Re: [Freeipa-users] Post installation ( looks to be small issue )..

2012-01-20 Thread Rob Crittenden

Nigel Sollars wrote:

HI,

So is the failure of the client an issue, as in do I need to run it again?

I still can't get the local firefox to authenticate.


I think what I'd recommend is to uninstall and re-install the server 
from scratch. It might be the case that re-running the client installer 
would work but it isn't worth the risk that something else wasn't 
completed by the server installer.


rob



Regards
Nige

On Thu, Jan 19, 2012 at 2:34 PM, Nigel Sollars <nsoll...@gmail.com> wrote:



On Thu, Jan 19, 2012 at 2:28 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

Nigel Sollars wrote:

Hi all,

After fixing up a number of things and successfully installing / testing
the server install, I have a small issue with the UI inside firefox in
that after importing the CA and looking at a few guides I notice these
lines in my http error logs:


What things did you fix up?



Just permissions on /dev/shm and /var/tmp




[Thu Jan 19 13:17:56 2012] [error] [client x.x.x.x] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://ipaserver.jitscaleus.net/ipa/ui/

[Thu Jan 19 13:19:41 2012] [error] [client x.x.x.x] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://ipaserver.jitscaleus.net/ipa/ui/

[Thu Jan 19 13:19:59 2012] [error] [client x.x.x.x] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://ipaserver.jitscaleus.net/ipa/ui/

[Thu Jan 19 13:27:58 2012] [error] [client x.x.3.x] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://ipaserver.jitscaleus.net/ipa/ui/

[Thu Jan 19 13:31:34 2012] [error] [client x.x.x.x] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://ipaserver.jitscaleus.net/ipa/ui/



I think this can be ignored, I believe the code is just used for
testing/developing (and isn't used at all in newer builds).




Ok cool

I ran through the troubleshooting guide, re-running kinit (passing the
password) and then running ldapsearch -Y GSSAPI -b "dc=domain,dc=com"
uid=admin, which returned the correct response.

The browser loops around the configuration from the server
to return to
the webui with the error of an invalid ticket.


Did you configure the browser to do negotiate authentication (or
use the configure firefox button)?



Via the button. The CA is there; about:config shows the correct
network options there also.

I am not 100% sure if this is relevant or not, but the client
install that was called after the server install finalized bombed
completely with the following:

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1292, in 
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1279, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1117, in install
    fstore.backup_file("/etc/sssd/sssd.conf")
  File "/usr/lib/python2.6/site-packages/ipapython/sysrestore.py", line 126, in backup_file
    shutil.copy2(path, backup_path)
  File "/usr/lib64/python2.6/shutil.py", line 95, in copy2
    copyfile(src, dst)
  File "/usr/lib64/python2.6/shutil.py", line 51, in copyfile
    with open(dst, 'wb') as fdst:
IOError: [Errno 2] No such file or directory: '/var/lib/ipa-client/sysrestore/107a99f6a6514e30-sssd.conf'


Strange. Does /var/lib/ipa-client/sysrestore exist?


No that one is not there

rob




--
“Science is a differential equation. Religion is a boundary condition.”

  Alan Turing







___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/fre

Re: [Freeipa-users] consulting?

2012-01-20 Thread Rich Megginson

On 01/20/2012 01:08 PM, Jimmy wrote:
That was it! I have passwords syncing, *BUT* (at the risk of sounding 
stupid), is it not possible to also sync (add) the users from AD to DS?

Yes, it is.  Just configure IPA Windows Sync

I created a new user in AD and it doesn't propagate to DS, just says:

attempting to sync password for testuser3
searching for (ntuserdomainid=testuser3)
There are no entries that match: testuser3
deferring password change for testuser3

On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson wrote:


On 01/20/2012 12:46 PM, Jimmy wrote:

Getting close here... Now I see this message in the sync log file:

attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser

This usually means the search base is incorrect or not found.  You
can look at the 389 access log to see what it was using as the
search criteria.



On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson
<rmegg...@redhat.com> wrote:

On 01/20/2012 10:23 AM, Jimmy wrote:

You are correct. I had installed as an Enterprise root, but
the doc I was reading (original link) seemed to say that I
had to do the certreq manually, my bad. I think I'm getting
closer; I can establish an openssl connection from DS to AD
but I get these errors:

 openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
CONNECTED(0003)
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=21:unable to verify the first certificate
verify return:1

I thought I had imported the cert from AD but it doesn't
seem so. I'm still researching but if you guys have a
suggestion let me know.

Is dsca.crt the CA that issued the DS server cert?  If so,
that won't work.  You need the CA cert from the CA that
issued the AD server cert (i.e. the CA cert from the MS
Enterprise Root CA).


