<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt">Can you help me figure this out? Below is some info on the existing working configuration on one of the clients<br>1) Sudo version 1.7.4p5<br><br>2) [root@test500 ~]# sssd --version<br>1.9.2<br><br>3) These are the uncommented lines in /etc/sssd/sssd.conf<br>[sssd]<br>config_file_version = 2<br>services = nss, pam<br>domains = mydomain.com<br>[domain/mydomain.com]<br>cache_credentials = True<br>krb5_store_password_if_offline = True<br>ipa_domain = mydomain.com<br>id_provider = ipa<br>auth_provider = ipa<br>access_provider = ipa<br>ipa_hostname = dns.mydomain.com<br>chpass_provider = ipa<br>ipa_server = ldap.mydomain.com<br>ldap_netgroup_search_base = cn=ng,cn=compat,dc=mydomain,dc=com<br>ldap_tls_cacert = /etc/ipa/ca.crt<br><div id="yiv4785094012"><div><div class=""
 style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;"><div id="yiv4785094012yui_3_13_0_ym1_9_1392920997931_10">=======================================<br>4)And these are the options in /etc/nsswitch.conf<br>sudoers:    files ldap<br>passwd:     files sss<br>shadow:     files sss<br>group:      files sss<br></div><div id="yiv4785094012yui_3_13_0_ym1_9_1392920997931_12"><br>Shreeraj
<br clear="none">----------------------------------------------------------------------------------------
<br clear="none">
<br clear="none">Change is the only Constant !</div><div class="" id="yiv4785094012yui_3_13_0_ym1_9_1392920997931_14" style="display: none;"> <br clear="none"> <br clear="none"> <div class="" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;"> <div class="" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;"> <div class="" id="yiv4785094012yqt76401"><div dir="ltr"> <font face="Arial" size="2"> On Thursday, February 20, 2014 7:20 AM, Dmitri Pal <dpal@redhat.com> wrote:<br clear="none"> </font> </div>  <div class=""><div id="yiv4785094012"><div>
    On 02/19/2014 06:52 PM, Shree wrote:
    <blockquote type="cite">
      <div class="" style="color:rgb(0, 0, 0);background-color:rgb(255, 255,         255);font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">Rob<br clear="none">
        You were right. After upgrading the client to the
        ipa-client-3.0.0-37.el6.x86_64 version I started seeing a
        warning during the client install that went something like <br clear="none">
        =================<br clear="none">
        Autodiscovery of servers for failover cannot work with this
        configuration.<br clear="none">
        If you proceed with the installation, services will be
        configured to always access the discovered server for all
        operations and will not fail over to other servers in case of
        failure.<br clear="none">
        Proceed with fixed values and no DNS discovery? [no]: yes<br clear="none">
        =================<br clear="none">
        <div><span>I continued by saying yes because in my case the
            master and the replica are in different VLANs and failover
            is not possible for me. I have tried in two hosts
            successfully and am hoping that does the trick.</span></div>
        <div class="" style="color:rgb(0, 0, 0);font-size:10.6667px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><br clear="none">
          <span></span></div>
        <div class="" style="color:rgb(0, 0, 0);font-size:10.6667px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><span>However
            I see one issue immediately that my sudo access does not
            seem to work now on the newly added clients! Do you know
            what might be happening?<br clear="none">
          </span></div>
        <div> </div>
      </div>
    </blockquote>
    Are you using SSSD and SUDO integration?<br clear="none">
    What version of sudo and sssd?<br clear="none">
    See if this would help:
    <a rel="nofollow" shape="rect" class="" target="_blank" href="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</a><div class="" id="yiv4785094012yqtfd92823"><br clear="none">
    <br clear="none">
    </div><blockquote type="cite"><div class="" id="yiv4785094012yqtfd11561">
      <div class="" style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">
        <div>Shreeraj
          <br clear="none">
----------------------------------------------------------------------------------------
          <br clear="none">
          <br clear="none">
          Change is the only Constant !</div>
        <div class="" style="display:block;"> <br clear="none">
          <br clear="none">
          <div class="" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">
            <div class="" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;">
              <div dir="ltr"> <font face="Arial" size="2"> On
                  Wednesday, February 19, 2014 2:21 PM, Rob Crittenden
                  <a rel="nofollow" shape="rect" class="" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a> wrote:<br clear="none">
                </font> </div>
              <div class="">Shree wrote:<br clear="none">
                > [root@test500 ~]# rpm -q ipa-client<br clear="none">
                > ipa-client-2.2.0-16.el6.x86_64<br clear="none">
                > [root@test500 ~]#<br clear="none">
                <br clear="none">
                You'll definitely want to update to 2.2.0-17, that fixes
                CVE-2012-5484<br clear="none">
                <br clear="none">
                Unfortunately our logging around discovery was rather
                horrible in 2.2.x <br clear="none">
                so it is difficult to know exactly what is going on.<br clear="none">
                <br clear="none">
                I believe the problem is that it is still doing DNS
                discovery even <br clear="none">
                though you've passed in a server name so it is setting
                up Kerberos to <br clear="none">
                look up the KDC which it finds but can't talk to.<br clear="none">
                <br clear="none">
                This should be fixed in the 3.0 packages so updating to
                those is the <br clear="none">
                preferred solution.<br clear="none">
                <br clear="none">
                For 2.x you can try the --force option which should make
                it skip some <br clear="none">
                discovery.<br clear="none">
                <br clear="none">
                rob<br clear="none">
                <br clear="none">
                ><br clear="none">
                ><br clear="none">
                > Shreeraj<br clear="none">
                >
----------------------------------------------------------------------------------------<br clear="none">
                ><br clear="none">
                ><br clear="none">
                > Change is the only Constant !<br clear="none">
                ><br clear="none">
                ><br clear="none">
                > On Wednesday, February 19, 2014 1:17 PM, Rob
                Crittenden<br clear="none">
                > <<a rel="nofollow" shape="rect" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>
                wrote:<br clear="none">
                > Shree wrote:<br clear="none">
                >  > Here are a couple of things<br clear="none">
                >  ><br clear="none">
                >  > [skarulkar@ldap2 ~]$ rpm -q ipa-client<br clear="none">
                >  > ipa-client-3.0.0-26.el6_4.4.x86_64<br clear="none">
                ><br clear="none">
                > What is the version on the client that is failing
                to enroll?<br clear="none">
                ><br clear="none">
                > rob<br clear="none">
                ><br clear="none">
                >  ><br clear="none">
                >  > and my /etc/krb5.conf looks like ..........<br clear="none">
                >  > =======================================<br clear="none">
                >  > includedir
                /var/lib/sss/pubconf/krb5.include.d/<br clear="none">
                >  ><br clear="none">
                >  > [logging]<br clear="none">
                >  >  default = FILE:/var/log/krb5libs.log<br clear="none">
                >  >  kdc = FILE:/var/log/krb5kdc.log<br clear="none">
                >  >  admin_server = FILE:/var/log/kadmind.log<br clear="none">
                >  ><br clear="none">
                >  > [libdefaults]<br clear="none">
                >  >  default_realm = MYDOMAIN.COM<br clear="none">
                >  >  dns_lookup_realm = false<br clear="none">
                >  >  dns_lookup_kdc = true<br clear="none">
                >  >  rdns = false<br clear="none">
                >  >  ticket_lifetime = 24h<br clear="none">
                >  >  forwardable = yes<br clear="none">
                >  ><br clear="none">
                >  > [realms]<br clear="none">
                >  >  MYDOMAIN.COM = {<br clear="none">
                >  >    kdc = ldap2.mydomain.com:88<br clear="none">
                >  >    master_kdc = ldap2.mydomain.com:88<br clear="none">
                >  >    admin_server = ldap2.mydomain.com:749<br clear="none">
                >  >    default_domain = mydomain.com<br clear="none">
                >  >    pkinit_anchors = FILE:/etc/ipa/ca.crt<br clear="none">
                >  > default_domain = mydomain.com<br clear="none">
                >  >    pkinit_anchors = FILE:/etc/ipa/ca.crt<br clear="none">
                >  > }<br clear="none">
                >  ><br clear="none">
                >  > [domain_realm]<br clear="none">
                >  >  .mydomain.com = MYDOMAIN.COM<br clear="none">
                >  >  mydomain.com = MYDOMAIN.COM<br clear="none">
                >  ><br clear="none">
                >  > [dbmodules]<br clear="none">
                >  >    MYDOMAIN.COM = {<br clear="none">
                >  >      db_library = ipadb.so<br clear="none">
                >  >    }<br clear="none">
                >  ><br clear="none">
                >  > =======================================<br clear="none">
                >  ><br clear="none">
                >  ><br clear="none">
                >  > Shreeraj<br clear="none">
                >  ><br clear="none">
                >
----------------------------------------------------------------------------------------<br clear="none">
                >  ><br clear="none">
                >  ><br clear="none">
                >  > Change is the only Constant !<br clear="none">
                >  ><br clear="none">
                >  ><br clear="none">
                >  > On Wednesday, February 19, 2014 12:59 PM, Rob
                Crittenden<br clear="none">
                >  > <<a rel="nofollow" shape="rect" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br clear="none">
                >  > Shree wrote:<br clear="none">
                >  >  > 1) I have got a step further. My
                replica is not running CA Service. To<br clear="none">
                >  >  > achieve this I had to remove the
                existing cert with this command<br clear="none">
                >  >  ><br clear="none">
                >  >  > pkiremove -pki_instance_root=/var/lib
                -pki_instance_name=pki-ca -force<br clear="none">
                >  >  ><br clear="none">
                >  >  > Now the replica looks like this<br clear="none">
                >  >  ><br clear="none">
                >  >  > [skarulkar@ldap2 tmp]$ sudo ipactl status<br clear="none">
                >  >  > [sudo] password for skarulkar:<br clear="none">
                >  >  > Directory Service: RUNNING<br clear="none">
                >  >  > KDC Service: RUNNING<br clear="none">
                >  >  > KPASSWD Service: RUNNING<br clear="none">
                >  >  > MEMCACHE Service: RUNNING<br clear="none">
                >  >  > HTTP Service: RUNNING<br clear="none">
                >  >  > CA Service: RUNNING<br clear="none">
                >  >  > [skarulkar@ldap2 tmp]$<br clear="none">
                <div class="" id="yiv4785094012yqtfd53238">
                  ><br clear="none">
                  >  ><br clear="none">
                  >  > The tracking failed with:<br clear="none">
                  >  ><br clear="none">
                  >  > 2014-02-18T20:20:43Z DEBUG stdout=Error
                  initializing Kerberos library:<br clear="none">
                  >  > Improper format of Kerberos configuration
                  file.<br clear="none">
                  >  ><br clear="none">
                  >  > It looks like it failed on this for most if
                  not all the tracking. What<br clear="none">
                  >  > does /etc/krb5.conf look like?<br clear="none">
                  >  ><br clear="none">
                  >  >  ><br clear="none">
                  >  >  > 2) I am still not able to add client
                  using ipa-client-install<br clear="none">
                  > using the<br clear="none">
                  >  >  > replica.<br clear="none">
                  >  ><br clear="none">
                  >  > The temporary krb5.conf that is used during
                  enrollment has<br clear="none">
                  >  > dns_lookup_kdc=True so it is probably
                  trying to contact the other KDC<br clear="none">
                  >  > and failing.<br clear="none">
                  >  ><br clear="none">
                  >  > What is the output of:<br clear="none">
                  >  ><br clear="none">
                  >  > $ rpm -q ipa-client<br clear="none">
                  >  ><br clear="none">
                  >  ><br clear="none">
                  >  > rob<br clear="none">
                  >  ><br clear="none">
                  >  ><br clear="none">
                  >  ><br clear="none">
                  ><br clear="none">
                  ><br clear="none">
                  ><br clear="none">
                  <br clear="none">
                </div>
                <br clear="none">
                <br clear="none">
              </div>
            </div>
          </div>
        </div>
      </div>
      <br clear="none">
      <fieldset class=""></fieldset>
      <br clear="none">
      <pre>_______________________________________________
Freeipa-users mailing list
<a rel="nofollow" shape="rect" class="" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a rel="nofollow" shape="rect" class="" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre></div>
    </blockquote>
    <br clear="none">
    <br clear="none">
    <pre class="">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a rel="nofollow" shape="rect" class="" target="_blank" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a></pre><div class="" id="yiv4785094012yqtfd01221">


</div><div class="" id="yiv4785094012yqtfd53142">
  </div></div></div><br clear="none"><br clear="none"><br clear="none"></div></div>  </div> </div>  </div> </div></div></div></div></body></html>
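Dmitri's question about SSSD and sudo integration turns on whether sudo is actually wired to SSSD, and the configuration posted at the top of the thread (sudo 1.7.4p5, `services = nss, pam`, `sudoers: files ldap`) is not. The following is an added example, not code from the thread or from the FreeIPA project: a Python check that parses an sssd.conf and an nsswitch.conf in that shape (constructed copies of the posted values) and reports which prerequisites for the SSSD sudo responder are missing. It assumes sudo 1.8.6 as the first release with an sssd backend and leaves the domain-side `sudo_provider` settings described in the linked PDF out of scope.

```python
import configparser
import re

# Constructed inputs, copied from the configuration posted at the top of the thread.
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = mydomain.com
[domain/mydomain.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = ldap.mydomain.com
"""
NSSWITCH_CONF = """\
sudoers:    files ldap
passwd:     files sss
shadow:     files sss
group:      files sss
"""
SUDO_VERSION = "1.7.4p5"
SUDO_WITH_SSSD = (1, 8, 6, 0)  # assumption: first sudo release built with an sssd backend


def parse_sudo_version(text):
    """Turn '1.8.6p3' into (1, 8, 6, 3) so versions compare numerically."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised sudo version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def nsswitch_sources(text, database):
    """Return the source list of one nsswitch database, e.g. ['files', 'ldap']."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.startswith(database + ":"):
            return line.split(":", 1)[1].split()
    return []


def sssd_sudo_findings(sssd_conf, nsswitch_conf, sudo_version):
    """Return the reasons sudo would not query SSSD (empty list means all prerequisites hold)."""
    findings = []
    if parse_sudo_version(sudo_version) < SUDO_WITH_SSSD:
        findings.append("sudo %s predates 1.8.6, so it has no sssd backend" % sudo_version)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf)
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("sssd.conf [sssd] services lacks 'sudo' (got: %s)" % ", ".join(services))
    sources = nsswitch_sources(nsswitch_conf, "sudoers")
    if "sss" not in sources:
        findings.append("nsswitch.conf 'sudoers:' does not list 'sss' (got: %s)" % " ".join(sources))
    return findings


if __name__ == "__main__":
    for finding in sssd_sudo_findings(SSSD_CONF, NSSWITCH_CONF, SUDO_VERSION):
        print("-", finding)
```

Run against the posted values it reports all three gaps; with `services = nss, pam, sudo`, `sudoers: files sss` and a sudo 1.8.6 or later build it reports none.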