It is still really hard to give advice as I do not know what's actually wrong. So are you trying to set up a sudo on your client or are you trying to log in with your client browser to FreeIPA server? These are 2 orthogonal actions.

Who gives the "Can't I connect to the ipa server" error? As I said earlier, I cannot help you without described procedure you are trying to do, logs and exact error messages.

Martin

On 11/11/2014 09:32 AM, Rolf Nufable wrote:
> never mind the problem on the server side, somehow it got fixed, I really
> don't know how though
>
> so in the client side, it is successful when installing free ipa client and
> the server discovery is fine, my freeipa client is 4.1.0 and my server is
> 4.0.3 (although somewhere I've read that version incompatibility would not be
> an issue since if either one is of a lower version, the only features that
> would be used is the one that the lower version can do)
>
> So I really don't know why Can't I connect to the ipa server.
>
> Iptables works fine.
> /etc/resolv.conf is fine as well
>
> sssd/sssd.conf ( added these lines )
> [sudo]
> sudo_provider = ldap
> ldap_uri = ldap://myipaserver.example.com
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/myipaserver.example.com
> ldap_sasl_realm = EXAMPLE.COM
> krb_server = myipaserver.example.com
>
> and /etc/nsswitch.conf
> (added this line )
>
> sudoers : files sss ldap
>
> is there something missing ?
>
> On Tuesday, November 11, 2014 3:45 PM, Rolf Nufable
> <rolf_16_nufa...@yahoo.com> wrote:
>
> oh sorry I forgot that on the clients side "
> network.negotiate-auth.trusted-uris " they have the same domain as of the
> server side I've configured it as well as in the client side because recent
> guides for deploying IPA says that you must go to about:config either you are
> on the server or client side, or at least that's what I remember.
>
> Wait a sec I'm trying to achieve the state again where the server side won't
> let me log in using the admin credentials, just so I could show you the logs
>
> On Tuesday, November 11, 2014 3:28 PM, Martin Kosek <mko...@redhat.com> wrote:
>
> On 11/11/2014 08:07 AM, Rolf Nufable wrote:
>> well I don't know how or what command to use to display the logs, could you
>> teach me how?
>
> There should be HOWTO articles on how to do that. Jakub may have better
> sources, but I see for example:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
>
>> , but yes the network.negotiate-auth.trusted-uris has the same domain name
>> which is example.com this is on the server side only
>
> network.negotiate-auth.trusted-uris must be set in the *client* Firefox
> machine.
>
>> while on the client side, even though the
>> network.negotiate-auth.trusted-uris is configured correctly, the web UI
>> can't be accessed so it's a really weird scenario. but the registration
>> of the ipa client to the server says it's successful.
>
> FreeIPA 4.0+ Web UI should allow you to login at least with your
> user+password, if SSO login fails. Does at least this part work? Because if
> not, there is some error on the server side. It would be interesting to
> check if there are no errors on the server in following logs:
> - /var/log/httpd/error_log
> - /var/log/krb5kdc.log
>
>>
>> TIA
>>
>> On Tuesday, November 11, 2014 2:56 PM, Martin Kosek <mko...@redhat.com>
>> wrote:
>>
>> On 11/11/2014 06:37 AM, Rolf Nufable wrote:
>>> or could you guys direct me or guide me on how to deploy this ipa server?
>>> I've been successful deploying ipa version 3.3.5 before but this 4.0 and
>>> above series is really giving me a headache
>>
>> Hm, that is worrying. FreeIPA 4.0+ should definitely not be more difficult to
>> deploy, on the contrary, it should be much cooler than 3.3.
>>
>>> On Tuesday, November 11, 2014 1:24 PM, Rolf Nufable
>>> <rolf_16_nufa...@yahoo.com> wrote:
>>>
>>> well I'll try them now, my sssd config only consists of these lines added
>>> to the sudo area
>>>
>>> sudo_provider = ldap
>>> ldap_uri = ldap://myipaserver.example.com
>>> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
>>> ldap_sasl_mech = GSSAPI
>>> ldap_sasl_authid = host/myipaserver.example.com
>>> ldap_sasl_realm = EXAMPLE.COM
>>> krb_server = myipaserver.example.com
>>
>> BTW, with FreeIPA 4.0+ / RHEL-6.6+ / recent Fedoras you can use "ipa" sudo
>> provider. Actually, FreeIPA 4.0+ clients do that for you.
>>
>> More info here:
>> https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>> https://fedorahosted.org/freeipa/ticket/3358
>>
>>> plus another question why is it that when I invoke the kinit admin command
>>> for the kerberos I couldn't access the web UI and keeps asking me to
>>> configure my web browser ( firefox) though I've already configured it many
>>> times..
>>
>> Are you sure that network.negotiate-auth.trusted-uris is set in about:config
>> correctly? Are you saying that your Firefox works with FreeIPA 3.3 server but
>> not with FreeIPA 4.0+? What is the domain of the FreeIPA 4.0+ server and what
>> is the setting of network.negotiate-auth.trusted-uris?
>>
>> In any case, it is still hard to advise as I still did not see any related
>> logs, error messages or actual real errors preventing you from enrolling
>> FreeIPA.
>>
>> Thanks,
>> Martin
>>
>>>
>>> TIA
>>>
>>> On Monday, November 10, 2014 8:41 PM, Jakub Hrozek <jhro...@redhat.com>
>>> wrote:
>>>
>>> On Mon, Nov 10, 2014 at 12:56:00PM +0100, Martin Kosek wrote:
>>>
>>>> On 11/10/2014 02:05 AM, Rolf Nufable wrote:
>>>>> Hello
>>>>>
>>>>> I have tons of questions on why free ipa won't work on my network, I've
>>>>> been using fedora 20 as the os for the server and client free ipa .
>>>>>
>>>>> I deployed freeipa 4.0.3 at the server side and freeipa 4.1.0 for the
>>>>> client side using 2 VM's at first it was okay, got it connected and used
>>>>> ldap to pass sudo for the client side, but when I finally deployed it
>>>>> in our real network consisting of an esxi server and one work station
>>>>> having the same versions of free ipa for server and client, the error
>>>>> that I'm getting is that " the user does not exist " when I invoked the
>>>>> " su - ( user ) " command, so My question is how can I solve this
>>>>> problem?? I've been at it for 3 weeks now ..
>>>>
>>>> I assume this is on Fedora 20, running from the mkosek/freeipa Copr repo. I
>>>> assume this is a problem in SSSD client part, if the user cannot be found.
>>>> CCing Lukas and Jakub to advise.
>>>
>>> Sorry, I skipped this thread b/c the subject didn't look like it was
>>> SSSD-related.
>>>
>>> I think we need to examine SSSD logs...
>>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
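
Added example, not part of the original thread and not FreeIPA or SSSD project code: a Python check for the SSSD sudo wiring discussed above. It relies on sssd.conf(5), where sudo_provider and the ldap_* options are domain-section options and "sudo" must appear in the [sssd] services list; the sample files are constructed and check_sssd_sudo is a hypothetical helper name.

```python
import configparser

# Constructed sample: [sssd] and [domain/...] are invented for illustration;
# the [sudo] lines follow the layout quoted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa

[sudo]
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
"""
SAMPLE_NSSWITCH = "passwd: files sss\nsudoers : files sss ldap\n"


def check_sssd_sudo(sssd_text, nsswitch_text):
    """Hypothetical helper: list problems in the SSSD sudo wiring."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_text)
    # The sudo responder must be enabled in the [sssd] section.
    raw = cp.get("sssd", "services", fallback="")
    if "sudo" not in [s.strip() for s in raw.split(",")]:
        findings.append("[sssd] services does not list 'sudo'")
    # sudo_provider and ldap_* are per-domain options; the [sudo] section
    # only tunes the responder, so they belong in [domain/...].
    if cp.has_section("sudo"):
        for opt in cp.options("sudo"):
            if opt == "sudo_provider" or opt.startswith("ldap_"):
                findings.append(f"'{opt}' is under [sudo], not [domain/...]")
    # sudo itself must be pointed at SSSD through nsswitch.conf.
    sources = []
    for line in nsswitch_text.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == "sudoers":
            sources = rest.split()
    if "sss" not in sources:
        findings.append("nsswitch.conf sudoers line does not include 'sss'")
    return findings


if __name__ == "__main__":
    for finding in check_sssd_sudo(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH):
        print(finding)
```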