On 18.11.2014 09:54, Rolf Nufable wrote:
> Hello all, I have a question regarding the login in IPA.
> well I didn't expect this to happen since last week all installation went 
> smoothly and the adding of the clients as well but now I have another 
> problem. 
> My first problem was ntp/ntpdate wasn't cooperating well and it won't update 
> my fedora 20 time correctly every reboot, so I get the wrong time and 
> manually issue the ntpdate just to get the correct time... ( well this 
> problem is small ) 
> So what I did was just configured/updated the timezone of the Freeipa Server. 
> then I tried rebooting it 3 times in a row just to make sure it won't change 
> time. and it was successful.  ( I did this last friday )
> yesterday I checked the time of the free ipa server. and it was way off.. Now 
> my problem is that if I edited the time or restarted ntpd / ntpdate I cannot 
> log-in to the web UI of freeipa although I'm using the admin account and the 
> right credentials as well , It asks me to configure the browser credentials ( 
> the one going to about:config ) but I still cannot log in, And I don't really 
> know why .. But if I didn't I can Log in smoothly..
> any Ideas on whats causing this error?
> TIA :)  

Maybe some timestamps in the Kerberos tickets you have 'cached' locally are wrong.
I would try to check the timestamps in "klist" output, or try kdestroy & kinit
again.

Petr^2 Spacek

> 
>      On Tuesday, November 11, 2014 11:34 PM, Martin Kosek <mko...@redhat.com> 
> wrote:
>    
> 
>  On 11/12/2014 04:09 AM, Rolf Nufable wrote:
>> I have another question, well I've achieved the state where I can't log in 
>> to my admin account in the server side, it happens because I'm changing the 
>> time of the server machine. 
>>
>> but the time is really wrong. and I disabled NTP and the server has no 
>> access to the internet. 
>>
>> these are my network configurations. 
>>
>> peerdns = no 
>> ipaddr  = 192.168.1.1
>> netmask = 255.255.255.0
>> dns1 = 192.168.1.1
>> onboot = yes 
>>
>> as you can see I've made the server also the dns1, (is this correct though ? 
>> i really don't know ) 
>>
>> feel free to correct my network config 
>>
>> And another problem is that I need to sync my freeipa server time to the 
>> right time zone? if thats the case then I do need internet connection for my 
>> Freeipa server , so that it could access ntp servers right?  ( or am I 
>> wrong? ) 
> 
> Yes, internet connection helps. Theoretically you could just set up the time
> manually on your FreeIPA server and then let your clients synchronize their
> time with it as NTP is running there, but that may be cumbersome.
> 
>>
>> still this is a great breakthrough for my work 
>>
>> Now what to do? 
> 
> FreeIPA server and the KDC do not care about the time zone, it works with UTC
> time anyway, AFAIK. You just simply need to have the time synchronized on all
> your servers and clients or Kerberos protocol will not work.
> 
>> ps. Martin attached is the krb5kdc.log after I changed the time of the 
>> server.  Httpd error log didnt changed at all after I tried to access the 
>> web UI and tried to log in.. 
> 
> I saw no error there...
> 
>>
>>
>> TIA 
>>
>>
>>
>> On Tuesday, November 11, 2014 7:10 PM, Petr Vobornik <pvobo...@redhat.com> 
>> wrote:
>>   
>>
>>
>> On 11.11.2014 11:11, Jakub Hrozek wrote:
>>> On Tue, Nov 11, 2014 at 02:07:57AM -0800, Rolf Nufable wrote:
>>>> well I'm trying to setup sudo in my client machine, also I want to access 
>>>> the server web browser In the client machine ( is it possible though ? )
>>>>
>>>> well I'm having this error in the client side when using the command su - 
>>>> ( user )
>>>>
>>>> su - u...@example.com
>>>>
>>>> su : u...@example.com does not exist.
>>>
>>> Are you sure ipa-client-install did run successfully on that machine?
>>>
>>> Can you unenroll and enroll the client back so that we start from an
>>> sssd.conf that is created by the tooling?
>>>
>>> As Martin said, you don't need those sudo-related config options with
>>> recent SSSD releases, they wouldn't work in the sudo section anyway.
>>
>> Does:
>>
>> $ id u...@example.com
>>
>> return you the user info?
>>
>> if not and ipa-client-install was run successfully before, check 
>> nsswitch.conf if it has sssd configured (sss next to various providers).
>>
>> if not run:
>> $ authconfig --enablesssd --update
>>
>> if it doesn't help, try to run:
>> $ authconfig --disablesssd --update
>> $ authconfig --enablesssd --update
>>
>> if it helps, please tell me. I'm curious if you suffer from one issue I 
>> experienced.
>>
>>
>>
>>>
>>>>
>>>>
>>>>
>>>> On Tuesday, November 11, 2014 5:56 PM, Martin Kosek <mko...@redhat.com> 
>>>> wrote:
>>>>
>>>>
>>>>
>>>> It is still really hard to give advice as I do not know what's actually wrong.
>>>> So are you trying to set up a sudo on your client or are you trying to log in
>>>> with your client browser to FreeIPA server? These are 2 orthogonal actions.
>>>>
>>>> Who gives the "Can't I connect to the ipa server" error? As I said earlier, I
>>>> cannot help you without described procedure you are trying to do, logs and
>>>> exact error messages.
>>>>
>>>> Martin
>>>>
>>>>
>>>> On 11/11/2014 09:32 AM, Rolf Nufable wrote:
>>>>> never mind the problem on the server side, somehow it got fixed , I 
>>>>> really don't know how though
>>>>>
>>>>> so in the client side, It is successful when installing FreeIPA client and the
>>>>> server discovery is fine, my FreeIPA client is 4.1.0 and my server is
>>>>> 4.0.3 (although somewhere I've read that version incompatibility would not
>>>>> be an issue since if either one is of a lower version, the only features
>>>>> that would be used is the one that the lower version can do )
>>>>>
>>>>> So I really don't know why Can't I connect to the ipa server.
>>>>>
>>>>> Iptables works fine.
>>>>> /etc/resolv.conf is fine as well
>>>>>
>>>>> sssd/sssd.conf ( added these lines )
>>>>> [sudo]
>>>>> sudo_provider = ldap
>>>>> ldap_uri = ldap://myipaserver.example.com
>>>>> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
>>>>> ldap_sasl_mech = GSSAPI
>>>>> ldap_sasl_authid = host/myipaserver.example.com
>>>>> ldap_sasl_realm = EXAMPLE.COM
>>>>> krb_server = myipaserver.example.com
>>>>>
>>>>>
>>>>> and /etc/nsswitch.conf
>>>>> (added this line )
>>>>>
>>>>> sudoers : files sss ldap
>>>>>
>>>>> is there something missing ?
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday, November 11, 2014 3:45 PM, Rolf Nufable 
>>>>> <rolf_16_nufa...@yahoo.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>> oh sorry I forgot that on the clients side "
>>>>> network.negotiate-auth.trusted-uris " they have the same domain as of the
>>>>> server side I've configured it as well as in the client side because
>>>>> recent guides for deploying IPA says that you must go to about:config
>>>>> either you are on the server or client side, or at least thats what I remember.
>>>>>
>>>>> Wait a sec I'm trying to achieve the state again where the server side 
>>>>> wont let me log in using the admin credentials , just so i could show you 
>>>>> the logs
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday, November 11, 2014 3:28 PM, Martin Kosek <mko...@redhat.com> 
>>>>> wrote:
>>>>>
>>>>>
>>>>>
>>>>> On 11/11/2014 08:07 AM, Rolf Nufable wrote:
>>>>>> well I dont know how or what command to use to display the logs, could 
>>>>>> you teach me how?
>>>>>
>>>>> There should be HOWTO articles on how to do that. Jakub may have better
>>>>> sources, but I see for example:
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
>>>>>
>>>>>> , but yes the network.negotiate-auth.trusted-uris has the same domain 
>>>>>> name which is example.com this is on the server side only
>>>>>
>>>>> network.negotiate-auth.trusted-uris must be set in the *client* Firefox 
>>>>> machine.
>>>>>
>>>>>> while on the client side, even though the network.negotiate-auth.trusted-uris
>>>>>> is configured correctly, the web UI can't be accessed so its a really weird
>>>>>> scenario. but the registration of the ipa client to the server says its successful.
>>>>>
>>>>> FreeIPA 4.0+ Web UI should allow you to login at least with your user+password,
>>>>> if SSO login fails. Does at least this part work? Because if not, there is some
>>>>> error on the server side. It would be interesting to check if there are no
>>>>> errors on the server in following logs:
>>>>> - /var/log/httpd/error_log
>>>>> - /var/log/krb5kdc.log
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> TIA
>>>>>>
>>>>>>
>>>>>> On Tuesday, November 11, 2014 2:56 PM, Martin Kosek <mko...@redhat.com> 
>>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 11/11/2014 06:37 AM, Rolf Nufable wrote:
>>>>>>> or could you guys direct me or guide me on how to deploy this ipa 
>>>>>>> server? I've been successful deploying ipa version 3.3.5 before but 
>>>>>>> this 4.0 and above series is really giving me a headache
>>>>>>
>>>>>> Hm, that is worrying. FreeIPA 4.0+ should definitely not be more difficult to
>>>>>> deploy, on the contrary, it should be much cooler than 3.3.
>>>>>>
>>>>>>> On Tuesday, November 11, 2014 1:24 PM, Rolf Nufable 
>>>>>>> <rolf_16_nufa...@yahoo.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> well I'll try them now, my sssd config only consists of these lines 
>>>>>>> added to the sudo area
>>>>>>>
>>>>>>> sudo_provider = ldap
>>>>>>> ldap_uri = ldap://myipaserver.example.com
>>>>>>> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>> ldap_sasl_authid = host/myipaserver.example.com
>>>>>>> ldap_sasl_realm = EXAMPLE.COM
>>>>>>> krb_server = myipaserver.example.com
>>>>>>
>>>>>> BTW, with FreeIPA 4.0+ / RHEL-6.6+ / recent Fedoras you can use "ipa" sudo
>>>>>> provider. Actually, FreeIPA 4.0+ clients do that for you.
>>>>>>
>>>>>> More info here:
>>>>>> https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>>>> https://fedorahosted.org/freeipa/ticket/3358
>>>>>>
>>>>>>> plus another question why is it that when I invoke the kinit admin 
>>>>>>> command for the kerberos I couldnt access the web UI and keeps asking 
>>>>>>> me to configure my web browser ( firefox) though I've already 
>>>>>>> configured it many times..
>>>>>>
>>>>>> Are you sure that network.negotiate-auth.trusted-uris in about:config is set
>>>>>> correctly? Are you saying that your Firefox works with FreeIPA 3.3 server but
>>>>>> not with FreeIPA 4.0+? What is the domain of the FreeIPA 4.0+ server and what
>>>>>> is the setting of network.negotiate-auth.trusted-uris?
>>>>>>
>>>>>> In any case, it is still hard to advise as I still did not see any related
>>>>>> logs, error messages or actual real errors preventing you from enrolling
>>>>>> FreeIPA.
>>>>>>
>>>>>> Thanks,
>>>>>> Martin
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> TIA
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Monday, November 10, 2014 8:41 PM, Jakub Hrozek <jhro...@redhat.com> 
>>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Nov 10, 2014 at 12:56:00PM +0100, Martin Kosek wrote:
>>>>>>>
>>>>>>>> On 11/10/2014 02:05 AM, Rolf Nufable wrote:
>>>>>>>>> Hello
>>>>>>>>>
>>>>>>>>> I have tons of questions on why free ipa won't work on my network,
>>>>>>>>> I've been using fedora 20 as the os for the server and client free
>>>>>>>>> ipa .
>>>>>>>>>
>>>>>>>>> I deployed freeipa 4.0.3 at the server side and freeipa 4.1.0 for the
>>>>>>>>> client side using 2 VM's at first it was okay, got it connected and
>>>>>>>>> used ldap to pass sudo for the client side, but when I finally
>>>>>>>>> deployed it in our real network consisting of an esxi server and one
>>>>>>>>> work station having the same versions of free ipa for server and client,
>>>>>>>>> the error that I'm getting is that " the user does not exist " when I
>>>>>>>>> invoked the " su - ( user ) " command, so My question is how can I solve
>>>>>>>>> this problem?? I've been at it for 3 weeks now ..
>>>>>>>>
>>>>>>>> I assume this is on Fedora 20, running from the mkosek/freeipa Copr repo. I
>>>>>>>> assume this is a problem in SSSD client part, if the user cannot be found.
>>>>>>>> CCing Lukas and Jakub to advise.
>>>>>>>
>>>>>>> Sorry, I skipped this thread b/c the subject didn't look like it was
>>>>>>> SSSD-related.
>>>>>>>
>>>>>>> I think we need to examine SSSD logs...

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
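An added example, not code from the thread, FreeIPA or SSSD, covering the two diagnoses given in the replies above: Petr's hint that cached tickets may carry timestamps that no longer fit the local clock, and Jakub's and Martin's point that the ldap sudo options pasted under [sudo] do nothing there and that a FreeIPA 4.0+ client should use the ipa sudo provider in its domain section. The klist output, sssd.conf and nsswitch.conf contents are constructed samples that reuse the thread's placeholder names (myipaserver.example.com, EXAMPLE.COM); the function names, the 300 s tolerance (krb5's default clockskew) and the option regex are my own.

```python
"""Added example, not code from the thread, FreeIPA or SSSD: offline checks for
cached Kerberos tickets that no longer fit the local clock, and for an sssd.conf
with sudo settings in the wrong section.  All inputs are constructed samples."""
import configparser
import re
from datetime import datetime, timedelta

# Kerberos tolerates this much client/KDC clock difference (krb5 "clockskew"
# default, 300 s); the ticket check applies the same tolerance.
MAX_SKEW = timedelta(seconds=300)

# Constructed "klist" output in the MIT format (times are local time).
KLIST_SAMPLE = """\
Valid starting       Expires              Service principal
11/18/2014 09:40:12  11/19/2014 09:40:09  krbtgt/EXAMPLE.COM@EXAMPLE.COM
11/18/2014 09:41:03  11/19/2014 09:40:09  HTTP/myipaserver.example.com@EXAMPLE.COM
"""
_TIME = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(r"^(?P<start>%s)\s+(?P<end>%s)\s+(?P<svc>\S+)" % (_TIME, _TIME))


def parse_klist_time(text):
    """Recent krb5 prints 4-digit years, older releases 2-digit; accept both."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)


def check_tickets(klist_text, now, max_skew=MAX_SKEW):
    """Map each cached ticket to 'ok', 'not-yet-valid' or 'expired' at `now`.
    not-yet-valid (start more than max_skew ahead of the clock) is what a clock
    moved backwards after kinit looks like; expired is one moved forwards.
    Either way: fix the time, then kdestroy && kinit."""
    verdicts = {}
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line)
        if not m:
            continue
        start, end = parse_klist_time(m["start"]), parse_klist_time(m["end"])
        if start - now > max_skew:
            verdicts[m["svc"]] = "not-yet-valid"
        elif now > end:
            verdicts[m["svc"]] = "expired"
        else:
            verdicts[m["svc"]] = "ok"
    return verdicts


# [sudo] configures only the sudo responder; provider options (sudo_provider,
# ldap_*, krb5_*) are read from [domain/...] and ignored under [sudo].  The
# [sudo] lines are the ones posted in the thread; the [sssd] section is constructed.
SSSD_POSTED = """\
[sssd]
services = nss, pam

[sudo]
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
krb_server = myipaserver.example.com
"""
NSSWITCH_POSTED = "passwd: files sss\nsudoers: files sss ldap\n"

# Shape of what the replies say a FreeIPA 4.0+ client sets up for you: the ipa
# sudo provider in the domain section and the sudo responder enabled.
SSSD_FIXED = """\
[sssd]
services = nss, pam, sudo

[domain/example.com]
id_provider = ipa
sudo_provider = ipa
"""
NSSWITCH_FIXED = "sudoers: files sss\n"
PROVIDER_KEY = re.compile(r"^(sudo_provider$|ldap_|krb5?_|ipa_)")


def lint_sssd_sudo(sssd_text, nsswitch_text):
    """Return findings; an empty list means sudo via SSSD is wired up."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    findings = []
    if cp.has_section("sudo"):
        misplaced = sorted(k for k in cp["sudo"] if PROVIDER_KEY.match(k))
        if misplaced:
            findings.append("[sudo] provider options are ignored here, move them "
                            "to [domain/...]: " + ", ".join(misplaced))
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services lacks sudo, so the sudo responder is not started")
    m = re.search(r"^sudoers\s*:(.*)$", nsswitch_text, re.M)
    if m is None or "sss" not in m.group(1).split():
        findings.append("nsswitch.conf: sudoers line missing or without sss")
    return findings
```

Feed check_tickets the real `klist` output together with datetime.now() once the clock has been corrected: any verdict other than ok means kdestroy && kinit before retrying the Web UI, because the KDC and the HTTP service will keep rejecting tickets whose window does not match the corrected time. lint_sssd_sudo takes the contents of /etc/sssd/sssd.conf and /etc/nsswitch.conf; an empty list is the state the replies describe for a FreeIPA 4.0+ client, where the ipa provider serves sudo rules and no hand-written ldap_* lines are needed.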
