256-cts-hmac-sha1-96) > 3 09/19/12 15:33:53 > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU > (aes128-cts-hmac-sha1-96) > 3 09/19/12 15:33:53 > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1) > 3 09/19/12 15:33:53 > HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac) > > > > rob > > > > -- > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > Nathan Lager, RHCSA, RHCE (#110-011-426) > System Administrator > 11 Pardee Hall > Lafayette College, Easton, PA 18042 > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From ssorce at redhat.com Fri Sep 21 02:36:21 2012 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2012 22:36:21 -0400 (EDT) Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing In-Reply-To: <505B7DDC.7030909@redhat.com> Message-ID: <788048016.3581337.1348194981258.JavaMail.root@redhat.com> ----- Original Message ----- > Sigbjorn Lie wrote: > > On 
09/20/2012 10:17 PM, Rob Crittenden wrote:
> >> bind isn't my strongest suit.
> >>
> >> My guess is that this file is the ccache for bind. I'm guessing that
> >> 25 is the UID of the named user. If this is the case, then it should
> >> be safe to stop named, rename the file, and restart. Perhaps the
> >> contexts have changed so when this gets re-created it will get fixed
> >> automagically.
> >>
> >> rob
> >>
> > You guessed well!! :)
> >
> > Stop named:
> > # service named stop
> >
> > Enable selinux:
> > # setenforce 1
> >
> > Verify that error still exists:
> > # service named start
> > Starting named: [FAILED]
> >
> > Rename file:
> > # cd /var/tmp
> > # mv DNS_25 DNS_25_old
> >
> > Attempt to start named again:
> > # service named start
> > Starting named: [ OK ]
> >
> > Voila!
> >
> > A before and after shot:
> > # ls -lZ DNS_25*
> > -rw-------. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25
> > -rw-------. named named system_u:object_r:tmp_t:s0 DNS_25_old
> >
> > What are the odds that this was the entire issue and that named will now
> > keep running safe and sound?
> >
>
> Hard to say. Because restorecon didn't fix the bad context I suspect
> this isn't directly covered in policy. So if the file should get the
> wrong context again you could be back in this position. It is probably
> worth filing a bug. I'm not entirely sure whether it should be against
> bind or selinux, but it'll get to the right folks either way eventually.

That file is the reply cache, and its context is set at runtime by the krb5 library. It did get out of sync because selinux was disabled, and restorecon can't fix the label because the file is in a tmp directory, so it just takes the tmp_t context by default. If selinux is not completely disabled this shouldn't happen anymore; however, should it happen, you can simply remove the file. It is not vital and will get recreated after you restart named.

Simo.

--
Simo Sorce * Red Hat, Inc.
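Going back to the "sudden ipa errors" thread above, two things in it are worth being able to check without waiting for a vendor case: the [domain_realm] mapping that turned out to be the cause (why entries for .systems.lafayette.edu alone did not cover caroline0.lafayette.edu), and Rob's question about the enctype set behind each kvno in the HTTP keytab. The block below is an added example, not code from the thread, from MIT Kerberos or from FreeIPA. It reimplements the domain_realm lookup order in plain Python and parses `klist -ekt` text; the krb5.conf fragments and the klist output it runs on are constructed samples modelled on what Nathan posted, and the no-mapping fallback is simplified (it guesses the upper-cased DNS domain and skips the DNS TXT lookup the real library can do).

```python
"""Kerberos client-side checks for the 'sudden ipa errors' thread above.

Added example, not code from the thread or from MIT Kerberos/FreeIPA.
- realm_for_host() models the [domain_realm] lookup order MIT krb5 uses
  for a host: the host itself, then each parent domain with and without a
  leading dot (a.b.c, .b.c, b.c, .c, c). With no match the library guesses
  a realm from the DNS domain (the DNS TXT step is omitted here), which is
  why a mapping for '.systems.lafayette.edu' alone did not cover
  'caroline0.lafayette.edu'.
- keytab_summary()/keytab_findings() parse `klist -ekt` output so the
  enctype set behind each kvno can be compared, as Rob asked for above.
The configuration and klist text below are constructed samples.
"""
import re
from collections import defaultdict


def parse_krb5_conf(text):
    """Minimal parser for flat 'key = value' sections. Lines inside
    '{ ... }' blocks (e.g. [realms]) are skipped; keys are lower-cased."""
    sections, current, depth = defaultdict(dict), None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        depth += line.count("{") - line.count("}")
        if depth > 0 or "=" not in line or current is None:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections


def candidate_names(host):
    """Yield the domain_realm keys tried, in MIT order: a.b.c, .b.c, b.c, .c, c."""
    host = host.lower().rstrip(".")
    yield host
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        yield "." + parent
        yield parent


def realm_for_host(conf, host):
    """Return (realm, how): how is 'domain_realm' for an explicit mapping,
    'guessed' when the library had to fall back."""
    mapping = conf.get("domain_realm", {})
    for name in candidate_names(host):
        if name in mapping:
            return mapping[name], "domain_realm"
    # Fallback (simplified): upper-cased DNS domain, or default_realm for a
    # dotless name. A guessed realm the KDC does not serve fails silently
    # inside GSSAPI, which is what the thread above was chasing.
    parts = host.lower().split(".", 1)
    if len(parts) == 2:
        return parts[1].upper(), "guessed"
    return conf.get("libdefaults", {}).get("default_realm", ""), "guessed"


KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
                 "des3-cbc-sha1", "arcfour-hmac"}


def keytab_summary(klist_output):
    """principal -> {kvno: set of enctypes}, parsed from `klist -ekt` text."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in klist_output.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            summary[m.group(2)][int(m.group(1))].add(m.group(3))
    return {p: dict(v) for p, v in summary.items()}


def keytab_findings(summary, kdc_kvno):
    """Flag a keytab that lacks the KDC's current kvno, keys that are only
    for superseded kvnos, and weak enctypes still present."""
    findings = []
    for principal, by_kvno in summary.items():
        if kdc_kvno not in by_kvno:
            findings.append(f"{principal}: keytab lacks current kvno {kdc_kvno}")
        for kvno, types in sorted(by_kvno.items()):
            weak = sorted(types & WEAK_ENCTYPES)
            if weak:
                findings.append(f"{principal} kvno {kvno}: weak enctypes {', '.join(weak)}")
            if kvno < kdc_kvno:
                findings.append(f"{principal} kvno {kvno}: superseded by kvno {kdc_kvno} ({len(types)} keys)")
    return findings


# Constructed samples modelled on the thread.
KRB5_CONF_BEFORE = """\
[libdefaults]
 default_realm = SYSTEMS.LAFAYETTE.EDU
[domain_realm]
 .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""
KRB5_CONF_AFTER = KRB5_CONF_BEFORE + """\
 .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""
KLIST_SAMPLE = """\
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
"""

if __name__ == "__main__":
    for label, conf in (("before", KRB5_CONF_BEFORE), ("after", KRB5_CONF_AFTER)):
        print(label, realm_for_host(parse_krb5_conf(conf), "caroline0.lafayette.edu"))
    for finding in keytab_findings(keytab_summary(KLIST_SAMPLE), kdc_kvno=3):
        print(finding)
```

The kdc_kvno argument is the number `kvno HTTP/host` reports (3 in the thread); a keytab whose highest kvno is lower than that is the classic "keytab rotated on the KDC but not on the host" failure, and the enctype list per kvno shows whether a re-keying silently dropped or kept DES.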
* New York From Steven.Jones at vuw.ac.nz Fri Sep 21 02:43:42 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Fri, 21 Sep 2012 02:43:42 +0000 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <505BA8EC.3030200@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, It seems IPA has some sort of limit of searching it will only show the first 2k of user entries? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Friday, 21 September 2012 11:38 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/20/2012 03:52 PM, Steven Jones wrote: Hi, I have imported users, but there are 5700 of them but I only have 2000 which corresponds to the view that AD gives you by default. This makes me think that that limit is all the AD is allowing the query to see? You can use https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test what winsync sees when it searches. Is there a way to expand it? 
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Friday, 21 September 2012 8:44 a.m. Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users I have hundreds of disable users in IPA now transferred from AD, is there a quick/clean way to purge them from IPA? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From pieter.baele at gmail.com Fri Sep 21 08:23:18 2012 From: pieter.baele at gmail.com (Pieter Baele) Date: Fri, 21 Sep 2012 10:23:18 +0200 Subject: [Freeipa-users] Migrate from SunONE DS5.2 - UnicodeDecodeError In-Reply-To: <505B1EE7.30908@redhat.com> References: <505B125B.9070706@redhat.com> <505B1EE7.30908@redhat.com> Message-ID: On Thu, Sep 20, 2012 at 3:49 PM, Martin Kosek wrote: > Since an Internal error was returned, there should at least be a traceback in > /var/log/httpd/error_log. This should help us narrow down the root cause of > this issue. > > Martin > Oops, I only sent to Rob. ==== So that's temporarily copying schema from the old ldap right? Which one? If I can migrate this data, it's a big benefit (we've still to decide between FreeIPA and an OpenLDAP solution...) Thx a lot! the other errors related.... 
[Thu Sep 20 15:02:21 2012] [error] ipa: ERROR: non-public: UnicodeDecodeError: 'utf8' codec can't decode byte 0xea in position 10: unexpected end of data [Thu Sep 20 15:02:21 2012] [error] Traceback (most recent call last): [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 320, in wsgi_execute [Thu Sep 20 15:02:21 2012] [error] result = self.Command[name](*args, **options) [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__ [Thu Sep 20 15:02:21 2012] [error] ret = self.run(*args, **options) [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 716, in run [Thu Sep 20 15:02:21 2012] [error] return self.execute(*args, **options) [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 791, in execute [Thu Sep 20 15:02:21 2012] [error] ldap, config, ds_ldap, ds_base_dn, options [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 635, in migrate [Thu Sep 20 15:02:21 2012] [error] search_refs=True # migrated DS may contain search references [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 190, in new_f [Thu Sep 20 15:02:21 2012] [error] return f(*new_args, **kwargs) [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 201, in new_f [Thu Sep 20 15:02:21 2012] [error] return args[0].decode(f(*args, **kwargs)) [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 141, in decode [Thu Sep 20 15:02:21 2012] [error] return tuple(self.decode(m) for m in var) [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 141, in [Thu Sep 20 15:02:21 2012] [error] return tuple(self.decode(m) for m in var) [Thu Sep 20 15:02:21 2012] 
[error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 139, in decode [Thu Sep 20 15:02:21 2012] [error] return [self.decode(m) for m in var] [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 141, in decode [Thu Sep 20 15:02:21 2012] [error] return tuple(self.decode(m) for m in var) [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 141, in [Thu Sep 20 15:02:21 2012] [error] return tuple(self.decode(m) for m in var) [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 159, in decode [Thu Sep 20 15:02:21 2012] [error] dct[k] = self._decode_dict_val(k, v) [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 66, in _decode_dict_val [Thu Sep 20 15:02:21 2012] [error] return self.decode(val) [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 139, in decode [Thu Sep 20 15:02:21 2012] [error] return [self.decode(m) for m in var] [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 134, in decode [Thu Sep 20 15:02:21 2012] [error] var.decode(self.encoder_settings.decode_from) [Thu Sep 20 15:02:21 2012] [error] File "/usr/lib64/python2.6/encodings/utf_8.py", line 16, in decode [Thu Sep 20 15:02:21 2012] [error] return codecs.utf_8_decode(input, errors, True) [Thu Sep 20 15:02:21 2012] [error] UnicodeDecodeError: 'utf8' codec can't decode byte 0xea in position 10: unexpected end of data From mkosek at redhat.com Fri Sep 21 08:29:03 2012 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 21 Sep 2012 10:29:03 +0200 Subject: [Freeipa-users] ipa host-add having both an IPv4 and an IPv6 address In-Reply-To: <505B7DFF.8080608@nixtra.com> References: <505B7DFF.8080608@nixtra.com> Message-ID: <505C254F.30304@redhat.com> On 09/20/2012 10:35 PM, Sigbjorn Lie wrote: > Hi, > > I see that I 
can add hosts with either an IPv4 or an IPv6 address when using
> "ipa host-add --ip-address=".
>
> Is there a way to add a host specifying both an IPv4 and an IPv6 address at the
> same time?
>
> Adding the --ip-address option twice yells this error:
>
> ipa: ERROR: invalid 'ip_address': Only one value is allowed
>
>
>
> Regards,
> Siggi

Hello Sigbjorn,

Unfortunately, host-add only accepts one IP address to be specified for the given host. But allowing more addresses is a reasonable request, I filed an upstream ticket:
https://fedorahosted.org/freeipa/ticket/3101

Until the ticket is addressed, you can manually add host IP addresses via the dnsrecord-add command:

# ipa host-add foo.example.com --ip-address 10.16.78.101
----------------------------
Added host "foo.example.com"
----------------------------
  Host name: foo.example.com
  Principal name: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
  Password: False
  Keytab: False
  Managed by: foo.example.com

# ipa dnsrecord-add example.com foo --a-rec=10.16.78.111 --a-create-reverse
  Record name: foo
  A record: 10.16.78.101, 10.16.78.111

# ipa dnsrecord-add example.com foo --aaaa-rec=2620:52:0:104c:21a:4aff:fe10:4e06 --aaaa-create-reverse
  Record name: foo
  A record: 10.16.78.101, 10.16.78.111
  AAAA record: 2620:52:0:104c:21a:4aff:fe10:4e06

# host foo.example.com
foo.example.com has address 10.16.78.111
foo.example.com has address 10.16.78.101
foo.example.com has IPv6 address 2620:52:0:104c:21a:4aff:fe10:4e06

HTH,
Martin

From pspacek at redhat.com Fri Sep 21 08:45:54 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 21 Sep 2012 10:45:54 +0200
Subject: [Freeipa-users] Do we need ipa-client-update script?
Message-ID: <505C2942.5090001@redhat.com> Hello users, we have a question for client machine administrators: On 09/21/2012 10:12 AM, Martin Kosek wrote: > ..., that it may be useful to implement a script > like "ipa-client-update" which would be capable of updating client information > (and could be entered in a cron for example) without a need to re-enroll > client. Such script could for example: > * update SSH keys of the client > * update a list of IPA DNS servers in #3095 > * ... > > Martin Would it be useful at all? What other information should updater maintain? Ad https://fedorahosted.org/freeipa/ticket/3095: IMHO DNS configuration on client side is job for DHCP or Puppet. Isn't it? -- Petr^2 Spacek From jcholast at redhat.com Fri Sep 21 09:46:30 2012 From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 21 Sep 2012 11:46:30 +0200 Subject: [Freeipa-users] Do we need ipa-client-update script? In-Reply-To: <505C2942.5090001@redhat.com> References: <505C2942.5090001@redhat.com> Message-ID: <505C3776.8050604@redhat.com> Dne 21.9.2012 10:45, Petr Spacek napsal(a): > Hello users, > > we have a question for client machine administrators: > > On 09/21/2012 10:12 AM, Martin Kosek wrote: > > > ..., that it may be useful to implement a script > > like "ipa-client-update" which would be capable of updating client > information > > (and could be entered in a cron for example) without a need to re-enroll > > client. Such script could for example: > > * update SSH keys of the client > > * update a list of IPA DNS servers in #3095 > > * ... > > > > Martin > > Would it be useful at all? What other information should updater maintain? > > Ad https://fedorahosted.org/freeipa/ticket/3095: > IMHO DNS configuration on client side is job for DHCP or Puppet. Isn't it? 
> There is a couple of tickets that are related to this issue: Honza -- Jan Cholasta From mkosek at redhat.com Fri Sep 21 11:21:01 2012 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 21 Sep 2012 13:21:01 +0200 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <505C4D9D.10404@redhat.com> When using bare ldapsearch, you are hitting 389-ds limits - in your case nsslapd-sizelimit. This can be increased either globally or (this seems as a more secure solution) for a user you bind as: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html Martin On 09/21/2012 04:43 AM, Steven Jones wrote: > Hi, > > It seems IPA has some sort of limit of searching it will only show the first 2k > of user entries? 
> > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ------------------------------------------------------------------------------- > *From:* Rich Megginson [rmeggins at redhat.com] > *Sent:* Friday, 21 September 2012 11:38 a.m. > *To:* Steven Jones > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users > > On 09/20/2012 03:52 PM, Steven Jones wrote: >> Hi, >> >> I have imported users, but there are 5700 of them but I only have 2000 which >> corresponds to the view that AD gives you by default. This makes me think >> that that limit is all the AD is allowing the query to see? > > You can use https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test > what winsync sees when it searches. >> >> Is there a way to expand it? >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ------------------------------------------------------------------------------- >> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] >> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >> *Sent:* Friday, 21 September 2012 8:44 a.m. >> *Cc:* freeipa-users at redhat.com >> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >> >> I have hundreds of disable users in IPA now transferred from AD, is there a >> quick/clean way to purge them from IPA? 
>> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> From jreg2k at gmail.com Fri Sep 21 11:27:15 2012 From: jreg2k at gmail.com (James James) Date: Fri, 21 Sep 2012 13:27:15 +0200 Subject: [Freeipa-users] Ipa migration, from ui cannot change password In-Reply-To: References: <505B48FB.9090506@redhat.com> <505B4BF2.6000600@redhat.com> <505B4D49.7000007@redhat.com> <505B5588.6060307@redhat.com> <505B60B5.1070201@redhat.com> <505B6810.7050402@redhat.com> Message-ID: I was mistaken. The password change from the ui works well. Thanks again for your help. 2012/9/21 James James > This is my krb5kdc.log ... > > Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes > {18 17 16 23}) 129.104.11.85: CLIENT KEY EXPIRED: test at LIX.POLYTECHN > IQUE.FR for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Password has expired > Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes > {18 17 16 23}) 129.104.11.85: NEEDED_PREAUTH: test at EXAMPLE.COM for kadmin/ > changepw at EXAMPLE.COM, Additional pre-authentication required > Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes > {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348178594, etypes {rep=18 > tkt=18 ses=18}, test at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM > Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): TGS_REQ (4 etypes > {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 > tkt=18 ses=18}, HTTP/ipa.example.com at EXAMPLE.COM for ldap/ > ipa.example.com at EXAMPLE.COM > Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): ... 
> CONSTRAINED-DELEGATION s4u-client=admin at EXAMPLE.COM > Sep 21 00:05:08 ipa.example.com krb5kdc[22843](info): TGS_REQ (4 etypes > {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 > tkt=18 ses=18}, HTTP/ipa.example.com at EXAMPLE.COM for ldap/ > ipa.example.com at EXAMPLE.COM > > > Thanks > > > 2012/9/21 James James > >> Now, I can read the userPassword field (after the migration process) but >> I still can't change my password from the ui. I just got : >> >> kerberos ticket is no longer valid. >> >> >> >> 2012/9/20 James James >> >>> It will be fine to have this info in the doc. >>> >>> >>> 2012/9/20 Rob Crittenden >>> >>>> Dmitri Pal wrote: >>>> >>>>> On 09/20/2012 01:42 PM, Rob Crittenden wrote: >>>>> >>>>>> James James wrote: >>>>>> >>>>>>> You 're right. The request return : >>>>>>> >>>>>>> Enter LDAP Password: >>>>>>> # extended LDIF >>>>>>> # >>>>>>> # LDAPv3 >>>>>>> # base with scope subtree >>>>>>> # filter: uid=test >>>>>>> # requesting: userPassword >>>>>>> # >>>>>>> >>>>>>> # test, users, accounts, example.com >>>>>>> dn: uid=test,cn=users,cn=accounts,**dc=example,dc=com >>>>>>> >>>>>>> # search result >>>>>>> search: 2 >>>>>>> result: 0 Success >>>>>>> >>>>>>> Can you explain me what happens ? >>>>>>> >>>>>>> Is there a solution ? >>>>>>> >>>>>> >>>>>> When migrating you need to bind as a user that has read permission on >>>>>> the userPassword attribute in the remote LDAP server. >>>>>> >>>>> >>>>> Rob should we check if we can read the userPassword attribute and if >>>>> not >>>>> fail migration? >>>>> Should we open a ticket for this? >>>>> Also I do not think we document the expectation that you vocalized >>>>> above. >>>>> >>>> >>>> I'll open a ticket to spell this out in the docs. >>>> >>>> Checking it in the command would be nice but I don't know about fatal. >>>> Still, I'll open a ticket for that as well. >>>> >>>> rob >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rcritten at redhat.com Fri Sep 21 12:47:28 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 21 Sep 2012 08:47:28 -0400 Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing In-Reply-To: <788048016.3581337.1348194981258.JavaMail.root@redhat.com> References: <788048016.3581337.1348194981258.JavaMail.root@redhat.com> Message-ID: <505C61E0.7090807@redhat.com> Simo Sorce wrote: > ----- Original Message ----- >> Sigbjorn Lie wrote: >>> On 09/20/2012 10:17 PM, Rob Crittenden wrote: >>>> bind isn't my strongest suit. >>>> >>>> My guess is that this file is the ccache for bind. I'm guessing >>>> that >>>> 25 is the UID of the named user. If this is the case, then it >>>> should >>>> be safe to stop named, rename the file, and restart. Perhaps the >>>> contexts have changed so when this gets re-created it will get >>>> fixed >>>> automagically. >>>> >>>> rob >>>> >>> You guessed well!! :) >>> >>> Stop named: >>> # service named stop >>> >>> Enable selinux: >>> # setenforce 1 >>> >>> Verify that error still exists: >>> # service named start >>> Starting named: [FAILED] >>> >>> Rename file: >>> # cd /var/tmp >>> # mv DNS_25 DNS_25_old >>> >>> Attempt to start named again: >>> # service named start >>> Starting named: [ OK ] >>> >>> Voila! >>> >>> A before and after shot: >>> # ls -lZ DNS_25* >>> -rw-------. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25 >>> -rw-------. named named system_u:object_r:tmp_t:s0 DNS_25_old >>> >>> What are the odds that this was the entire issue and that named will >>> now >>> keep running safe and sound? >>> >> >> Hard to say. Because restorecon didn't fix the bad context I suspect >> this isn't directly covered in policy. So if the file should get the >> wrong context again you could be back in this position. It is >> probably >> worth filing a bug. 
I'm not entirely sure whether it should be >> against >> bind or selinux, but it'll get to the right folks either way >> eventually. > > That file is the reply-cache, and its context is set at runtime by the > krb5 library. It did get out of sync because selinux was disabled, and > restorecon can't fix the label because the file is in a tmp directory, > so it just takes the tmp_t context by default. > > If selinux is not completely disabled this shouldn't happen anymore, however, > should it happen you can simply remove the file, it is not vital and will > get recreated after you restart named. > > Simo. > AFAIK he never disabled SELinux. He put it into permissive temporarily to get going again while we diagnosed this but before and after the krb5-server upgrade he was in enforcing mode. I wonder if the krb5-server upgrade caused a filesystem relabel and this is what hosed the /var/tmp entry. rob From rmeggins at redhat.com Fri Sep 21 13:23:59 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 21 Sep 2012 07:23:59 -0600 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <505C4D9D.10404@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> 
<505C4D9D.10404@redhat.com> Message-ID: <505C6A6F.8060004@redhat.com> On 09/21/2012 05:21 AM, Martin Kosek wrote: > When using bare ldapsearch, you are hitting 389-ds limits - in your case > nsslapd-sizelimit. This can be increased either globally or (this seems as a > more secure solution) for a user you bind as: > > https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html Steven, are you saying that winsync only pulled over 2000 out of 5700 users from AD into IPA? If so, then that's a limit on the winsync user that must be increased in AD. > > Martin > > On 09/21/2012 04:43 AM, Steven Jones wrote: >> Hi, >> >> It seems IPA has some sort of limit of searching it will only show the first 2k >> of user entries? >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ------------------------------------------------------------------------------- >> *From:* Rich Megginson [rmeggins at redhat.com] >> *Sent:* Friday, 21 September 2012 11:38 a.m. >> *To:* Steven Jones >> *Cc:* freeipa-users at redhat.com >> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >> >> On 09/20/2012 03:52 PM, Steven Jones wrote: >>> Hi, >>> >>> I have imported users, but there are 5700 of them but I only have 2000 which >>> corresponds to the view that AD gives you by default. This makes me think >>> that that limit is all the AD is allowing the query to see? >> You can use https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test >> what winsync sees when it searches. >>> Is there a way to expand it? 
>>> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> ------------------------------------------------------------------------------- >>> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] >>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>> *Sent:* Friday, 21 September 2012 8:44 a.m. >>> *Cc:* freeipa-users at redhat.com >>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>> >>> I have hundreds of disabled users in IPA now transferred from AD, is there a >>> quick/clean way to purge them from IPA? >>> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From rcritten at redhat.com Fri Sep 21 14:18:51 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 21 Sep 2012 10:18:51 -0400 Subject: [Freeipa-users] sudden ipa errors. In-Reply-To: <1279809961.2927691.1348192916917.JavaMail.root@zstore00.zprd.lafayette.edu> References: <1279809961.2927691.1348192916917.JavaMail.root@zstore00.zprd.lafayette.edu> Message-ID: <505C774B.1050506@redhat.com> Lager, Nathan T. wrote: > Well, after all of this, RedHat support just resolved my issue! > > It came down to the domain_realm definitions in /etc/krb5.conf. > > They had me change: > > [domain_realm] > .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU > systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU > > To: > [domain_realm] > .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU > systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU > .lafayette.edu = SYSTEMS.LAFAYETTE.EDU > lafayette.edu = SYSTEMS.LAFAYETTE.EDU > > After doing so, I restarted IPA, and my commands are working properly now! 
> > Now, to get my replica back in order... Wow. OK, I'm glad it's working. Do we have any idea how this file changed? Is it wrong on all your clients or only on this one master? rob > > > ----- Original Message ----- >> From: "Nathan Lager" >> To: "Rob Crittenden" >> Cc: freeipa-users at redhat.com >> Sent: Thursday, September 20, 2012 2:46:20 PM >> Subject: Re: [Freeipa-users] sudden ipa errors. >> On 09/20/2012 02:28 PM, Rob Crittenden wrote: >>> Nathan Lager wrote: >>>> >>>> >>>> On 09/20/2012 11:43 AM, Rob Crittenden wrote: >>>>> Lager, Nathan T. wrote: >>>>>> >>>>>> ----- Original Message ----- >>>>>>> From: "Rob Crittenden" To: "Nathan >>>>>>> Lager" Cc: freeipa-users at redhat.com >>>>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM Subject: >>>>>>> Re: [Freeipa-users] sudden ipa errors. Nathan Lager wrote: >>>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote: >>>>>>>>> Dmitri Pal wrote: >>>>>>>>>> >>>>>>>>>> Rob, keytab and kerberos part seems to be fine, ldap >>>>>>>>>> works too. Can it be one of the certs? May be some >>>>>>>>>> cert expired? >>>>>>>>> >>>>>>>>> No, the error is coming from GSSAPI, it is >>>>>>>>> unfortunately completely useless. I think we've pretty >>>>>>>>> well narrowed down the problem to httpd/mod_auth_kerb >>>>>>>>> but I don't know yet if this is a configuration issue >>>>>>>>> or a bug. >>>>>>>>> >>>>>>>>> Nathan, can you show me your >>>>>>>>> /etc/httpd/conf.d/ipa.conf? >>>>>>>> Sure, as far as I know its completely stock, aside from >>>>>>>> the krb password auth change. >>>>>>> >>>>>>> Yup, configuration looks fine. 
>>>>>>> >>>>>>> Ok, let's eliminate the ipa tool as the problem and try >>>>>>> curl: >>>>>>> >>>>>>> Create a file test.json with these contents: >>>>>>> >>>>>>> {"method":"batch","params":[[ >>>>>>> {"method":"user_show","params":[["admin"],{"all":false}]} >>>>>>> ],{}],"id":1} >>>>>>> >>>>>>> then run this: >>>>>>> >>>>>>> curl -H "Content-Type:application/json" -H >>>>>>> "Accept:application/json" -H "Accept-Language:en" -H >>>>>>> "Referer: https://caroline0.lafayette.edu/ipa/xml" >>>>>>> --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X >>>>>>> POST https://caroline0.lafayette.edu/ipa/json >>>>>>> >>>>>> Seems to be running into the same trouble. >>>>>> >>>>>> [lagern at caroline0 PROD ~]$ curl -H >>>>>> "Content-Type:application/json" -H "Accept:application/json" >>>>>> -H "Accept-Language:en" -H "Referer: >>>>>> https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : >>>>>> --cacert /etc/ipa/ca.crt -d @test.json -X POST >>>>>> https://caroline0.lafayette.edu/ipa/json >>>>>> >>>>>> 500 Internal Server Error >>>>>> Internal Server Error >>>>>> The server encountered an internal error >>>>>> or misconfiguration and was unable to complete your >>>>>> request. >>>>>> Please contact the server administrator, >>>>>> root at localhost and inform them of the time the error >>>>>> occurred, and anything you might have done that may have >>>>>> caused the error. >>>>>> More information about this error >>>>>> may be available in the server error log. >>>>>> Apache/2.2.15 (Red Hat) Server at >>>>>> caroline0.lafayette.edu Port 443
>>>>> >>>>> Ok, need to gather some more info: >>>>> >>>>> # kvno HTTP/caroline0.lafayette.edu # klist -kt >>>>> /etc/httpd/conf/ipa.keytab >>>>> >>>> [root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu >>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = 3 >>>> [root at caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab >>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab KVNO Timestamp >>>> Principal ---- ----------------- >>>> -------------------------------------------------------- 2 >>>> 02/03/12 16:31:27 >>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 02/03/12 >>>> 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 >>>> 02/03/12 16:31:28 >>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 02/03/12 >>>> 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 >>>> 02/03/12 16:31:28 >>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 02/03/12 >>>> 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 3 >>>> 09/19/12 15:33:53 >>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 3 09/19/12 >>>> 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 3 >>>> 09/19/12 15:33:53 >>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 3 09/19/12 >>>> 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>>> >>> >>> It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has >>> only 4. Did you change the available encryption types? >>> >> I have not changed them, not intentionally anyway. Could it be that >> an update did so? I installed Ipa round rhel 6.1 or so, and have been >> updating it via yum periodically. >> >>> Can you re-run the klist command with -e as well? klist -ekt ... 
>>> >> [root at caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab >> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab >> KVNO Timestamp Principal >> ---- ----------------- >> -------------------------------------------------------- >> 2 02/03/12 16:31:27 >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >> (aes256-cts-hmac-sha1-96) >> 2 02/03/12 16:31:27 >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >> (aes128-cts-hmac-sha1-96) >> 2 02/03/12 16:31:28 >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1) >> 2 02/03/12 16:31:28 >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac) >> 2 02/03/12 16:31:28 >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1) >> 2 02/03/12 16:31:28 >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-cbc-md5) >> 3 09/19/12 15:33:53 >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >> (aes256-cts-hmac-sha1-96) >> 3 09/19/12 15:33:53 >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >> (aes128-cts-hmac-sha1-96) >> 3 09/19/12 15:33:53 >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1) >> 3 09/19/12 15:33:53 >> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac) >> >> >>> rob >>> >> >> -- >> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- >> Nathan Lager, RHCSA, RHCE (#110-011-426) >> System Administrator >> 11 Pardee Hall >> Lafayette College, Easton, PA 18042 >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users From dpal at redhat.com Fri Sep 21 15:04:28 2012 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 21 Sep 2012 11:04:28 -0400 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <505C6A6F.8060004@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> 
<833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> Message-ID: <505C81FC.9080701@redhat.com> On 09/21/2012 09:23 AM, Rich Megginson wrote: > On 09/21/2012 05:21 AM, Martin Kosek wrote: >> When using bare ldapsearch, you are hitting 389-ds limits - in your case >> nsslapd-sizelimit. This can be increased either globally or (this >> seems as a >> more secure solution) for a user you bind as: >> >> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html >> > > Steven, are you saying that winsync only pulled over 2000 out of 5700 > users from AD into IPA? If so, then that's a limit on the winsync user > that must be increased in AD. > Rich, it seems that it might make sense to file an RFE for the winsync to support paging control. > >> >> Martin >> >> On 09/21/2012 04:43 AM, Steven Jones wrote: >>> Hi, >>> >>> It seems IPA has some sort of limit of searching it will only show >>> the first 2k >>> of user entries? 
>>> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> ------------------------------------------------------------------------------- >>> >>> *From:* Rich Megginson [rmeggins at redhat.com] >>> *Sent:* Friday, 21 September 2012 11:38 a.m. >>> *To:* Steven Jones >>> *Cc:* freeipa-users at redhat.com >>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>> >>> On 09/20/2012 03:52 PM, Steven Jones wrote: >>>> Hi, >>>> >>>> I have imported users, but there are 5700 of them but I only have >>>> 2000 which >>>> corresponds to the view that AD gives you by default. This makes >>>> me think >>>> that that limit is all the AD is allowing the query to see? >>> You can use >>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test >>> what winsync sees when it searches. >>>> Is there a way to expand it? >>>> >>>> regards >>>> >>>> Steven Jones >>>> >>>> Technical Specialist - Linux RHCE >>>> >>>> Victoria University, Wellington, NZ >>>> >>>> 0064 4 463 6272 >>>> >>>> ------------------------------------------------------------------------------- >>>> >>>> *From:* freeipa-users-bounces at redhat.com >>>> [freeipa-users-bounces at redhat.com] >>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>> *Sent:* Friday, 21 September 2012 8:44 a.m. >>>> *Cc:* freeipa-users at redhat.com >>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>> >>>> I have hundreds of disable users in IPA now transferred from AD, is >>>> there a >>>> quick/clean way to purge them from IPA? 
>>>> >>>> regards >>>> >>>> Steven Jones >>>> >>>> Technical Specialist - Linux RHCE >>>> >>>> Victoria University, Wellington, NZ >>>> >>>> 0064 4 463 6272 >>>> >>>> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From lagern at lafayette.edu Fri Sep 21 15:07:33 2012 From: lagern at lafayette.edu (Nathan Lager) Date: Fri, 21 Sep 2012 11:07:33 -0400 Subject: [Freeipa-users] sudden ipa errors. In-Reply-To: <505C774B.1050506@redhat.com> References: <1279809961.2927691.1348192916917.JavaMail.root@zstore00.zprd.lafayette.edu> <505C774B.1050506@redhat.com> Message-ID: <505C82B5.1030609@lafayette.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/21/2012 10:18 AM, Rob Crittenden wrote: > Lager, Nathan T. wrote: >> Well, after all of this, RedHat support just resolved my issue! >> >> It came down the the domain_realm definitions in /etc/krb5.conf. >> >> They had me change: >> >> [domain_realm] .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU >> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU >> >> To: [domain_realm] .systems.lafayette.edu = >> SYSTEMS.LAFAYETTE.EDU systems.lafayette.edu = >> SYSTEMS.LAFAYETTE.EDU .lafayette.edu = SYSTEMS.LAFAYETTE.EDU >> lafayette.edu = SYSTEMS.LAFAYETTE.EDU >> >> After doing so, i restarted IPA, and my commands are working >> properly now! >> >> Now, to get my replica back in order... > > Wow. OK, I'm glad it's working. Do we have any idea how this file > changed? Is it wrong on all your clients or only on this one > master? > It appears wrong on my replica as well, caroline1. 
There are no clients currently, other than RHEV. I only have one lingering issue, aside from my replica being broken. I still can't reset admin's password. It gives me the same error it was before. [root at caroline0 PROD ~]# kinit admin Password for admin at SYSTEMS.LAFAYETTE.EDU: Password expired. You must change it now. Enter new password: Enter it again: kinit: Password has expired while getting initial credentials > rob > >> >> >> ----- Original Message ----- >>> From: "Nathan Lager" To: "Rob >>> Crittenden" Cc: freeipa-users at redhat.com >>> Sent: Thursday, September 20, 2012 2:46:20 PM Subject: Re: >>> [Freeipa-users] sudden ipa errors. On 09/20/2012 02:28 PM, Rob >>> Crittenden wrote: >>>> Nathan Lager wrote: >>>>> >>>>> >>>>> On 09/20/2012 11:43 AM, Rob Crittenden wrote: >>>>>> Lager, Nathan T. wrote: >>>>>>> >>>>>>> ----- Original Message ----- >>>>>>>> From: "Rob Crittenden" To: >>>>>>>> "Nathan Lager" Cc: >>>>>>>> freeipa-users at redhat.com Sent: Wednesday, September >>>>>>>> 19, 2012 4:35:30 PM Subject: Re: [Freeipa-users] >>>>>>>> sudden ipa errors. Nathan Lager wrote: >>>>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote: >>>>>>>>>> Dmitri Pal wrote: >>>>>>>>>>> >>>>>>>>>>> Rob, keytab and kerberos part seems to be fine, >>>>>>>>>>> ldap works too. Can it be one of the certs? May >>>>>>>>>>> be some cert expired? >>>>>>>>>> >>>>>>>>>> No, the error is coming from GSSAPI, it is >>>>>>>>>> unfortunately completely useless. I think we've >>>>>>>>>> pretty well narrowed down the problem to >>>>>>>>>> httpd/mod_auth_kerb but I don't know yet if this >>>>>>>>>> is a configuration issue or a bug. >>>>>>>>>> >>>>>>>>>> Nathan, can you show me your >>>>>>>>>> /etc/httpd/conf.d/ipa.conf? >>>>>>>>> Sure, as far as I know its completely stock, aside >>>>>>>>> from the krb password auth change. >>>>>>>> >>>>>>>> Yup, configuration looks fine. 
>>>>>>>> >>>>>>>> Ok, let's eliminate the ipa tool as the problem and >>>>>>>> try curl: >>>>>>>> >>>>>>>> Create a file test.json with these contents: >>>>>>>> >>>>>>>> {"method":"batch","params":[[ >>>>>>>> {"method":"user_show","params":[["admin"],{"all":false}]} >>>>>>>> >>>>>>>> ],{}],"id":1} >>>>>>>> >>>>>>>> then run this: >>>>>>>> >>>>>>>> curl -H "Content-Type:application/json" -H >>>>>>>> "Accept:application/json" -H "Accept-Language:en" -H >>>>>>>> "Referer: https://caroline0.lafayette.edu/ipa/xml" >>>>>>>> --negotiate -u : --cacert /etc/ipa/ca.crt -d >>>>>>>> @test.json -X POST >>>>>>>> https://caroline0.lafayette.edu/ipa/json >>>>>>>> >>>>>>> Seems to be running into the same trouble. >>>>>>> >>>>>>> [lagern at caroline0 PROD ~]$ curl -H >>>>>>> "Content-Type:application/json" -H >>>>>>> "Accept:application/json" -H "Accept-Language:en" -H >>>>>>> "Referer: https://caroline0.lafayette.edu/ipa/xml" >>>>>>> --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json >>>>>>> -X POST https://caroline0.lafayette.edu/ipa/json >>>>>>> >>>>>>> 500 Internal Server Error >>>>>>>

>>>>>>> Internal Server Error >>>>>>> The >>>>>>> server encountered an internal error or >>>>>>> misconfiguration and was unable to complete your >>>>>>> request. >>>>>>> Please contact the server >>>>>>> administrator, root at localhost and inform them of the >>>>>>> time the error occurred, and anything you might have >>>>>>> done that may have caused the error. >>>>>>> More >>>>>>> information about this error may be available in the >>>>>>> server error log. >>>>>>> Apache/2.2.15 (Red >>>>>>> Hat) Server at caroline0.lafayette.edu Port >>>>>>> 443
>>>>>> >>>>>> Ok, need to gather some more info: >>>>>> >>>>>> # kvno HTTP/caroline0.lafayette.edu # klist -kt >>>>>> /etc/httpd/conf/ipa.keytab >>>>>> >>>>> [root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu >>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = >>>>> 3 [root at caroline0 PROD ~]# klist -kt >>>>> /etc/httpd/conf/ipa.keytab Keytab name: >>>>> WRFILE:/etc/httpd/conf/ipa.keytab KVNO Timestamp Principal >>>>> ---- ----------------- >>>>> -------------------------------------------------------- 2 >>>>> 02/03/12 16:31:27 >>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 >>>>> 02/03/12 16:31:27 >>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 >>>>> 02/03/12 16:31:28 >>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 >>>>> 02/03/12 16:31:28 >>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 >>>>> 02/03/12 16:31:28 >>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 2 >>>>> 02/03/12 16:31:28 >>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 3 >>>>> 09/19/12 15:33:53 >>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 3 >>>>> 09/19/12 15:33:53 >>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 3 >>>>> 09/19/12 15:33:53 >>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU 3 >>>>> 09/19/12 15:33:53 >>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>>>> >>>> >>>> It may be nothing, but I wonder why kvno 2 has 6 keys and 3 >>>> has only 4. Did you change the available encryption types? >>>> >>> I have not changed them, not intentionally anyway. Could it be >>> that an update did so? I installed Ipa round rhel 6.1 or so, >>> and have been updating it via yum periodically. >>> >>>> Can you re-run the klist command with -e as well? klist -ekt >>>> ... 
>>>> >>> [root at caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab >>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab KVNO Timestamp >>> Principal ---- ----------------- >>> -------------------------------------------------------- 2 >>> 02/03/12 16:31:27 >>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>> (aes256-cts-hmac-sha1-96) 2 02/03/12 16:31:27 >>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>> (aes128-cts-hmac-sha1-96) 2 02/03/12 16:31:28 >>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>> (des3-cbc-sha1) 2 02/03/12 16:31:28 >>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>> (arcfour-hmac) 2 02/03/12 16:31:28 >>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>> (des-hmac-sha1) 2 02/03/12 16:31:28 >>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>> (des-cbc-md5) 3 09/19/12 15:33:53 >>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>> (aes256-cts-hmac-sha1-96) 3 09/19/12 15:33:53 >>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>> (aes128-cts-hmac-sha1-96) 3 09/19/12 15:33:53 >>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>> (des3-cbc-sha1) 3 09/19/12 15:33:53 >>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>> (arcfour-hmac) >>> >>> >>>> rob >>>> >>> >>> -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nathan Lager, >>> RHCSA, RHCE (#110-011-426) System Administrator 11 Pardee Hall >>> Lafayette College, Easton, PA 18042 >>> >>> _______________________________________________ Freeipa-users >>> mailing list Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users > - -- - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nathan Lager, RHCSA, RHCE (#110-011-426) System Administrator 11 Pardee Hall Lafayette College, Easton, PA 18042 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBcgrUACgkQsZqG4IN3sul3SACfdzbDnaCmS5KMCwycHfhzUTok 
jWcAn1ROnFUFmGKNLug9oI2RtK4F3aH4 =dQZ+ -----END PGP SIGNATURE----- From rmeggins at redhat.com Fri Sep 21 15:07:55 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 21 Sep 2012 09:07:55 -0600 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <505C81FC.9080701@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> Message-ID: <505C82CB.2010201@redhat.com> On 09/21/2012 09:04 AM, Dmitri Pal wrote: > On 09/21/2012 09:23 AM, Rich Megginson wrote: >> On 09/21/2012 05:21 AM, Martin Kosek wrote: >>> When using bare ldapsearch, you are hitting 389-ds limits - in your case >>> nsslapd-sizelimit. This can be increased either globally or (this >>> seems as a >>> more secure solution) for a user you bind as: >>> >>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html >>> >> Steven, are you saying that winsync only pulled over 2000 out of 5700 >> users from AD into IPA? If so, then that's a limit on the winsync user >> that must be increased in AD. 
>>
> Rich, it seems that it might make sense to file an RFE for the winsync
> to support paging control.

AD supports the paging control? And this allows you to get around the search limit?

>
>>> Martin
>>>
>>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> It seems IPA has some sort of limit of searching it will only show the first 2k
>>>> of user entries?
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>> -------------------------------------------------------------------------------
>>>>
>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>>> *To:* Steven Jones
>>>> *Cc:* freeipa-users at redhat.com
>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>
>>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> I have imported users, but there are 5700 of them but I only have 2000 which
>>>>> corresponds to the view that AD gives you by default. This makes me think
>>>>> that that limit is all the AD is allowing the query to see?
>>>> You can use https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
>>>> what winsync sees when it searches.
>>>>> Is there a way to expand it?
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> -------------------------------------------------------------------------------
>>>>>
>>>>> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com]
>>>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m.
>>>>> *Cc:* freeipa-users at redhat.com
>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>
>>>>> I have hundreds of disabled users in IPA now transferred from AD, is there a
>>>>> quick/clean way to purge them from IPA?
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From rcritten at redhat.com Fri Sep 21 15:13:16 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Sep 2012 11:13:16 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <505C82B5.1030609@lafayette.edu>
References: <1279809961.2927691.1348192916917.JavaMail.root@zstore00.zprd.lafayette.edu> <505C774B.1050506@redhat.com> <505C82B5.1030609@lafayette.edu>
Message-ID: <505C840C.9020601@redhat.com>

Nathan Lager wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> On 09/21/2012 10:18 AM, Rob Crittenden wrote:
>> Lager, Nathan T. wrote:
>>> Well, after all of this, RedHat support just resolved my issue!
>>>
>>> It came down to the domain_realm definitions in /etc/krb5.conf.
>>>
>>> They had me change:
>>>
>>> [domain_realm]
>>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>
>>> To:
>>>
>>> [domain_realm]
>>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>
>>> After doing so, I restarted IPA, and my commands are working properly now!
>>>
>>> Now, to get my replica back in order...
>>
>> Wow.
>> OK, I'm glad it's working. Do we have any idea how this file
>> changed? Is it wrong on all your clients or only on this one master?
>>
> It appears wrong on my replica as well, caroline1. There are no
> clients currently, other than RHEV.
>
> I only have one lingering issue, aside from my replica being broken.
>
> I still can't reset admin's password. It gives me the same error it was
> before.
>
> [root@caroline0 PROD ~]# kinit admin
> Password for admin@SYSTEMS.LAFAYETTE.EDU:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit: Password has expired while getting initial credentials

Can you try kpasswd to reset the admin password?

rob

From lagern at lafayette.edu Fri Sep 21 15:13:59 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Fri, 21 Sep 2012 11:13:59 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <505C82B5.1030609@lafayette.edu>
References: <1279809961.2927691.1348192916917.JavaMail.root@zstore00.zprd.lafayette.edu> <505C774B.1050506@redhat.com> <505C82B5.1030609@lafayette.edu>
Message-ID: <505C8437.2030001@lafayette.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/21/2012 11:07 AM, Nathan Lager wrote:
>
>
> On 09/21/2012 10:18 AM, Rob Crittenden wrote:
>> Lager, Nathan T. wrote:
>>> Well, after all of this, RedHat support just resolved my issue!
>>>
>>> It came down to the domain_realm definitions in /etc/krb5.conf.
>>>
>>> They had me change:
>>>
>>> [domain_realm]
>>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>
>>> To:
>>>
>>> [domain_realm]
>>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>
>>> After doing so, I restarted IPA, and my commands are working properly now!
>>>
>>> Now, to get my replica back in order...
>
>> Wow. OK, I'm glad it's working. Do we have any idea how this file
>> changed? Is it wrong on all your clients or only on this one master?
>
> It appears wrong on my replica as well, caroline1. There are no
> clients currently, other than RHEV.
>
> I only have one lingering issue, aside from my replica being broken.
>
> I still can't reset admin's password. It gives me the same error it was before.
>
> [root@caroline0 PROD ~]# kinit admin
> Password for admin@SYSTEMS.LAFAYETTE.EDU:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit: Password has expired while getting initial credentials
>

Fixed this, on a hunch. When the password expired, the pwpolicy was set to 90 days.
RedHat Support had me change it to 9999 days to effectively disable it so others
wouldn't expire (because no one could change passwords).

I had a hunch that because the policy was now set greater than the time it's been
since admin last changed his password, IPA was getting confused when I attempted
to change the expired pass. So I set it back to 90. It let me change the expired
password.

That might be worthy of a bug report.

>
>>> rob
>
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Nathan Lager"
>>>> To: "Rob Crittenden"
>>>> Cc: freeipa-users at redhat.com
>>>> Sent: Thursday, September 20, 2012 2:46:20 PM
>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>
>>>> On 09/20/2012 02:28 PM, Rob Crittenden wrote:
>>>>> Nathan Lager wrote:
>>>>>>
>>>>>>
>>>>>> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
>>>>>>> Lager, Nathan T. wrote:
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Rob Crittenden"
>>>>>>>>> To: "Nathan Lager"
>>>>>>>>> Cc: freeipa-users at redhat.com
>>>>>>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>>>>>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>>>>>>
>>>>>>>>> Nathan Lager wrote:
>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>> Hash: SHA1
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>>>>>>>> Dmitri Pal wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Rob, keytab and kerberos part seems to be fine, ldap works too.
>>>>>>>>>>>> Can it be one of the certs? May be some cert expired?
>>>>>>>>>>>
>>>>>>>>>>> No, the error is coming from GSSAPI, it is unfortunately completely
>>>>>>>>>>> useless. I think we've pretty well narrowed down the problem to
>>>>>>>>>>> httpd/mod_auth_kerb but I don't know yet if this is a configuration
>>>>>>>>>>> issue or a bug.
>>>>>>>>>>>
>>>>>>>>>>> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
>>>>>>>>>> Sure, as far as I know it's completely stock, aside from the krb
>>>>>>>>>> password auth change.
>>>>>>>>>
>>>>>>>>> Yup, configuration looks fine.
>>>>>>>>>
>>>>>>>>> Ok, let's eliminate the ipa tool as the problem and try curl:
>>>>>>>>>
>>>>>>>>> Create a file test.json with these contents:
>>>>>>>>>
>>>>>>>>> {"method":"batch","params":[[
>>>>>>>>> {"method":"user_show","params":[["admin"],{"all":false}]}
>>>>>>>>> ],{}],"id":1}
>>>>>>>>>
>>>>>>>>> then run this:
>>>>>>>>>
>>>>>>>>> curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
>>>>>>>>>
>>>>>>>> Seems to be running into the same trouble.
>>>>>>>>
>>>>>>>> [lagern@caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
>>>>>>>> 500 Internal Server Error
>>>>>>>> Internal Server Error
>>>>>>>> The server encountered an internal error or misconfiguration and was unable to complete your request.
>>>>>>>> Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
>>>>>>>> More information about this error may be available in the server error log.
>>>>>>>> Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443
>>>>>>>
>>>>>>> Ok, need to gather some more info:
>>>>>>>
>>>>>>> # kvno HTTP/caroline0.lafayette.edu
>>>>>>> # klist -kt /etc/httpd/conf/ipa.keytab
>>>>>>>
>>>>>> [root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
>>>>>> HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU: kvno = 3
>>>>>> [root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
>>>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>>>>>> KVNO Timestamp         Principal
>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>>
>>>>>
>>>>> It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has only 4.
>>>>> Did you change the available encryption types?
>>>>>
>>>> I have not changed them, not intentionally anyway. Could it be that an
>>>> update did so? I installed IPA around RHEL 6.1 or so, and have been
>>>> updating it via yum periodically.
>>>>
>>>>> Can you re-run the klist command with -e as well? klist -ekt ...
>>>>>
>>>> [root@caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>>>>  KVNO Timestamp         Principal
>>>> ---- ----------------- --------------------------------------------------------
>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1)
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
>>>>
>>>>
>>>>> rob
>>>>>
>>>>
>>>> --
>>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>> Nathan Lager, RHCSA, RHCE (#110-011-426)
>>>> System Administrator
>>>> 11 Pardee Hall
>>>> Lafayette College, Easton, PA 18042
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

- --
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBchDYACgkQsZqG4IN3sukxCQCfeOoaiy3JIRfG10SgCcYYVvpj
mQMAoJzEiG0DZorcweyIhYwUPB9opHT9
=HM3I
-----END PGP SIGNATURE-----

From dpal at redhat.com Fri Sep 21 15:15:05 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 21 Sep 2012 11:15:05 -0400
Subject: [Freeipa-users] Migrate from SunONE DS5.2 - UnicodeDecodeError
In-Reply-To:
References: <505B125B.9070706@redhat.com> <505B1EE7.30908@redhat.com>
Message-ID: <505C8479.1030405@redhat.com>

On 09/21/2012 04:23 AM, Pieter Baele wrote:
> On Thu, Sep 20, 2012 at 3:49 PM, Martin Kosek wrote:
>
>> Since an Internal error was returned, there should at least be a traceback in
>> /var/log/httpd/error_log. This should help us narrow down the root cause of
>> this issue.
>>
>> Martin
>>
> Oops, I only sent to Rob.
>
> ====
>
>
> So that's temporarily copying schema from the old ldap right? Which one?
> If I can migrate this data, it's a big benefit (we've still to decide
> between FreeIPA and an OpenLDAP solution...)
>
> Thx a lot!
>
> the other errors related....
>
> [Thu Sep 20 15:02:21 2012] [error] ipa: ERROR: non-public: UnicodeDecodeError: 'utf8' codec can't decode byte 0xea in position 10: unexpected end of data
> [Thu Sep 20 15:02:21 2012] [error] Traceback (most recent call last):
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 320, in wsgi_execute
> [Thu Sep 20 15:02:21 2012] [error]     result = self.Command[name](*args, **options)
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
> [Thu Sep 20 15:02:21 2012] [error]     ret = self.run(*args, **options)
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 716, in run
> [Thu Sep 20 15:02:21 2012] [error]     return self.execute(*args, **options)
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 791, in execute
> [Thu Sep 20 15:02:21 2012] [error]     ldap, config, ds_ldap, ds_base_dn, options
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 635, in migrate
> [Thu Sep 20 15:02:21 2012] [error]     search_refs=True # migrated DS may contain search references
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 190, in new_f
> [Thu Sep 20 15:02:21 2012] [error]     return f(*new_args, **kwargs)
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 201, in new_f
> [Thu Sep 20 15:02:21 2012] [error]     return args[0].decode(f(*args, **kwargs))
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 141, in decode
> [Thu Sep 20 15:02:21 2012] [error]     return tuple(self.decode(m) for m in var)
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 141, in <genexpr>
> [Thu Sep 20 15:02:21 2012] [error]     return tuple(self.decode(m) for m in var)
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 139, in decode
> [Thu Sep 20 15:02:21 2012] [error]     return [self.decode(m) for m in var]
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 141, in decode
> [Thu Sep 20 15:02:21 2012] [error]     return tuple(self.decode(m) for m in var)
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 141, in <genexpr>
> [Thu Sep 20 15:02:21 2012] [error]     return tuple(self.decode(m) for m in var)
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 159, in decode
> [Thu Sep 20 15:02:21 2012] [error]     dct[k] = self._decode_dict_val(k, v)
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 66, in _decode_dict_val
> [Thu Sep 20 15:02:21 2012] [error]     return self.decode(val)
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 139, in decode
> [Thu Sep 20 15:02:21 2012] [error]     return [self.decode(m) for m in var]
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 134, in decode
> [Thu Sep 20 15:02:21 2012] [error]     var.decode(self.encoder_settings.decode_from)
> [Thu Sep 20 15:02:21 2012] [error]   File "/usr/lib64/python2.6/encodings/utf_8.py", line 16, in decode
> [Thu Sep 20 15:02:21 2012] [error]     return codecs.utf_8_decode(input, errors, True)
> [Thu Sep 20 15:02:21 2012] [error] UnicodeDecodeError: 'utf8' codec can't decode byte 0xea in position 10: unexpected end of data
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

It seems that we are choking on the attribute that we expected to be a string and it is not. But I do not see which one. Is there anything in the log that would give a hint?

We should probably:
1) Catch such issues
2) If the attribute is optional warn and move on
3) If the attribute is required skip the user, report the error and move on

We should file a ticket about it.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri Sep 21 15:18:23 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 21 Sep 2012 11:18:23 -0400
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <505C82CB.2010201@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com>
Message-ID: <505C853F.2090003@redhat.com>

On 09/21/2012 11:07 AM, Rich Megginson wrote:
> On 09/21/2012 09:04 AM, Dmitri Pal wrote:
>> On 09/21/2012 09:23 AM, Rich Megginson wrote:
>>> On 09/21/2012 05:21 AM, Martin Kosek wrote:
>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your case
>>>> nsslapd-sizelimit.
>>>> This can be increased either globally or (this seems as a
>>>> more secure solution) for a user you bind as:
>>>>
>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>>>
>>>>
>>> Steven, are you saying that winsync only pulled over 2000 out of 5700
>>> users from AD into IPA? If so, then that's a limit on the winsync user
>>> that must be increased in AD.
>>>
>> Rich, it seems that it might make sense to file an RFE for the winsync
>> to support paging control.
>
> AD supports the paging control? And this allows you to get around the
> search limit?
>

http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx

The default is usually 2K BTW.

>>
>>>> Martin
>>>>
>>>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> It seems IPA has some sort of limit of searching it will only show the first 2k
>>>>> of user entries?
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> -------------------------------------------------------------------------------
>>>>>
>>>>>
>>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>>>> *To:* Steven Jones
>>>>> *Cc:* freeipa-users at redhat.com
>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>
>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have imported users, but there are 5700 of them but I only have 2000 which
>>>>>> corresponds to the view that AD gives you by default. This makes me think
>>>>>> that that limit is all the AD is allowing the query to see?
>>>>> You can use https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
>>>>> what winsync sees when it searches.
>>>>>> Is there a way to expand it?
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> -------------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com]
>>>>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m.
>>>>>> *Cc:* freeipa-users at redhat.com
>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>
>>>>>> I have hundreds of disabled users in IPA now transferred from AD, is there a
>>>>>> quick/clean way to purge them from IPA?
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri Sep 21 15:19:40 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 21 Sep 2012 11:19:40 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <505C8437.2030001@lafayette.edu>
References: <1279809961.2927691.1348192916917.JavaMail.root@zstore00.zprd.lafayette.edu> <505C774B.1050506@redhat.com> <505C82B5.1030609@lafayette.edu> <505C8437.2030001@lafayette.edu>
Message-ID: <505C858C.4090804@redhat.com>

On 09/21/2012 11:13 AM, Nathan Lager wrote:
>
>
> On 09/21/2012 11:07 AM, Nathan Lager wrote:
> >
> >
> > On 09/21/2012 10:18 AM, Rob Crittenden wrote:
> >> Lager, Nathan T. wrote:
> >>> Well, after all of this, RedHat support just resolved my issue!
> >>>
> >>> It came down to the domain_realm definitions in /etc/krb5.conf.
> >>>
> >>> They had me change:
> >>>
> >>> [domain_realm]
> >>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
> >>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
> >>>
> >>> To:
> >>>
> >>> [domain_realm]
> >>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
> >>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
> >>> .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
> >>> lafayette.edu = SYSTEMS.LAFAYETTE.EDU
> >>>
> >>> After doing so, I restarted IPA, and my commands are working properly now!
> >>>
> >>> Now, to get my replica back in order...
> >
> >> Wow. OK, I'm glad it's working. Do we have any idea how this file
> >> changed? Is it wrong on all your clients or only on this one master?
> >
> > It appears wrong on my replica as well, caroline1. There are no
> > clients currently, other than RHEV.
> >
> > I only have one lingering issue, aside from my replica being broken.
> >
> > I still can't reset admin's password. It gives me the same error it was before.
> >
> > [root@caroline0 PROD ~]# kinit admin
> > Password for admin@SYSTEMS.LAFAYETTE.EDU:
> > Password expired. You must change it now.
> > Enter new password:
> > Enter it again:
> > kinit: Password has expired while getting initial credentials
> >
>
> Fixed this, on a hunch. When the password expired, the pwpolicy was set to 90 days.
> RedHat Support had me change it to 9999 days to effectively disable it so others
> wouldn't expire (because no one could change passwords).
>
> I had a hunch that because the policy was now set greater than the time it's been
> since admin last changed his password, IPA was getting confused when I attempted
> to change the expired pass. So I set it back to 90. It let me change the expired
> password.
>
> That might be worthy of a bug report.
>
>

Can you please file one?

>
>
> >> rob
>
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Nathan Lager"
> >>>> To: "Rob Crittenden"
> >>>> Cc: freeipa-users at redhat.com
> >>>> Sent: Thursday, September 20, 2012 2:46:20 PM
> >>>> Subject: Re: [Freeipa-users] sudden ipa errors.
> >>>>
> >>>> On 09/20/2012 02:28 PM, Rob Crittenden wrote:
> >>>>> Nathan Lager wrote:
> >>>>>>
> >>>>>>
> >>>>>> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
> >>>>>>> Lager, Nathan T. wrote:
> >>>>>>>>
> >>>>>>>> ----- Original Message -----
> >>>>>>>>> From: "Rob Crittenden"
> >>>>>>>>> To: "Nathan Lager"
> >>>>>>>>> Cc: freeipa-users at redhat.com
> >>>>>>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
> >>>>>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
> >>>>>>>>>
> >>>>>>>>> Nathan Lager wrote:
> >>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>>>>>>>> Hash: SHA1
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
> >>>>>>>>>>> Dmitri Pal wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Rob, keytab and kerberos part seems to be fine, ldap works too.
> >>>>>>>>>>>> Can it be one of the certs? May be some cert expired?
> >>>>>>>>>>>
> >>>>>>>>>>> No, the error is coming from GSSAPI, it is unfortunately completely
> >>>>>>>>>>> useless. I think we've pretty well narrowed down the problem to
> >>>>>>>>>>> httpd/mod_auth_kerb but I don't know yet if this is a configuration
> >>>>>>>>>>> issue or a bug.
> >>>>>>>>>>> > >>>>>>>>>>> Nathan, can you show me your > >>>>>>>>>>> /etc/httpd/conf.d/ipa.conf? > >>>>>>>>>> Sure, as far as I know its completely stock, > >>>>>>>>>> aside from the krb password auth change. > >>>>>>>>> > >>>>>>>>> Yup, configuration looks fine. > >>>>>>>>> > >>>>>>>>> Ok, let's eliminate the ipa tool as the problem > >>>>>>>>> and try curl: > >>>>>>>>> > >>>>>>>>> Create a file test.json with these contents: > >>>>>>>>> > >>>>>>>>> {"method":"batch","params":[[ > >>>>>>>>> {"method":"user_show","params":[["admin"],{"all":false}]} > >>>>>>>>> > >>>>>>>>> > > >>>>>>>>> > ],{}],"id":1} > >>>>>>>>> > >>>>>>>>> then run this: > >>>>>>>>> > >>>>>>>>> curl -H "Content-Type:application/json" -H > >>>>>>>>> "Accept:application/json" -H "Accept-Language:en" > >>>>>>>>> -H "Referer: > >>>>>>>>> https://caroline0.lafayette.edu/ipa/xml" > >>>>>>>>> --negotiate -u : --cacert /etc/ipa/ca.crt -d > >>>>>>>>> @test.json -X POST > >>>>>>>>> https://caroline0.lafayette.edu/ipa/json > >>>>>>>>> > >>>>>>>> Seems to be running into the same trouble. > >>>>>>>> > >>>>>>>> [lagern at caroline0 PROD ~]$ curl -H > >>>>>>>> "Content-Type:application/json" -H > >>>>>>>> "Accept:application/json" -H "Accept-Language:en" -H > >>>>>>>> "Referer: https://caroline0.lafayette.edu/ipa/xml" > >>>>>>>> --negotiate -u : --cacert /etc/ipa/ca.crt -d > >>>>>>>> @test.json -X POST > >>>>>>>> https://caroline0.lafayette.edu/ipa/json >>>>>>>> HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> > >>>>>>>> 500 Internal Server Error > >>>>>>>>

Internal Server Error

The > >>>>>>>> server encountered an internal error or > >>>>>>>> misconfiguration and was unable to complete your > >>>>>>>> request.

Please contact the server > >>>>>>>> administrator, root at localhost and inform them of the > >>>>>>>> time the error occurred, and anything you might have > >>>>>>>> done that may have caused the error.

More > >>>>>>>> information about this error may be available in the > >>>>>>>> server error log.


Apache/2.2.15 > >>>>>>>> (Red Hat) Server at caroline0.lafayette.edu Port > >>>>>>>> 443
> >>>>>>>
> >>>>>>> Ok, need to gather some more info:
> >>>>>>>
> >>>>>>> # kvno HTTP/caroline0.lafayette.edu
> >>>>>>> # klist -kt /etc/httpd/conf/ipa.keytab
> >>>>>>>
> >>>>>> [root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
> >>>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = 3
> >>>>>> [root at caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
> >>>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
> >>>>>> KVNO Timestamp         Principal
> >>>>>> ---- ----------------- --------------------------------------------------------
> >>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>
> >>>>>
> >>>>> It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has only 4. Did you change the available encryption types?
> >>>>>
> >>>> I have not changed them, not intentionally anyway. Could it be that an update did so? I installed Ipa round rhel 6.1 or so, and have been updating it via yum periodically.
> >>>>
> >>>>> Can you re-run the klist command with -e as well? klist -ekt ...
> >>>>>
> >>>> [root at caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
> >>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
> >>>> KVNO Timestamp         Principal
> >>>> ---- ----------------- --------------------------------------------------------
> >>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
> >>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
> >>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
> >>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
> >>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1)
> >>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
> >>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
> >>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
> >>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
> >>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
> >>>>
> >>>>
> >>>>> rob
> >>>>>
> >>>>
> >>>> --
> >>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >>>> Nathan Lager, RHCSA, RHCE (#110-011-426)
> >>>> System Administrator
> >>>> 11 Pardee Hall
> >>>> Lafayette College, Easton, PA 18042
> >>>>
> >>>> _______________________________________________
> >>>> Freeipa-users mailing list
> >>>> Freeipa-users at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> >
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmeggins at redhat.com Fri Sep 21 15:46:59 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 21 Sep 2012 09:46:59 -0600
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <505C853F.2090003@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C853F.2090003@redhat.com>
Message-ID: <505C8BF3.60604@redhat.com>

On 09/21/2012 09:18 AM, Dmitri Pal wrote:
> On 09/21/2012 11:07 AM, Rich Megginson wrote:
>> On 09/21/2012 09:04 AM, Dmitri Pal wrote:
>>> On 09/21/2012 09:23 AM, Rich Megginson wrote:
>>>> On 09/21/2012 05:21 AM, Martin Kosek wrote:
>>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your case nsslapd-sizelimit.
>>>>> This can be increased either globally or (this seems as a more secure solution) for a user you bind as:
>>>>>
>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>>>>
>>>>>
>>>> Steven, are you saying that winsync only pulled over 2000 out of 5700 users from AD into IPA? If so, then that's a limit on the winsync user that must be increased in AD.
>>>>
>>> Rich, it seems that it might make sense to file an RFE for the winsync to support paging control.
>> AD supports the paging control? And this allows you to get around the search limit?
>>
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
> The default usually 2K BTW.

https://fedorahosted.org/389/ticket/472

>
>>>>> Martin
>>>>>
>>>>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> It seems IPA has some sort of limit of searching it will only show the first 2k of user entries?
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> -------------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>>>>> *To:* Steven Jones
>>>>>> *Cc:* freeipa-users at redhat.com
>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>
>>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have imported users, but there are 5700 of them but I only have 2000 which corresponds to the view that AD gives you by default. This makes me think that that limit is all the AD is allowing the query to see?
>>>>>> You can use https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test what winsync sees when it searches.
>>>>>>> Is there a way to expand it?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>>
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>
>>>>>>> Victoria University, Wellington, NZ
>>>>>>>
>>>>>>> 0064 4 463 6272
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m.
>>>>>>> *Cc:* freeipa-users at redhat.com
>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>
>>>>>>> I have hundreds of disable users in IPA now transferred from AD, is there a quick/clean way to purge them from IPA?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>>
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>
>>>>>>> Victoria University, Wellington, NZ
>>>>>>>
>>>>>>> 0064 4 463 6272
>>>>>>>
>>>>>>>
>>>>>
>>>>
>

From lagern at lafayette.edu Fri Sep 21 15:53:31 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Fri, 21 Sep 2012 11:53:31 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <505C858C.4090804@redhat.com>
References: <1279809961.2927691.1348192916917.JavaMail.root@zstore00.zprd.lafayette.edu> <505C774B.1050506@redhat.com> <505C82B5.1030609@lafayette.edu> <505C8437.2030001@lafayette.edu> <505C858C.4090804@redhat.com>
Message-ID: <505C8D7B.3020203@lafayette.edu>

Sure thing, can you point me to where I'd do so? I usually have this sort of thing taken care of via a RedHat support ticket. And the support rep creates the bug report.

On 09/21/2012 11:19 AM, Dmitri Pal wrote:
>> That, might be worthy of a bug report.
>>
>>
> Can you please file one?
>

From sigbjorn at nixtra.com Fri Sep 21 17:52:01 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 21 Sep 2012 19:52:01 +0200
Subject: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
In-Reply-To: <505C61E0.7090807@redhat.com>
References: <788048016.3581337.1348194981258.JavaMail.root@redhat.com> <505C61E0.7090807@redhat.com>
Message-ID: <505CA941.3030308@nixtra.com>

On 09/21/2012 02:47 PM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> ----- Original Message -----
>>> Sigbjorn Lie wrote:
>>>> On 09/20/2012 10:17 PM, Rob Crittenden wrote:
>>>>> bind isn't my strongest suite.
>>>>>
>>>>> My guess is that this file is the ccache for bind. I'm guessing that 25 is the UID of the named user. If this is the case, then it should be safe to stop named, rename the file, and restart. Perhaps the contexts have changed so when this gets re-created it will get fixed automagically.
>>>>>
>>>>> rob
>>>>>
>>>> You guessed well!!
>>>> :)
>>>>
>>>> Stop named:
>>>> # service named stop
>>>>
>>>> Enable selinux:
>>>> # setenforce 1
>>>>
>>>> Verify that error still exists:
>>>> # service named start
>>>> Starting named:                                            [FAILED]
>>>>
>>>> Rename file:
>>>> # cd /var/tmp
>>>> # mv DNS_25 DNS_25_old
>>>>
>>>> Attempt to start named again:
>>>> # service named start
>>>> Starting named:                                            [ OK ]
>>>>
>>>> Voila!
>>>>
>>>> A before and after shot:
>>>> # ls -lZ DNS_25*
>>>> -rw-------. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25
>>>> -rw-------. named named system_u:object_r:tmp_t:s0            DNS_25_old
>>>>
>>>> What's the odds that this was the entire issue and that named will now keep running safe and sound?
>>>>
>>>
>>> Hard to say. Because restorecon didn't fix the bad context I suspect this isn't directly covered in policy. So if the file should get the wrong context again you could be back in this position. It is probably worth filing a bug. I'm not entirely sure whether it should be against bind or selinux, but it'll get to the right folks either way eventually.
>>
>> That file is the reply-cache, and its context is set at runtime by the krb5 library. It did get out of sync because selinux was disabled, and restorecon can't fix the label because the file is in a tmp directory, so it just takes the tmp_t context by default.
>>
>> If selinux is not completely disabled this shouldn't happen anymore, however, should it happen you can simply remove the file, it is not vital and will get recreated after you restart named.
>>
>> Simo.
>>
>
> AFAIK he never disabled SELinux. He put it into permissive temporarily to get going again while we diagnosed this but before and after the krb5-server upgrade he was in enforcing mode.
>
> I wonder if the krb5-server upgrade caused a filesystem relabel and this is what hosed the /var/tmp entry.
>
> rob

This is my test environment, and I disabled SElinux completely after the upgrade to 2.2 as I got annoyed with how slow it was. The "yum upgrade" occurred while SElinux was in disabled mode. I then set selinux=enforcing in /etc/sysconfig/selinux and rebooted after yum upgrade completed. I then set SElinux to permissive during the troubleshooting we did a few days ago.

My production environment still got SElinux set to enforcing, and the krb5-server has not yet been upgraded until these issues have been clarified.

I'm sorry for the confusion. Is the conclusion that I'm having this issue in the first place because SElinux was disabled when I did "yum upgrade" ?

Regards,
Siggi

From sigbjorn at nixtra.com Fri Sep 21 17:56:38 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 21 Sep 2012 19:56:38 +0200
Subject: [Freeipa-users] ipa host-add having both an IPv4 and an IPv6 address
In-Reply-To: <505C254F.30304@redhat.com>
References: <505B7DFF.8080608@nixtra.com> <505C254F.30304@redhat.com>
Message-ID: <505CAA56.1020507@nixtra.com>

On 09/21/2012 10:29 AM, Martin Kosek wrote:
> On 09/20/2012 10:35 PM, Sigbjorn Lie wrote:
>> Hi,
>>
>> I see that I can add hosts with either an IPv4 or an IPv6 address when using "ipa host-add --ip-address=".
>>
>> Is there a way to add a host specifying both an IPv4 and an IPv6 address at the same time?
>>
>> Adding the --ip-address option twice yells this error:
>>
>> ipa: ERROR: invalid 'ip_address': Only one value is allowed
>>
>>
>>
>> Regards,
>> Siggi
> Hello Sigbjorn,
>
> Unfortunately, host-add only accepts one IP address to be specified for the given host. But allowing more addresses is a reasonable request, I filed an upstream ticket:
> https://fedorahosted.org/freeipa/ticket/3101
>
> Until the ticket is addressed, you can manually add host IP addresses via dnsrecord-add command:
>
> # ipa host-add foo.example.com --ip-address 10.16.78.101
> ----------------------------
> Added host "foo.example.com"
> ----------------------------
>   Host name: foo.example.com
>   Principal name: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
>   Password: False
>   Keytab: False
>   Managed by: foo.example.com
> # ipa dnsrecord-add example.com foo --a-rec=10.16.78.111 --a-create-reverse
>   Record name: foo
>   A record: 10.16.78.101, 10.16.78.111
> # ipa dnsrecord-add example.com foo --aaaa-rec=2620:52:0:104c:21a:4aff:fe10:4e06 --aaaa-create-reverse
>   Record name: foo
>   A record: 10.16.78.101, 10.16.78.111
>   AAAA record: 2620:52:0:104c:21a:4aff:fe10:4e06
> # host foo.example.com
> foo.example.com has address 10.16.78.111
> foo.example.com has address 10.16.78.101
> foo.example.com has IPv6 address 2620:52:0:104c:21a:4aff:fe10:4e06
>
> HTH,
> Martin

Thank you. I know of the dnsrecord-add options, however I was looking for a way to do it during host-add. Less typing. :)

Regards,
Siggi

From sigbjorn at nixtra.com Fri Sep 21 23:22:25 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sat, 22 Sep 2012 01:22:25 +0200
Subject: [Freeipa-users] Do we need ipa-client-update script?
In-Reply-To: <505C2942.5090001@redhat.com>
References: <505C2942.5090001@redhat.com>
Message-ID: <505CF6B1.1000307@nixtra.com>

On 09/21/2012 10:45 AM, Petr Spacek wrote:
> Hello users,
>
> we have a question for client machine administrators:
>
> On 09/21/2012 10:12 AM, Martin Kosek wrote:
>
> > ..., that it may be useful to implement a script like "ipa-client-update" which would be capable of updating client information (and could be entered in a cron for example) without a need to re-enroll client.
> > Such script could for example:
> > * update SSH keys of the client
> > * update a list of IPA DNS servers in #3095
> > * ...
> >
> > Martin
>
> Would it be useful at all? What other information should updater maintain?
>
> Ad https://fedorahosted.org/freeipa/ticket/3095:
> IMHO DNS configuration on client side is job for DHCP or Puppet. Isn't it?
>

A client update script for SSH keys setup etc has crossed my mind too. Such a script would be useful, however the various updates should be available as separate options to the command so the admin can choose between applying some options or all options. A --update-all could be used as a place holder for updating the whole collection of options.

As far as #3095 goes, updating the DNS client configuration is a job for DHCP or Puppet/CFengine. SSSD is very much dependent on DNS to work. I don't see why SSSD should be able to change the system's DNS servers, possibly rendering itself useless.

Regards,
Siggi

From Steven.Jones at vuw.ac.nz Sun Sep 23 19:35:19 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 23 Sep 2012 19:35:19 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <505C8BF3.60604@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com>
<833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C853F.2090003@redhat.com>, <505C8BF3.60604@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D1170@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Actually I am unable to see more than 2000 users in IPA, it seems to be a limit in IPA which coincides with AD's display limit....hence I was confused. So it just happens that there is a default windows limit of 2000 users to display when you search.

I am however fairly sure it stopped the complete sync, I need to double check, but I'm pretty sure as I think I did searches in IPA and some users were not there initially (I then set the user's search to 20000 and it seemed to have all users there).

However while wondering what was wrong I realised that I should be able to see 2028 in IPA (28 non-AD users), I couldn't, I still can't, I can only see 2000. I found a setting saying 100 "somethings" pages? (sorry I forget and I'm at home with no VPN right now) in IPA but when I try to increase it a selinux problem / config stops me, happens at the command line as well. So I have a case with RH support to fix that....

NB Once it's fixed I will re-set the AD user to 2000 and backout the snapshot on the IPA master and re-test to make sure what I have said above is correct. In which case, yes you need to mention it in the docs, though maybe it's only a win2k3r2 issue. It's not a biggie as you can set the user to show 20,000, at the very least that will work. I will re-test / double check all this before you commit time pls.

The other thing is when users come across they seem to have lost their IPA user group settings? again I need to check this as I was asked to urgently setup a rsync so left it before I'd looked in detail at that.
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rich Megginson [rmeggins at redhat.com] Sent: Saturday, 22 September 2012 3:46 a.m. To: dpal at redhat.com Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/21/2012 09:18 AM, Dmitri Pal wrote: > On 09/21/2012 11:07 AM, Rich Megginson wrote: >> On 09/21/2012 09:04 AM, Dmitri Pal wrote: >>> On 09/21/2012 09:23 AM, Rich Megginson wrote: >>>> On 09/21/2012 05:21 AM, Martin Kosek wrote: >>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your >>>>> case >>>>> nsslapd-sizelimit. This can be increased either globally or (this >>>>> seems as a >>>>> more secure solution) for a user you bind as: >>>>> >>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html >>>>> >>>>> >>>> Steven, are you saying that winsync only pulled over 2000 out of 5700 >>>> users from AD into IPA? If so, then that's a limit on the winsync user >>>> that must be increased in AD. >>>> >>> Rich, it seems that it might make sense to file an RFE for the winsync >>> to support paging control. >> AD supports the paging control? And this allows you to get around the >> search limit? >> > http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx > The default usually 2K BTW. https://fedorahosted.org/389/ticket/472 > >>>>> Martin >>>>> >>>>> On 09/21/2012 04:43 AM, Steven Jones wrote: >>>>>> Hi, >>>>>> >>>>>> It seems IPA has some sort of limit of searching it will only show >>>>>> the first 2k >>>>>> of user entries? 
>>>>>> >>>>>> regards >>>>>> >>>>>> Steven Jones >>>>>> >>>>>> Technical Specialist - Linux RHCE >>>>>> >>>>>> Victoria University, Wellington, NZ >>>>>> >>>>>> 0064 4 463 6272 >>>>>> >>>>>> ------------------------------------------------------------------------------- >>>>>> >>>>>> >>>>>> *From:* Rich Megginson [rmeggins at redhat.com] >>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m. >>>>>> *To:* Steven Jones >>>>>> *Cc:* freeipa-users at redhat.com >>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>> >>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I have imported users, but there are 5700 of them but I only have >>>>>>> 2000 which >>>>>>> corresponds to the view that AD gives you by default. This makes >>>>>>> me think >>>>>>> that that limit is all the AD is allowing the query to see? >>>>>> You can use >>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test >>>>>> what winsync sees when it searches. >>>>>>> Is there a way to expand it? >>>>>>> >>>>>>> regards >>>>>>> >>>>>>> Steven Jones >>>>>>> >>>>>>> Technical Specialist - Linux RHCE >>>>>>> >>>>>>> Victoria University, Wellington, NZ >>>>>>> >>>>>>> 0064 4 463 6272 >>>>>>> >>>>>>> ------------------------------------------------------------------------------- >>>>>>> >>>>>>> >>>>>>> *From:* freeipa-users-bounces at redhat.com >>>>>>> [freeipa-users-bounces at redhat.com] >>>>>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m. >>>>>>> *Cc:* freeipa-users at redhat.com >>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>>> >>>>>>> I have hundreds of disable users in IPA now transferred from AD, is >>>>>>> there a >>>>>>> quick/clean way to purge them from IPA? 
>>>>>>> >>>>>>> regards >>>>>>> >>>>>>> Steven Jones >>>>>>> >>>>>>> Technical Specialist - Linux RHCE >>>>>>> >>>>>>> Victoria University, Wellington, NZ >>>>>>> >>>>>>> 0064 4 463 6272 >>>>>>> >>>>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users > _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From mkosek at redhat.com Mon Sep 24 06:48:38 2012 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 24 Sep 2012 08:48:38 +0200 Subject: [Freeipa-users] Do we need ipa-client-update script? In-Reply-To: <505CF6B1.1000307@nixtra.com> References: <505C2942.5090001@redhat.com> <505CF6B1.1000307@nixtra.com> Message-ID: <50600246.1010007@redhat.com> On 09/22/2012 01:22 AM, Sigbjorn Lie wrote: > On 09/21/2012 10:45 AM, Petr Spacek wrote: >> Hello users, >> >> we have a question for client machine administrators: >> >> On 09/21/2012 10:12 AM, Martin Kosek wrote: >> >> > ..., that it may be useful to implement a script >> > like "ipa-client-update" which would be capable of updating client information >> > (and could be entered in a cron for example) without a need to re-enroll >> > client. Such script could for example: >> > * update SSH keys of the client >> > * update a list of IPA DNS servers in #3095 >> > * ... >> > >> > Martin >> >> Would it be useful at all? What other information should updater maintain? >> >> Ad https://fedorahosted.org/freeipa/ticket/3095: >> IMHO DNS configuration on client side is job for DHCP or Puppet. Isn't it? >> > > A client update script for SSH keys setup etc has crossed my mind too. 
> Such a script would be useful, however the various updates should be available as separate options to the command so the admin can choose between applying some options or all options. A --update-all could be used as a place holder for updating the whole collection of options.

Right, this would be the preferred way to implement the CLI.

> As far as #3095 goes, updating the DNS client configuration is a job for DHCP or Puppet/CFengine. SSSD is very much dependent on DNS to work. I don't see why SSSD should be able to change the system's DNS servers, possibly rendering itself useless.

The idea was to implement a script that could be used for example in cron on client machines, i.e. not related to sssd. The script would be able to pull a list of IPA DNS servers just by querying the LDAP. Though, you may be right that it would rather be a job for DHCP/Puppet/CFEngine.

Martin

From mkosek at redhat.com Mon Sep 24 09:59:36 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 24 Sep 2012 11:59:36 +0200
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <505C8D7B.3020203@lafayette.edu>
References: <1279809961.2927691.1348192916917.JavaMail.root@zstore00.zprd.lafayette.edu> <505C774B.1050506@redhat.com> <505C82B5.1030609@lafayette.edu> <505C8437.2030001@lafayette.edu> <505C858C.4090804@redhat.com> <505C8D7B.3020203@lafayette.edu>
Message-ID: <50602F08.5070201@redhat.com>

Hello Nathan,

you can file the bug on Red Hat Bugzilla (bugzilla.redhat.com), you can use this link:
https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206

Thanks in advance!
Martin

On 09/21/2012 05:53 PM, Nathan Lager wrote:
> Sure thing, can you point me to where I'd do so? I usually have this sort of thing taken care of via a RedHat support ticket. And the support rep creates the bug report.
>
>
> On 09/21/2012 11:19 AM, Dmitri Pal wrote:
>>> That, might be worthy of a bug report.
>>>
>>>
>> Can you please file one?
>> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > From ikaro at mit.edu Mon Sep 24 13:51:13 2012 From: ikaro at mit.edu (Ikaro Silva) Date: Mon, 24 Sep 2012 09:51:13 -0400 Subject: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version In-Reply-To: <505B2F68.1070906@redhat.com> References: <505B252C.4020606@redhat.com> <505B2F68.1070906@redhat.com> Message-ID: Hi Rich, Thanks for the help. We have tried your suggestion below, however the problem still persists: systemctl status dirsrv.service dirsrv.service Loaded: error (Reason: No such file or directory) Active: inactive (dead) [root at fileserver2 ~]# ipactl status Directory Service: STOPPED Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused Any other suggestions/advice would be greatly appreaciated. Thank you, -Ikaro On Thu, Sep 20, 2012 at 10:59 AM, Rich Megginson wrote: > On 09/20/2012 08:53 AM, Ikaro Silva wrote: >> >> Hi Rich, >> >> We did not upgrade from a previous version, this is our original >> master server (but we do have 2 other replications of this one). The >> architecture is >> >> Linux 3.4.9-2.fc16.i686.PAE #1 SMP Thu Aug 23 18:41:34 UTC 2012 i686 >> i686 i386 GNU/Linux > > ok - try this: > https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line > > you will need to use db2ldif.pl -r to create a replica init ldif file from > one of your good replicas, copy this file to the machine with the "bad" > replica, and use ldif2db to reinitialize it. > > You use db2ldif.pl on the replica because you can perform this operation > while the server is running. > > You use ldif2db on the bad replica because you can't start the server. 
> > Note that due to selinux restrictions, you have to use > /var/lib/dirsrv/slapd-DOMAIN/ldif as the export and import directory. > >> >> >> >> On Thu, Sep 20, 2012 at 10:16 AM, Rich Megginson >> wrote: >>> >>> On 09/20/2012 08:10 AM, Ikaro Silva wrote: >>>> >>>> Hi Everyone, >>>> >>>> >>>> I am new to IPA and I am trying to start the IPA service but I get the >>>> following error message: >>>> >>>> ipactl start >>>> Starting Directory Service >>>> Failed to read data from Directory Service: Unknown error when >>>> retrieving list of services from LDAP: [Errno 111] Connection refused >>>> Shutting down >>> >>> What platform? Did you upgrade from a previous version? >>> Do you have another master that you could use to reinit this one from? >>>> >>>> >>>> When I cat the /var/log/dirsrv/slapd-ECG-MIT-EDU/errors I get the >>>> following messages: >>>> >>>> [20/Sep/2012:10:08:53 -0400] - 389-Directory/1.2.10.14 B2012.201.358 >>>> starting up >>>> [20/Sep/2012:10:08:54 -0400] - Detected Disorderly Shutdown last time >>>> Directory Server was running, recovering database. >>>> [20/Sep/2012:10:08:57 -0400] - Skipping CoS Definition cn=Password >>>> Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which >>>> should be added before the CoS Definition. 
>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>>> - cl5DBData2Entry: invalid data version >>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>>> - cl5Open: failed to open changelog >>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>>> - changelog5_init: failed to start changelog at >>>> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >>>> [20/Sep/2012:10:08:58 -0400] - Failed to start object plugin >>>> Multimaster Replication Plugin >>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>>> - cl5DBData2Entry: invalid data version >>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>>> - cl5Open: failed to open changelog >>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>>> - changelog5_init: failed to start changelog at >>>> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >>>> [20/Sep/2012:10:08:59 -0400] - Failed to start object plugin >>>> Multimaster Replication Plugin >>>> [20/Sep/2012:10:08:59 -0400] - Error: Failed to resolve plugin >>>> dependencies >>>> [20/Sep/2012:10:08:59 -0400] - Error: preoperation plugin IPA Version >>>> Replication is not started >>>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Legacy Replication >>>> Plugin is not started >>>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Multimaster >>>> Replication Plugin is not started >>>> >>>> >>>> Has anyone experienced similar problems or have suggestions on how to >>>> fix these errors ? 
>>>> >>>> >>>> Thank you, >>>> >>>> -Ikaro >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> > From jhrozek at redhat.com Mon Sep 24 14:18:17 2012 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 24 Sep 2012 16:18:17 +0200 Subject: [Freeipa-users] errors when one ipa server down In-Reply-To: <5059F26D.2060505@redhat.com> References: <504B5E46.1020002@redhat.com> <504DA634.8010903@redhat.com> <50573F1B.7050100@redhat.com> <20120918080308.GB31442@hendrix.brq.redhat.com> <6403B493-B1B6-4684-A986-6AC26F3B344F@gmail.com> <20120918200327.GO31442@hendrix.brq.redhat.com> <20120919161117.GL15999@hendrix.brq.redhat.com> <5059F26D.2060505@redhat.com> Message-ID: <20120924141817.GR22783@hendrix.brq.redhat.com> On Wed, Sep 19, 2012 at 12:27:25PM -0400, Dmitri Pal wrote: > On 09/19/2012 12:11 PM, Jakub Hrozek wrote: > > On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote: > >> On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote: > >> > >>> On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote: > >>>> On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote: > >>>> > >>>>> On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: > >>>>>>> [root at ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8 > >>>>>>> > >>>>>>> [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike > >>>>>>> [sssd_krb5_locator] sssd_krb5_locator_init called > >>>>>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL]. 
> >>>>>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1] > >>>>>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2] > >>>>>>> [sssd_krb5_locator] [172.16.112.8] used > >>>>>>> [sssd_krb5_locator] sssd_krb5_locator_close called > >>>>>>> [sssd_krb5_locator] sssd_krb5_locator_init called > >>>>>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL]. > >>>>>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1] > >>>>>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1] > >>>>>>> [sssd_krb5_locator] [172.16.112.8] used > >>>>>>> [sssd_krb5_locator] sssd_krb5_locator_close called > >>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials > >>>>>> Jakub, does this make sense to you? > >>>>>> > >>>>> As stated elsewhere in this thread, bare kinit does not contact the SSSD > >>>>> at all. You want to go through the PAM stack (with "su - mike" or "ssh > >>>>> mike at ipaclient") in order to contact the SSSD so that the SSSD refreshes > >>>>> the file. > >>>>> > >>>>> Does using "su - mike" refresh the file? > >>>> When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. > >>>> > >>>> e.g. > >>>> > >>>> [root at ipaclient sssd]# su - mike > >>> ^^ Sorry, but can you re-run the test again and either su from another > >>> non-root user or ssh into the client for instance? The reason is that > >>> performing su as root would not contact the SSSD at all either. The > >>> default PAM configuration for su includes "pam_rootok.so" which just > >>> returns PAM_SUCCESS if the user who performs su has UID=0. 
> >> Hello, > >> > >> [mike at ipaclient ~]$ su - eric > >> Password: # NOTE: no delay > >> [eric at ipaclient ~]$ exit > >> logout > >> > >> [root at ipaserver ~]ifdown eth0 > >> > >> [mike at ipaclient ~]$ su - eric > >> Password: # NOTE: there is a delay here, ~5 seconds > >> [eric at ipaclient ~]$ exit > >> logout > >> > >> [root at ipaserver ~]ifup eth0 > >> > >> [root at ipaserver2 ~]ifdown eth0 > >> > >> [mike at ipaclient ~]$ su - eric > >> Password: # NOTE: no delay > >> [eric at ipaclient ~]$ exit > >> logout > >> > >> [root at ipaserver ~]ifdown eth0 > >> > >> [root at ipaserver2 ~]ifup eth0 > >> > >> [mike at ipaclient ~]$ su - eric > >> Password: # NOTE: no delay > >> [eric at ipaclient ~]$ exit > >> logout > >> > >> There do not appear to be any problems when doing an su -. > >> > > I agree. I think that the SSSD fails over just fine. > > > >> An additional note is that the ipaclient system had been sitting idle all night. Right before starting this test, I had to unlock the workstation. > > The unlock (if performed through GDM at least) would trigger an auth and > > by extension going online/offline. > > > > What I suspect was happening is that the kinit just contacted a KDC that was > > present in the kdcinfo files, but down without the Kerberos libraries > > knowing it was down -- and without a mechanism to tell the SSSD to go > > and try another server. We're tracking this as a future enhancement. > > Do you have a ticket handy? We discussed doing it as part of https://fedorahosted.org/sssd/ticket/941 which might add a new responder. > > > > > Thank you for testing, Mike! > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? 
> www.redhat.com/carveoutcosts/ > > > From abokovoy at redhat.com Mon Sep 24 14:26:29 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 24 Sep 2012 17:26:29 +0300 Subject: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version In-Reply-To: References: <505B252C.4020606@redhat.com> <505B2F68.1070906@redhat.com> Message-ID: <20120924142629.GC17454@redhat.com> On Mon, 24 Sep 2012, Ikaro Silva wrote: >Hi Rich, > >Thanks for the help. We have tried your suggestion below, however the >problem still persists: > >systemctl status dirsrv.service There is no dirsrv.service. dirsrv instances are arranged in the following setup: - there is dirsrv.target that is used to start and stop all instances at the same time - there are dirsrv@INSTANCE-NAME.service services for specific instances, where INSTANCE-NAME is REALM with dots replaced by -. IPA currently operates on two dirsrv instances (PKI-CA and REALM). If you want to start/stop them all, use systemctl stop dirsrv.target systemctl start dirsrv.target For status you need to check specific instances. systemctl status dirsrv@.service # systemctl status dirsrv@IPA-LOCAL.service dirsrv@IPA-LOCAL.service - 389 Directory Server IPA-LOCAL. Loaded: loaded (/lib/systemd/system/dirsrv@.service; enabled) Active: active (running) since Mon, 24 Sep 2012 11:53:04 +0300; 5h 31min ago Process: 684 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS) Main PID: 688 (ns-slapd) CGroup: name=systemd:/system/dirsrv@.service/IPA-LOCAL └ 688 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-IPA-LOCAL -i /var/run/dirsrv/slapd-IPA-LOCAL.pid -w /var/run/dirs... 
>dirsrv.service > Loaded: error (Reason: No such file or directory) > Active: inactive (dead) >[root at fileserver2 ~]# ipactl status >Directory Service: STOPPED >Unknown error when retrieving list of services from LDAP: [Errno 111] >Connection refused > > >Any other suggestions/advice would be greatly appreciated. > >Thank you, > >-Ikaro > >On Thu, Sep 20, 2012 at 10:59 AM, Rich Megginson wrote: >> On 09/20/2012 08:53 AM, Ikaro Silva wrote: >>> >>> Hi Rich, >>> >>> We did not upgrade from a previous version, this is our original >>> master server (but we do have 2 other replications of this one). The >>> architecture is >>> >>> Linux 3.4.9-2.fc16.i686.PAE #1 SMP Thu Aug 23 18:41:34 UTC 2012 i686 >>> i686 i386 GNU/Linux >> >> ok - try this: >> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line >> >> you will need to use db2ldif.pl -r to create a replica init ldif file from >> one of your good replicas, copy this file to the machine with the "bad" >> replica, and use ldif2db to reinitialize it. >> >> You use db2ldif.pl on the replica because you can perform this operation >> while the server is running. >> >> You use ldif2db on the bad replica because you can't start the server. >> >> Note that due to selinux restrictions, you have to use >> /var/lib/dirsrv/slapd-DOMAIN/ldif as the export and import directory. 
>> >>> >>> >>> >>> On Thu, Sep 20, 2012 at 10:16 AM, Rich Megginson >>> wrote: >>>> >>>> On 09/20/2012 08:10 AM, Ikaro Silva wrote: >>>>> >>>>> Hi Everyone, >>>>> >>>>> >>>>> I am new to IPA and I am trying to start the IPA service but I get the >>>>> following error message: >>>>> >>>>> ipactl start >>>>> Starting Directory Service >>>>> Failed to read data from Directory Service: Unknown error when >>>>> retrieving list of services from LDAP: [Errno 111] Connection refused >>>>> Shutting down >>>> >>>> What platform? Did you upgrade from a previous version? >>>> Do you have another master that you could use to reinit this one from? >>>>> >>>>> >>>>> When I cat the /var/log/dirsrv/slapd-ECG-MIT-EDU/errors I get the >>>>> following messages: >>>>> >>>>> [20/Sep/2012:10:08:53 -0400] - 389-Directory/1.2.10.14 B2012.201.358 >>>>> starting up >>>>> [20/Sep/2012:10:08:54 -0400] - Detected Disorderly Shutdown last time >>>>> Directory Server was running, recovering database. >>>>> [20/Sep/2012:10:08:57 -0400] - Skipping CoS Definition cn=Password >>>>> Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which >>>>> should be added before the CoS Definition. 
>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>>>> - cl5DBData2Entry: invalid data version >>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>>>> - cl5Open: failed to open changelog >>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>>>> - changelog5_init: failed to start changelog at >>>>> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >>>>> [20/Sep/2012:10:08:58 -0400] - Failed to start object plugin >>>>> Multimaster Replication Plugin >>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>>>> - cl5DBData2Entry: invalid data version >>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>>>> - cl5Open: failed to open changelog >>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>>>> - changelog5_init: failed to start changelog at >>>>> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >>>>> [20/Sep/2012:10:08:59 -0400] - Failed to start object plugin >>>>> Multimaster Replication Plugin >>>>> [20/Sep/2012:10:08:59 -0400] - Error: Failed to resolve plugin >>>>> dependencies >>>>> [20/Sep/2012:10:08:59 -0400] - Error: preoperation plugin IPA Version >>>>> Replication is not started >>>>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Legacy Replication >>>>> Plugin is not started >>>>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Multimaster >>>>> Replication Plugin is not started >>>>> >>>>> >>>>> Has anyone experienced similar problems or have suggestions on how to >>>>> fix these errors ? 
>>>>> >>>>> >>>>> Thank you, >>>>> >>>>> -Ikaro >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>>> >> > >_______________________________________________ >Freeipa-users mailing list >Freeipa-users at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-users -- / Alexander Bokovoy From qchang at sri.utoronto.ca Mon Sep 24 18:51:05 2012 From: qchang at sri.utoronto.ca (Qing Chang) Date: Mon, 24 Sep 2012 14:51:05 -0400 Subject: [Freeipa-users] Migration from OpenLDAP to IPA: reset expired password in IPA UI Message-ID: <5060AB99.7070303@sri.utoronto.ca> Using https://IPA/ipa/migration, users can migrate their password to their Kerberos principals successfully; a subsequent login to /ui gives them an interface to change attrs of their account. But if their LDAP password is shorter than the default policy of 8 letters (IPA migrates the password but sets it as expired), they have no chance to reset it to meet the policy through the UI. I had to help them log in with an ssh session to an IPA client machine to do this, although the majority of my users do not need the ability to have interactive ssh sessions. Is there a possibility to enable users to change or reset an expired password in the UI? Thanks, Qing Chang From dpal at redhat.com Mon Sep 24 21:30:27 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 24 Sep 2012 17:30:27 -0400 Subject: [Freeipa-users] Migration from OpenLDAP to IPA: reset expired password in IPA UI In-Reply-To: <5060AB99.7070303@sri.utoronto.ca> References: <5060AB99.7070303@sri.utoronto.ca> Message-ID: <5060D0F3.5040805@redhat.com> On 09/24/2012 02:51 PM, Qing Chang wrote: > Using https://IPA/ipa/migration, users can migrate their password to > their Kerberos > principals successfully; a subsequent login to /ui gives them > an interface to change attrs > of their account. 
> > But if their LDAP password is shorter than the default policy of 8 > letters (IPA migrates > the password but sets it as expired), they have no chance to reset it > to meet the policy > through the UI. I had to help them log in with an ssh session to an > IPA client machine > to do this, although the majority of my users do not need the ability > to have interactive > ssh sessions. > > Is there a possibility to enable users to change or reset an expired > password in the UI? > This is coming in IPA 3.0. > Thanks, > > Qing Chang > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jreg2k at gmail.com Mon Sep 24 22:17:47 2012 From: jreg2k at gmail.com (James James) Date: Tue, 25 Sep 2012 00:17:47 +0200 Subject: [Freeipa-users] Easy deployment Message-ID: Hi guys, we are planning to install 150 freeipa clients and I was wondering if there is a way to easily install (from kickstart) an nfsv4 client. I can add a host with # ipa host-add --password=secret But to get the keytab (host and service), I have to log into the machine, launch kinit and get the keytab. This will be very painful for 150 clients .... Any hints are welcome ... -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Mon Sep 24 22:22:17 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 24 Sep 2012 22:22:17 +0000 Subject: [Freeipa-users] Easy deployment In-Reply-To: References: Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D3557@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, I did a while back ask if this could be "automated" in some way into RH Satellite. So future roadmap thing. 
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of James James [jreg2k at gmail.com] Sent: Tuesday, 25 September 2012 10:17 a.m. To: freeipa-users at redhat.com Subject: [Freeipa-users] Easy deployment Hi guys, we are planning to install 150 freeipa clients and I was wondering if there is a way to easily install (from kickstart) an nfsv4 client. I can add a host with # ipa host-add --password=secret But to get the keytab (host and service), I have to log into the machine, launch kinit and get the keytab. This will be very painful for 150 clients .... Any hints are welcome ... -------------- next part -------------- An HTML attachment was scrubbed... URL: From jreg2k at gmail.com Mon Sep 24 22:28:49 2012 From: jreg2k at gmail.com (James James) Date: Tue, 25 Sep 2012 00:28:49 +0200 Subject: [Freeipa-users] Easy deployment In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546D3557@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E40546D3557@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: Ok, thanks. 2012/9/25 Steven Jones > Hi, > > I did a while back ask if this could be "automated" in some way into RH > Satellite. So future roadmap thing. > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > ------------------------------ > *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] > on behalf of James James [jreg2k at gmail.com] > *Sent:* Tuesday, 25 September 2012 10:17 a.m. > *To:* freeipa-users at redhat.com > *Subject:* [Freeipa-users] Easy deployment > > Hi guys, > > we are planning to install 150 freeipa clients and I was wondering if > there is a way to easily install (from kickstart) an nfsv4 client. 
> > I can add a host with > > # ipa host-add --password=secret > > But to get the keytab (host and service), I have to log into the machine, > launch kinit and get the keytab. > > This will be very painful for 150 clients .... > > Any hints are welcome ... > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Mon Sep 24 22:50:29 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 24 Sep 2012 18:50:29 -0400 Subject: [Freeipa-users] Easy deployment In-Reply-To: References: Message-ID: <5060E3B5.3050205@redhat.com> On 09/24/2012 06:17 PM, James James wrote: > Hi guys, > > we are planning to install 150 freeipa clients and I was wondering if > there is a way to easily install (from kickstart) an nfsv4 client. > > I can add a host with > > # ipa host-add --password=secret This was exactly intended for bulk provisioning. The idea was that you execute this command and then have kickstart files seeded or parameterized with this password, so you will have 150 kickstart files that differ in the password value fanned out, or you have one kickstart file and the password is passed as a parameter. This was the vision. It definitely requires some collaboration with tools like Satellite, Cobbler, Foreman, etc. We have not tried it ourselves but hope that those projects would be able to use parameterized or seeded kickstart files. > > But to get the keytab (host and service), I have to log into the > machine, launch kinit and get the keytab. > > This will be very painful for 150 clients .... > > Any hints are welcome ... > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. 
------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Tue Sep 25 03:17:43 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 25 Sep 2012 03:17:43 +0000 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <505C8BF3.60604@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C853F.2090003@redhat.com>,<505C8BF3.60604@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, I am trying to run this and getting search exceeded. ldapsearch -xLLL -D -w -h -s sub -b OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn > ad.dns.txt Looks like I have 5900 AD users but only 4300 are transferred to IPA...they also lose their IPA groups which is a bit of a bummer. 
:( regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rich Megginson [rmeggins at redhat.com] Sent: Saturday, 22 September 2012 3:46 a.m. To: dpal at redhat.com Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/21/2012 09:18 AM, Dmitri Pal wrote: > On 09/21/2012 11:07 AM, Rich Megginson wrote: >> On 09/21/2012 09:04 AM, Dmitri Pal wrote: >>> On 09/21/2012 09:23 AM, Rich Megginson wrote: >>>> On 09/21/2012 05:21 AM, Martin Kosek wrote: >>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your >>>>> case >>>>> nsslapd-sizelimit. This can be increased either globally or (this >>>>> seems as a >>>>> more secure solution) for a user you bind as: >>>>> >>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html >>>>> >>>>> >>>> Steven, are you saying that winsync only pulled over 2000 out of 5700 >>>> users from AD into IPA? If so, then that's a limit on the winsync user >>>> that must be increased in AD. >>>> >>> Rich, it seems that it might make sense to file an RFE for the winsync >>> to support paging control. >> AD supports the paging control? And this allows you to get around the >> search limit? >> > http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx > The default usually 2K BTW. https://fedorahosted.org/389/ticket/472 > >>>>> Martin >>>>> >>>>> On 09/21/2012 04:43 AM, Steven Jones wrote: >>>>>> Hi, >>>>>> >>>>>> It seems IPA has some sort of limit of searching it will only show >>>>>> the first 2k >>>>>> of user entries? 
>>>>>> >>>>>> regards >>>>>> >>>>>> Steven Jones >>>>>> >>>>>> Technical Specialist - Linux RHCE >>>>>> >>>>>> Victoria University, Wellington, NZ >>>>>> >>>>>> 0064 4 463 6272 >>>>>> >>>>>> ------------------------------------------------------------------------------- >>>>>> >>>>>> >>>>>> *From:* Rich Megginson [rmeggins at redhat.com] >>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m. >>>>>> *To:* Steven Jones >>>>>> *Cc:* freeipa-users at redhat.com >>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>> >>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I have imported users, but there are 5700 of them but I only have >>>>>>> 2000 which >>>>>>> corresponds to the view that AD gives you by default. This makes >>>>>>> me think >>>>>>> that that limit is all the AD is allowing the query to see? >>>>>> You can use >>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test >>>>>> what winsync sees when it searches. >>>>>>> Is there a way to expand it? >>>>>>> >>>>>>> regards >>>>>>> >>>>>>> Steven Jones >>>>>>> >>>>>>> Technical Specialist - Linux RHCE >>>>>>> >>>>>>> Victoria University, Wellington, NZ >>>>>>> >>>>>>> 0064 4 463 6272 >>>>>>> >>>>>>> ------------------------------------------------------------------------------- >>>>>>> >>>>>>> >>>>>>> *From:* freeipa-users-bounces at redhat.com >>>>>>> [freeipa-users-bounces at redhat.com] >>>>>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m. >>>>>>> *Cc:* freeipa-users at redhat.com >>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>>> >>>>>>> I have hundreds of disabled users in IPA now transferred from AD, is >>>>>>> there a >>>>>>> quick/clean way to purge them from IPA? 
>>>>>>> >>>>>>> regards >>>>>>> >>>>>>> Steven Jones >>>>>>> >>>>>>> Technical Specialist - Linux RHCE >>>>>>> >>>>>>> Victoria University, Wellington, NZ >>>>>>> >>>>>>> 0064 4 463 6272 >>>>>>> >>>>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users > _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Tue Sep 25 03:19:36 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 25 Sep 2012 03:19:36 +0000 Subject: [Freeipa-users] Easy deployment In-Reply-To: <5060E3B5.3050205@redhat.com> References: , <5060E3B5.3050205@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D36C6@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, So maybe I should or would you like me to raise this as a feature request for Satellite? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] Sent: Tuesday, 25 September 2012 10:50 a.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Easy deployment On 09/24/2012 06:17 PM, James James wrote: Hi guys, we are planning to install 150 freeipa clients and I was wondering if there is a way to easily install (from kickstart) nfsv4 client. I can add host with # ipa host-add --password=secret This was exactly intended for the bulk provisioning. 
The idea was that you execute this command and then have kickstart files seeded or parameterized with this password, so you will have 150 kickstart files that differ in the password value fanned out, or you have one kickstart file and the password is passed as a parameter. This was the vision. It definitely requires some collaboration with tools like Satellite, Cobbler, Foreman, etc. We have not tried it ourselves but hope that those projects would be able to use parameterized or seeded kickstart files. But to get the keytab (host and service), I have to log into the machine, launch kinit and get the keytab. This will be very painful for 150 clients .... Any hints are welcome ... _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From Steven.Jones at vuw.ac.nz Tue Sep 25 03:49:45 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 25 Sep 2012 03:49:45 +0000 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057B455.7040006@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA6574@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5057C49F.6040304@redhat.com> <833D8E48405E064EBC54C84EC6B36E4053CA65A5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C853F.2090003@redhat.com>, <505C8BF3.60604@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, I'm confused here, has no one tried to winsync 2000+ users before? Are there any docs on working around this limit? I've upped the user to 20000 but that seems to have had no effect....my AD ppl don't know of any other way to increase that at present. 
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Tuesday, 25 September 2012 3:17 p.m. Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users Hi, I am trying to run this and getting search exceeded. ldapsearch -xLLL -D -w -h -s sub -b OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn > ad.dns.txt Looks like I have 5900 AD users but only 4300 are transferred to IPA...they also lose their IPA groups which is a bit of a bummer. :( regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rich Megginson [rmeggins at redhat.com] Sent: Saturday, 22 September 2012 3:46 a.m. To: dpal at redhat.com Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/21/2012 09:18 AM, Dmitri Pal wrote: > On 09/21/2012 11:07 AM, Rich Megginson wrote: >> On 09/21/2012 09:04 AM, Dmitri Pal wrote: >>> On 09/21/2012 09:23 AM, Rich Megginson wrote: >>>> On 09/21/2012 05:21 AM, Martin Kosek wrote: >>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your >>>>> case >>>>> nsslapd-sizelimit. This can be increased either globally or (this >>>>> seems as a >>>>> more secure solution) for a user you bind as: >>>>> >>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html >>>>> >>>>> >>>> Steven, are you saying that winsync only pulled over 2000 out of 5700 >>>> users from AD into IPA? If so, then that's a limit on the winsync user >>>> that must be increased in AD. 
>>>> >>> Rich, it seems that it might make sense to file an RFE for the winsync >>> to support paging control. >> AD supports the paging control? And this allows you to get around the >> search limit? >> > http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx > The default usually 2K BTW. https://fedorahosted.org/389/ticket/472 > >>>>> Martin >>>>> >>>>> On 09/21/2012 04:43 AM, Steven Jones wrote: >>>>>> Hi, >>>>>> >>>>>> It seems IPA has some sort of limit of searching it will only show >>>>>> the first 2k >>>>>> of user entries? >>>>>> >>>>>> regards >>>>>> >>>>>> Steven Jones >>>>>> >>>>>> Technical Specialist - Linux RHCE >>>>>> >>>>>> Victoria University, Wellington, NZ >>>>>> >>>>>> 0064 4 463 6272 >>>>>> >>>>>> ------------------------------------------------------------------------------- >>>>>> >>>>>> >>>>>> *From:* Rich Megginson [rmeggins at redhat.com] >>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m. >>>>>> *To:* Steven Jones >>>>>> *Cc:* freeipa-users at redhat.com >>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>> >>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I have imported users, but there are 5700 of them but I only have >>>>>>> 2000 which >>>>>>> corresponds to the view that AD gives you by default. This makes >>>>>>> me think >>>>>>> that that limit is all the AD is allowing the query to see? >>>>>> You can use >>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test >>>>>> what winsync sees when it searches. >>>>>>> Is there a way to expand it? 
>>>>>>> >>>>>>> regards >>>>>>> >>>>>>> Steven Jones >>>>>>> >>>>>>> Technical Specialist - Linux RHCE >>>>>>> >>>>>>> Victoria University, Wellington, NZ >>>>>>> >>>>>>> 0064 4 463 6272 >>>>>>> >>>>>>> ------------------------------------------------------------------------------- >>>>>>> >>>>>>> >>>>>>> *From:* freeipa-users-bounces at redhat.com >>>>>>> [freeipa-users-bounces at redhat.com] >>>>>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m. >>>>>>> *Cc:* freeipa-users at redhat.com >>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>>> >>>>>>> I have hundreds of disabled users in IPA now transferred from AD, is >>>>>>> there a >>>>>>> quick/clean way to purge them from IPA? >>>>>>> >>>>>>> regards >>>>>>> >>>>>>> Steven Jones >>>>>>> >>>>>>> Technical Specialist - Linux RHCE >>>>>>> >>>>>>> Victoria University, Wellington, NZ >>>>>>> >>>>>>> 0064 4 463 6272 >>>>>>> >>>>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users > _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From chorn at fluxcoil.net Tue Sep 25 12:35:09 2012 From: chorn at fluxcoil.net (Christian Horn) Date: Tue, 25 Sep 2012 14:35:09 +0200 Subject: [Freeipa-users] Easy deployment In-Reply-To: References: Message-ID: <20120925123509.GA8485@fluxcoil.net> Hi, On Tue, Sep 25, 2012 at 12:17:47AM +0200, James James wrote: > > we are planning to install 
150 freeipa clients and I was wondering if there
> is a way to easily install (from kickstart) nfsv4 client.
>
> I can add host with
>
> # ipa host-add --password=secret
>
> But to get the keytab (host and service), I have to log into the machine,
> launch kinit and get the keytab.

I am probably missing something, but what prevents you from getting the keytab
directly on a single system (which might be an IPA server itself) and then
delivering it to the client, i.e. using scp?

Christian

From rcritten at redhat.com Tue Sep 25 12:46:48 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 25 Sep 2012 08:46:48 -0400
Subject: [Freeipa-users] Easy deployment
In-Reply-To: <5060E3B5.3050205@redhat.com>
References: <5060E3B5.3050205@redhat.com>
Message-ID: <5061A7B8.5030404@redhat.com>

Dmitri Pal wrote:
> On 09/24/2012 06:17 PM, James James wrote:
>> Hi guys,
>>
>> we are planning to install 150 freeipa clients and I was wondering if
>> there is a way to easily install (from kickstart) nfsv4 client.
>>
>> I can add host with
>>
>> # ipa host-add --password=secret
>
> This was exactly intended for bulk provisioning.
>
> The idea was that you execute this command and then have kickstart files
> seeded or parameterized with this password, so you either have 150
> kickstart files that differ in the password value fanned out, or you have
> one kickstart file and the password is passed as a parameter.
>
> This was the vision. It definitely requires some collaboration with tools
> like Satellite, Cobbler, Foreman, etc. We have not tried it ourselves but
> hope that those projects would be able to use parameterized or seeded
> kickstart files.

I'm having a hard time following what you are trying to do. Are you not
enrolling the host using ipa-client-install? Or are you just adding the host
and manually getting the keytab?

The password option on a host is specifically for kickstart enrollment. The
idea is that you pass it into the ipa-client-install script and the host
enrolls itself.
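The flow Rob describes (pre-register the host with a password, hand that password to ipa-client-install from the kickstart) can be scripted end to end. The script below is an added illustration written for this thread; it is not FreeIPA code and not taken from any message here. It generates a random one-time password per host, registers the host and its nfs/ service with `ipa host-add` and `ipa service-add`, and writes a kickstart %post fragment that enrolls the host unattended and then fetches the nfs keytab with ipa-getkeytab, which is the service keytab James asked about. Everything concrete in it is an assumption: the host names and server under example.test, an admin ticket on the machine running it, a realm equal to the upper-cased domain, and that an enrolled host may retrieve the keytab of a service it has been made manager of with `ipa service-add-host`. The reason to prefer the host password over a join principal's password in the kickstart is that the OTP is bound to one host and consumed on first use, so a leaked kickstart does not hand out a reusable enrollment credential.

```shell
#!/bin/sh
# Added illustration for the "Easy deployment" thread: pre-register hosts in
# IPA with a per-host one-time password (OTP) and generate, for each host, a
# kickstart %post fragment that enrolls it unattended and then pulls its
# nfs/ service keytab. Not FreeIPA code and not from any message above.
# Assumptions (not from the thread): an admin ticket (kinit admin) on the
# provisioning machine; realm == upper-cased domain; an enrolled host may
# fetch the keytab of a service it manages, which service-add-host grants.
set -eu

IPA_CMD="${IPA_CMD:-ipa}"   # IPA_CMD=echo gives a dry run with no server

# Constructed inventory for the example; a real run would read one.
HOSTS="nfs01.example.test
nfs02.example.test"

# new_otp: 16 random bytes as 32 hex characters. The OTP is consumed by the
# first successful enrollment, so a leaked fragment cannot be replayed, unlike
# a kickstart carrying a reusable join principal's password.
new_otp() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# render_post HOST OTP DOMAIN SERVER: print the %post fragment for HOST.
render_post() {
    host=$1 otp=$2 domain=$3 server=$4
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
%post --log=/root/ipa-enroll.log
# Enroll with the host OTP: no admin or join-user credential on disk.
/usr/sbin/ipa-client-install --unattended --hostname=$host \\
    --domain=$domain --realm=$realm --server=$server --password='$otp'
# Enrollment wrote host/$host into /etc/krb5.keytab; use it to fetch the
# nfs service key the host was made manager of during provisioning.
kinit -k host/$host
/usr/sbin/ipa-getkeytab -s $server -p nfs/$host -k /etc/krb5.keytab
kdestroy
%end
EOF
}

# provision_hosts DOMAIN SERVER OUTDIR: for each host, register it with a
# fresh OTP, pre-create nfs/HOST with the host as manager, and write
# OUTDIR/HOST.ks to be %include'd from that host's kickstart.
provision_hosts() {
    domain=$1 server=$2 outdir=$3
    umask 077                   # fragments hold a live credential until used
    mkdir -p "$outdir"
    for h in $HOSTS; do
        otp=$(new_otp)
        "$IPA_CMD" host-add "$h" --password="$otp"
        "$IPA_CMD" service-add "nfs/$h"
        "$IPA_CMD" service-add-host "nfs/$h" --hosts="$h"
        render_post "$h" "$otp" "$domain" "$server" >"$outdir/$h.ks"
    done
}

# Usage (needs a reachable IPA server and an admin ticket):
#   sh provision.sh example.test ipa.example.test /srv/kickstart/post
if [ $# -eq 3 ]; then
    provision_hosts "$1" "$2" "$3"
fi
```

Run it once per batch and %include the per-host fragment from each host's kickstart, or serve the fragment per host the way Sigbjorn's OneClickKick does later in this thread; `IPA_CMD=echo` shows the ipa commands without touching a server. Because a fragment is a credential until its host has enrolled, it is written mode 0600 and should be removed or rotated (`ipa host-mod --password`) if the install does not happen.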
rob

From rmeggins at redhat.com Tue Sep 25 14:47:34 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 25 Sep 2012 08:47:34 -0600
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C853F.2090003@redhat.com>, <505C8BF3.60604@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5061C406.6050700@redhat.com>

On 09/24/2012 09:49 PM, Steven Jones wrote:
> Hi,
>
> I'm confused here, has no one tried to winsync 2000+ users before?

You are the first one to run into this problem.

> Are there any docs on working around this limit?

In AD?

> I've upped the user to 20000

How? What exactly did you do?

> but that seems to have had no effect....my AD people don't know of any other way to increase that at present.
> > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] > Sent: Tuesday, 25 September 2012 3:17 p.m. > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] winsync agreement wipes IPA users > > Hi, > > I am trying to run this and getting search exceeded. > > ldapsearch -xLLL -D -w -h -s sub -b OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn> ad.dns.txt > > Looks like I have 5900 AD users buy only 4300 are transferred to IPA...they also lose their IPA groups which is a bit of a bummer. > > :( > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rich Megginson [rmeggins at redhat.com] > Sent: Saturday, 22 September 2012 3:46 a.m. > To: dpal at redhat.com > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] winsync agreement wipes IPA users > > On 09/21/2012 09:18 AM, Dmitri Pal wrote: >> On 09/21/2012 11:07 AM, Rich Megginson wrote: >>> On 09/21/2012 09:04 AM, Dmitri Pal wrote: >>>> On 09/21/2012 09:23 AM, Rich Megginson wrote: >>>>> On 09/21/2012 05:21 AM, Martin Kosek wrote: >>>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your >>>>>> case >>>>>> nsslapd-sizelimit. 
This can be increased either globally or (this >>>>>> seems as a >>>>>> more secure solution) for a user you bind as: >>>>>> >>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html >>>>>> >>>>>> >>>>> Steven, are you saying that winsync only pulled over 2000 out of 5700 >>>>> users from AD into IPA? If so, then that's a limit on the winsync user >>>>> that must be increased in AD. >>>>> >>>> Rich, it seems that it might make sense to file an RFE for the winsync >>>> to support paging control. >>> AD supports the paging control? And this allows you to get around the >>> search limit? >>> >> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx >> The default usually 2K BTW. > https://fedorahosted.org/389/ticket/472 >>>>>> Martin >>>>>> >>>>>> On 09/21/2012 04:43 AM, Steven Jones wrote: >>>>>>> Hi, >>>>>>> >>>>>>> It seems IPA has some sort of limit of searching it will only show >>>>>>> the first 2k >>>>>>> of user entries? >>>>>>> >>>>>>> regards >>>>>>> >>>>>>> Steven Jones >>>>>>> >>>>>>> Technical Specialist - Linux RHCE >>>>>>> >>>>>>> Victoria University, Wellington, NZ >>>>>>> >>>>>>> 0064 4 463 6272 >>>>>>> >>>>>>> ------------------------------------------------------------------------------- >>>>>>> >>>>>>> >>>>>>> *From:* Rich Megginson [rmeggins at redhat.com] >>>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m. >>>>>>> *To:* Steven Jones >>>>>>> *Cc:* freeipa-users at redhat.com >>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>>> >>>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> I have imported users, but there are 5700 of them but I only have >>>>>>>> 2000 which >>>>>>>> corresponds to the view that AD gives you by default. This makes >>>>>>>> me think >>>>>>>> that that limit is all the AD is allowing the query to see? 
>>>>>>> You can use >>>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test >>>>>>> what winsync sees when it searches. >>>>>>>> Is there a way to expand it? >>>>>>>> >>>>>>>> regards >>>>>>>> >>>>>>>> Steven Jones >>>>>>>> >>>>>>>> Technical Specialist - Linux RHCE >>>>>>>> >>>>>>>> Victoria University, Wellington, NZ >>>>>>>> >>>>>>>> 0064 4 463 6272 >>>>>>>> >>>>>>>> ------------------------------------------------------------------------------- >>>>>>>> >>>>>>>> >>>>>>>> *From:* freeipa-users-bounces at redhat.com >>>>>>>> [freeipa-users-bounces at redhat.com] >>>>>>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m. >>>>>>>> *Cc:* freeipa-users at redhat.com >>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>>>> >>>>>>>> I have hundreds of disable users in IPA now transferred from AD, is >>>>>>>> there a >>>>>>>> quick/clean way to purge them from IPA? >>>>>>>> >>>>>>>> regards >>>>>>>> >>>>>>>> Steven Jones >>>>>>>> >>>>>>>> Technical Specialist - Linux RHCE >>>>>>>> >>>>>>>> Victoria University, Wellington, NZ >>>>>>>> >>>>>>>> 0064 4 463 6272 >>>>>>>> >>>>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-users mailing list >>>>>> Freeipa-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at 
redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From danieljamesscott at gmail.com Tue Sep 25 17:39:20 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Tue, 25 Sep 2012 13:39:20 -0400
Subject: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
In-Reply-To: <20120924142629.GC17454@redhat.com>
References: <505B252C.4020606@redhat.com> <505B2F68.1070906@redhat.com> <20120924142629.GC17454@redhat.com>
Message-ID:

Hi,

We've tried starting the service properly - the dirsrv process still won't start properly:

[25/Sep/2012:13:28:10 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
[25/Sep/2012:13:28:10 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[25/Sep/2012:13:28:42 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
[25/Sep/2012:13:28:42 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[25/Sep/2012:13:28:48 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
[25/Sep/2012:13:29:01 -0400] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
[25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program - cl5Open: failed to open changelog
[25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program - changelog5_init: failed to start changelog at /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:29:02 -0400] - Failed to start object plugin Multimaster Replication Plugin
[25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
[25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program - cl5Open: failed to open changelog
[25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program - changelog5_init: failed to start changelog at /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:29:03 -0400] - Failed to start object plugin Multimaster Replication Plugin
[25/Sep/2012:13:29:03 -0400] - Error: Failed to resolve plugin dependencies
[25/Sep/2012:13:29:03 -0400] - Error: preoperation plugin IPA Version Replication is not started
[25/Sep/2012:13:29:03 -0400] - Error: object plugin Legacy Replication Plugin is not started
[25/Sep/2012:13:29:03 -0400] - Error: object plugin Multimaster Replication Plugin is not started
[25/Sep/2012:13:37:37 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
[25/Sep/2012:13:37:37 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[25/Sep/2012:13:37:40 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
[25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
[25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program - cl5Open: failed to open changelog
[25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program - changelog5_init: failed to start changelog at /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:37:42 -0400] - Failed to start object plugin Multimaster Replication Plugin
[25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
[25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program - cl5Open: failed to open changelog
[25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program - changelog5_init: failed to start changelog at /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:37:43 -0400] - Failed to start object plugin Multimaster Replication Plugin
[25/Sep/2012:13:37:43 -0400] - Error: Failed to resolve plugin dependencies
[25/Sep/2012:13:37:43 -0400] - Error: preoperation plugin IPA Version Replication is not started
[25/Sep/2012:13:37:43 -0400] - Error: object plugin Legacy Replication Plugin is not started
[25/Sep/2012:13:37:43 -0400] - Error: object plugin Multimaster Replication Plugin is not started

We've been through Rich's suggested procedure to manually initialize the consumer, but still get the message above.

Any ideas?

Thanks,

Dan


On Mon, Sep 24, 2012 at 10:26 AM, Alexander Bokovoy wrote:
> On Mon, 24 Sep 2012, Ikaro Silva wrote:
>>
>> Hi Rich,
>>
>> Thanks for the help. We have tried your suggestion below, however the
>> problem still persists:
>>
>> systemctl status dirsrv.service
>
> There is no dirsrv.service.
dirsrv instances are arranged in
> following setup:
>
> - there is dirsrv.target that is used to start and stop all instances at
>   the same time
>
> - there are dirsrv@INSTANCE-NAME.service services for specific instances
>   where INSTANCE-NAME is REALM with dots replaced by -.
>
> IPA currently operates on two dirsrv instances (PKI-CA and REALM). If you
> want to start/stop them all, use
>
> systemctl stop dirsrv.target
> systemctl start dirsrv.target
>
> For status you need to check specific instances.
>
> systemctl status dirsrv@.service
>
> # systemctl status dirsrv@IPA-LOCAL.service
> dirsrv@IPA-LOCAL.service - 389 Directory Server IPA-LOCAL.
>   Loaded: loaded (/lib/systemd/system/dirsrv@.service; enabled)
>   Active: active (running) since Mon, 24 Sep 2012 11:53:04 +0300; 5h 31min ago
>   Process: 684 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
>   Main PID: 688 (ns-slapd)
>   CGroup: name=systemd:/system/dirsrv@.service/IPA-LOCAL
>           └ 688 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-IPA-LOCAL -i /var/run/dirsrv/slapd-IPA-LOCAL.pid -w /var/run/dirs...
>
>
>> dirsrv.service
>> Loaded: error (Reason: No such file or directory)
>> Active: inactive (dead)
>> [root@fileserver2 ~]# ipactl status
>> Directory Service: STOPPED
>> Unknown error when retrieving list of services from LDAP: [Errno 111]
>> Connection refused
>>
>>
>> Any other suggestions/advice would be greatly appreciated.
>>
>> Thank you,
>>
>> -Ikaro
>>
>> On Thu, Sep 20, 2012 at 10:59 AM, Rich Megginson wrote:
>>>
>>> On 09/20/2012 08:53 AM, Ikaro Silva wrote:
>>>>
>>>>
>>>> Hi Rich,
>>>>
>>>> We did not upgrade from a previous version, this is our original
>>>> master server (but we do have 2 other replications of this one). The
>>>> architecture is
>>>>
>>>> Linux 3.4.9-2.fc16.i686.PAE #1 SMP Thu Aug 23 18:41:34 UTC 2012 i686 i686 i386 GNU/Linux
>>>
>>>
>>> ok - try this:
>>>
>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line
>>>
>>> you will need to use db2ldif.pl -r to create a replica init ldif file from
>>> one of your good replicas, copy this file to the machine with the "bad"
>>> replica, and use ldif2db to reinitialize it.
>>>
>>> You use db2ldif.pl on the replica because you can perform this operation
>>> while the server is running.
>>>
>>> You use ldif2db on the bad replica because you can't start the server.
>>>
>>> Note that due to selinux restrictions, you have to use
>>> /var/lib/dirsrv/slapd-DOMAIN/ldif as the export and import directory.
>>>>
>>>>
>>>> On Thu, Sep 20, 2012 at 10:16 AM, Rich Megginson wrote:
>>>>>
>>>>> On 09/20/2012 08:10 AM, Ikaro Silva wrote:
>>>>>>
>>>>>> Hi Everyone,
>>>>>>
>>>>>> I am new to IPA and I am trying to start the IPA service but I get the
>>>>>> following error message:
>>>>>>
>>>>>> ipactl start
>>>>>> Starting Directory Service
>>>>>> Failed to read data from Directory Service: Unknown error when
>>>>>> retrieving list of services from LDAP: [Errno 111] Connection refused
>>>>>> Shutting down
>>>>>
>>>>> What platform? Did you upgrade from a previous version?
>>>>> Do you have another master that you could use to reinit this one from?
>>>>>>
>>>>>> When I cat the /var/log/dirsrv/slapd-ECG-MIT-EDU/errors I get the
>>>>>> following messages:
>>>>>>
>>>>>> [20/Sep/2012:10:08:53 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
>>>>>> [20/Sep/2012:10:08:54 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>>>>> [20/Sep/2012:10:08:57 -0400] - Skipping CoS Definition cn=Password >>>>>> Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which >>>>>> should be added before the CoS Definition. >>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>>>>> - cl5DBData2Entry: invalid data version >>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>>>>> - cl5Open: failed to open changelog >>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>>>>> - changelog5_init: failed to start changelog at >>>>>> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >>>>>> [20/Sep/2012:10:08:58 -0400] - Failed to start object plugin >>>>>> Multimaster Replication Plugin >>>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>>>>> - cl5DBData2Entry: invalid data version >>>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>>>>> - cl5Open: failed to open changelog >>>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>>>>> - changelog5_init: failed to start changelog at >>>>>> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >>>>>> [20/Sep/2012:10:08:59 -0400] - Failed to start object plugin >>>>>> Multimaster Replication Plugin >>>>>> [20/Sep/2012:10:08:59 -0400] - Error: Failed to resolve plugin >>>>>> dependencies >>>>>> [20/Sep/2012:10:08:59 -0400] - Error: preoperation plugin IPA Version >>>>>> Replication is not started >>>>>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Legacy Replication >>>>>> Plugin is not started >>>>>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Multimaster >>>>>> Replication Plugin is not started >>>>>> >>>>>> >>>>>> Has anyone experienced similar problems or have suggestions on how to >>>>>> fix these errors ? 
>>>>>> >>>>>> >>>>>> Thank you, >>>>>> >>>>>> -Ikaro >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-users mailing list >>>>>> Freeipa-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> >>>>> >>>>> >>> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > -- > / Alexander Bokovoy > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From dpal at redhat.com Tue Sep 25 19:39:15 2012 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 25 Sep 2012 15:39:15 -0400 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505869D0.3060703@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546CF1A6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C853F.2090003@redhat.c! 
om>, <505C8BF3.60604@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50620863.4030801@redhat.com>

On 09/24/2012 11:49 PM, Steven Jones wrote:
> Hi,
>
> I'm confused here, has no one tried to winsync 2000+ users before?
>
> Are there any docs on working around this limit?
>
> I've upped the user to 20000 but that seems to have had no effect....my AD people don't know of any other way to increase that at present.

According to our gurus:

The limit is in AD, which has a sizelimit of 2000 by default. There are two ways around this:

1) Go into AD and set the sizelimit for the sync user to be greater than the number of entries.

2) Have DS winsync use simple paged results - this is a code change on our side and we are tracking it for one of the upcoming releases: https://fedorahosted.org/389/ticket/472

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, 25 September 2012 3:17 p.m.
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> Hi,
>
> I am trying to run this and getting search exceeded.
>
> ldapsearch -xLLL -D -w -h -s sub -b OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn > ad.dns.txt
>
> Looks like I have 5900 AD users but only 4300 are transferred to IPA...they also lose their IPA groups which is a bit of a bummer.
> > :( > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rich Megginson [rmeggins at redhat.com] > Sent: Saturday, 22 September 2012 3:46 a.m. > To: dpal at redhat.com > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] winsync agreement wipes IPA users > > On 09/21/2012 09:18 AM, Dmitri Pal wrote: >> On 09/21/2012 11:07 AM, Rich Megginson wrote: >>> On 09/21/2012 09:04 AM, Dmitri Pal wrote: >>>> On 09/21/2012 09:23 AM, Rich Megginson wrote: >>>>> On 09/21/2012 05:21 AM, Martin Kosek wrote: >>>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your >>>>>> case >>>>>> nsslapd-sizelimit. This can be increased either globally or (this >>>>>> seems as a >>>>>> more secure solution) for a user you bind as: >>>>>> >>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html >>>>>> >>>>>> >>>>> Steven, are you saying that winsync only pulled over 2000 out of 5700 >>>>> users from AD into IPA? If so, then that's a limit on the winsync user >>>>> that must be increased in AD. >>>>> >>>> Rich, it seems that it might make sense to file an RFE for the winsync >>>> to support paging control. >>> AD supports the paging control? And this allows you to get around the >>> search limit? >>> >> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx >> The default usually 2K BTW. > https://fedorahosted.org/389/ticket/472 >>>>>> Martin >>>>>> >>>>>> On 09/21/2012 04:43 AM, Steven Jones wrote: >>>>>>> Hi, >>>>>>> >>>>>>> It seems IPA has some sort of limit of searching it will only show >>>>>>> the first 2k >>>>>>> of user entries? 
>>>>>>> >>>>>>> regards >>>>>>> >>>>>>> Steven Jones >>>>>>> >>>>>>> Technical Specialist - Linux RHCE >>>>>>> >>>>>>> Victoria University, Wellington, NZ >>>>>>> >>>>>>> 0064 4 463 6272 >>>>>>> >>>>>>> ------------------------------------------------------------------------------- >>>>>>> >>>>>>> >>>>>>> *From:* Rich Megginson [rmeggins at redhat.com] >>>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m. >>>>>>> *To:* Steven Jones >>>>>>> *Cc:* freeipa-users at redhat.com >>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>>> >>>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> I have imported users, but there are 5700 of them but I only have >>>>>>>> 2000 which >>>>>>>> corresponds to the view that AD gives you by default. This makes >>>>>>>> me think >>>>>>>> that that limit is all the AD is allowing the query to see? >>>>>>> You can use >>>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test >>>>>>> what winsync sees when it searches. >>>>>>>> Is there a way to expand it? >>>>>>>> >>>>>>>> regards >>>>>>>> >>>>>>>> Steven Jones >>>>>>>> >>>>>>>> Technical Specialist - Linux RHCE >>>>>>>> >>>>>>>> Victoria University, Wellington, NZ >>>>>>>> >>>>>>>> 0064 4 463 6272 >>>>>>>> >>>>>>>> ------------------------------------------------------------------------------- >>>>>>>> >>>>>>>> >>>>>>>> *From:* freeipa-users-bounces at redhat.com >>>>>>>> [freeipa-users-bounces at redhat.com] >>>>>>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m. >>>>>>>> *Cc:* freeipa-users at redhat.com >>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>>>> >>>>>>>> I have hundreds of disable users in IPA now transferred from AD, is >>>>>>>> there a >>>>>>>> quick/clean way to purge them from IPA? 
>>>>>>>> >>>>>>>> regards >>>>>>>> >>>>>>>> Steven Jones >>>>>>>> >>>>>>>> Technical Specialist - Linux RHCE >>>>>>>> >>>>>>>> Victoria University, Wellington, NZ >>>>>>>> >>>>>>>> 0064 4 463 6272 >>>>>>>> >>>>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-users mailing list >>>>>> Freeipa-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sigbjorn at nixtra.com Tue Sep 25 20:18:00 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 25 Sep 2012 22:18:00 +0200 Subject: [Freeipa-users] Easy deployment In-Reply-To: References: Message-ID: <50621178.7080208@nixtra.com> On 09/25/2012 12:17 AM, James James wrote: > Hi guys, > > we are planning to install 150 freeipa clients and I was wondering if > there is a way to easily install (from kickstart) nfsv4 client. > > I can add host with > > # ipa host-add --password=secret > > But to get the keytab (host and service), I have to log into the > machine, launch kinit and get the keytab. > > This will be very painful for 150 clients .... > > Any hints is welcome ... 
>

Hi,

I am working on integrating what you are asking for into OneClickKick.
OneClickKick is a web-based GUI for managing a DHCP server and PXE booting.
The current version can read the host objects from IPA's LDAP, and you can
use these to generate PXE boot files for kickstarting RHEL/Fedora, preseeding
Debian/Ubuntu installations, doing BIOS upgrades, running LIVE environments, etc.

What I have done in the past is to add a line like this to the post section
of the kickstart:

/usr/sbin/ipa-client-install --domain="ix.test.com" --principal="ipajoinuser" --password="somepassword" -U -f

This is not ideal, even though the kickstart is saved in a database and only
made available dynamically through a PHP script to the host that's enabled
for kickstarting. It is not saved in a text file on the disk.

The next version will include tighter integration with IPA, where a One Time
Password is set for the host being kickstarted at the time it's enabled for
kickstarting, and this password is seeded dynamically when the host is served
its kickstart file.

The next version will also have the PXE Enrollment boot image updated to
support adding new hosts directly into IPA. PXE Enrollment is support for
adding a new host simply by PXE booting it, logging on, giving it a hostname
and assigning it a kickstart profile, to load the machine directly from the
console of the new machine.

Adding machines directly to IPA from the web UI will also be available in the
next version. This allows you to do everything from adding the host, to
selecting the kickstart profile group, and enabling it for PXE
installation/kickstart in one step. It can also search through the
/var/log/messages file to find new hosts that are unknown to its naming
sources and directly add these.

You can also select a group of machines to install, so if you have your 150
machines in one group you can select the entire group for installation.

See the project website or contact me for more information:
http://sourceforge.net/projects/oneclickkick/

Regards,
Siggi

From rmeggins at redhat.com Tue Sep 25 20:29:25 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 25 Sep 2012 14:29:25 -0600
Subject: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
In-Reply-To:
References: <505B252C.4020606@redhat.com> <505B2F68.1070906@redhat.com> <20120924142629.GC17454@redhat.com>
Message-ID: <50621425.2040102@redhat.com>

On 09/25/2012 11:39 AM, Dan Scott wrote:
> Hi,
>
> We've tried starting the service properly - the dirsrv process still
> won't start properly:
>
> [25/Sep/2012:13:28:10 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
> [25/Sep/2012:13:28:10 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> [25/Sep/2012:13:28:42 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
> [25/Sep/2012:13:28:42 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> [25/Sep/2012:13:28:48 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
> [25/Sep/2012:13:29:01 -0400] NSMMReplicationPlugin - changelog program > - cl5DBData2Entry: invalid data version > [25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program > - cl5Open: failed to open changelog > [25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program > - changelog5_init: failed to start changelog at > /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb > [25/Sep/2012:13:29:02 -0400] - Failed to start object plugin > Multimaster Replication Plugin > [25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program > - cl5DBData2Entry: invalid data version > [25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program > - cl5Open: failed to open changelog > [25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program > - changelog5_init: failed to start changelog at > /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb > [25/Sep/2012:13:29:03 -0400] - Failed to start object plugin > Multimaster Replication Plugin > [25/Sep/2012:13:29:03 -0400] - Error: Failed to resolve plugin dependencies > [25/Sep/2012:13:29:03 -0400] - Error: preoperation plugin IPA Version > Replication is not started > [25/Sep/2012:13:29:03 -0400] - Error: object plugin Legacy Replication > Plugin is not started > [25/Sep/2012:13:29:03 -0400] - Error: object plugin Multimaster > Replication Plugin is not started > [25/Sep/2012:13:37:37 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up > [25/Sep/2012:13:37:37 -0400] - Detected Disorderly Shutdown last time > Directory Server was running, recovering database. > [25/Sep/2012:13:37:40 -0400] - Skipping CoS Definition cn=Password > Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which > should be added before the CoS Definition. 
> [25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program > - cl5DBData2Entry: invalid data version > [25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program > - cl5Open: failed to open changelog > [25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program > - changelog5_init: failed to start changelog at > /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb > [25/Sep/2012:13:37:42 -0400] - Failed to start object plugin > Multimaster Replication Plugin > [25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program > - cl5DBData2Entry: invalid data version > [25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program > - cl5Open: failed to open changelog > [25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program > - changelog5_init: failed to start changelog at > /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb > [25/Sep/2012:13:37:43 -0400] - Failed to start object plugin > Multimaster Replication Plugin > [25/Sep/2012:13:37:43 -0400] - Error: Failed to resolve plugin dependencies > [25/Sep/2012:13:37:43 -0400] - Error: preoperation plugin IPA Version > Replication is not started > [25/Sep/2012:13:37:43 -0400] - Error: object plugin Legacy Replication > Plugin is not started > [25/Sep/2012:13:37:43 -0400] - Error: object plugin Multimaster > Replication Plugin is not started > > We've been through Rich's suggested procedure to manually initialize > the consumer, but still get the message above. > > Any ideas? Assuming the directory server is not running, do this: rm -rf /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb then follow the ldif2db procedure then start the directory server > > Thanks, > > Dan > > > On Mon, Sep 24, 2012 at 10:26 AM, Alexander Bokovoy wrote: >> On Mon, 24 Sep 2012, Ikaro Silva wrote: >>> Hi Rich, >>> >>> Thanks for the help. We have tried your suggestion below, however the >>> problem still persists: >>> >>> systemctl status dirsrv.service >> There is no dirsrv.service. 
dirsrv instances are arranged in >> following setup: >> >> - there is dirsrv.target that is used to start and stop all instances at >> the same time >> >> - there are dirsrv at INSTANCE-NAME.service services for specific instances >> where INSTANCE-NAME is REALM with dots replaced by -. >> >> IPA currently operates on two dirsrv instances (PKI-CA and REALM). If you >> want to >> start/stop them all, use >> >> systemctl stop dirsrv.target >> systemctl start dirsrv.target >> >> For status you need to check specific instances. >> >> systemctl status dirsrv@.service >> >> # systemctl status dirsrv at IPA-LOCAL.service >> dirsrv at IPA-LOCAL.service - 389 Directory Server IPA-LOCAL. >> Loaded: loaded (/lib/systemd/system/dirsrv at .service; enabled) >> Active: active (running) since Mon, 24 Sep 2012 11:53:04 +0300; 5h >> 31min ago >> Process: 684 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i >> -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid >> (code=exited, status=0/SUCCESS) >> Main PID: 688 (ns-slapd) >> CGroup: name=systemd:/system/dirsrv at .service/IPA-LOCAL >> ? 688 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-IPA-LOCAL -i >> /var/run/dirsrv/slapd-IPA-LOCAL.pid -w /var/run/dirs... >> >> >>> dirsrv.service >>> Loaded: error (Reason: No such file or directory) >>> Active: inactive (dead) >>> [root at fileserver2 ~]# ipactl status >>> Directory Service: STOPPED >>> Unknown error when retrieving list of services from LDAP: [Errno 111] >>> Connection refused >>> >>> >>> Any other suggestions/advice would be greatly appreaciated. >>> >>> Thank you, >>> >>> -Ikaro >>> >>> On Thu, Sep 20, 2012 at 10:59 AM, Rich Megginson >>> wrote: >>>> On 09/20/2012 08:53 AM, Ikaro Silva wrote: >>>>> >>>>> Hi Rich, >>>>> >>>>> We did not upgrade from a previous version, this is our original >>>>> master server (but we do have 2 other replications of this one). 
The >>>>> architecture is >>>>> >>>>> Linux 3.4.9-2.fc16.i686.PAE #1 SMP Thu Aug 23 18:41:34 UTC 2012 i686 >>>>> i686 i386 GNU/Linux >>>> >>>> ok - try this: >>>> >>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line >>>> >>>> you will need to use db2ldif.pl -r to create a replica init ldif file >>>> from >>>> one of your good replicas, copy this file to the machine with the "bad" >>>> replica, and use ldif2db to reinitialize it. >>>> >>>> You use db2ldif.pl on the replica because you can perform this operation >>>> while the server is running. >>>> >>>> You use ldif2db on the bad replica because you can't start the server. >>>> >>>> Note that due to selinux restrictions, you have to use >>>> /var/lib/dirsrv/slapd-DOMAIN/ldif as the export and import directory. >>>> >>>>> >>>>> >>>>> On Thu, Sep 20, 2012 at 10:16 AM, Rich Megginson >>>>> wrote: >>>>>> >>>>>> On 09/20/2012 08:10 AM, Ikaro Silva wrote: >>>>>>> >>>>>>> Hi Everyone, >>>>>>> >>>>>>> >>>>>>> I am new to IPA and I am trying to start the IPA service but I get the >>>>>>> following error message: >>>>>>> >>>>>>> ipactl start >>>>>>> Starting Directory Service >>>>>>> Failed to read data from Directory Service: Unknown error when >>>>>>> retrieving list of services from LDAP: [Errno 111] Connection refused >>>>>>> Shutting down >>>>>> >>>>>> What platform? Did you upgrade from a previous version? >>>>>> Do you have another master that you could use to reinit this one from? >>>>>>> >>>>>>> >>>>>>> When I cat the /var/log/dirsrv/slapd-ECG-MIT-EDU/errors I get the >>>>>>> following messages: >>>>>>> >>>>>>> [20/Sep/2012:10:08:53 -0400] - 389-Directory/1.2.10.14 B2012.201.358 >>>>>>> starting up >>>>>>> [20/Sep/2012:10:08:54 -0400] - Detected Disorderly Shutdown last time >>>>>>> Directory Server was running, recovering database. 
>>>>>>> [20/Sep/2012:10:08:57 -0400] - Skipping CoS Definition cn=Password >>>>>>> Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which >>>>>>> should be added before the CoS Definition. >>>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>>>>>> - cl5DBData2Entry: invalid data version >>>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>>>>>> - cl5Open: failed to open changelog >>>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program >>>>>>> - changelog5_init: failed to start changelog at >>>>>>> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >>>>>>> [20/Sep/2012:10:08:58 -0400] - Failed to start object plugin >>>>>>> Multimaster Replication Plugin >>>>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>>>>>> - cl5DBData2Entry: invalid data version >>>>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>>>>>> - cl5Open: failed to open changelog >>>>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program >>>>>>> - changelog5_init: failed to start changelog at >>>>>>> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >>>>>>> [20/Sep/2012:10:08:59 -0400] - Failed to start object plugin >>>>>>> Multimaster Replication Plugin >>>>>>> [20/Sep/2012:10:08:59 -0400] - Error: Failed to resolve plugin >>>>>>> dependencies >>>>>>> [20/Sep/2012:10:08:59 -0400] - Error: preoperation plugin IPA Version >>>>>>> Replication is not started >>>>>>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Legacy Replication >>>>>>> Plugin is not started >>>>>>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Multimaster >>>>>>> Replication Plugin is not started >>>>>>> >>>>>>> >>>>>>> Has anyone experienced similar problems or have suggestions on how to >>>>>>> fix these errors ? 
>>>>>>>
>>>>>>> Thank you,
>>>>>>>
>>>>>>> -Ikaro
>>
>> --
>> / Alexander Bokovoy

From Steven.Jones at vuw.ac.nz Tue Sep 25 21:34:59 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 25 Sep 2012 21:34:59 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <50620863.4030801@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D3964@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have set the filter size as 20000 for the user and it makes no difference.

So unless it's somewhere else configurable it can't be easily done.

Via adsi edit? And if so, what is the value called?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Wednesday, 26 September 2012 7:39 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/24/2012 11:49 PM, Steven Jones wrote:
> Hi,
>
> I'm confused here, has no one tried to winsync 2000+ users before?
>
> Are there any docs on working around this limit?
>
> I've upped the user to 20000 but that seems to have had no effect.... my AD people don't know of any other way to increase that at present.

According to our gurus:

The limit is in AD, which has a sizelimit of 2000 by default. There are two ways around this:

1) Go into AD and set the sizelimit for the sync user to be greater than the number of entries.

2) Have DS winsync use simple paged results - this is a code change on our side and we are tracking it for one of the upcoming releases: https://fedorahosted.org/389/ticket/472

> regards
>
> Steven Jones
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, 25 September 2012 3:17 p.m.
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> Hi,
>
> I am trying to run this and getting search exceeded.
>
> ldapsearch -xLLL -D -w -h -s sub -b OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn > ad.dns.txt
>
> Looks like I have 5900 AD users but only 4300 are transferred to IPA... they also lose their IPA groups, which is a bit of a bummer.
>
> :(
>
> regards
>
> Steven Jones
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rich Megginson [rmeggins at redhat.com]
> Sent: Saturday, 22 September 2012 3:46 a.m.
> To: dpal at redhat.com
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/21/2012 09:18 AM, Dmitri Pal wrote:
>> On 09/21/2012 11:07 AM, Rich Megginson wrote:
>>> On 09/21/2012 09:04 AM, Dmitri Pal wrote:
>>>> On 09/21/2012 09:23 AM, Rich Megginson wrote:
>>>>> On 09/21/2012 05:21 AM, Martin Kosek wrote:
>>>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your case
>>>>>> nsslapd-sizelimit. This can be increased either globally or (this seems as a
>>>>>> more secure solution) for a user you bind as:
>>>>>>
>>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>>>>>
>>>>> Steven, are you saying that winsync only pulled over 2000 out of 5700
>>>>> users from AD into IPA? If so, then that's a limit on the winsync user
>>>>> that must be increased in AD.
>>>>>
>>>> Rich, it seems that it might make sense to file an RFE for the winsync
>>>> to support paging control.
>>> AD supports the paging control? And this allows you to get around the
>>> search limit?
>>>
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
>> The default is usually 2K BTW.
> https://fedorahosted.org/389/ticket/472
>>>>>> Martin
>>>>>>
>>>>>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> It seems IPA has some sort of limit on searching, it will only show
>>>>>>> the first 2k of user entries?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------
>>>>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>>>>>> *To:* Steven Jones
>>>>>>> *Cc:* freeipa-users at redhat.com
>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>
>>>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have imported users, but there are 5700 of them but I only have
>>>>>>>> 2000, which corresponds to the view that AD gives you by default. This makes
>>>>>>>> me think that that limit is all the AD is allowing the query to see?
>>>>>>> You can use
>>>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
>>>>>>> what winsync sees when it searches.
>>>>>>>> Is there a way to expand it?
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> Steven Jones
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------------
>>>>>>>> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com]
>>>>>>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m.
>>>>>>>> *Cc:* freeipa-users at redhat.com
>>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>>
>>>>>>>> I have hundreds of disabled users in IPA now transferred from AD, is
>>>>>>>> there a quick/clean way to purge them from IPA?
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> Steven Jones

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmeggins at redhat.com Tue Sep 25 22:00:47 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 25 Sep 2012 16:00:47 -0600
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546D3964@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5062298F.2010709@redhat.com>

On 09/25/2012 03:34 PM, Steven Jones wrote:
> Hi,
>
> I have set the filter size as 20000 for the user and it makes no difference.

Where did you set this? In IPA? In AD? If so, where? How?

What does "filter size" mean? To me, it means "the size of an LDAP search filter in an LDAP search request", not "the maximum number of entries returned by a search".

>
> So unless it's somewhere else configurable it can't be easily done.
>
> Via adsi edit? And if so, what is the value called?
I would like to know the answers to these questions, but I do not. > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] > Sent: Wednesday, 26 September 2012 7:39 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] winsync agreement wipes IPA users > > On 09/24/2012 11:49 PM, Steven Jones wrote: >> Hi, >> >> Im confused here, has no one tried to winsync 2000+ users before? >> >> Are there any docs on working around this limit? >> >> Ive up'd the user to 20000 but that seems to have had no effect....my AD ppl dont know of any other way to increase that at present. > According to our gurus: > > The limit is in AD, which has a sizelimit of 2000 by default. There are > two ways around this: > 1) Go into AD and set the sizelimit for the sync user to be greater than > the number of entries. > 2) Have DS winsync use simple paged results - this is a code change on > our side and we are tracking it for one of the upcoming releases > https://fedorahosted.org/389/ticket/472 > >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ________________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >> Sent: Tuesday, 25 September 2012 3:17 p.m. >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users >> >> Hi, >> >> I am trying to run this and getting search exceeded. 
>> >> ldapsearch -xLLL -D -w -h -s sub -b OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn> ad.dns.txt >> >> Looks like I have 5900 AD users buy only 4300 are transferred to IPA...they also lose their IPA groups which is a bit of a bummer. >> >> :( >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ________________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rich Megginson [rmeggins at redhat.com] >> Sent: Saturday, 22 September 2012 3:46 a.m. >> To: dpal at redhat.com >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users >> >> On 09/21/2012 09:18 AM, Dmitri Pal wrote: >>> On 09/21/2012 11:07 AM, Rich Megginson wrote: >>>> On 09/21/2012 09:04 AM, Dmitri Pal wrote: >>>>> On 09/21/2012 09:23 AM, Rich Megginson wrote: >>>>>> On 09/21/2012 05:21 AM, Martin Kosek wrote: >>>>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your >>>>>>> case >>>>>>> nsslapd-sizelimit. This can be increased either globally or (this >>>>>>> seems as a >>>>>>> more secure solution) for a user you bind as: >>>>>>> >>>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html >>>>>>> >>>>>>> >>>>>> Steven, are you saying that winsync only pulled over 2000 out of 5700 >>>>>> users from AD into IPA? If so, then that's a limit on the winsync user >>>>>> that must be increased in AD. >>>>>> >>>>> Rich, it seems that it might make sense to file an RFE for the winsync >>>>> to support paging control. >>>> AD supports the paging control? And this allows you to get around the >>>> search limit? >>>> >>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx >>> The default usually 2K BTW. 
>> https://fedorahosted.org/389/ticket/472 >>>>>>> Martin >>>>>>> >>>>>>> On 09/21/2012 04:43 AM, Steven Jones wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> It seems IPA has some sort of limit of searching it will only show >>>>>>>> the first 2k >>>>>>>> of user entries? >>>>>>>> >>>>>>>> regards >>>>>>>> >>>>>>>> Steven Jones >>>>>>>> >>>>>>>> Technical Specialist - Linux RHCE >>>>>>>> >>>>>>>> Victoria University, Wellington, NZ >>>>>>>> >>>>>>>> 0064 4 463 6272 >>>>>>>> >>>>>>>> ------------------------------------------------------------------------------- >>>>>>>> >>>>>>>> >>>>>>>> *From:* Rich Megginson [rmeggins at redhat.com] >>>>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m. >>>>>>>> *To:* Steven Jones >>>>>>>> *Cc:* freeipa-users at redhat.com >>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>>>> >>>>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> I have imported users, but there are 5700 of them but I only have >>>>>>>>> 2000 which >>>>>>>>> corresponds to the view that AD gives you by default. This makes >>>>>>>>> me think >>>>>>>>> that that limit is all the AD is allowing the query to see? >>>>>>>> You can use >>>>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test >>>>>>>> what winsync sees when it searches. >>>>>>>>> Is there a way to expand it? >>>>>>>>> >>>>>>>>> regards >>>>>>>>> >>>>>>>>> Steven Jones >>>>>>>>> >>>>>>>>> Technical Specialist - Linux RHCE >>>>>>>>> >>>>>>>>> Victoria University, Wellington, NZ >>>>>>>>> >>>>>>>>> 0064 4 463 6272 >>>>>>>>> >>>>>>>>> ------------------------------------------------------------------------------- >>>>>>>>> >>>>>>>>> >>>>>>>>> *From:* freeipa-users-bounces at redhat.com >>>>>>>>> [freeipa-users-bounces at redhat.com] >>>>>>>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m. 
>>>>>>>>> *Cc:* freeipa-users at redhat.com >>>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>>>>> >>>>>>>>> I have hundreds of disable users in IPA now transferred from AD, is >>>>>>>>> there a >>>>>>>>> quick/clean way to purge them from IPA? >>>>>>>>> >>>>>>>>> regards >>>>>>>>> >>>>>>>>> Steven Jones >>>>>>>>> >>>>>>>>> Technical Specialist - Linux RHCE >>>>>>>>> >>>>>>>>> Victoria University, Wellington, NZ >>>>>>>>> >>>>>>>>> 0064 4 463 6272 >>>>>>>>> >>>>>>>>> >>>>>>> _______________________________________________ >>>>>>> Freeipa-users mailing list >>>>>>> Freeipa-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> _______________________________________________ >>>>>> Freeipa-users mailing list >>>>>> Freeipa-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? 
> www.redhat.com/carveoutcosts/ > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From jreg2k at gmail.com Tue Sep 25 22:21:14 2012 From: jreg2k at gmail.com (James James) Date: Wed, 26 Sep 2012 00:21:14 +0200 Subject: [Freeipa-users] Apache, autofs and userdir Message-ID: Hi, I don't know if this is the right place to ask this question but I will try. I have : - a freeipa server + autofs maps - a nfsv4 server - a web server from the webserver I can mount my nfs4 exported home dir. Everything works well. I want to acces to my public_html directory from the web server. From my browser, when I try to reach http://myweserver/~user, I've got 403 Forbidden and the logs give me : Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2) Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 ' Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2) Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is '' Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm ' EXAMPLE.COM' Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48 Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' 
being considered, with preferred realm 'EXAMPLE.COM' Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48 Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com Apache user id is 48. Thanks for any help. James -------------- next part -------------- An HTML attachment was scrubbed... URL: From sigbjorn at nixtra.com Tue Sep 25 22:40:06 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 26 Sep 2012 00:40:06 +0200 Subject: [Freeipa-users] Apache, autofs and userdir In-Reply-To: References: Message-ID: <506232C6.9040003@nixtra.com> On 09/26/2012 12:21 AM, James James wrote: > Hi, I don't know if this is the right place to ask this question but I > will try. > > I have : > > - a freeipa server + autofs maps > - a nfsv4 server > - a web server > > from the webserver I can mount my nfs4 exported home dir. Everything > works well. > > I want to acces to my public_html directory from the web server. 
> From my browser, when I try to reach http://myweserver/~user, I've got 403
> Forbidden and the logs give me:
>
> Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create
> krb5 context for user with uid 48 for server nfs-server.example.com
>
> Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall:
> 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall:
> service is ''
> Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for
> client with uid 48 for server nfs-server.example.com
>
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file
> '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm
> 'EXAMPLE.COM'
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file
> '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0'
> being considered, with preferred realm 'EXAMPLE.COM'
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0'
> owned by 0, not 48
> Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create
> krb5 context for user with uid 48 for server nfs-server.example.com
>
> Apache user id is 48.
>
> Thanks for any help.
>
> James
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Are you using nfs4 + krb5 as auth for your home directories? If so, what it's telling you is that it's unable to retrieve kerberos credentials for the apache user (uid 48).

I believe you have to create a user account for apache in IPA, initiate credentials for this user (and renew them when they expire), and set the KRB5CCNAME environment variable to point to the credentials cache in the startup script for httpd. A cronjob or similar would be required to keep renewing the credentials; I have not looked into this myself yet, so I cannot give exact feedback for this.

Make sure the IPA user account that you provide credentials for has access to read the user's public_html directory and list the user's home directory.

Let me know how you get on. I haven't tested this myself yet, but it's been on my mind.

Regards,
Siggi

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Wed Sep 26 01:31:36 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 25 Sep 2012 21:31:36 -0400
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <5062298F.2010709@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C853F.2090003@redhat.com>, <505C8BF3.60604@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50620863.4030801@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D3964@STAWINCOX10MBX1.staff.vuw.ac.nz> <5062298F.2010709@redhat.c!
om> Message-ID: <50625AF8.1010805@redhat.com> Rich Megginson wrote: > On 09/25/2012 03:34 PM, Steven Jones wrote: >> Hi, >> >> I have set the filter size as 20000 for the user and it makes no >> difference. > Where did you set this? In IPA? In AD? If so, where? How? > What does "filter size" mean? To me, it means "the size of an LDAP > search filter in an LDAP search request" not "the maximum number of > entries returned by a search". The more details you can provide on what you did the better. This might include the exact ldapmodify command, where you entered it in AD, the attribute names, whichever is applicable. regards rob From Steven.Jones at vuw.ac.nz Wed Sep 26 01:54:30 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 26 Sep 2012 01:54:30 +0000 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <50625AF8.1010805@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505A4F52.9090807@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546CF244@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C853F.2090003@redhat.c! om>, <505C8BF3.60604@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50620863.4030801@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D3964@STAWINCOX10MBX1.staff.vuw.ac.nz> <5062298F.2010709@redhat.c! 
om>,<50625AF8.1010805@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D41F6@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I don't have an ldapmodify command for changing something in AD.

I have increased the only scope I/we know about, which is the return of objects from a search inside the AD gui, but that might be specific to that view tool. That is 2000 by default; I've set 40000. I am testing it now, if that doesn't work....

Our best AD person is currently researching to see if it's even possible to alter that hard code in AD. The only way he can see is using a windows/ad specific command line command to modify the internals of AD, but he's never seen or read about doing it for this attribute.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 26 September 2012 1:31 p.m.
To: Rich Megginson
Cc: Steven Jones; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Rich Megginson wrote:
> On 09/25/2012 03:34 PM, Steven Jones wrote:
>> Hi,
>>
>> I have set the filter size as 20000 for the user and it makes no
>> difference.
> Where did you set this? In IPA? In AD? If so, where? How?
> What does "filter size" mean? To me, it means "the size of an LDAP
> search filter in an LDAP search request" not "the maximum number of
> entries returned by a search".

The more details you can provide on what you did the better. This might include the exact ldapmodify command, where you entered it in AD, the attribute names, whichever is applicable.
regards rob From rcritten at redhat.com Wed Sep 26 03:46:30 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 25 Sep 2012 23:46:30 -0400 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546D41F6@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C853F.2090003@redhat.c! om>, <505C8BF3.60604@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50620863.4030801@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D3964@STAWINCOX10MBX1.staff.vuw.ac.nz> <5062298F.2010709@redhat.c! om>, <50625AF8.1010805@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D41F6@STAWINCOX10MBX1.staff.vuw.ac.! nz> Message-ID: <50627A96.2090102@redhat.com> Steven Jones wrote: > Hi, > > I dont have a ldapmodify command for changing something in AD. > > I have increased the only scope I/we know about which is the return of objects from a search inside the AD gui but that might be specific to that view tool. That is 2000 by default, Ive set 40000, I am testing it now, if that doesn't work.... > > Our best AD person is currently researching to see if its even possible to alter that hard code in AD. The only way he can see is using a windows/ad specific command line command to modify the internals of AD but he's never seen or read about doing it for this attribute. 
Rich knows more about this than me, so maybe he knows what value you're changing, but I don't. Where exactly in the AD gui are you changing the value to 40k? regards rob > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 26 September 2012 1:31 p.m. > To: Rich Megginson > Cc: Steven Jones; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] winsync agreement wipes IPA users > > Rich Megginson wrote: >> On 09/25/2012 03:34 PM, Steven Jones wrote: >>> Hi, >>> >>> I have set the filter size as 20000 for the user and it makes no >>> difference. >> Where did you set this? In IPA? In AD? If so, where? How? >> What does "filter size" mean? To me, it means "the size of an LDAP >> search filter in an LDAP search request" not "the maximum number of >> entries returned by a search". > > The more details you can provide on what you did the better. This might > include the exact ldapmodify command, where you entered it in AD, the > attribute names, whichever is applicable. > > regards > > rob > > From amessina at messinet.com Wed Sep 26 09:09:44 2012 From: amessina at messinet.com (Anthony Messina) Date: Wed, 26 Sep 2012 04:09:44 -0500 Subject: [Freeipa-users] Apache, autofs and userdir In-Reply-To: References: Message-ID: <2777362.rdXWpkcaOo@linux-ws1.messinet.com> On Wednesday, September 26, 2012 12:21:14 AM James James wrote: > I have : > > - a freeipa server + autofs maps > - a nfsv4 server > - a web server > > from the webserver I can mount my nfs4 exported home dir. Everything works > well. > > I want to acces to my public_html directory from the web server. 
From my > browser, when I try to reach http://myweserver/~user, I've got 403 > Forbidden and the logs give me : > > Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 > context for user with uid 48 for server nfs-server.example.com Sep 25 > 23:18:21 web-server rpc.gssd[4522]: doing error downcall > Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall > (/var/lib/nfs/rpc_pipefs/nfs/clnte2) Sep 25 23:18:21 web-server > rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 > enctypes=18,17,16,23,3,1,2 ' Sep 25 23:18:21 web-server rpc.gssd[4522]: > handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2) Sep 25 23:18:21 > web-server rpc.gssd[4522]: process_krb5_upcall: service is '' Sep 25 > 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid > 48 for server nfs-server.example.com Sep 25 23:18:21 web-server > rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, > with preferred realm 'EXAMPLE.COM' Sep 25 23:18:21 web-server > rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, > not 48 Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' > being considered, with preferred realm 'EXAMPLE.COM' Sep 25 23:18:21 > web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48 Sep > 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 > context for user with uid 48 for server nfs-server.example.com > > > Apache user id is 48. 
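The recipe Sigbjorn describes above (an IPA account for httpd, credentials obtained from a keytab into a cache owned by the apache uid, renewed on a schedule), written out as a script. This is an added example for this thread, not code posted by any participant. The log above shows why ownership matters: rpc.gssd rejected both /tmp/krb5cc_0 and the user's own cache because neither is owned by uid 48, so the cache must be named /tmp/krb5cc_48 (or /tmp/krb5cc_48_*) and owned by 48. Assumed, not stated in the thread: the keytab path /etc/httpd/conf/apache.keytab, the principal name apache, uid 48 and the SELinux type user_tmp_t. Renewal with `kinit -R` stops working once the ticket's renewable lifetime is exhausted, so the script falls back to a fresh keytab kinit instead of failing silently.

```sh
#!/bin/sh
# apache-krb5cc.sh: keep a Kerberos TGT for the apache user where rpc.gssd
# will find it. rpc.gssd only accepts a cache named /tmp/krb5cc_<uid>* that
# is owned by the requesting uid, which is why the user's own cache and
# /tmp/krb5cc_0 were rejected in the log above.
#
# Added example, not from the thread. Assumed values (adjust to your site):
KEYTAB="${KEYTAB:-/etc/httpd/conf/apache.keytab}"  # keytab for the apache principal
PRINCIPAL="${PRINCIPAL:-apache}"                    # IPA account created for httpd
APACHE_UID="${APACHE_UID:-48}"                      # uid rpc.gssd reports for httpd
CCACHE="${CCACHE:-/tmp/krb5cc_${APACHE_UID}}"       # cache path rpc.gssd searches
RENEW_LIFE="${RENEW_LIFE:-7d}"                      # requested renewable lifetime

# Make the cache usable by httpd and acceptable to rpc.gssd: owned by the
# apache uid, private, and relabelled when the SELinux tools are present.
fix_cache_perms() {
    chown "$APACHE_UID" "$CCACHE" || return 1
    chmod 0600 "$CCACHE" || return 1
    if command -v chcon >/dev/null 2>&1; then
        chcon -t user_tmp_t "$CCACHE" 2>/dev/null || true
    fi
}

# True when the cache holds a TGT that has not expired (klist -s is silent).
cache_is_valid() {
    klist -s "$CCACHE"
}

# Renew the TGT in place while it is valid and renewable; once the renewable
# lifetime is exhausted (kinit -R fails) fall back to a fresh keytab kinit.
# Prints the outcome so the cron log shows which path was taken.
refresh_cache() {
    if cache_is_valid && kinit -R -c "$CCACHE"; then
        echo renewed
    elif kinit -k -t "$KEYTAB" -r "$RENEW_LIFE" -c "$CCACHE" "$PRINCIPAL"; then
        echo reinitialized
    else
        echo failed
        return 1
    fi
    fix_cache_perms
}

# Run as root before httpd starts and again from cron (for example every
# 8 hours):  apache-krb5cc.sh run
case "${1:-}" in
    run) refresh_cache ;;
esac
```

httpd itself needs KRB5CCNAME pointed at the same file, and it must see the same /tmp that rpc.gssd sees (a private /tmp for the httpd service would hide the cache). The chown step is what actually satisfies rpc.gssd's "owned by 0, not 48" check; chmod 0600 keeps other local users from reading the TGT.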
You don't say what system you're using, but for Fedora 16 and 17 (with systemd), you can use something like the following in /etc/systemd/system/httpd.service:

.include /usr/lib/systemd/system/httpd.service

[Unit]
Requires=network.target
After=network.target

[Service]
Environment=KRB5_KTNAME=/etc/httpd/conf/apache.keytab
Environment=KRB5CCNAME=/tmp/krb5cc_48
# get a renewable TGT from the keytab, hand the cache to the apache user,
# then relabel it for SELinux
ExecStartPre=/usr/bin/kinit -r 604800s -k -t ${KRB5_KTNAME} apache ; /usr/bin/chown apache:apache ${KRB5CCNAME} ; /usr/bin/chcon -t user_tmp_t ${KRB5CCNAME}
# the cache has to live in the real /tmp, where rpc.gssd looks for it
PrivateTmp=false

And you'll need to add a cron job similar to:

5 */8 * * * apache /usr/bin/kinit -R ; chcon -t user_tmp_t /tmp/krb5cc_48

Of course, this may all change when Fedora 18 comes out with its shiny new way of handling credentials.

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL:

From jreg2k at gmail.com Wed Sep 26 12:14:20 2012
From: jreg2k at gmail.com (James James)
Date: Wed, 26 Sep 2012 14:14:20 +0200
Subject: [Freeipa-users] Apache, autofs and userdir
In-Reply-To: <2777362.rdXWpkcaOo@linux-ws1.messinet.com>
References: <2777362.rdXWpkcaOo@linux-ws1.messinet.com>
Message-ID:

Thanks, I'll try that and will give you feedback as soon as possible.

2012/9/26 Anthony Messina
> On Wednesday, September 26, 2012 12:21:14 AM James James wrote:
> > I have :
> >
> > - a freeipa server + autofs maps
> > - a nfsv4 server
> > - a web server
> >
> > from the webserver I can mount my nfs4 exported home dir. Everything works
> > well.
> >
> > I want to access my public_html directory from the web server.
From my > > browser, when I try to reach http://myweserver/~user, I've got 403 > > Forbidden and the logs give me : > > > > Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 > > context for user with uid 48 for server nfs-server.example.com Sep 25 > > 23:18:21 web-server rpc.gssd[4522]: doing error downcall > > Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall > > (/var/lib/nfs/rpc_pipefs/nfs/clnte2) Sep 25 23:18:21 web-server > > rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 > > enctypes=18,17,16,23,3,1,2 ' Sep 25 23:18:21 web-server rpc.gssd[4522]: > > handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2) Sep 25 23:18:21 > > web-server rpc.gssd[4522]: process_krb5_upcall: service is '' Sep > 25 > > 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with > uid > > 48 for server nfs-server.example.com Sep 25 23:18:21 web-server > > rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, > > with preferred realm 'EXAMPLE.COM' Sep 25 23:18:21 web-server > > rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by > 797200160, > > not 48 Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' > > being considered, with preferred realm 'EXAMPLE.COM' Sep 25 23:18:21 > > web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48 Sep > > 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 > > context for user with uid 48 for server nfs-server.example.com > > > > > > Apache user id is 48. 
> > You don't say what system you're using, but for Fedora 16 and 17 (with > systemd), you can use something like the following in > /etc/systemd/system/httpd.service: > > .include /usr/lib/systemd/system/httpd.service > [Unit] > Requires=network.target > After=network.target > > [Service] > Environment=KRB5_KTNAME=/etc/httpd/conf/apache.keytab > Environment=KRB5CCNAME=/tmp/krb5cc_48 > ExecStartPre=/usr/bin/kinit -r 604800s -k -t ${KRB5_KTNAME} apache ; > /usr/bin/chown apache:apache ${KRB5CCNAME} ; /usr/bin/chcon -t user_tmp_t > ${KRB5CCNAME} > PrivateTmp=false > > > > And you'll need to add a cron job similar to: > 5 */8 * * * apache /usr/bin/kinit -R ; chcon -t user_tmp_t > /tmp/krb5cc_48 > > > Of course, this may all change when Fedora 18 comes out with it's shiny new > way of handling credentials. > > > -- > Anthony - http://messinet.com - http://messinet.com/~amessina/gallery > 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ikaro at mit.edu Wed Sep 26 13:30:45 2012 From: ikaro at mit.edu (Ikaro Silva) Date: Wed, 26 Sep 2012 09:30:45 -0400 Subject: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version In-Reply-To: <50621425.2040102@redhat.com> References: <505B252C.4020606@redhat.com> <505B2F68.1070906@redhat.com> <20120924142629.GC17454@redhat.com> <50621425.2040102@redhat.com> Message-ID: Hi Rich, That worked!! Thank you Rick and Alexander for the kind help! 
Best, -Ikaro On Tue, Sep 25, 2012 at 4:29 PM, Rich Megginson wrote: > On 09/25/2012 11:39 AM, Dan Scott wrote: >> >> Hi, >> >> We've tried starting the service properly - the dirsrv process still >> won't start properly: >> >> [25/Sep/2012:13:28:10 -0400] - 389-Directory/1.2.10.14 B2012.201.358 >> starting up >> [25/Sep/2012:13:28:10 -0400] - Detected Disorderly Shutdown last time >> Directory Server was running, recovering database. >> [25/Sep/2012:13:28:42 -0400] - 389-Directory/1.2.10.14 B2012.201.358 >> starting up >> [25/Sep/2012:13:28:42 -0400] - Detected Disorderly Shutdown last time >> Directory Server was running, recovering database. >> [25/Sep/2012:13:28:48 -0400] - Skipping CoS Definition cn=Password >> Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which >> should be added before the CoS Definition. >> [25/Sep/2012:13:29:01 -0400] NSMMReplicationPlugin - changelog program >> - cl5DBData2Entry: invalid data version >> [25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program >> - cl5Open: failed to open changelog >> [25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program >> - changelog5_init: failed to start changelog at >> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >> [25/Sep/2012:13:29:02 -0400] - Failed to start object plugin >> Multimaster Replication Plugin >> [25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program >> - cl5DBData2Entry: invalid data version >> [25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program >> - cl5Open: failed to open changelog >> [25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program >> - changelog5_init: failed to start changelog at >> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >> [25/Sep/2012:13:29:03 -0400] - Failed to start object plugin >> Multimaster Replication Plugin >> [25/Sep/2012:13:29:03 -0400] - Error: Failed to resolve plugin >> dependencies >> [25/Sep/2012:13:29:03 -0400] - Error: preoperation plugin IPA Version >> 
Replication is not started >> [25/Sep/2012:13:29:03 -0400] - Error: object plugin Legacy Replication >> Plugin is not started >> [25/Sep/2012:13:29:03 -0400] - Error: object plugin Multimaster >> Replication Plugin is not started >> [25/Sep/2012:13:37:37 -0400] - 389-Directory/1.2.10.14 B2012.201.358 >> starting up >> [25/Sep/2012:13:37:37 -0400] - Detected Disorderly Shutdown last time >> Directory Server was running, recovering database. >> [25/Sep/2012:13:37:40 -0400] - Skipping CoS Definition cn=Password >> Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which >> should be added before the CoS Definition. >> [25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program >> - cl5DBData2Entry: invalid data version >> [25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program >> - cl5Open: failed to open changelog >> [25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program >> - changelog5_init: failed to start changelog at >> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >> [25/Sep/2012:13:37:42 -0400] - Failed to start object plugin >> Multimaster Replication Plugin >> [25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program >> - cl5DBData2Entry: invalid data version >> [25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program >> - cl5Open: failed to open changelog >> [25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program >> - changelog5_init: failed to start changelog at >> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >> [25/Sep/2012:13:37:43 -0400] - Failed to start object plugin >> Multimaster Replication Plugin >> [25/Sep/2012:13:37:43 -0400] - Error: Failed to resolve plugin >> dependencies >> [25/Sep/2012:13:37:43 -0400] - Error: preoperation plugin IPA Version >> Replication is not started >> [25/Sep/2012:13:37:43 -0400] - Error: object plugin Legacy Replication >> Plugin is not started >> [25/Sep/2012:13:37:43 -0400] - Error: object plugin Multimaster >> Replication Plugin is 
not started >> >> We've been through Rich's suggested procedure to manually initialize >> the consumer, but still get the message above. >> >> Any ideas? > > Assuming the directory server is not running, do this: > rm -rf /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb > then follow the ldif2db procedure > then start the directory server > >> >> Thanks, >> >> Dan >> >> >> On Mon, Sep 24, 2012 at 10:26 AM, Alexander Bokovoy >> wrote: >>> >>> On Mon, 24 Sep 2012, Ikaro Silva wrote: >>>> >>>> Hi Rich, >>>> >>>> Thanks for the help. We have tried your suggestion below, however the >>>> problem still persists: >>>> >>>> systemctl status dirsrv.service >>> >>> There is no dirsrv.service. dirsrv instances are arranged in >>> following setup: >>> >>> - there is dirsrv.target that is used to start and stop all instances at >>> the same time >>> >>> - there are dirsrv at INSTANCE-NAME.service services for specific instances >>> where INSTANCE-NAME is REALM with dots replaced by -. >>> >>> IPA currently operates on two dirsrv instances (PKI-CA and REALM). If you >>> want to >>> start/stop them all, use >>> >>> systemctl stop dirsrv.target >>> systemctl start dirsrv.target >>> >>> For status you need to check specific instances. >>> >>> systemctl status dirsrv@.service >>> >>> # systemctl status dirsrv at IPA-LOCAL.service >>> dirsrv at IPA-LOCAL.service - 389 Directory Server IPA-LOCAL. >>> Loaded: loaded (/lib/systemd/system/dirsrv at .service; enabled) >>> Active: active (running) since Mon, 24 Sep 2012 11:53:04 >>> +0300; 5h >>> 31min ago >>> Process: 684 ExecStart=/usr/sbin/ns-slapd -D >>> /etc/dirsrv/slapd-%i >>> -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid >>> (code=exited, status=0/SUCCESS) >>> Main PID: 688 (ns-slapd) >>> CGroup: name=systemd:/system/dirsrv at .service/IPA-LOCAL >>> ? 688 /usr/sbin/ns-slapd -D >>> /etc/dirsrv/slapd-IPA-LOCAL -i >>> /var/run/dirsrv/slapd-IPA-LOCAL.pid -w /var/run/dirs... 
>>> >>> >>>> dirsrv.service >>>> Loaded: error (Reason: No such file or directory) >>>> Active: inactive (dead) >>>> [root at fileserver2 ~]# ipactl status >>>> Directory Service: STOPPED >>>> Unknown error when retrieving list of services from LDAP: [Errno 111] >>>> Connection refused >>>> >>>> >>>> Any other suggestions/advice would be greatly appreaciated. >>>> >>>> Thank you, >>>> >>>> -Ikaro >>>> >>>> On Thu, Sep 20, 2012 at 10:59 AM, Rich Megginson >>>> wrote: >>>>> >>>>> On 09/20/2012 08:53 AM, Ikaro Silva wrote: >>>>>> >>>>>> >>>>>> Hi Rich, >>>>>> >>>>>> We did not upgrade from a previous version, this is our original >>>>>> master server (but we do have 2 other replications of this one). The >>>>>> architecture is >>>>>> >>>>>> Linux 3.4.9-2.fc16.i686.PAE #1 SMP Thu Aug 23 18:41:34 UTC 2012 i686 >>>>>> i686 i386 GNU/Linux >>>>> >>>>> >>>>> ok - try this: >>>>> >>>>> >>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line >>>>> >>>>> you will need to use db2ldif.pl -r to create a replica init ldif file >>>>> from >>>>> one of your good replicas, copy this file to the machine with the "bad" >>>>> replica, and use ldif2db to reinitialize it. >>>>> >>>>> You use db2ldif.pl on the replica because you can perform this >>>>> operation >>>>> while the server is running. >>>>> >>>>> You use ldif2db on the bad replica because you can't start the server. >>>>> >>>>> Note that due to selinux restrictions, you have to use >>>>> /var/lib/dirsrv/slapd-DOMAIN/ldif as the export and import directory. 
>>>>> >>>>>> >>>>>> >>>>>> On Thu, Sep 20, 2012 at 10:16 AM, Rich Megginson >>>>>> wrote: >>>>>>> >>>>>>> >>>>>>> On 09/20/2012 08:10 AM, Ikaro Silva wrote: >>>>>>>> >>>>>>>> >>>>>>>> Hi Everyone, >>>>>>>> >>>>>>>> >>>>>>>> I am new to IPA and I am trying to start the IPA service but I get >>>>>>>> the >>>>>>>> following error message: >>>>>>>> >>>>>>>> ipactl start >>>>>>>> Starting Directory Service >>>>>>>> Failed to read data from Directory Service: Unknown error when >>>>>>>> retrieving list of services from LDAP: [Errno 111] Connection >>>>>>>> refused >>>>>>>> Shutting down >>>>>>> >>>>>>> >>>>>>> What platform? Did you upgrade from a previous version? >>>>>>> Do you have another master that you could use to reinit this one >>>>>>> from? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> When I cat the /var/log/dirsrv/slapd-ECG-MIT-EDU/errors I get the >>>>>>>> following messages: >>>>>>>> >>>>>>>> [20/Sep/2012:10:08:53 -0400] - 389-Directory/1.2.10.14 B2012.201.358 >>>>>>>> starting up >>>>>>>> [20/Sep/2012:10:08:54 -0400] - Detected Disorderly Shutdown last >>>>>>>> time >>>>>>>> Directory Server was running, recovering database. >>>>>>>> [20/Sep/2012:10:08:57 -0400] - Skipping CoS Definition cn=Password >>>>>>>> Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, >>>>>>>> which >>>>>>>> should be added before the CoS Definition. 
>>>>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog >>>>>>>> program >>>>>>>> - cl5DBData2Entry: invalid data version >>>>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog >>>>>>>> program >>>>>>>> - cl5Open: failed to open changelog >>>>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog >>>>>>>> program >>>>>>>> - changelog5_init: failed to start changelog at >>>>>>>> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >>>>>>>> [20/Sep/2012:10:08:58 -0400] - Failed to start object plugin >>>>>>>> Multimaster Replication Plugin >>>>>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog >>>>>>>> program >>>>>>>> - cl5DBData2Entry: invalid data version >>>>>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog >>>>>>>> program >>>>>>>> - cl5Open: failed to open changelog >>>>>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog >>>>>>>> program >>>>>>>> - changelog5_init: failed to start changelog at >>>>>>>> /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb >>>>>>>> [20/Sep/2012:10:08:59 -0400] - Failed to start object plugin >>>>>>>> Multimaster Replication Plugin >>>>>>>> [20/Sep/2012:10:08:59 -0400] - Error: Failed to resolve plugin >>>>>>>> dependencies >>>>>>>> [20/Sep/2012:10:08:59 -0400] - Error: preoperation plugin IPA >>>>>>>> Version >>>>>>>> Replication is not started >>>>>>>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Legacy >>>>>>>> Replication >>>>>>>> Plugin is not started >>>>>>>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Multimaster >>>>>>>> Replication Plugin is not started >>>>>>>> >>>>>>>> >>>>>>>> Has anyone experienced similar problems or have suggestions on how >>>>>>>> to >>>>>>>> fix these errors ? 
>>>>>>>> >>>>>>>> >>>>>>>> Thank you, >>>>>>>> >>>>>>>> -Ikaro >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> Freeipa-users mailing list >>>>>>>> Freeipa-users at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>> >>>>>>> >>>>>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> >>> >>> >>> -- >>> / Alexander Bokovoy >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Ikaro Silva, Ph.D. ikaro at mit.edu Harvard-MIT Division of Health Sciences and Technology MIT Room E25-505, Cambridge, MA 02139 USA From natxo.asenjo at gmail.com Wed Sep 26 14:04:18 2012 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Wed, 26 Sep 2012 16:04:18 +0200 Subject: [Freeipa-users] winsync agreement wipes IPA users In-Reply-To: <50627A96.2090102@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz> <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C8BF3.60604@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz> <50620863.4030801@redhat.com> 
<833D8E48405E064EBC54C84EC6B36E40546D3964@STAWINCOX10MBX1.staff.vuw.ac.nz> <50625AF8.1010805@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D41F6@STAWINCOX10MBX1.staff.vuw.ac.nz> <50627A96.2090102@redhat.com>
Message-ID:

On Wed, Sep 26, 2012 at 5:46 AM, Rob Crittenden wrote:
>
> Steven Jones wrote:
>>
>> Hi,
>>
>> I don't have an ldapmodify command for changing something in AD.
>>
>> I have increased the only scope I/we know about which is the return of objects from a search inside the AD gui but that might be specific to that view tool. That is 2000 by default, I've set 40000, I am testing it now, if that doesn't work....
>>
>> Our best AD person is currently researching to see if it's even possible to alter that hard code in AD. The only way he can see is using a windows/ad specific command line command to modify the internals of AD but he's never seen or read about doing it for this attribute.
>

Sounds like you need to upgrade your MaxPageSize and LDAPAdminLimits attribute of the Default Query Policy object in the Query-Policies container. We needed to do this to be able to get more than 1000 objects from AD a long time ago. The details I used back then were here:

http://technet.microsoft.com/en-us/library/aa998536.aspx

cmd.exe -> ntdsutil.exe (on a domain controller)

At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.

show values [enter]

ldap policy: show values

Policy                    Current(New)
MaxPoolThreads            4
MaxDatagramRecv           4096
MaxReceiveBuffer          10485760
InitRecvTimeout           120
MaxConnections            5000
MaxConnIdleTime           900
MaxPageSize               1000
MaxQueryDuration          120
MaxTempTableSize          10000
MaxResultSetSize          262144
MaxNotificationPerConn    5
MaxValRange               1500

We want to change MaxPageSize.

First we need to authenticate:

connections [enter]
set creds domain user pwd
connect to domain your.domain
q

then we go to ldap policy

set MaxPageSize to 2000
Commit Changes
quit
quit

--
natxo

From d.sastre.medina at gmail.com Wed Sep 26 15:35:51 2012
From: d.sastre.medina at gmail.com (David Sastre)
Date: Wed, 26 Sep 2012 17:35:51 +0200
Subject: [Freeipa-users] Password failing for sudo-ldap authentication only from one host
Message-ID:

Hello,

I'm experiencing an issue with sudo-ldap:
I have some commands defined in a rule, have granted permissions to my user to execute them via sudo following the docs:

# ipa sudorule-show networking-commands
  Rule name: networking-commands
  Enabled: TRUE
  Users: dsastrem
  Host Groups: des
  Sudo Allow Command Groups: networking

# ipa sudocmdgroup-show networking
  Sudo Command Group: networking
  Description: commands for network configuration and troubleshooting
  Member Sudo commands: /sbin/route, /sbin/ifconfig, /sbin/iptables, /sbin/mii-tool, /sbin/ethtool, /sbin/ip

/etc/nsswitch.conf
==================
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files
aliases:    files nisplus
sudoers:    files ldap sss

/etc/sudo-ldap.conf
===================
uri ldap://panoramix.some.domain.com
sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
bind_timelimit 5
timelimit 15
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
bindpw secret
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

/etc/rc.local
=============
touch /var/lock/subsys/local
nisdomainname some.domain.com

All three config files are equal on several hosts, but sudo is failing from one host in this way:
pam_tally2 count gets increased with failed attempts, but the password is (obviously) the same (my kerberos passwd)

dsastrem@obelix ~
$ sudo ip addr show
LDAP Config Summary
===================
uri              ldap://panoramix.some.domain.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=some,dc=domain,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
bindpw           secret
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://panoramix.some.domain.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=some,dc=domain,dc=com
sudo: ldap search '(|(sudoUser=dsastrem)(sudoUser=%dsastrem)(sudoUser=%admins)(sudoUser=ALL))'
sudo: found:cn=networking-commands,ou=sudoers,dc=some,dc=domain,dc=com
sudo: ldap sudoHost '+des' ... MATCH!
sudo: ldap sudoCommand '/sbin/route' ... not
sudo: ldap sudoCommand '/sbin/ifconfig' ... not
sudo: ldap sudoCommand '/sbin/iptables' ... not
sudo: ldap sudoCommand '/sbin/mii-tool' ... not
sudo: ldap sudoCommand '/sbin/ethtool' ... not
sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for dsastrem:
Sorry, try again.
[sudo] password for dsastrem:
sudo: 1 incorrect password attempt
# pam_tally2 -u dsastrem
Login           Failures Latest failure     From
dsastrem            2    09/26/12 17:22:54  /dev/pts/1

Any idea of what could be wrong? Thanks in advance.

From ssorce at redhat.com Wed Sep 26 17:17:40 2012
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 26 Sep 2012 13:17:40 -0400 (EDT)
Subject: [Freeipa-users] [HOWTO] Bulk creating test users
Message-ID: <176090046.2223275.1348679860914.JavaMail.root@redhat.com>

Hello list,
I wanted to share a simple way I use to create users for testing; it is something I get regularly asked when we do testing, so I thought it may turn out useful to others.

Assume we have a FreeIPA domain called freeipa.org and we want to create a few test users with a specific password. Here is a simple script that does it (requires you to kinit as admin first):

---------------------------------------------------------------------------------
#!/bin/bash
# Pass user name as first argument and password as second argument
ipa user-add $1 --first Test --last User
echo "test" | ipa passwd $1
ldappasswd -D uid=$1,cn=users,cn=accounts,dc=example,dc=org -w test -a test -s $2
---------------------------------------------------------------------------------

In this example no escaping is performed, so you'll need to add it to user names/passwords if you want to use characters that may cause shell expansion.

Hope this helps.
Simo.

--
Simo Sorce * Red Hat, Inc. * New York

From rcritten at redhat.com Wed Sep 26 19:06:40 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 26 Sep 2012 15:06:40 -0400
Subject: [Freeipa-users] Password failing for sudo-ldap authentication only from one host
In-Reply-To:
References:
Message-ID: <50635240.1080100@redhat.com>

David Sastre wrote:
> Hello,
>
> I'm experiencing an issue with sudo-ldap:
> I have some commands defined in a rule, have granted permissions to my
> user to execute them via sudo following the docs:
>
> # ipa sudorule-show networking-commands
>   Rule name: networking-commands
>   Enabled: TRUE
>   Users: dsastrem
>   Host Groups: des
>   Sudo Allow Command Groups: networking
>
> # ipa sudocmdgroup-show networking
>   Sudo Command Group: networking
>   Description: commands for network configuration and troubleshooting
>   Member Sudo commands: /sbin/route, /sbin/ifconfig, /sbin/iptables,
> /sbin/mii-tool, /sbin/ethtool, /sbin/ip
>
> /etc/nsswitch.conf
> ==================
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> hosts:      files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> netgroup:   files sss
> publickey:  nisplus
> automount:  files
> aliases:    files nisplus
> sudoers:    files ldap sss
>
> /etc/sudo-ldap.conf
> ===================
> uri ldap://panoramix.some.domain.com
> sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
> bind_timelimit 5
> timelimit 15
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
> bindpw secret
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> /etc/rc.local
> =============
> touch /var/lock/subsys/local
> nisdomainname some.domain.com
>
> All three config files are equal on several hosts, but sudo is failing
> from one host in this way:
> pam_tally2 count gets increased with failed attempts, but the password
> is (obviously) the same (my kerberos passwd)
>
> dsastrem@obelix ~
> $ sudo ip addr show
> LDAP Config Summary
> ===================
> uri              ldap://panoramix.some.domain.com
> ldap_version     3
> sudoers_base     ou=SUDOers,dc=some,dc=domain,dc=com
> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
> bindpw           secret
> bind_timelimit   5000
> timelimit        15
> ssl              start_tls
> tls_checkpeer    (yes)
> tls_cacertfile   /etc/ipa/ca.crt
> ===================
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 1
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
> sudo: ldap_initialize(ld, ldap://panoramix.some.domain.com)
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 15
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: no default options found in ou=SUDOers,dc=some,dc=domain,dc=com
> sudo: ldap search
> '(|(sudoUser=dsastrem)(sudoUser=%dsastrem)(sudoUser=%admins)(sudoUser=ALL))'
> sudo: found:cn=networking-commands,ou=sudoers,dc=some,dc=domain,dc=com
> sudo: ldap sudoHost '+des' ... MATCH!
> sudo: ldap sudoCommand '/sbin/route' ... not
> sudo: ldap sudoCommand '/sbin/ifconfig' ... not
> sudo: ldap sudoCommand '/sbin/iptables' ... not
> sudo: ldap sudoCommand '/sbin/mii-tool' ... not
> sudo: ldap sudoCommand '/sbin/ethtool' ... not
> sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
> sudo: Command allowed
> sudo: user_matches=1
> sudo: host_matches=1
> sudo: sudo_ldap_lookup(0)=0x02
> [sudo] password for dsastrem:
> Sorry, try again.
> [sudo] password for dsastrem:
> sudo: 1 incorrect password attempt
>
> # pam_tally2 -u dsastrem
> Login           Failures Latest failure     From
> dsastrem            2    09/26/12 17:22:54  /dev/pts/1
>
> Any idea of what could be wrong? Thanks in advance.

Does sssd work on this machine otherwise? getent passwd , you can log into the console as the user, or perhaps kinit to the user?
rob

From d.sastre.medina at gmail.com Wed Sep 26 21:08:18 2012
From: d.sastre.medina at gmail.com (David Sastre Medina)
Date: Wed, 26 Sep 2012 23:08:18 +0200
Subject: [Freeipa-users] Password failing for sudo-ldap authentication only from one host
In-Reply-To: <50635240.1080100@redhat.com>
References: <50635240.1080100@redhat.com>
Message-ID: <20120926210817.GB5907@pris.crapsteak.org>

On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote:
> David Sastre wrote:
> > [big snip]
> Does sssd work on this machine otherwise? getent passwd , you
> can log into the console as the user, or perhaps kinit to the user?

Rob, thanks for the feedback. I'll check that out and post the results tomorrow.

--
Primary key fingerprint: AD8F BDC0 5A2C FD5F A179 60E7 F79B AB04 5299 EC56

From Steven.Jones at vuw.ac.nz Wed Sep 26 21:17:27 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 26 Sep 2012 21:17:27 +0000
Subject: [Freeipa-users] winsync agreement transferred users not going into ipausers and existing users dropped from all their groups
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D485A@STAWINCOX10MBX1.staff.vuw.ac.nz>

Is this expected?
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Thu Sep 27 03:57:48 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 27 Sep 2012 03:57:48 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz> <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C8BF3.60604@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz> <50620863.4030801@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D3964@STAWINCOX10MBX1.staff.vuw.ac.nz> <50625AF8.1010805@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D41F6@STAWINCOX10MBX1.staff.vuw.ac.nz> <50627A96.2090102@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D4D48@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Unable to get this to work on win2k3r2 even with enterprise admin permissions. What I have found is this, which I'm about to try:

1. Use adsiedit.msc to bind to any domain controller.
2. Navigate through Configuration > CN=Configuration,DC=,DC=COM > CN=Services > CN=Windows NT > CN=Directory Services > CN=Query-Policies
3. Double-click CN=Default Query Policy in the right-hand pane.
4. Double-click LdapAdminLimits.
5. Select MaxPageSize and press Remove.
6. Modify the limit of MaxPageSize and press Add.
7. Press OK, Apply, and OK.
8. Close ADSI Edit.
9. After replication, the new limit should be available.
adsiedit is part of the MS support tools here:
http://www.microsoft.com/en-us/download/confirmation.aspx?id=7911

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Natxo Asenjo [natxo.asenjo at gmail.com]
Sent: Thursday, 27 September 2012 2:04 a.m.
To: Rob Crittenden
Cc: Steven Jones; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On Wed, Sep 26, 2012 at 5:46 AM, Rob Crittenden wrote:
>
> Steven Jones wrote:
>>
>> Hi,
>>
>> I don't have an ldapmodify command for changing something in AD.
>>
>> I have increased the only scope I/we know about, which is the return of objects from a search inside the AD GUI, but that might be specific to that view tool. That is 2000 by default; I've set 40000. I am testing it now; if that doesn't work....
>>
>> Our best AD person is currently researching to see if it's even possible to alter that hard code in AD. The only way he can see is using a Windows/AD-specific command line command to modify the internals of AD, but he's never seen or read about doing it for this attribute.
>

Sounds like you need to upgrade your MaxPageSize and LDAPAdminLimits attribute of the Default Query Policy object in the Query-Policies container. We needed to do this to be able to get more than 1000 objects from AD a long time ago. The details I used back then were here:

http://technet.microsoft.com/en-us/library/aa998536.aspx

cmd.exe -> ntdsutil.exe (on a domain controller)

At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.

show values [enter]

ldap policy: show values

Policy                          Current(New)
MaxPoolThreads                  4
MaxDatagramRecv                 4096
MaxReceiveBuffer                10485760
InitRecvTimeout                 120
MaxConnections                  5000
MaxConnIdleTime                 900
MaxPageSize                     1000
MaxQueryDuration                120
MaxTempTableSize                10000
MaxResultSetSize                262144
MaxNotificationPerConn          5
MaxValRange                     1500

We want to change MaxPageSize.
First we need to authenticate:

connections [enter]
set creds domain user pwd
connect to domain your.domain
q

then we go to ldap policy

set MaxPageSize to 2000
Commit Changes
quit
quit

--
natxo

From d.sastre.medina at gmail.com Thu Sep 27 06:18:21 2012
From: d.sastre.medina at gmail.com (David Sastre)
Date: Thu, 27 Sep 2012 08:18:21 +0200
Subject: [Freeipa-users] Password failing for sudo-ldap authentication only from one host
In-Reply-To: <20120926210817.GB5907@pris.crapsteak.org>
References: <50635240.1080100@redhat.com> <20120926210817.GB5907@pris.crapsteak.org>
Message-ID:

On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina <
d.sastre.medina at gmail.com> wrote:

> On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote:
> > David Sastre wrote:
> > > [big snip]
> > Does sssd work on this machine otherwise? getent passwd , you
> > can log into the console as the user, or perhaps kinit to the user?
>

It looks like sssd is operating correctly:

$ getent passwd dsastrem
dsastrem:*:1543400001:1543400001:David Sastre Medina:/home/dsastrem:/bin/rbash

I can also kinit w/o problems:

$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)

$ kinit dsastrem
Password for dsastrem@SOME.DOMAIN.COM:

$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dsastrem@SOME.DOMAIN.COM

Valid starting     Expires            Service principal
09/27/12 07:59:36  09/28/12 07:59:36  krbtgt/SOME.DOMAIN.COM@SOME.DOMAIN.COM
        renew until 09/28/12 08:01:20

I can log in using ssh, and the log shows:
debug1: Authentication succeeded (gssapi-with-mic).

Yet, sudo fails to authenticate me:

dsastrem@obelix ~
$ sudo ip addr show
[sudo] password for dsastrem:
Sorry, try again.
[sudo] password for dsastrem:
Sorry, try again.
[sudo] password for dsastrem:
sudo: 2 incorrect password attempts
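Simo's bulk-user HOWTO earlier in this digest notes that its script performs no escaping. The following is an added example, not Simo's script or FreeIPA's own code, that runs the same three steps as argv lists (so the shell never expands the user name or password) and escapes the uid before embedding it in an LDAP DN; BASE_DN and the throw-away initial password "test" are assumed from the HOWTO.

```python
"""Added example (not from the HOWTO or FreeIPA): the three bulk-user steps
with no shell expansion and with RFC 4514 escaping of the uid in the DN."""
import subprocess
from typing import Callable, List

BASE_DN = "cn=users,cn=accounts,dc=example,dc=org"  # assumed, as in the HOWTO
INITIAL_PASSWORD = "test"                            # throw-away first password, as in the HOWTO

# RFC 4514 section 2.4: characters that need a backslash inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:             # a leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and i in (0, last):     # leading/trailing space is significant
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(uid: str) -> str:
    """DN of an IPA user entry, with the uid escaped."""
    return "uid=%s,%s" % (escape_rdn_value(uid), BASE_DN)


def bulk_user_commands(uid: str, password: str) -> List[List[str]]:
    """argv lists for: add the user, set the initial password as admin (IPA
    marks it expired), then change it as the user, which clears the expiry.
    Each list goes to subprocess without a shell, so ';', '$' or spaces in
    uid/password are passed literally. As in the HOWTO the passwords appear
    on the ldappasswd command line (visible in `ps`); ldappasswd's -y/-t/-T
    options read them from files instead."""
    return [
        ["ipa", "user-add", uid, "--first", "Test", "--last", "User"],
        ["ipa", "passwd", uid],                         # new password read from stdin
        ["ldappasswd", "-D", user_dn(uid),
         "-w", INITIAL_PASSWORD, "-a", INITIAL_PASSWORD, "-s", password],
    ]


def create_test_user(uid: str, password: str,
                     run: Callable[..., object] = subprocess.run) -> List[List[str]]:
    """Run the three steps in order (needs a valid admin Kerberos ticket) and
    return the argv lists that were run. `run` is injectable so the sequence
    can be exercised without an IPA server."""
    add, setpw, change = bulk_user_commands(uid, password)
    run(add, check=True)
    run(setpw, input=INITIAL_PASSWORD + "\n", text=True, check=True)
    run(change, check=True)
    return [add, setpw, change]
```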
From pieter.baele at gmail.com Thu Sep 27 07:56:02 2012
From: pieter.baele at gmail.com (Pieter Baele)
Date: Thu, 27 Sep 2012 09:56:02 +0200
Subject: [Freeipa-users] FreeIPA 3 rc1 sslget error
Message-ID:

Hi,

Two problems with FreeIPA 3 on an updated Fedora 17 (updates-testing enabled)

1) dependency error for libsss_sudo

Error: Package: sudo-1.8.3p1-7.fc17.x86_64 (@updates)
           Requires: libsss_sudo.so.0(EXPORTED)(64bit)
           Removing: libsss_sudo-1.8.4-14.fc17.x86_64 (@updates)
               libsss_sudo.so.0(EXPORTED)(64bit)
           Updated By: libsss_sudo-1.8.99-0.20120913T1717Zgitbb42eab.fc17.x86_64 (freeipa-devel)
               Not found
           Available: libsss_sudo-1.8.2-10.fc17.x86_64 (fedora)
               libsss_sudo.so.0(EXPORTED)(64bit)
Error: Package: sudo-1.8.3p1-7.fc17.x86_64 (@updates)
           Requires: libsss_sudo.so.0()(64bit)
           Removing: libsss_sudo-1.8.4-14.fc17.x86_64 (@updates)
               libsss_sudo.so.0()(64bit)
           Updated By: libsss_sudo-1.8.99-0.20120913T1717Zgitbb42eab.fc17.x86_64 (freeipa-devel)
               Not found
           Available: libsss_sudo-1.8.2-10.fc17.x86_64 (fedora)
               libsss_sudo.so.0()(64bit)

2) some error on RA agent certificate issuing

  [16/20]: issuing RA agent certificate
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-1ItZiZ -r /ca/agent/ca/profileReview?requestId=7 ipa.nix.be:9443' returned non-zero exit status 6

3) if I then try to remove using --uninstall, I get this error

Unexpected error - see /var/log/ipaserver-uninstall.log for details:
CalledProcessError: Command '/bin/systemctl start messagebus.service' returned non-zero exit status 1

DEBUG LOG (2)
=========
-
2012-09-27T07:22:01Z DEBUG   [8/20]: fixing RA database permissions
2012-09-27T07:22:01Z DEBUG duration: 0 seconds
2012-09-27T07:22:01Z DEBUG   [9/20]: setting up signing cert profile
2012-09-27T07:22:01Z DEBUG duration: 0 seconds
2012-09-27T07:22:01Z DEBUG   [10/20]: set up CRL publishing
2012-09-27T07:22:01Z DEBUG args=/usr/sbin/selinuxenabled
2012-09-27T07:22:01Z DEBUG stdout=
2012-09-27T07:22:01Z DEBUG stderr=
2012-09-27T07:22:01Z DEBUG args=/usr/sbin/restorecon /var/lib/pki-ca/publish
2012-09-27T07:22:01Z DEBUG stdout=
2012-09-27T07:22:01Z DEBUG stderr=
2012-09-27T07:22:01Z DEBUG duration: 0 seconds
2012-09-27T07:22:01Z DEBUG   [11/20]: set certificate subject base
2012-09-27T07:22:01Z DEBUG duration: 0 seconds
2012-09-27T07:22:01Z DEBUG   [12/20]: enabling Subject Key Identifier
2012-09-27T07:22:01Z DEBUG duration: 0 seconds
2012-09-27T07:22:01Z DEBUG   [13/20]: configuring certificate server to start on boot
2012-09-27T07:22:01Z DEBUG args=/bin/systemctl is-enabled pki-cad.target
2012-09-27T07:22:01Z DEBUG stdout=disabled
2012-09-27T07:22:01Z DEBUG stderr=
2012-09-27T07:22:01Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2012-09-27T07:22:01Z DEBUG duration: 0 seconds
2012-09-27T07:22:01Z DEBUG   [14/20]: restarting certificate server
2012-09-27T07:22:02Z DEBUG args=/bin/systemctl restart pki-cad@pki-ca.service
2012-09-27T07:22:02Z DEBUG stdout=
2012-09-27T07:22:02Z DEBUG stderr=
2012-09-27T07:22:02Z DEBUG args=/bin/systemctl is-active pki-cad@pki-ca.service
2012-09-27T07:22:02Z DEBUG stdout=active
2012-09-27T07:22:02Z DEBUG stderr=
2012-09-27T07:22:02Z DEBUG wait_for_open_ports: localhost [9180] timeout 120
2012-09-27T07:22:04Z DEBUG duration: 3 seconds
2012-09-27T07:22:04Z DEBUG   [15/20]: requesting RA certificate from CA
2012-09-27T07:22:07Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -R -k rsa -g 2048 -s CN=IPA RA,O=NIX.BE -z /tmp/tmpW2tvmL -a
2012-09-27T07:22:07Z DEBUG stdout=
Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: IPA RA
Email: (not specified)
Organization: NIX.BE
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICbTCCAVUCAQAwKDEVMBMGA1UEChMMTklYLlJBSUxCLkJFMQ8wDQYDVQQDEwZJ
Mw==
-----END NEW CERTIFICATE REQUEST-----

2012-09-27T07:22:07Z DEBUG stderr=
Generating key.
This may take a few moments...

2012-09-27T07:22:11Z DEBUG duration: 6 seconds
2012-09-27T07:22:11Z DEBUG   [16/20]: issuing RA agent certificate
2012-09-27T07:22:11Z DEBUG args=/usr/bin/certutil -d /tmp/tmp-1ItZiZ -f XXXXXXXX -M -t CT,C,C -n Certificate Authority - NIX.BE
2012-09-27T07:22:11Z DEBUG stdout=
2012-09-27T07:22:11Z DEBUG stderr=
2012-09-27T07:22:11Z DEBUG args=/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-1ItZiZ -r /ca/agent/ca/profileReview?requestId=7 ipa.nix.be:9443
2012-09-27T07:22:11Z DEBUG stdout=
2012-09-27T07:22:11Z DEBUG stderr=GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0
port: 9443
addr='ipa.nix.be' family='10'
exit after PR_Connect with error -5987:

2012-09-27T07:22:11Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/sbin/ipa-server-install", line 931, in main
    subject_base=options.subject)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 562, in configure_instance
    self.start_creation("Configuring certificate server", 210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 321, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 903, in __issue_ra_cert
    (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 309, in run
    raise CalledProcessError(p.returncode, args)

2012-09-27T07:22:11Z INFO The ipa-server-install command failed, exception: CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-1ItZiZ -r /ca/agent/ca/profileReview?requestId=7 ipa.nix.be:9443' returned non-zero exit status 6

From jhrozek at redhat.com Thu Sep 27 08:01:26 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 27 Sep 2012 10:01:26 +0200
Subject: [Freeipa-users] Password failing for sudo-ldap authentication only from one host
In-Reply-To:
References: <50635240.1080100@redhat.com> <20120926210817.GB5907@pris.crapsteak.org>
Message-ID: <20120927080126.GP25493@hendrix.brq.redhat.com>

On Thu, Sep 27, 2012 at 08:18:21AM +0200, David Sastre wrote:
> On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina <
> d.sastre.medina at gmail.com> wrote:
>
> > On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote:
> > > David Sastre wrote:
> > > > [big snip]
> > > Does sssd work on this machine otherwise? getent passwd , you
> > > can log into the console as the user, or perhaps kinit to the user?
> >
>
> It looks like sssd is operating correctly
> $ getent passwd dsastrem
> dsastrem:*:1543400001:1543400001:David Sastre
> Medina:/home/dsastrem:/bin/rbash
>
> I can also kinit w/o problems:
> $ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
>
> $ kinit dsastrem
> Password for dsastrem@SOME.DOMAIN.COM:
>

kinit bypasses the SSSD and talks to the KDC directly.

> $ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: dsastrem@SOME.DOMAIN.COM
>
> I can log in using ssh, and the log shows:
> debug1: Authentication succeeded (gssapi-with-mic).
>
> Valid starting     Expires            Service principal
> 09/27/12 07:59:36  09/28/12 07:59:36  krbtgt/SOME.DOMAIN.COM@SOME.DOMAIN.COM
>         renew until 09/28/12 08:01:20
>

...however, the ssh should go through the SSSD...

> Yet, sudo fails to authenticate me:
> dsastrem@obelix ~
> $ sudo ip addr show
> [sudo] password for dsastrem:
> Sorry, try again.
> [sudo] password for dsastrem:
> Sorry, try again.
> [sudo] password for dsastrem:
> sudo: 2 incorrect password attempts

Can you check the messages that appear in /var/log/secure during the sudo auth attempt? You should see pam_sss being contacted, what does it say? Is there any error?
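One way to triage the /var/log/secure lines Jakub asks for, as an added example that is not part of the thread: it groups sudo attempts per host by what pam_sss reported, so a host where SSSD answered "System error" is separated from a host where the password was simply wrong. The log lines, host names and user names below are constructed in the pam_unix/pam_sss format, not taken from any real host.

```python
"""Added example (not from the thread): classify sudo auth attempts in
/var/log/secure by the pam_sss result code, per host."""
import re
from typing import Dict, List

# Constructed sample lines in the pam_unix/pam_sss format (not real hosts).
SAMPLE_LOG = """\
Sep 27 10:30:13 hostA sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=0 euid=0 tty=/dev/pts/2 ruser=alice rhost=  user=alice
Sep 27 10:30:13 hostA sudo: pam_sss(sudo:auth): authentication success; logname=alice uid=0 euid=0 tty=/dev/pts/2 ruser=alice rhost=  user=alice
Sep 27 10:30:13 hostA sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/ip addr show
Sep 27 10:32:50 hostB sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=0 euid=0 tty=/dev/pts/1 ruser=alice rhost=  user=alice
Sep 27 10:32:50 hostB sudo: pam_sss(sudo:auth): system info: [Permission denied]
Sep 27 10:32:50 hostB sudo: pam_sss(sudo:auth): authentication failure; logname=alice uid=0 euid=0 tty=/dev/pts/1 ruser=alice rhost=  user=alice
Sep 27 10:32:50 hostB sudo: pam_sss(sudo:auth): received for user alice: 4 (System error)
Sep 27 10:40:02 hostC sudo: pam_sss(sudo:auth): authentication failure; logname=bob uid=0 euid=0 tty=/dev/pts/3 ruser=bob rhost=  user=bob
Sep 27 10:40:02 hostC sudo: pam_sss(sudo:auth): received for user bob: 7 (Authentication failure)
Sep 27 10:41:15 hostD sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=0 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) sudo: (?P<msg>.*)$")
SSS_SUCCESS_RE = re.compile(r"pam_sss\(sudo:auth\): authentication success;")
SSS_INFO_RE = re.compile(r"pam_sss\(sudo:auth\): system info: \[(?P<info>[^\]]*)\]")
SSS_RESULT_RE = re.compile(
    r"pam_sss\(sudo:auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")

PAM_SYSTEM_ERR = 4   # pam_sss logs the PAM return code: 4 is PAM_SYSTEM_ERR, 7 is PAM_AUTH_ERR


def triage(log_text: str) -> Dict[str, dict]:
    """Per host: count pam_sss successes, rejected passwords and system errors,
    and collect SSSD's 'system info' details. pam_unix failures are ignored:
    IPA users have no local password, so pam_unix fails first on every host."""
    hosts: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = hosts.setdefault(m.group("host"), {"success": 0, "auth_failure": 0,
                                                 "system_error": 0, "sss_info": []})
        msg = m.group("msg")
        if SSS_SUCCESS_RE.search(msg):
            rec["success"] += 1
            continue
        info = SSS_INFO_RE.search(msg)
        if info:
            rec["sss_info"].append(info.group("info"))
            continue
        res = SSS_RESULT_RE.search(msg)
        if res:
            if int(res.group("code")) == PAM_SYSTEM_ERR:
                rec["system_error"] += 1
            else:
                rec["auth_failure"] += 1
    return hosts


def verdict(rec: dict) -> str:
    """Classify one host's record."""
    if rec["system_error"]:
        return "sssd-error"      # SSSD could not complete the request: a client-side problem
    if rec["success"]:
        return "ok"
    if rec["auth_failure"]:
        return "bad-password"    # credentials were rejected (typically a wrong password)
    return "no-pam_sss"          # pam_sss never reported: check the sudo PAM stack


def suspicious_hosts(log_text: str) -> List[str]:
    """Hosts whose sudo failures are SSSD errors rather than wrong passwords."""
    return sorted(h for h, rec in triage(log_text).items() if verdict(rec) == "sssd-error")


if __name__ == "__main__":
    for host, rec in sorted(triage(SAMPLE_LOG).items()):
        print(host, verdict(rec), rec["sss_info"])
```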
From jhrozek at redhat.com Thu Sep 27 08:14:04 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 27 Sep 2012 10:14:04 +0200
Subject: [Freeipa-users] FreeIPA 3 rc1 sslget error
In-Reply-To:
References:
Message-ID: <20120927081404.GQ25493@hendrix.brq.redhat.com>

On Thu, Sep 27, 2012 at 09:56:02AM +0200, Pieter Baele wrote:
> Hi,
>
> Two problems with FreeIPA 3 on an updated Fedora 17 (updates-testing enabled)
>
> 1) dependency error for libsss_sudo
>
> Error: Package: sudo-1.8.3p1-7.fc17.x86_64 (@updates)
>            Requires: libsss_sudo.so.0(EXPORTED)(64bit)
>            Removing: libsss_sudo-1.8.4-14.fc17.x86_64 (@updates)
>                libsss_sudo.so.0(EXPORTED)(64bit)
>            Updated By:
> libsss_sudo-1.8.99-0.20120913T1717Zgitbb42eab.fc17.x86_64
> (freeipa-devel)
>                Not found
>            Available: libsss_sudo-1.8.2-10.fc17.x86_64 (fedora)
>                libsss_sudo.so.0(EXPORTED)(64bit)
> Error: Package: sudo-1.8.3p1-7.fc17.x86_64 (@updates)
>            Requires: libsss_sudo.so.0()(64bit)
>            Removing: libsss_sudo-1.8.4-14.fc17.x86_64 (@updates)
>                libsss_sudo.so.0()(64bit)
>            Updated By:
> libsss_sudo-1.8.99-0.20120913T1717Zgitbb42eab.fc17.x86_64
> (freeipa-devel)
>                Not found
>            Available: libsss_sudo-1.8.2-10.fc17.x86_64 (fedora)
>                libsss_sudo.so.0()(64bit)
>
>

It seems you have mixed packages from the ipa-devel repository (that includes new libsss_sudo and the corresponding sudo) and from stock updates/updates-testing.

$ yum list extras

would show you the packages that are installed on your system but not available in any configured repository.
From abokovoy at redhat.com Thu Sep 27 08:29:25 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 27 Sep 2012 11:29:25 +0300
Subject: [Freeipa-users] FreeIPA 3 rc1 sslget error
In-Reply-To:
References:
Message-ID: <20120927082925.GR17454@redhat.com>

On Thu, 27 Sep 2012, Pieter Baele wrote:
>2) some error on RA agent certificate issuing
>
>[16/20]: issuing RA agent certificate
>Unexpected error - see /var/log/ipaserver-install.log for details:
>CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p
>XXXXXXXX -d /tmp/tmp-1ItZiZ -r /ca/agent/ca/profileReview?requestId=7
>ipa.nix.be:9443' returned non-zero exit status 6

https://bugzilla.redhat.com/show_bug.cgi?id=859043

--
/ Alexander Bokovoy

From d.sastre.medina at gmail.com Thu Sep 27 08:53:06 2012
From: d.sastre.medina at gmail.com (David Sastre)
Date: Thu, 27 Sep 2012 10:53:06 +0200
Subject: [Freeipa-users] Password failing for sudo-ldap authentication only from one host
In-Reply-To: <20120927080126.GP25493@hendrix.brq.redhat.com>
References: <50635240.1080100@redhat.com> <20120926210817.GB5907@pris.crapsteak.org> <20120927080126.GP25493@hendrix.brq.redhat.com>
Message-ID:

On Thu, Sep 27, 2012 at 10:01 AM, Jakub Hrozek wrote:

> On Thu, Sep 27, 2012 at 08:18:21AM +0200, David Sastre wrote:
> > On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina wrote:
> > > On Thu, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote:
> > > > David Sastre wrote:
> > > > > [big snip]
> > > > Does sssd work on this machine otherwise? getent passwd , you
> > > > can log into the console as the user, or perhaps kinit to the user?
> > >
> > It looks like sssd is operating correctly
> > I can also kinit w/o problems:
>
> kinit bypasses the SSSD and talks to the KDC directly.
> ...however, the ssh should go through the SSSD...
>
> Can you check the messages that appear in /var/log/secure during the
> sudo auth attempt? You should see pam_sss being contacted, what does it
> say? Is there any error?
>

Jakub,

Does your comment mean ssh/sshd is misbehaving or badly configured?

There are, indeed, errors regarding pam_sss in /var/log/secure.

This is a successful login+sudo+logout on a host:

Sep 27 10:29:56 panoramix sshd[12913]: Authorized to dsastrem, krb5 principal dsastrem@SOME.DOMAIN.COM (krb5_kuserok)
Sep 27 10:29:56 panoramix sshd[12913]: Accepted gssapi-with-mic for dsastrem from 172.26.130.101 port 58678 ssh2
Sep 27 10:29:56 panoramix sshd[12913]: pam_unix(sshd:session): session opened for user dsastrem by (uid=0)
Sep 27 10:30:13 panoramix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost=  user=dsastrem
Sep 27 10:30:13 panoramix sudo: pam_sss(sudo:auth): authentication success; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost=  user=dsastrem
Sep 27 10:30:13 panoramix sudo: dsastrem : TTY=pts/2 ; PWD=/home/dsastrem ; USER=root ; COMMAND=/sbin/ip addr show
Sep 27 10:30:32 panoramix sshd[12942]: Received disconnect from 172.26.130.101: 11: disconnected by user
Sep 27 10:30:32 panoramix sshd[12913]: pam_unix(sshd:session): session closed for user dsastrem

This one is a failed attempt to do the same on another host:

Sep 27 10:32:27 obelix sshd[5242]: Authorized to dsastrem, krb5 principal dsastrem@SOME.DOMAIN.COM (krb5_kuserok)
Sep 27 10:32:27 obelix sshd[5242]: Accepted gssapi-with-mic for dsastrem from 172.26.130.101 port 38276 ssh2
Sep 27 10:32:27 obelix sshd[5242]: pam_unix(sshd:session): session opened for user dsastrem by (uid=0)
Sep 27 10:32:50 obelix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost=  user=dsastrem
Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): system info: [Permission denied]
Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost=  user=dsastrem
Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): received for user dsastrem: 4 (System error)
Sep 27 10:33:13 obelix sudo: pam_unix(sudo:auth): conversation failed
Sep 27 10:33:13 obelix sudo: pam_unix(sudo:auth): auth could not identify password for [dsastrem]
Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost=  user=dsastrem
Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): received for user dsastrem: 4 (System error)
Sep 27 10:33:13 obelix sudo: dsastrem : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/dsastrem ; USER=root ; COMMAND=/sbin/ip addr show
Sep 27 10:33:21 obelix sshd[5281]: Received disconnect from 172.26.130.101: 11: disconnected by user
Sep 27 10:33:21 obelix sshd[5242]: pam_unix(sshd:session): session closed for user dsastrem

I can see now where it is failing, but I can't understand why (yet). Is this PAM related?

From dpal at redhat.com Thu Sep 27 13:58:40 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 27 Sep 2012 09:58:40 -0400
Subject: [Freeipa-users] Easy deployment
In-Reply-To: <50621178.7080208@nixtra.com>
References: <50621178.7080208@nixtra.com>
Message-ID: <50645B90.6040304@redhat.com>

On 09/25/2012 04:18 PM, Sigbjorn Lie wrote:
> On 09/25/2012 12:17 AM, James James wrote:
>> Hi guys,
>>
>> we are planning to install 150 freeipa clients and I was wondering if
>> there is a way to easily install (from kickstart) nfsv4 client.
>>
>> I can add host with
>>
>> # ipa host-add --password=secret
>>
>> But to get the keytab (host and service), I have to log into the
>> machine, launch kinit and get the keytab.
>>
>> This will be very painful for 150 clients ....
>>
>> Any hints are welcome ...
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Hi,
>
> I am working on integrating what you are asking for into OneClickKick.
> OneClickKick is a web-based GUI for managing a DHCP server and PXE
> booting. The current version can read the host objects from IPA's
> LDAP, and you can use these to generate PXE boot files for
> kickstarting RHEL/Fedora, preseeding Debian/Ubuntu installations, doing
> BIOS upgrades, running LIVE environments, etc.
>
> What I have done in the past is to add a line like this to the post
> section of the kickstart:
> /usr/sbin/ipa-client-install --domain="ix.test.com"
> --principal="ipajoinuser" --password="somepassword" -U -f
>
> This is not ideal, even though the kickstart is saved in a database and
> only made available dynamically through a php script to the host that's
> enabled for kickstarting. It is not saved in a text file on the disk.
> The next version will include tighter integration with IPA, where a One
> Time Password is set for the host being kickstarted at the time it's
> enabled for kickstarting, and this password is seeded dynamically when
> the host is served its kickstart file.
>
> The next version will also have the PXE Enrollment boot image updated
> to support adding new hosts directly into IPA. PXE Enrollment
> is support for adding a new host simply by PXE booting it, logging on,
> and giving it a hostname and assigning it a kickstart profile to
> load the machine directly from the console of the new machine.
>
> Adding machines directly to IPA from the web UI will also be
> available in the next version. This allows you to do everything from
> adding the host, to selecting the kickstart profile group, and
> enabling for PXE installation/kickstart in 1 step.
>
> It can also search through the /var/log/messages file to find new hosts that are unknown to its naming sources and directly add these.
>
> You can also select a group of machines to install, so if you have your 150 machines in one group you can select the entire group for installation.
>
> See the project website or contact me for more information:
> http://sourceforge.net/projects/oneclickkick/

Have you looked at Foreman?

> Regards,
> Siggi

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmeggins at redhat.com Thu Sep 27 15:49:54 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 27 Sep 2012 09:49:54 -0600
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <50627A96.2090102@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz> <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C853F.2090003@redhat.com> <505C8BF3.60604@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz> <50620863.4030801@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D3964@STAWINCOX10MBX1.staff.vuw.ac.nz> <5062298F.2010709@redhat.com> <50625AF8.1010805@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D41F6@STAWINCOX10MBX1.staff.vuw.ac.nz> <50627A96.2090102@redhat.com>
Message-ID: <506475A2.3070606@redhat.com>

On 09/25/2012 09:46 PM, Rob Crittenden wrote:
> Steven Jones wrote:
>> Hi,
>>
>> I don't have a ldapmodify command for changing something in AD.
>>
>> I have increased the only scope I/we know about, which is the return of objects from a search inside the AD gui, but that might be specific to that view tool. That is 2000 by default, I've set 40000, I am testing it now, if that doesn't work....
>>
>> Our best AD person is currently researching to see if it's even possible to alter that hard code in AD. The only way he can see is using a windows/ad specific command line command to modify the internals of AD, but he's never seen or read about doing it for this attribute.
>
> Rich knows more about this than me, so maybe he knows what value you're changing, but I don't. Where exactly in the AD gui are you changing the value to 40k?

There are limits you can set that apply only to the GUI, and there are limits you can set which apply to LDAP. It's possible you set some limits which only apply to the windows GUI.

http://support.microsoft.com/kb/315071

I don't see any setting which directly corresponds to sizelimit. The only ones that control the size of the result set are: MaxPageSize, which seems only to apply to paged result searches; MaxTempTableSize, which sounds something like our idlistscanlimit and could be applicable here; and MaxResultSetSize, which could also be applicable here.

Do you have more than 10000 entries in your active directory? Might AD be attempting to return more than 262,144 bytes?

>
> regards
>
> rob
>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 26 September 2012 1:31 p.m.
>> To: Rich Megginson
>> Cc: Steven Jones; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>>
>> Rich Megginson wrote:
>>> On 09/25/2012 03:34 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> I have set the filter size as 20000 for the user and it makes no difference.
>>> Where did you set this? In IPA? In AD? If so, where? How?
>>> What does "filter size" mean? To me, it means "the size of an LDAP search filter in an LDAP search request" not "the maximum number of entries returned by a search".
>>
>> The more details you can provide on what you did the better. This might include the exact ldapmodify command, where you entered it in AD, the attribute names, whichever is applicable.
>>
>> regards
>>
>> rob

From rmeggins at redhat.com Thu Sep 27 16:08:03 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 27 Sep 2012 10:08:03 -0600
Subject: [Freeipa-users] winsync agreement transferred users not going into ipausers and existing users dropped from all their groups
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546D485A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40546D485A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <506479E3.1030104@redhat.com>

On 09/26/2012 03:17 PM, Steven Jones wrote:
> Is this expected?

Ticket #2324 AD Users synced to IPA server are not added to "ipausers" group
https://fedorahosted.org/freeipa/ticket/2324

By "existing users" do you mean existing users in IPA? Are these users synced with entries in AD?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272

From jreg2k at gmail.com Thu Sep 27 16:51:08 2012
From: jreg2k at gmail.com (James James)
Date: Thu, 27 Sep 2012 18:51:08 +0200
Subject: [Freeipa-users] Easy deployment
In-Reply-To: <50645B90.6040304@redhat.com>
References: <50621178.7080208@nixtra.com> <50645B90.6040304@redhat.com>
Message-ID:

Not yet, but can you give me some clues?

2012/9/27 Dmitri Pal
> On 09/25/2012 04:18 PM, Sigbjorn Lie wrote:
> On 09/25/2012 12:17 AM, James James wrote:
> [...]
>
> Have you looked at Foreman?
>
> Regards,
> Siggi
> [...]

From David.Fitzgerald at millersville.edu Thu Sep 27 19:36:28 2012
From: David.Fitzgerald at millersville.edu (David Fitzgerald)
Date: Thu, 27 Sep 2012 15:36:28 -0400
Subject: [Freeipa-users] clients very slow
In-Reply-To: <50526307.1010305@redhat.com>
References: <73D5696F6096F9478FA4CA43E2FD99B9B958FFC8@mail6.millersville.edu> <50526307.1010305@redhat.com>
Message-ID: <73D5696F6096F9478FA4CA43E2FD99B9B9E7B2E0@mail6.millersville.edu>

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, September 13, 2012 6:50 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] clients very slow

On 09/13/2012 09:54 AM, David Fitzgerald wrote:

Hello Everyone,

I work at a small university and I deployed freeIPA on my Linux network over the summer break with no (known) problems, and everything worked as expected. However, now that the semester has started and the Linux system is under a much higher load, I am noticing that my client machines will randomly slow to a crawl. For example, I have a lab of 25 machines. The students can log in ok, but after a time, a few of the machines will freeze so that the users on those machines cannot do anything. After a few minutes, the frozen machines will unfreeze, but other machines will freeze up. I can't see any pattern to what machines freeze up. I did not have this problem when running NIS, so I suspect it is something in freeIPA but I am not sure what to look for to solve the problem. Probably a setting somewhere needs tweaking but I don't know.
The server and clients all run Scientific Linux 6.2. Can anyone help me troubleshoot this?

Do you use SSSD as a client or something else? If SSSD we would need the nsswitch, pam, krb5.conf, sssd.conf configuration files and SSSD logs set to debug_level=8 or 9.

What operation are they freezing on? Is it login/authentication or just suddenly, which probably indicates identity lookup. So freezes might be related to the DNS or name resolution lookups that those machines do. They might be accessing a DNS server that is down or misconfigured before failing over to a correct one. So /etc/resolv.conf, /etc/hosts would be helpful. But you might need to check the DNS configuration yourself.

HTH

We do use SSSD as a client. The freeze occurs suddenly, after the user logs in. One process that always is at the top of 'top' when the systems freeze is 'xxx.xxx.xxx.xxx-ma', where the xxx's are the ip address of my freeIPA server. Watching the network during these freezes shows that the clients are attempting to contact the freeIPA server but we don't see a reply. Is there a limit on the number of connections the server can handle?

Thanks!
Dave

+++++++++++++++++++++++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551
Phone: 717-871-2394

From Steven.Jones at vuw.ac.nz Thu Sep 27 20:38:52 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 27 Sep 2012 20:38:52 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546D4D48@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF51A@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CF921@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546CFA1A@STAWINCOX10MBX1.staff.vuw.ac.nz> <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C8BF3.60604@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz> <50620863.4030801@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D3964@STAWINCOX10MBX1.staff.vuw.ac.nz> <50625AF8.1010805@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D41F6@STAWINCOX10MBX1.staff.vuw.ac.nz> <50627A96.2090102@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D4D48@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D4D66@STAWINCOX10MBX1.staff.vuw.ac.nz>

It's also a forest-wide setting....

:/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 27 September 2012 3:57 p.m.
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

Unable to get this to work on win2k3r2 even with enterprise admin permissions.
What I have found is this, which I'm about to try:

1. Use adsiedit.msc to bind to any domain controller.
2. Navigate through
   Configuration
   CN=Configuration,DC=,DC=COM
   CN=Services
   CN=Windows NT
   CN=Directory Services
   CN=Query-Policies
3. Double-click CN=Default Query Policy in the right-hand pane.
4. Double-click LdapAdminLimits.
5. Select MaxPageSize and press Remove.
6. Modify the limit of MaxPageSize and press Add.
7. Press OK, Apply, and OK.
8. Close ADSI Edit.
9. After replication, the new limit should be available.

adsiedit is part of the ms support tools here,

http://www.microsoft.com/en-us/download/confirmation.aspx?id=7911

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Natxo Asenjo [natxo.asenjo at gmail.com]
Sent: Thursday, 27 September 2012 2:04 a.m.
To: Rob Crittenden
Cc: Steven Jones; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On Wed, Sep 26, 2012 at 5:46 AM, Rob Crittenden wrote:
>
> Steven Jones wrote:
>>
>> Hi,
>>
>> I don't have a ldapmodify command for changing something in AD.
>>
>> I have increased the only scope I/we know about, which is the return of objects from a search inside the AD gui, but that might be specific to that view tool. That is 2000 by default, I've set 40000, I am testing it now, if that doesn't work....
>>
>> Our best AD person is currently researching to see if it's even possible to alter that hard code in AD. The only way he can see is using a windows/ad specific command line command to modify the internals of AD, but he's never seen or read about doing it for this attribute.
>

sounds like you need to upgrade your MaxPageSize and LDAPAdminLimits attribute of the Default Query Policy object in the Query-Policies container. We needed to do this to be able to get more than 1000 objects from AD a long time ago.

The details I used back then were here:

http://technet.microsoft.com/en-us/library/aa998536.aspx

cmd.exe -> ntdsutil.exe (on a domain controller)

At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.

show values [enter]
ldap policy: show values

Policy                  Current(New)
MaxPoolThreads          4
MaxDatagramRecv         4096
MaxReceiveBuffer        10485760
InitRecvTimeout         120
MaxConnections          5000
MaxConnIdleTime         900
MaxPageSize             1000
MaxQueryDuration        120
MaxTempTableSize        10000
MaxResultSetSize        262144
MaxNotificationPerConn  5
MaxValRange             1500

We want to change MaxPageSize.

First we need to authenticate:

connections [enter]
set creds domain user pwd
connect to domain your.domain
q

then we go to ldap policy

set MaxPageSize to 2000
Commit Changes
quit
quit

-- 
natxo

From d.sastre.medina at gmail.com Thu Sep 27 20:41:46 2012
From: d.sastre.medina at gmail.com (David Sastre Medina)
Date: Thu, 27 Sep 2012 22:41:46 +0200
Subject: [Freeipa-users] Problem with webui: kerberos ticket no longer valid
In-Reply-To: <504DE426.9060001@redhat.com>
References: <50375220.7080001@s3group.cz> <504DE426.9060001@redhat.com>
Message-ID: <20120927204145.GD6934@pris.crapsteak.org>

On Mon, Sep 10, 2012 at 08:59:18AM -0400, Dmitri Pal wrote:
> On 08/24/2012 06:31 AM, David Sastre wrote:
> > On Fri, Aug 24, 2012 at 12:06 PM, Ondrej Valousek wrote:
> >> try running 'kinit -R'?
> > Nope. It fails even after kdestroy and kinit anew.
>
> Was this issue ever resolved?

Just for the record: yes, it was solved.
Pure PEBKAC, as I was messing with polyinstantiated dirs, and the workaround was to obtain the tgt and open up the browser within the same session:

$ ssh -X user at freeipa.server.com 'kinit admin; firefox'

-- 
Primary key fingerprint: AD8F BDC0 5A2C FD5F A179 60E7 F79B AB04 5299 EC56

From rmeggins at redhat.com Thu Sep 27 20:41:22 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 27 Sep 2012 14:41:22 -0600
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546D4D66@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C8BF3.60604@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz> <50620863.4030801@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D3964@STAWINCOX10MBX1.staff.vuw.ac.nz> <50625AF8.1010805@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D41F6@STAWINCOX10MBX1.staff.vuw.ac.nz> <50627A96.2090102@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D4D48@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D4D66@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5064B9F2.7060005@redhat.com>

On 09/27/2012 02:38 PM, Steven Jones wrote:
> It's also a forest-wide setting....

Just to confirm - setting MaxPageSize higher allows winsync to pull every user, but this is an unacceptable solution because it applies to the entire tree rather than a subset and/or a particular user?

>
> :/
>
> regards
>
> Steven Jones
> [...]
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Thursday, 27 September 2012 3:57 p.m.
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> Hi,
>
> Unable to get this to work on win2k3r2 even with enterprise admin permissions.
>
> What I have found is this, which I'm about to try,
> [...]
>
> ________________________________________
> From: Natxo Asenjo [natxo.asenjo at gmail.com]
> Sent: Thursday, 27 September 2012 2:04 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> [...]
>
> --
> natxo

From Steven.Jones at vuw.ac.nz Thu Sep 27 20:57:35 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 27 Sep 2012 20:57:35 +0000
Subject: [Freeipa-users] winsync agreement transferred users not going into ipausers and existing users dropped from all their groups
In-Reply-To: <506479E3.1030104@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40546D485A@STAWINCOX10MBX1.staff.vuw.ac.nz> <506479E3.1030104@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D5077@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Yes existing IPA users....all users that are in AD lose ipausers AND any IPA user groups they were assigned to in IPA before the winsync takes place.

So to be clear (I hope),

After the winsync any IPA user NOT in AD stays in ipausers and their assigned IPA groups and works normally.

After the winsync any pre-sync user in IPA and AD loses ALL IPA user group membership not just ipauser....and is not working.

After the winsync any user not until then in IPA but synced over from AD does not end up in ipausers (which was my understanding of what was meant to happen). That actually is no biggie...

So I lost 80% of my user setup, it's a lot bigger issue than "not added to ipauser" group.

:(

Fortunately it's a cloned virtual test bed....and not production.....ouch...
This and not bringing over all users because the user can have a sub-folder for mobile phone sync so gets wiped by the previous bug we discussed are total show stoppers for our IPA and RHEL desktop deployment,

Which seems to imply not this year?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Friday, 28 September 2012 4:08 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement transferred users not going into ipausers and existing users dropped from all their groups

On 09/26/2012 03:17 PM, Steven Jones wrote:
> Is this expected?

Ticket #2324 AD Users synced to IPA server are not added to "ipausers" group
https://fedorahosted.org/freeipa/ticket/2324

By "existing users" do you mean existing users in IPA? Are these users synced with entries in AD?

>
> regards
>
> Steven Jones
> [...]

From rmeggins at redhat.com Thu Sep 27 21:03:06 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 27 Sep 2012 15:03:06 -0600
Subject: [Freeipa-users] winsync agreement transferred users not going into ipausers and existing users dropped from all their groups
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40546D5077@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40546D485A@STAWINCOX10MBX1.staff.vuw.ac.nz> <506479E3.1030104@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D5077@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5064BF0A.3010904@redhat.com>

On 09/27/2012 02:57 PM, Steven Jones wrote:
> Hi,
>
> Yes existing IPA users....all users that are in AD lose ipausers AND any IPA user groups they were assigned to in IPA before the winsync takes place.
>
> So to be clear (I hope),
>
> After the winsync any IPA user NOT in AD stays in ipausers and their assigned IPA groups and works normally.
>
> After the winsync any pre-sync user in IPA and AD loses ALL IPA user group membership not just ipauser....and is not working.

Ok. This is a new issue.

>
> After the winsync any user not until then in IPA but synced over from AD does not end up in ipausers (which was my understanding of what was meant to happen). That actually is no biggie...

Right, this is https://fedorahosted.org/freeipa/ticket/2324

>
> So I lost 80% of my user setup, it's a lot bigger issue than "not added to ipauser" group.
>
> :(
>
> Fortunately it's a cloned virtual test bed....and not production.....ouch...
>
> This and not bringing over all users because the user can have a sub-folder for mobile phone sync so gets wiped by the previous bug we discussed are total show stoppers for our IPA and RHEL desktop deployment,

This is a new one, perhaps I missed it. If an AD user has a sub-folder, that user is not synced to IPA, and due to #355 winsync should not delete entry that appears to be out of scope it then is deleted from IPA? In this case, should winsync sync the sub-folder, or ignore it, and just sync the user entry?

>
> Which seems to imply not this year?
>
> regards
>
> Steven Jones
> [...]
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Friday, 28 September 2012 4:08 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement transferred users not going into ipausers and existing users dropped from all their groups
>
> On 09/26/2012 03:17 PM, Steven Jones wrote:
>> Is this expected?
> Ticket #2324 AD Users synced to IPA server are not added to "ipausers" group
> https://fedorahosted.org/freeipa/ticket/2324
>
> By "existing users" do you mean existing users in IPA? Are these users synced with entries in AD?
> [...]

From dpal at redhat.com Thu Sep 27 22:36:21 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 27 Sep 2012 18:36:21 -0400
Subject: [Freeipa-users] Easy deployment
In-Reply-To:
References: <50621178.7080208@nixtra.com> <50645B90.6040304@redhat.com>
Message-ID: <5064D4E5.6080505@redhat.com>

On 09/27/2012 12:51 PM, James James wrote:
> Not yet, but can you give me some clues?

It is the project that does pretty much what you are trying to accomplish. It has a nice UI. It might make sense to take a look.

http://theforeman.org/

>
> 2012/9/27 Dmitri Pal
>
> On 09/25/2012 04:18 PM, Sigbjorn Lie wrote:
>> On 09/25/2012 12:17 AM, James James wrote:
>>> [...]
>> Hi,
>>
>> I am working on integrating what you are asking for into OneClickKick. OneClickKick is a web-based GUI for managing DHCP server and PXE booting.
The current version can read the >> host objects from IPA's LDAP, and you can use these to generate >> PXE boot files for kickstarting RHEL/Fedora, preseeding >> Debian/Ubuntu installations, do BIOS upgrades, run LIVE >> environments, etc. >> >> What I have done in the past is to add a line like this to the >> post section of the kickstart: >> /usr/sbin/ipa-client-install --domain="ix.test.com >> " --principal="ipajoinuser" >> --password="somepassword" -U -f >> >> This is not ideal even though the kickstart is saved in a >> database and only made available dynamically trough a php script >> to the host that's enabled for kickstarting. It is not saved in a >> text file on the disk. The next version will include tighter >> integration with IPA where a One Time Password is set for the >> host being kickstarted at the time it's enabled for kickstarting, >> and this password is seeded dynamically when the host is served >> it's kickstart file. >> >> The next version will also have the PXE Enrollment boot image >> updated to supporting adding new hosts directly into IPA. The PXE >> Enrollment is support for adding a new host simply to PXE booting >> it, logging on, and giving it a hostname and assigning it with a >> kickstart profile to load the machine directly from the console >> of the new machine. >> >> Adding of machines directly to IPA from the web UI will also be >> available in the next version. This allows you to do everything >> from adding the host, to selecting the kickstart profile group, >> and enabling for PXE installation/kickstart in 1 step. >> >> It can also search trough the /var/log/messages file to find new >> hosts that's unknown to it's naming sources and directly add these. >> >> You can also select a group of machine to install, so if you have >> your 150 machines in one group you can select the entire group >> for installation. 
>>
>> See the project website or contact me for more information:
>> http://sourceforge.net/projects/oneclickkick/
>>
>
> Have you looked at Foreman?
>
>> Regards,
>> Siggi
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Thu Sep 27 23:50:13 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 27 Sep 2012 23:50:13 +0000
Subject: [Freeipa-users] winsync agreement transferred users not going into ipausers and existing users dropped from all their groups
In-Reply-To: <5064BF0A.3010904@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40546D485A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <506479E3.1030104@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D5077@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5064BF0A.3010904@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D5119@STAWINCOX10MBX1.staff.vuw.ac.nz>

8><--------
> This and not bringing over all users because the user can have a sub-folder for mobile phone sync so gets wiped by the previous bug we discussed are total show stoppers for our IPA and RHEL desktop deployment,

This is a new one, perhaps I missed it.
If an AD user has a sub-folder, that user is not synced to IPA, and due to #355 winsync should not delete entry that appears to be out of scope it then is deleted from IPA? In this case, should winsync sync the sub-folder, or ignore it, and just sync the user entry?

I think I asked / suggested for this as a flag --exclude-subfolders or similar....It might fix it but AD's can be modded so much it might be a nightmare and you will need some serious testing per site.

8><---------

I will try and describe this as best I can....

so the user is (hope this is understandable)

cn=user,ou=VUW_Staff,dc=staff,dc=vuw etc

What looks to be happening is (my best guess) the user gets synced over as its --win-subtree= ou=VUW_Staff,dc=staff,dc=vuw etc but then there is a sort of symlink thing from cn=exchangesyncusers,cn=user,dc=staff,dc=vuw etc that's actually to a subdirectory under some of users... The ones with mobile smart phones, maybe you can swing an iphone5 each to test...;)

Hence I think the known bug coming into play as the agreement is moving the user over and its next object is the cn=exchangesyncusers,cn=user,ou=VUW_Staff,dc=vuw etc so it promptly deletes the user it just added.

This exchange-sync-user subfolder is invisible until you go to advanced view and turn the users into folders and scroll down and find the user (it took our exchange guru to show me) at that point this sync to exchange folder "appears" and it's oops time. :/

I guess the problem is AD can be changed so much from a vanilla layout that finding these odd things and allowing for it in the winsync command is a bit of a nightmare, especially if you don't know there is an advanced AD view!

I certainly suggest that unless whomever can deploy this doesn't do it live first off but in a test environment with a FULL copy of their AD. My management actually wanted me to do a simple test AD environment as a trial, that wouldn't have picked this up until too late when I did it on production.
I think I asked for a --exclude-subfolders flag which would cover our disabled users as it's a subfolder under the --win-subtree=OU=VUW_Staff....but it looks like this is a symlink at a peer level, so actually fixing the #355 bug would stop it being an issue I think.

I'm at home today so I can't supply much more info right now but I'll try on Monday if you need more...

regards

From Steven.Jones at vuw.ac.nz Fri Sep 28 03:56:02 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 28 Sep 2012 03:56:02 +0000
Subject: [Freeipa-users] winsync agreement wipes IPA users
In-Reply-To: <5064B9F2.7060005@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4053CA54AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <505BA8EC.3030200@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D007D@STAWINCOX10MBX1.staff.vuw.ac.nz> <505C4D9D.10404@redhat.com> <505C6A6F.8060004@redhat.com> <505C81FC.9080701@redhat.com> <505C82CB.2010201@redhat.com> <505C8BF3.60604@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D36B7@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D36E2@STAWINCOX10MBX1.staff.vuw.ac.nz> <50620863.4030801@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D3964@STAWINCOX10MBX1.staff.vuw.ac.nz> <50625AF8.1010805@redhat.com> <833D8E48405E064EBC54C84EC6B36E40546D41F6@STAWINCOX10MBX1.staff.vuw.ac.nz> <50627A96.2090102@redhat.com>, , <833D8E48405E064EBC54C84EC6B36E40546D4D48@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40546D4D66@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5064B9F2.7060005@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40546D5252@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Once we get bug #533 fixed then I'll know if it will bring all users, it isn't at present but I don't know if it's bug #533 or AD still.

Our AD specialist is not very bothered about it and has advised our management that he thinks it's no biggee...however other organisations might not be so happy.
Part of the problem is finding what value to set but we have the ldapsearch xxxxxxxxxx | wc -l to give us an idea...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Friday, 28 September 2012 8:41 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/27/2012 02:38 PM, Steven Jones wrote:
> It's also a forest wide setting....

Just to confirm - setting MaxPageSize higher allows winsync to pull every user, but this is an unacceptable solution because it applies to the entire tree rather than a subset and/or a particular user?

>
> :/
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Thursday, 27 September 2012 3:57 p.m.
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> Hi,
>
> Unable to get this to work on win2k3r2 even with enterprise admin permissions.
>
> What I have found is this which I'm about to try,
>
> 1. Use adsiedit.msc to bind to any domain controller.
> 2. Navigate through
>    Configuration
>    CN=Configuration,DC=,DC=COM
>    CN=Services
>    CN=Windows NT
>    CN=Directory Services
>    CN=Query-Policies
> 3. Double-click CN=Default Query Policy in the right-hand pane.
> 4. Double-click LdapAdminLimits.
> 5. Select MaxPageSize and press Remove.
> 6. Modify the limit of MaxPageSize and press Add.
> 7. Press OK, Apply, and OK.
> 8. Close ADSI Edit.
> 9. After replication, the new limit should be available.
>
> adsiedit is part of the ms support tools here,
>
> http://www.microsoft.com/en-us/download/confirmation.aspx?id=7911
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Natxo Asenjo [natxo.asenjo at gmail.com]
> Sent: Thursday, 27 September 2012 2:04 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On Wed, Sep 26, 2012 at 5:46 AM, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> Hi,
>>>
>>> I don't have a ldapmodify command for changing something in AD.
>>>
>>> I have increased the only scope I/we know about which is the return of objects from a search inside the AD gui but that might be specific to that view tool. That is 2000 by default, I've set 40000, I am testing it now, if that doesn't work....
>>>
>>> Our best AD person is currently researching to see if it's even possible to alter that hard code in AD. The only way he can see is using a windows/ad specific command line command to modify the internals of AD but he's never seen or read about doing it for this attribute.
>>
> sounds like you need to upgrade your MaxPageSize and LDAPAdminLimits attribute of the Default Query Policy object in the Query-Policies container. We needed to do this to be able to get more than 1000 objects from AD a long time ago.
>
> The details I used back then were here:
>
> http://technet.microsoft.com/en-us/library/aa998536.aspx
>
>
> cmd.exe -> ntdsutil.exe (on a domain controller)
>
> At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.
>
> show values [enter]
> ldap policy: show values
>
> Policy                  Current(New)
> MaxPoolThreads          4
> MaxDatagramRecv         4096
> MaxReceiveBuffer        10485760
> InitRecvTimeout         120
> MaxConnections          5000
> MaxConnIdleTime         900
> MaxPageSize             1000
> MaxQueryDuration        120
> MaxTempTableSize        10000
> MaxResultSetSize        262144
> MaxNotificationPerConn  5
> MaxValRange             1500
>
> We want to change MaxPageSize.
>
> First we need to authenticate:
>
> connections [enter]
> set creds domain user pwd
> connect to domain your.domain
> q
>
> then we got to ldap policy
>
> set MaxPageSize to 2000
> Commit Changes
> quit
> quit
>
> --
> natxo
>

From simon.williams at thehelpfulcat.com Fri Sep 28 10:57:26 2012
From: simon.williams at thehelpfulcat.com (Simon Williams)
Date: Fri, 28 Sep 2012 11:57:26 +0100
Subject: [Freeipa-users] Certificates for public facing web sites
Message-ID:

Hi

Possibly a bit of a strange requirement, I don't really know!

I have a small business and am using IPA to manage our network. I have migrated from an LDAP setup with a variety of different certificates lying around for different applications and find IPA much easier to administer, despite the fact that it is probably overkill for a couple of users using half a dozen hosts.

I have a few named virtual hosts that provide access to web based systems from outside the local network, but I do not have sufficient control over the external domain's DNS to add a subdomain with its own DNS. I can add A records and CNAME records to point to the virtual hosts, but I cannot add NS records to delegate name resolution to my own DNS. The ISP I use does not allow dynamic DNS updates.
I would like to use FreeIPA to manage the SSL certificates for these virtual hosts using mod_nss and have already implemented this successfully for virtual hosts on the local domain, but since I do not control the public domain, I can't see how to achieve this.

Please forgive me if I am missing something obvious, but I've only been using FreeIPA for two weeks and it is a testament to its ease of use that I have managed to get as far as I have with it in that time unaided!

Regards

Simon Williams

From eivind at aminor.no Fri Sep 28 12:08:28 2012
From: eivind at aminor.no (Eivind Olsen)
Date: Fri, 28 Sep 2012 14:08:28 +0200
Subject: [Freeipa-users] Strange issue regarding password change
Message-ID: <4f56a7ff3305e6123fc644ab47f96da0.squirrel@webmail.aminor.no>

I've noticed an issue here. It's most likely something I've managed to do the wrong way, or something really obvious I'm missing, but at the moment I can't see what it is (otherwise I'd fix it instead of asking for help here :))

I have a setup with some RHEL 6.3 boxes, using the IPA bundled with that OS (ipa-client-2.2.0-16, and same version of the ipa-server as well).

When I create new users, I assign them a password, and they're required to change their password at the first login. My problem is that I can only get this password change to work when I ssh to the KDC/IPA server - it fails if I ssh to one of the clients instead. After I have changed the password on the KDC, I can ssh to the clients.

Here's an example of what it looks like when I ssh from a laptop that's not part of the kerberos realm, to one of the clients:

[eio at lappy ~]$ ssh eolsen at libresse.domainname
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Failed decrypting request
Password:
Password expired. Change your password now.
Current Password:
Password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
[eio at lappy ~]$

In the /var/log/messages on the server "libresse", I see:

Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:58 libresse [sssd[krb5_child[14837]]]: Decrypt integrity check failed
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Password has expired
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Decrypt integrity check failed

Here's what it looks like when I ssh to the KDC instead:

[eio at lappy ~]$ ssh eolsen at kdc.domainname
eolsen at kdc.domainname's password:
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user eolsen.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to kdc.domainname closed.
[eio at lappy ~]$

...and I can now ssh to all the servers just fine:

[eio at lappy ~]$ ssh eolsen at libresse.domainname
Password:
Last login: Fri Sep 28 11:12:28 2012 from ....
Welcome to libresse.domainname (RedHat 6.3 x86_64).
[eolsen at libresse ~]$

Some additional information: lappy and libresse are using RFC1918 addresses, and don't have proper reverse DNS. kdc is using official IP address with proper reverse DNS.

Is anyone able to see what I've done wrong here, or have suggestions on where I should be digging deeper?
Regards
Eivind Olsen
eivind at aminor.no

From eivind at aminor.no Fri Sep 28 13:59:59 2012
From: eivind at aminor.no (Eivind Olsen)
Date: Fri, 28 Sep 2012 15:59:59 +0200
Subject: [Freeipa-users] Strange issue regarding password change
In-Reply-To: <4f56a7ff3305e6123fc644ab47f96da0.squirrel@webmail.aminor.no>
References: <4f56a7ff3305e6123fc644ab47f96da0.squirrel@webmail.aminor.no>
Message-ID: <9836ef952ca523cca777d6ea0a5571f5.squirrel@webmail.aminor.no>

I wrote:
...
> In the /var/log/messages on the server "libresse", I see:
>
> Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
> Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
> Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
> Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
> Sep 28 10:39:58 libresse [sssd[krb5_child[14837]]]: Decrypt integrity check failed
> Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Password has expired
> Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Decrypt integrity check failed

During the same time, this is what I see in /var/log/secure:

Sep 28 10:39:15 libresse sshd[14819]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): received for user eolsen: 12 (Authentication token is no longer valid; new one required)
Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 28 10:39:15 libresse sshd[14819]: pam_unix(sshd:chauthtok): user "eolsen" does not exist in /etc/passwd
Sep 28 10:39:28 libresse sshd[14819]: pam_unix(sshd:chauthtok): user "eolsen" does not exist in /etc/passwd
Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): system info: [Generic error (see e-text)]
Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): User info message: Password change failed. Server message: Failed decrypting request
Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): Password change failed for user eolsen: 20 (Authentication token manipulation error)
Sep 28 10:39:48 libresse sshd[14824]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): received for user eolsen: 12 (Authentication token is no longer valid; new one required)
Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 28 10:39:48 libresse sshd[14824]: pam_unix(sshd:chauthtok): user "eolsen" does not exist in /etc/passwd
Sep 28 10:39:58 libresse sshd[14824]: pam_sss(sshd:chauthtok): system info: [Decrypt integrity check failed]
Sep 28 10:39:58 libresse sshd[14824]: pam_sss(sshd:chauthtok): Authentication failed for user eolsen: 4 (System error)
Sep 28 10:39:58 libresse sshd[14810]: error: PAM: Authentication token manipulation error for eolsen from host8560.domain.internal
Sep 28 10:40:01 libresse sshd[14838]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): system info: [Decrypt integrity check failed]
Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): received for user eolsen: 4 (System error)
Sep 28 10:40:03 libresse sshd[14810]: error: PAM: Authentication failure for eolsen from host8560.domain.internal
Sep 28 10:40:03 libresse sshd[14811]: Connection closed by 10.83.70.15

Regards
Eivind Olsen

From sbose at redhat.com Fri Sep 28 14:43:14 2012
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 28 Sep 2012 16:43:14 +0200
Subject: [Freeipa-users] Strange issue regarding password change
In-Reply-To: <9836ef952ca523cca777d6ea0a5571f5.squirrel@webmail.aminor.no>
References: <4f56a7ff3305e6123fc644ab47f96da0.squirrel@webmail.aminor.no> <9836ef952ca523cca777d6ea0a5571f5.squirrel@webmail.aminor.no>
Message-ID: <20120928144314.GL6816@localhost.localdomain>

On Fri, Sep 28, 2012 at 03:59:59PM +0200, Eivind Olsen wrote:
>
> I wrote:
> ...
> > In the /var/log/messages on the server "libresse", I see:
> >
> > Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
> > Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
> > Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
> > Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
> > Sep 28 10:39:58 libresse [sssd[krb5_child[14837]]]: Decrypt integrity check failed
> > Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Password has expired
> > Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Decrypt integrity check failed
>
> During the same time, this is what I see in /var/log/secure:
>
> Sep 28 10:39:15 libresse sshd[14819]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
> Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): system info: [Password has expired]
> Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
> Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): received for user eolsen: 12 (Authentication token is no longer valid; new one required)
> Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
> Sep 28 10:39:15 libresse sshd[14819]: pam_unix(sshd:chauthtok): user "eolsen" does not exist in /etc/passwd
> Sep 28 10:39:28 libresse sshd[14819]: pam_unix(sshd:chauthtok): user "eolsen" does not exist in /etc/passwd
> Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): system info: [Generic error (see e-text)]
> Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): User info message: Password change failed.
> Server message: Failed decrypting request
> Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): Password change failed for user eolsen: 20 (Authentication token manipulation error)

hmm, any chance there is a firewall doing NAT between the client and the KDC? Kerberos password changes do not work reliably over NAT. Afaik there is some work in progress to make it possible but for the time being it will not work.

HTH

bye,
Sumit

> Sep 28 10:39:48 libresse sshd[14824]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
> Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): system info: [Password has expired]
> Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
> Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): received for user eolsen: 12 (Authentication token is no longer valid; new one required)
> Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
> Sep 28 10:39:48 libresse sshd[14824]: pam_unix(sshd:chauthtok): user "eolsen" does not exist in /etc/passwd
> Sep 28 10:39:58 libresse sshd[14824]: pam_sss(sshd:chauthtok): system info: [Decrypt integrity check failed]
> Sep 28 10:39:58 libresse sshd[14824]: pam_sss(sshd:chauthtok): Authentication failed for user eolsen: 4 (System error)
> Sep 28 10:39:58 libresse sshd[14810]: error: PAM: Authentication token manipulation error for eolsen from host8560.domain.internal
> Sep 28 10:40:01 libresse sshd[14838]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
> Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): system info: [Decrypt integrity check failed]
> Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
> Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): received for user eolsen: 4 (System error)
> Sep 28 10:40:03 libresse sshd[14810]: error: PAM: Authentication failure for eolsen from host8560.domain.internal
> Sep 28 10:40:03 libresse sshd[14811]: Connection closed by 10.83.70.15
>
> Regards
> Eivind Olsen
>

From eivind at aminor.no Fri Sep 28 20:12:01 2012
From: eivind at aminor.no (Eivind Olsen)
Date: Fri, 28 Sep 2012 22:12:01 +0200
Subject: [Freeipa-users] Strange issue regarding password change
In-Reply-To: <20120928144314.GL6816@localhost.localdomain>
References: <4f56a7ff3305e6123fc644ab47f96da0.squirrel@webmail.aminor.no> <9836ef952ca523cca777d6ea0a5571f5.squirrel@webmail.aminor.no> <20120928144314.GL6816@localhost.localdomain>
Message-ID: <0c7ca0c8c222b53c833120ea55fa6be4.squirrel@webmail.aminor.no>

Sumit Bose wrote:
> hmm, any chance there is a firewall doing NAT
> between the client and the KDC? Kerberos password changes do not work reliably over NAT. Afaik there is some work in progress to make it possible but for the time being it will not work.

Hm, yes. There seems to be NAT between the kerberos client "libresse" and the KDC, so it's quite likely that you've spotted what's causing my problem. Thanks! Now, to see how I can work around it... :)

Regards
Eivind Olsen
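Added example for the password-change thread above (it is not part of the thread and not sssd or FreeIPA code): a small Python triage script that parses the /var/log/secure lines Eivind posted, groups them by sshd PID (one PID per login attempt) and flags attempts where an expired-password login was followed by a kpasswd failure on the chauthtok stage. The sample lines are copied from the thread; the classification rule in KPASSWD_TRANSPORT_ERRORS and the reading of those errors as a broken client-to-KDC path (NAT, per Sumit's diagnosis, or a filtered port 464) are assumptions of this example, not something sssd itself reports.

```python
"""Triage sshd/pam_sss lines from /var/log/secure for failed Kerberos password changes.

Added illustration for this mailing-list thread; not sssd or FreeIPA code.
The rule "expired password, then a kpasswd decrypt error on chauthtok" is an
assumption drawn from Sumit's NAT diagnosis in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the /var/log/secure excerpt in the thread.
SAMPLE_SECURE = """\
Sep 28 10:39:15 libresse sshd[14819]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): User info message: Password change failed. Server message: Failed decrypting request
Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): Password change failed for user eolsen: 20 (Authentication token manipulation error)
Sep 28 10:39:48 libresse sshd[14824]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 28 10:39:58 libresse sshd[14824]: pam_sss(sshd:chauthtok): system info: [Decrypt integrity check failed]
Sep 28 10:39:58 libresse sshd[14824]: pam_sss(sshd:chauthtok): Authentication failed for user eolsen: 4 (System error)
Sep 28 10:39:58 libresse sshd[14810]: error: PAM: Authentication token manipulation error for eolsen from host8560.domain.internal
Sep 28 10:40:01 libresse sshd[14838]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): system info: [Decrypt integrity check failed]
"""

# Syslog prefix, sshd PID, PAM module and PAM stage; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: pam_(?P<module>unix|sss)\(sshd:(?P<stage>auth|account|chauthtok)\): "
    r"(?P<msg>.*)$"
)
USER_RE = re.compile(r"\buser[ =](?P<user>[\w.-]+)")   # "user=eolsen" or "for user eolsen:"
RHOST_RE = re.compile(r"\brhost=(?P<rhost>\S+)")

# On the chauthtok (password change) stage these messages mean the kpasswd
# exchange with the KDC itself broke, as opposed to a wrong current password.
KPASSWD_TRANSPORT_ERRORS = ("Failed decrypting request", "Decrypt integrity check failed")


def parse_line(line):
    """Return a dict for a pam_unix/pam_sss sshd line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    um = USER_RE.search(rec["msg"])
    rm = RHOST_RE.search(rec["msg"])
    rec["user"] = um.group("user") if um else None
    rec["rhost"] = rm.group("rhost") if rm else None
    return rec


def new_session():
    return {"user": None, "rhost": None, "expired": False,
            "chauthtok_error": None, "auth_decrypt_error": False}


def triage(text):
    """Group parsed lines by (host, sshd PID) and record what happened per attempt."""
    sessions = defaultdict(new_session)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions[(rec["host"], rec["pid"])]
        s["user"] = rec["user"] or s["user"]
        s["rhost"] = rec["rhost"] or s["rhost"]
        msg = rec["msg"]
        if "Password has expired" in msg or "Password expired" in msg:
            s["expired"] = True
        if rec["stage"] == "chauthtok":
            for err in KPASSWD_TRANSPORT_ERRORS:
                if err in msg:
                    s["chauthtok_error"] = err
        elif rec["stage"] == "auth" and "Decrypt integrity check failed" in msg:
            s["auth_decrypt_error"] = True
    return dict(sessions)


def suspect_kpasswd_path(sessions):
    """Attempts where an expired password was followed by a kpasswd transport error.

    That pattern is the cue to check the path between this host and the KDC
    (NAT, or a filtered TCP/UDP port 464). Returns (user, rhost, pid, error)
    tuples ordered by PID.
    """
    hits = []
    for (_host, pid), s in sorted(sessions.items(), key=lambda kv: int(kv[0][1])):
        if s["expired"] and s["chauthtok_error"]:
            hits.append((s["user"], s["rhost"], int(pid), s["chauthtok_error"]))
    return hits


if __name__ == "__main__":
    for user, rhost, pid, err in suspect_kpasswd_path(triage(SAMPLE_SECURE)):
        print(f"sshd[{pid}] {user} from {rhost}: password change failed ({err})")
```

Run against a real /var/log/secure (`triage(open("/var/log/secure").read())`) the script only reports attempts that show both the expiry and the chauthtok decrypt error, so ordinary wrong-password failures and the later `sshd:auth` "Decrypt integrity check failed" (PID 14838 above, recorded separately as `auth_decrypt_error`) do not raise the NAT flag on their own.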