On 02/20/2014 02:58 PM, Shree wrote:
Can you help me figure out? Below is some info on the existing working configuration on one of the clients.
1) Sudo version 1.7.4p5

2) [root@test500 ~]# sssd --version
1.9.2

3) These are the uncommented lines in /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = mydomain.com
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dns.mydomain.com
chpass_provider = ipa
ipa_server = ldap.mydomain.com
ldap_netgroup_search_base = cn=ng,cn=compat,dc=mydomain,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt
=======================================
4) And these are the options in /etc/nsswitch.conf
sudoers:    files ldap
passwd:     files sss
shadow:     files sss
group:      files sss

Shreeraj
----------------------------------------------------------------------------------------

Change is the only Constant !


On Thursday, February 20, 2014 7:20 AM, Dmitri Pal <d...@redhat.com> wrote:
On 02/19/2014 06:52 PM, Shree wrote:
Rob
You were right. After upgrading the client to the ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the client install that went something like
=================
Autodiscovery of servers for failover cannot work with this configuration. If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
=================
I continued by saying yes because in my case the master and the replica are in different VLANs and failover is not possible for me. I have tried in two hosts successfully and am hoping that does the trick.

However I see one issue immediately that my sudo access does not seem to work now on the newly added clients! Do you know what might be happening?
Are you using SSSD and SUDO integration?
What version of sudo and sssd?
See if this would help: http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf


Shreeraj
----------------------------------------------------------------------------------------

Change is the only Constant !


On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Shree wrote:
> [root@test500 ~]# rpm -q ipa-client
> ipa-client-2.2.0-16.el6.x86_64
> [root@test500 ~]#

You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484

Unfortunately our logging around discovery was rather horrible in 2.2.x
so it is difficult to know exactly what is going on.

I believe the problem is that it is still doing DNS discovery even
though you've passed in a server name so it is setting up Kerberos to
look up the KDC which it finds but can't talk to.

This should be fixed in the 3.0 packages so updating to those is the
preferred solution.

For 2.x you can try the --force option which should make it skip some
discovery.

rob

>
>
> Shreeraj
> ----------------------------------------------------------------------------------------
>
>
> Change is the only Constant !
>
>
> On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden
> <rcrit...@redhat.com> wrote:
> Shree wrote:
> > Here are a couple of things
> >
> > [skarulkar@ldap2 ~]$ rpm -q ipa-client
> > ipa-client-3.0.0-26.el6_4.4.x86_64
>
> What is the version on the client that is failing to enroll?
>
> rob
>
> >
> > and my /etc/krb5.conf looks like ..........
> > =======================================
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> >
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> >  default_realm = MYDOMAIN.COM
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = true
> >  rdns = false
> >  ticket_lifetime = 24h
> >  forwardable = yes
> >
> > [realms]
> >  MYDOMAIN.COM = {
> >    kdc = ldap2.mydomain.com:88
> >    master_kdc = ldap2.mydomain.com:88
> >    admin_server = ldap2.mydomain.com:749
> >    default_domain = mydomain.com
> >    pkinit_anchors = FILE:/etc/ipa/ca.crt
> > default_domain = mydomain.com
> >    pkinit_anchors = FILE:/etc/ipa/ca.crt
> > }
> >
> > [domain_realm]
> >  .mydomain.com = MYDOMAIN.COM
> >  mydomain.com = MYDOMAIN.COM
> >
> > [dbmodules]
> >    MYDOMAIN.COM = {
> >      db_library = ipadb.so
> >    }
> >
> > =======================================
> >
> >
> > Shreeraj
> >
> ----------------------------------------------------------------------------------------
> >
> >
> > Change is the only Constant !
> >
> >
> > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden
> > <rcrit...@redhat.com> wrote:
> > Shree wrote:
> > > 1) I have got a step further. My replica is not running CA Service. To
> > > achieve this I had to remove the existing cert with this command
> > >
> > > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
> > >
> > > Now the replica looks like this
> > >
> > > [skarulkar@ldap2 tmp]$ sudo ipactl status
> > > [sudo] password for skarulkar:
> > > Directory Service: RUNNING
> > > KDC Service: RUNNING
> > > KPASSWD Service: RUNNING
> > > MEMCACHE Service: RUNNING
> > > HTTP Service: RUNNING
> > > CA Service: RUNNING
> > > [skarulkar@ldap2 tmp]$
> > >
> >
> > The tracking failed with:
> >
> > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
> > Improper format of Kerberos configuration file.
> >
> > It looks like it failed on this for most if not all the tracking. What
> > does /etc/krb5.conf look like?
> >
> > >
> > > 2) I am still not able to add a client using ipa-client-install
> > > using the replica.
> >
> > The temporary krb5.conf that is used during enrollment has
> > dns_lookup_kdc=True so it is probably trying to contact the other KDC
> > and failing.
> >
> > What is the output of:
> >
> > $ rpm -q ipa-client
> >
> >
> > rob
> >
> >
> >
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


It seems like you do not use SSSD integration, so turning on debug in sudo and seeing what it is doing is the next step.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
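The mismatch Dmitri is pointing at can be checked mechanically: the posted nsswitch.conf sends sudoers lookups to the plain "ldap" source while the posted sssd.conf only runs the nss and pam responders, so nothing about sudo goes through SSSD. The script below is an added example, not code from this thread, from FreeIPA or from SSSD. It parses both files, reports each reason SSSD sudo integration cannot be in effect, and also checks the sudo version, assuming (this is not stated in the thread) that the sss backend first shipped in sudo 1.8.6. The sample inputs are constructed inline to mirror the configuration Shree posted; the /etc/sudo-ldap.conf path named in one finding is the usual location on RHEL 6 and is an assumption of the example.

```python
"""Audit whether sudo on a FreeIPA client is wired through SSSD.

Added example, not code from the thread or from FreeIPA/SSSD. Three things
have to line up for SSSD sudo integration: nsswitch.conf must send 'sudoers'
lookups to 'sss', sssd.conf must start the 'sudo' responder in [sssd]
services, and sudo must be new enough to have the sss backend (assumed here
to be 1.8.6 and later).
"""
import configparser

# Constructed sample: the posted client configuration, trimmed to what the audit reads
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = mydomain.com

[domain/mydomain.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = ldap.mydomain.com
"""

# Constructed sample: the posted nsswitch.conf lines
NSSWITCH_CONF = """\
sudoers:    files ldap
passwd:     files sss
shadow:     files sss
group:      files sss
"""

SUDO_VERSION = "1.7.4p5"      # version reported in the thread
MIN_SUDO_FOR_SSS = (1, 8, 6)  # assumption: first sudo release with the sss backend


def parse_sssd_services(text):
    """Return the list given by 'services =' in the [sssd] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def parse_nsswitch(text):
    """Map each nsswitch database to its ordered list of sources."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        db[name.strip()] = sources.split()
    return db


def parse_sudo_version(ver):
    """'1.7.4p5' -> (1, 7, 4); the 'pN' patch level is ignored."""
    base = ver.split("p", 1)[0]
    return tuple(int(x) for x in base.split("."))


def audit_sudo_integration(sssd_text, nsswitch_text, sudo_version):
    """Return findings explaining why sudo is not served by SSSD; empty means it is."""
    findings = []
    sudo_sources = parse_nsswitch(nsswitch_text).get("sudoers", [])
    if "sss" not in sudo_sources:
        shown = " ".join(sudo_sources) or "<unset>"
        findings.append("nsswitch.conf: sudoers -> '%s', no 'sss' source" % shown)
    if "ldap" in sudo_sources:
        findings.append("nsswitch.conf: 'ldap' sudoers source bypasses SSSD and needs "
                        "sudo's own LDAP client config (assumed /etc/sudo-ldap.conf)")
    services = parse_sssd_services(sssd_text)
    if "sudo" not in services:
        findings.append("sssd.conf: [sssd] services = %s, 'sudo' responder not enabled"
                        % ", ".join(services))
    if parse_sudo_version(sudo_version) < MIN_SUDO_FOR_SSS:
        findings.append("sudo %s is older than %s, the assumed first release with the sss backend"
                        % (sudo_version, ".".join(map(str, MIN_SUDO_FOR_SSS))))
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_integration(SSSD_CONF, NSSWITCH_CONF, SUDO_VERSION):
        print("FINDING:", finding)
```

To run it against a real client, read /etc/sssd/sssd.conf (as root, since it is mode 0600) and /etc/nsswitch.conf into strings and pass them with the output of `sudo -V | head -1`; an empty result means the three pieces agree, and each non-empty finding names the file and setting to change.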