It is still really hard to give advice as I do not know what's actually wrong.
So are you trying to set up a sudo on your client or are you trying to log in
with your client browser to FreeIPA server? These are 2 orthogonal actions.

Who gives the "Can't I connect to the ipa server" error? As I said earlier, I
cannot help you without a description of the procedure you are trying to do,
logs and exact error messages.

Martin

On 11/11/2014 09:32 AM, Rolf Nufable wrote:
> never mind the problem on the server side, somehow it got fixed , I really 
> don't know how though
> 
> so in the client side , It is successful when installing free ipa client and 
> the server discovery is fine, my freeipa Client is 4.1.0 and my server is 
> 4.0.3 (although somewhere I've read that version incompatibility would not be 
> an issue since if either one is of a lower version, the only features that 
> would be used is the one that the lower version can do ) 
> 
> So I really don't know why Can't I connect to the ipa server. 
> 
> Iptables works fine.
> /etc/resolv.conf is fine as well 
> 
> sssd/sssd.conf ( added these lines ) 
> [sudo]
> sudo_provider = ldap
> ldap_uri = ldap://myipaserver.example.com
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/myipaserver.example.com
> ldap_sasl_realm = EXAMPLE.COM
> krb_server = myipaserver.example.com
> 
> 
> and /etc/nsswitch.conf
> (added this line ) 
> 
> sudoers : files sss ldap
> 
> is there something missing ? 
> 
> 
> 
> On Tuesday, November 11, 2014 3:45 PM, Rolf Nufable 
> <rolf_16_nufa...@yahoo.com> wrote:
>  
> 
> 
> oh sorry I forgot that on the clients side " 
> network.negotiate-auth.trusted-uris " they have the same domain as of the 
> server side I've configured it as well as in the client side because recent 
> guides for deploying IPA says that you must go to about:config either you are 
> on the server or client side, or at least thats what I remember. 
> 
> Wait a sec I'm trying to achieve the state again where the server side wont 
> let me log in using the admin credentials , just so i could show you the logs 
> 
> 
> 
> 
> On Tuesday, November 11, 2014 3:28 PM, Martin Kosek <mko...@redhat.com> wrote:
>  
> 
> 
> On 11/11/2014 08:07 AM, Rolf Nufable wrote:
>> well I dont know how or what command to use to display the logs, could you 
>> teach me how?
> 
> There should be HOWTO articles on how to do that. Jakub may have better
> sources, but I see for example:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
> 
>> , but yes the network.negotiate-auth.trusted-uris has the same domain name 
>> which is example.com this is on the server side only
> 
> network.negotiate-auth.trusted-uris must be set in the *client* Firefox 
> machine.
> 
>> while on the client side, even though the network.negotiate-auth.trusted-uris 
>> is configured correctly, the web UI can't be accessed so it's a really weird 
>> scenario. but the registration of the ipa client to the server says it's 
>> successful. 
> 
> FreeIPA 4.0+ Web UI should allow you to login at least with your user+password,
> if SSO login fails. Does at least this part work? Because if not, there is some
> error on the server side. It would be interesting to check if there are no
> errors on the server in following logs:
> - /var/log/httpd/error_log
> - /var/log/krb5kdc.log
> 
> 
> 
>>
>> TIA 
>>
>>
>> On Tuesday, November 11, 2014 2:56 PM, Martin Kosek <mko...@redhat.com> 
>> wrote:
>>  
>>
>>
>> On 11/11/2014 06:37 AM, Rolf Nufable wrote:
>>> or could you guys direct me or guide me on how to deploy this ipa server? 
>>> I've been successful deploying ipa version 3.3.5 before but this 4.0 and 
>>> above series is really giving me a headache 
>>
>> Hm, that is worrying. FreeIPA 4.0+ should definitely not be more difficult to
>> deploy, on the contrary, it should be much cooler than 3.3.
>>
>>> On Tuesday, November 11, 2014 1:24 PM, Rolf Nufable 
>>> <rolf_16_nufa...@yahoo.com> wrote:
>>>  
>>>
>>>
>>> well I'll try them now, my sssd config only consists of these lines added 
>>> to the sudo area 
>>>
>>> sudo_provider = ldap
>>> ldap_uri = ldap://myipaserver.example.com
>>> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
>>> ldap_sasl_mech = GSSAPI
>>> ldap_sasl_authid = host/myipaserver.example.com
>>> ldap_sasl_realm = EXAMPLE.COM
>>> krb_server = myipaserver.example.com
>>
>> BTW, with FreeIPA 4.0+ / RHEL-6.6+ / recent Fedoras you can use "ipa" sudo
>> provider. Actually, FreeIPA 4.0+ clients do that for you.
>>
>> More info here:
>> https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>> https://fedorahosted.org/freeipa/ticket/3358
>>
>>> plus another question why is it that when I invoke the kinit admin command 
>>> for the kerberos I couldnt access the web UI and keeps asking me to 
>>> configure my web browser ( firefox) though I've already configured it many 
>>> times.. 
>>
>> Are you sure that network.negotiate-auth.trusted-uris in about:config is set
>> correctly? Are you saying that your Firefox works with FreeIPA 3.3 server but
>> not with FreeIPA 4.0+? What is the domain of the FreeIPA 4.0+ server and what
>> is the setting of network.negotiate-auth.trusted-uris?
>>
>> In any case, it is still hard to advise as I still did not see any related
>> logs, error messages or actual real errors preventing you from enrolling
>> FreeIPA.
>>
>> Thanks,
>> Martin
>>
>>
>>>
>>>
>>> TIA 
>>>
>>>
>>>
>>> On Monday, November 10, 2014 8:41 PM, Jakub Hrozek <jhro...@redhat.com> 
>>> wrote:
>>>  
>>>
>>>
>>> On Mon, Nov 10, 2014 at 12:56:00PM +0100, Martin Kosek wrote:
>>>
>>>> On 11/10/2014 02:05 AM, Rolf Nufable wrote:
>>>>> Hello 
>>>>>
>>>>> I have tons of questions on why free ipa won't work on my network, I've 
>>>>> been using fedora 20 as the os for the server and client free ipa.
>>>>>
>>>>> I deployed freeipa 4.0.3 at the server side and freeipa 4.1.0 for the 
>>>>> client side using 2 VM's at first it was okay, got it connected and used 
>>>>> ldap to pass sudo for the client side, but when I finally deployed it
>>>>> in our real network consisting of an esxi server and one work station having 
>>>>> the same versions of free ipa for server and client, the error that I'm 
>>>>> getting is that " the user does not exist " when I invoked the " su - ( user 
>>>>> ) " command, so my question is how can I solve this problem?? I've been at it 
>>>>> for 3 weeks now ..
>>>>
>>>> I assume this is on Fedora 20, running from the mkosek/freeipa Copr repo. I
>>>> assume this is a problem in SSSD client part, if the user cannot be found.
>>>> CCing Lukas and Jakub to advise.
>>>
>>> Sorry, I skipped this thread b/c the subject didn't look like it was
>>> SSSD-related.
>>>
>>> I think we need to examine SSSD logs...
>>>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
