On 11.11.2014 11:11, Jakub Hrozek wrote:
On Tue, Nov 11, 2014 at 02:07:57AM -0800, Rolf Nufable wrote:
well I'm trying to set up sudo on my client machine, also I want to access the server web browser in the client machine (is it possible though?)

well I'm having this error on the client side when using the command su - (user)

su - u...@example.com

su : u...@example.com does not exist.

Are you sure ipa-client-install did run successfully on that machine?

Can you unenroll and enroll the client back so that we start from an
sssd.conf that is created by the tooling?

As Martin said, you don't need those sudo-related config options with
recent SSSD releases, they wouldn't work in the sudo section anyway.


Does

$ id u...@example.com

return you the user info?

If not, and ipa-client-install was run successfully before, check whether nsswitch.conf has sssd configured (sss next to the various providers).

If not, run:
$ authconfig --enablesssd --update

If it doesn't help, try to run:
$ authconfig --disablesssd --update
$ authconfig --enablesssd --update

If it helps, please tell me. I'm curious whether you suffer from one issue I experienced.

On Tuesday, November 11, 2014 5:56 PM, Martin Kosek <mko...@redhat.com> wrote:

It is still really hard to give advice as I do not know what's actually wrong.
So are you trying to set up a sudo on your client or are you trying to log in
with your client browser to FreeIPA server? These are 2 orthogonal actions.

Who gives the "Can't I connect to the ipa server" error? As I said earlier, I
cannot help you without a description of the procedure you are trying to do, logs and
exact error messages.


On 11/11/2014 09:32 AM, Rolf Nufable wrote:
never mind the problem on the server side, somehow it got fixed, I really don't know how though

so on the client side, it is successful when installing the FreeIPA client and the server discovery is fine, my FreeIPA client is 4.1.0 and my server is 4.0.3 (although somewhere I've read that version incompatibility would not be an issue since if either one is of a lower version, the only features that would be used are the ones that the lower version can do)

So I really don't know why I can't connect to the ipa server.

Iptables works fine.
/etc/resolv.conf is fine as well

sssd/sssd.conf (added these lines)
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myipaserver.example.com
ldap_sasl_realm = EXAMPLE.COM
krb_server = myipaserver.example.com

and /etc/nsswitch.conf (added this line)

sudoers : files sss ldap

is there something missing?

On Tuesday, November 11, 2014 3:45 PM, Rolf Nufable <rolf_16_nufa...@yahoo.com> 

oh sorry, I forgot that on the client's side "network.negotiate-auth.trusted-uris" has the same domain as on the server side. I've configured it on the server side as well as on the client side because recent guides for deploying IPA say that you must go to about:config whether you are on the server or the client side, or at least that's what I remember.

Wait a sec, I'm trying to achieve the state again where the server side won't let me log in using the admin credentials, just so I could show you the logs

On Tuesday, November 11, 2014 3:28 PM, Martin Kosek <mko...@redhat.com> wrote:

On 11/11/2014 08:07 AM, Rolf Nufable wrote:
well I don't know how or what command to use to display the logs, could you teach me how?

There should be HOWTO articles on how to do that. Jakub may have better
sources, but I see for

But yes, the network.negotiate-auth.trusted-uris has the same domain name, which is example.com; this is on the server side only

network.negotiate-auth.trusted-uris must be set in the *client* Firefox machine.

while on the client side, even though the network.negotiate-auth.trusted-uris is configured correctly, the web UI can't be accessed, so it's a really weird scenario. But the registration of the ipa client to the server says it's successful.

FreeIPA 4.0+ Web UI should allow you to login at least with your user+password,
if SSO login fails. Does at least this part work? Because if not, there is some
error on the server side. It would be interesting to check if there are no
errors on the server in following logs:
- /var/log/httpd/error_log
- /var/log/krb5kdc.log


On Tuesday, November 11, 2014 2:56 PM, Martin Kosek <mko...@redhat.com> wrote:

On 11/11/2014 06:37 AM, Rolf Nufable
or could you guys direct me or guide me on how to deploy this ipa server? I've been successful deploying ipa version 3.3.5 before, but this 4.0 and above series is really giving me a headache

Hm, that is worrying. FreeIPA 4.0+ should definitely not be more difficult to
deploy, on the contrary, it should be much cooler than 3.3.

On Tuesday, November 11, 2014 1:24 PM, Rolf Nufable <rolf_16_nufa...@yahoo.com> 

well I'll try them now, my sssd config only consists of these lines added to the sudo area

sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech =
ldap_sasl_authid = host/myipaserver.example.com
ldap_sasl_realm = EXAMPLE.COM
krb_server = myipaserver.example.com

BTW, with FreeIPA 4.0+ / RHEL-6.6+ / recent Fedoras you can use the "ipa" sudo
provider. Actually, FreeIPA 4.0+ clients do that for you.

More info here:

plus another question: why is it that when I invoke the kinit admin command for Kerberos I couldn't access the web UI and it keeps asking me to configure my web browser (Firefox) though I've already configured it many times..

Are you sure that network.negotiate-auth.trusted-uris in about:config is set
correctly? Are you saying that your Firefox works with FreeIPA 3.3 server but
not with FreeIPA 4.0+? What is the domain of the FreeIPA 4.0+ server and what
is the setting of network.negotiate-auth.trusted-uris?

In any case, it is still hard to advise as I still did not see any related
logs, error messages or actual real errors preventing you from enrolling 



On Monday, November 10, 2014 8:41 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

On Mon, Nov 10, 2014 at 12:56:00PM +0100, Martin Kosek wrote:

On 11/10/2014 02:05 AM, Rolf Nufable wrote:

I have tons of questions on why FreeIPA won't work on my network, I've been using Fedora 20 as the OS for the FreeIPA server and client.

I deployed FreeIPA 4.0.3 at the server side and FreeIPA 4.1.0 for the client side using 2 VMs. At first it was okay, got it connected and used LDAP to pass sudo for the client side, but when I finally deployed it in our real network consisting of an ESXi server and one workstation having the same versions of FreeIPA for server and client, the error that I'm getting is "the user does not exist" when I invoked the "su - (user)" command, so my question is how can I solve this problem? I've been at it for 3 weeks now...

I assume this is on Fedora 20, running from the mkosek/freeipa Copr repo. I
assume this is a problem in SSSD client part, if the user cannot be found.
CCing Lukas and Jakub to advise.

Sorry, I skipped this thread b/c the subject didn't look like it was

I think we need to examine SSSD logs...

Petr Vobornik
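The "user does not exist" error from su and the nsswitch.conf check suggested earlier in the thread are easy to verify mechanically. The script below is an added example, not code from the thread or from the FreeIPA/SSSD projects: it parses an nsswitch.conf and reports which databases do not consult "sss" (the database list and the sample file content are constructed assumptions).

```shell
#!/bin/sh
# Added example (not from the thread): does nsswitch.conf send each database
# to SSSD ("sss")? A client whose sudoers line has sss but whose passwd line
# does not will still fail "su - user@example.com" with "does not exist".

# nss_has_sss FILE DB -> exit 0 if the DB line in FILE lists "sss" as a source
nss_has_sss() {
    # first line for the database, tolerating "sudoers : files sss" spacing
    line=$(grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" | head -n 1)
    [ -n "$line" ] || return 1
    # drop the "db:" prefix and any trailing comment, then scan the sources
    for src in $(printf '%s\n' "$line" | sed 's/^[^:]*://; s/#.*//'); do
        [ "$src" = "sss" ] && return 0
    done
    return 1
}

# nss_missing_sss FILE DB... -> prints each DB that does not use sss
nss_missing_sss() {
    f=$1; shift
    for db in "$@"; do
        nss_has_sss "$f" "$db" || printf '%s\n' "$db"
    done
}

# write_sample_nsswitch PATH -> constructed sample mirroring the thread:
# only sudoers was wired to sss, passwd/shadow/group were left alone
write_sample_nsswitch() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/nsswitch.conf
passwd:     files
shadow:     files
group:      files
sudoers :   files sss ldap
EOF
}

tmp=$(mktemp)
write_sample_nsswitch "$tmp"
echo "databases not consulting sss (fix with: authconfig --enablesssd --update):"
nss_missing_sss "$tmp" passwd shadow group sudoers
rm -f "$tmp"
```

Run it against the real /etc/nsswitch.conf by replacing the sample path; an empty list for passwd, shadow and group is what a correctly enrolled client should show.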
