[Freeipa-users] Free ipa Configurations

Petr Spacek pspacek at redhat.com
Mon Nov 24 08:51:23 UTC 2014


On 18.11.2014 09:54, Rolf Nufable wrote:
> Hello all I have a question regarding the login in IPA
> well I didn't expect this to happen since last week all installation went smoothly and the adding of the clients as well but now I have another problem. 
> My first problem was ntp/ntpdate wasn't cooperating well and it won't update my fedora 20 time correctly every reboot, so I get the wrong time and manually issue the ntpdate just to get the correct time... ( well this problem is small ) 
> So what I did was just configured/updated the timezone of the Freeipa Server. then I tried rebooting it 3 times in a row just to make sure it won't change time. and it was successful.  ( I did this last friday )
> yesterday I checked the time of the free ipa server. and it was way off.. Now my problem is that if I edited the time or restarted ntpd / ntpdate I cannot log-in to the web UI of freeipa although I'm using the admin account and the right credentials as well , It asks me to configure the browser credentials ( the one going to about:config ) but I still cannot log in, And I don't really know why .. But if I didn't I can Log in smoothly..
> any Ideas on whats causing this error?
> TIA :)  

Maybe some timestamps in Kerberos tickets you have 'cached' locally are wrong.
I would try to check timestamps in "klist" output or try to kdestroy & kinit
again.

Petr^2 Spacek

> 
> On Tuesday, November 11, 2014 11:34 PM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>  On 11/12/2014 04:09 AM, Rolf Nufable wrote:
>> I have another question, well I've achieved the state where I can't log in to my admin account in the server side, it happens because I'm changing the time of the server machine. 
>>
>> but the time is really wrong. and I disabled NTP and the server has no access to the internet. 
>>
>> these are my network configurations. 
>>
>> peerdns = no 
>> ipaddr  = 192.168.1.1
>> netmask = 255.255.255.0
>> dns1 = 192.168.1.1
>> onboot = yes 
>>
>> as you can see I've made the server also the dns1, (is this correct though ? i really don't know ) 
>>
>> feel free to correct my network config 
>>
>> And another problem is that I need to sync my freeipa server time to the right time zone? if thats the case then I do need internet connection for my Freeipa server , so that it could access ntp servers right?  ( or am I wrong? ) 
> 
> Yes, internet connection helps. Theoretically you could just set up the time
> manually on your FreeIPA server and then let your clients synchronize their
> time with it as NTP is running there, but that may be cumbersome.
> 
>>
>> still this is a great breakthrough for my work 
>>
>> Now what to do? 
> 
> FreeIPA server and the KDC do not care about the time zone, it works with UTC
> time anyway, AFAIK. You just simply need to have the time synchronized on all
> your servers and clients or Kerberos protocol will not work.
> 
>> ps. Martin attached is the krb5kdc.log after I changed the time of the server.  Httpd error log didn't change at all after I tried to access the web UI and tried to log in..
> 
> I saw no error there...
> 
>>
>>
>> TIA 
>>
>>
>>
>> On Tuesday, November 11, 2014 7:10 PM, Petr Vobornik <pvoborni at redhat.com> wrote:
>>   
>>
>>
>> On 11.11.2014 11:11, Jakub Hrozek wrote:
>>> On Tue, Nov 11, 2014 at 02:07:57AM -0800, Rolf Nufable wrote:
>>>> well I'm trying to setup sudo in my client machine, also I want to access the server web browser In the client machine ( is it possible though ? )
>>>>
>>>> well I'm having this error in the client side when using the command su - ( user )
>>>>
>>>> su - user at example.com
>>>>
>>>> su : user at example.com does not exist.
>>>
>>> Are you sure ipa-client-install did run successfully on that machine?
>>>
>>> Can you unenroll and enroll the client back so that we start from an
>>> sssd.conf that is created by the tooling?
>>>
>>> As Martin said, you don't need those sudo-related config options with
>>> recent SSSD releases, they wouldn't work in the sudo section anyway.
>>
>> Does:
>>
>> $ id user at example.com
>>
>> return you the user info?
>>
>> if not and ipa-client-install was run successfully before, check 
>> nsswitch.conf if it has sssd configured (sss next to various providers).
>>
>> if not run:
>> $ authconfig --enablesssd --update
>>
>> if it doesn't help, try to run:
>> $ authconfig --disablesssd --update
>> $ authconfig --enablesssd --update
>>
>> if it helps, please tell me. I'm curious if you suffer from one issue I 
>> experienced.
>>
>>
>>
>>>
>>>>
>>>>
>>>>
>>>> On Tuesday, November 11, 2014 5:56 PM, Martin Kosek <mkosek at redhat.com> wrote:
>>>>
>>>>
>>>>
>>>> It is still really hard to give advice as I do not know what's actually wrong.
>>>> So are you trying to set up a sudo on your client or are you trying to log in
>>>> with your client browser to FreeIPA server? These are 2 orthogonal actions.
>>>>
>>>> Who gives the "Can't I connect to the ipa server" error? As I said earlier, I
>>>> cannot help you without described procedure you are trying to do, logs and
>>>> exact error messages.
>>>>
>>>> Martin
>>>>
>>>>
>>>> On 11/11/2014 09:32 AM, Rolf Nufable wrote:
>>>>> never mind the problem on the server side, somehow it got fixed , I really don't know how though
>>>>>
>>>>> so in the client side , It is successful when installing free ipa client and the server discovery is fine, my freeipa Client is 4.1.0 and my server is 4.0.3 (although somewhere I've read that version incompatibility would not be an issue since if either one is of a lower version, the only features that would be used is the one that the lower version can do )
>>>>>
>>>>> So I really don't know why Can't I connect to the ipa server.
>>>>>
>>>>> Iptables works fine.
>>>>> /etc/resolv.conf is fine as well
>>>>>
>>>>> sssd/sssd.conf ( added these lines )
>>>>> [sudo]
>>>>> sudo_provider = ldap
>>>>> ldap_uri = ldap://myipaserver.example.com
>>>>> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
>>>>> ldap_sasl_mech = GSSAPI
>>>>> ldap_sasl_authid = host/myipaserver.example.com
>>>>> ldap_sasl_realm = EXAMPLE.COM
>>>>> krb_server = myipaserver.example.com
>>>>>
>>>>>
>>>>> and /etc/nsswitch.conf
>>>>> (added this line )
>>>>>
>>>>> sudoers : files sss ldap
>>>>>
>>>>> is there something missing ?
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday, November 11, 2014 3:45 PM, Rolf Nufable <rolf_16_nufable at yahoo.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>> oh sorry I forgot that on the clients side " network.negotiate-auth.trusted-uris " they have the same domain as of the server side I've configured it as well as in the client side because recent guides for deploying IPA says that you must go to about:config either you are on the server or client side, or at least thats what I remember.
>>>>>
>>>>> Wait a sec I'm trying to achieve the state again where the server side wont let me log in using the admin credentials , just so i could show you the logs
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday, November 11, 2014 3:28 PM, Martin Kosek <mkosek at redhat.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>> On 11/11/2014 08:07 AM, Rolf Nufable wrote:
>>>>>> well I don't know how or what command to use to display the logs, could you teach me how?
>>>>>
>>>>> There should be HOWTO articles on how to do that. Jakub may have better
>>>>> sources, but I see for example:
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
>>>>>
>>>>>> , but yes the network.negotiate-auth.trusted-uris has the same domain name which is example.com this is on the server side only
>>>>>
>>>>> network.negotiate-auth.trusted-uris must be set in the *client* Firefox machine.
>>>>>
>>>>>> while on the client side, even though the network.negotiate-auth.trusted-uris is configured correctly, the web UI can't be accessed so its a really weird scenario. but the registration of the ipa client to the server says its successful.
>>>>>
>>>>> FreeIPA 4.0+ Web UI should allow you to login at least with your user+password,
>>>>> if SSO login fails. Does at least this part work? Because if not, there is some
>>>>> error on the server side. It would be interesting to check if there are no
>>>>> errors on the server in following logs:
>>>>> - /var/log/httpd/error_log
>>>>> - /var/log/krb5kdc.log
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> TIA
>>>>>>
>>>>>>
>>>>>> On Tuesday, November 11, 2014 2:56 PM, Martin Kosek <mkosek at redhat.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 11/11/2014 06:37 AM, Rolf Nufable wrote:
>>>>>>> or could you guys direct me or guide me on how to deploy this ipa server? I've been successful deploying ipa version 3.3.5 before but this 4.0 and above series is really giving me a headache
>>>>>>
>>>>>> Hm, that is worrying. FreeIPA 4.0+ should definitely not be more difficult to
>>>>>> deploy, on the contrary, it should be much cooler than 3.3.
>>>>>>
>>>>>>> On Tuesday, November 11, 2014 1:24 PM, Rolf Nufable <rolf_16_nufable at yahoo.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> well I'll try them now, my sssd config only consists of these lines added to the sudo area
>>>>>>>
>>>>>>> sudo_provider = ldap
>>>>>>> ldap_uri = ldap://myipaserver.example.com
>>>>>>> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>> ldap_sasl_authid = host/myipaserver.example.com
>>>>>>> ldap_sasl_realm = EXAMPLE.COM
>>>>>>> krb_server = myipaserver.example.com
>>>>>>
>>>>>> BTW, with FreeIPA 4.0+ / RHEL-6.6+ / recent Fedoras you can use "ipa" sudo
>>>>>> provider. Actually, FreeIPA 4.0+ clients do that for you.
>>>>>>
>>>>>> More info here:
>>>>>> https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>>>> https://fedorahosted.org/freeipa/ticket/3358
>>>>>>
>>>>>>> plus another question why is it that when I invoke the kinit admin command for the kerberos I couldn't access the web UI and keeps asking me to configure my web browser ( firefox) though I've already configured it many times..
>>>>>>
>>>>>> Are you sure that network.negotiate-auth.trusted-uris in about:config
>>>>>> correctly? Are you saying that your Firefox works with FreeIPA 3.3 server but
>>>>>> not with FreeIPA 4.0+? What is the domain of the FreeIPA 4.0+ server and what
>>>>>> is the setting of network.negotiate-auth.trusted-uris?
>>>>>>
>>>>>> In any case, it is still hard to advise as I still did not see any related
>>>>>> logs, error messages or actual real errors preventing you from enrolling FreeIPA.
>>>>>>
>>>>>> Thanks,
>>>>>> Martin
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> TIA
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Monday, November 10, 2014 8:41 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Nov 10, 2014 at 12:56:00PM +0100, Martin Kosek wrote:
>>>>>>>
>>>>>>>> On 11/10/2014 02:05 AM, Rolf Nufable wrote:
>>>>>>>>> Hello
>>>>>>>>>
>>>>>>>>> I have tons of questions on why free ipa won't work on my network , I've been using fedora 20 as the os for the server and client free ipa .
>>>>>>>>>
>>>>>>>>> I deployed freeipa 4.0.3 at the server side and freeipa 4.1.0 for the client side using 2 VM's at first it was okay, got it connected and used ldap to pass sudo for the client side, but when I finally deployed it in our real network consisting of an esxi server and one work station having the same versions of free ipa for server and client, the error that I'm getting is that " the user does not exist " when I invoked the " su - ( user ) " command, so My question is how can I solve this problem?? I've been at it for 3 weeks now ..
>>>>>>>>
>>>>>>>> I assume this is on Fedora 20, running from the mkosek/freeipa Copr repo. I
>>>>>>>> assume this is a problem in SSSD client part, if the user cannot be found.
>>>>>>>> CCing Lukas and Jakub to advise.
>>>>>>>
>>>>>>> Sorry, I skipped this thread b/c the subject didn't look like it was
>>>>>>> SSSD-related.
>>>>>>>
>>>>>>> I think we need to examine SSSD logs...
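Petr's suggestion above to check the timestamps in "klist" output, as an added example that is not part of this thread: a small Python script that parses constructed klist output and flags the tickets a service would reject as not yet valid or expired given the local clock. The 300-second tolerance is MIT krb5's default clockskew; the two-digit-year timestamp format and the sample cache contents are assumptions.

```python
"""Check cached Kerberos tickets against the local clock (added example)."""
from datetime import datetime, timedelta

# Constructed sample of `klist` output. The two-digit-year timestamp format
# is an assumption; adjust TS if your klist prints four-digit years.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
11/24/14 08:30:00  11/25/14 08:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
11/24/14 08:31:10  11/25/14 08:30:00  HTTP/ipa.example.com@EXAMPLE.COM
"""

TS = "%m/%d/%y %H:%M:%S"
CLOCK_SKEW = timedelta(seconds=300)  # MIT krb5 default 'clockskew' tolerance


def parse_klist(text):
    """Return (service, valid_from, expires) for each ticket line."""
    tickets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # cache, principal and blank lines
        try:
            start = datetime.strptime(" ".join(parts[0:2]), TS)
            end = datetime.strptime(" ".join(parts[2:4]), TS)
        except ValueError:
            continue  # the column header also has five words
        tickets.append((parts[4], start, end))
    return tickets


def check_cache(text, now_str):
    """Classify each ticket relative to the local clock given as now_str.

    Start further in the future than the skew window -> rejected as not yet
    valid; expiry further in the past -> expired. Both appear after a clock
    jump, which is why kdestroy && kinit after fixing the time clears it.
    """
    now = datetime.strptime(now_str, TS)
    verdict = {}
    for service, start, end in parse_klist(text):
        if start - now > CLOCK_SKEW:
            verdict[service] = "not-yet-valid"
        elif now - end > CLOCK_SKEW:
            verdict[service] = "expired"
        else:
            verdict[service] = "ok"
    return verdict
```

Feed it the real `klist` output and the current time from `date "+%m/%d/%y %H:%M:%S"` to see which cached tickets the clock change invalidated.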