-J

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson
<rmegg...@redhat.com> wrote:

On 01/19/2012 02:59 PM, Jimmy wrote:

ok. I started from scratch this week on this and I
think I've got the right doc and understand better
where this is going. My problem now is that when
configuring SSL on the AD server (step c in this url:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
 )

I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
  ldap:
RequestId: 3
RequestId: "3"
Certificate not issued (Denied) Denied by Policy Module
 0x80094801, The request does not contain a certificate
template extension or the CertificateTemplate request
attribute.
 The request contains no certificate template
information. 0x80094801 (-2146875391 )
Certificate Request Processor: The request contains no
certificate template information. 0x80094801
(-2146875391 )
Denied by Policy Module  0x80094801, The request does
not contain a certificate template extension or the
CertificateTemplate request attribute.

The RH doc says to use the browser if an error occurs
and IIS is running but I'm not running IIS. I
researched that error but didn't find anything that
helps with FreeIPA and passsync.

Hmm - try installing Microsoft Certificate Authority in
Enterprise Root CA mode - it will usually automatically
create and install the AD server cert.
http://directory.fedoraproject.org/wiki/Howto:WindowsSync



Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson
<rmegg...@redhat.com> wrote:

On 01/11/2012 11:22 AM, Jimmy wrote:

We need to be able to replicate user/pass between
Windows 2008 AD and FreeIPA.


That's what IPA Windows Sync is supposed to do.



I have followed many different documents and
posted here about it and from what I've read and
procedures I've followed we are unable to
accomplish this.


What have you tried,

Re: [Freeipa-users] consulting?

2012-01-20 Thread Jimmy
That was it! I have passwords syncing, *BUT* (at the risk of sounding
stupid), is it not possible to also sync (add) the users from AD to DS? I
created a new user in AD and it doesn't propagate to DS, just says:

attempting to sync password for testuser3
searching for (ntuserdomainid=testuser3)
There are no entries that match: testuser3
deferring password change for testuser3

On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson wrote:

> On 01/20/2012 12:46 PM, Jimmy wrote:
>
> Getting close here... Now I see this message in the sync log file:
>
>  attempting to sync password for testuser
> searching for (ntuserdomainid=testuser)
> ldap error in queryusername
>  32: no such object
> deferring password change for testuser
>
> This usually means the search base is incorrect or not found.  You can
> look at the 389 access log to see what it was using as the search criteria.
>
>
> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson wrote:
>
>>  On 01/20/2012 10:23 AM, Jimmy wrote:
>>
>> You are correct. I had installed as an Enterprise root, but the doc I was
>> reading (original link) seemed to say that I had to do the certreq manually,
>> my bad. I think I'm getting closer; I can establish an openssl connection
>> from DS to AD but I get these errors:
>>
>>   openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile
>> dsca.crt
>> CONNECTED(0003)
>> depth=0 CN = csp-ad.cspad.pdh.csp
>>  verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 CN = csp-ad.cspad.pdh.csp
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 CN = csp-ad.cspad.pdh.csp
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>>
>>  I thought I had imported the cert from AD but it doesn't seem so. I'm
>> still researching but if you guys have a suggestion let me know.
>>
>>  Is dsca.crt the CA that issued the DS server cert?  If so, that won't
>> work.  You need the CA cert from the CA that issued the AD server cert
>> (i.e. the CA cert from the MS Enterprise Root CA).
>>
>>  -J
>>
>>  On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:
>>
>>>  On 01/19/2012 02:59 PM, Jimmy wrote:
>>>
>>> ok. I started from scratch this week on this and I think I've got the
>>> right doc and understand better where this is going. My problem now is that
>>> when configuring SSL on the AD server (step c in this url:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
>>>  )
>>>
>>> I get this error:
>>>
>>>  certreq -submit request.req certnew.cer
>>> Active Directory Enrollment Policy
>>>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>   ldap:
>>> RequestId: 3
>>> RequestId: "3"
>>> Certificate not issued (Denied) Denied by Policy Module  0x80094801, The
>>> request does not contain a certificate template extension or the
>>> CertificateTemplate request attribute.
>>>  The request contains no certificate template information. 0x80094801
>>> (-2146875391)
>>> Certificate Request Processor: The request contains no certificate
>>> template information. 0x80094801 (-2146875391)
>>>  Denied by Policy Module  0x80094801, The request does not contain a
>>> certificate template extension or the CertificateTemplate request attribute.
>>>
>>>  The RH doc says to use the browser if an error occurs and IIS is
>>> running but I'm not running IIS. I researched that error but didn't find
>>> anything that helps with FreeIPA and passsync.
>>>
>>>  Hmm - try installing Microsoft Certificate Authority in Enterprise Root
>>> CA mode - it will usually automatically create and install the AD server
>>> cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>>
>>>
>>>  Jimmy
>>>
>>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:
>>>
  On 01/11/2012 11:22 AM, Jimmy wrote:

 We need to be able to replicate user/pass between Windows 2008 AD and
 FreeIPA.


  That's what IPA Windows Sync is supposed to do.


 I have followed many different documents and posted here about it and
 from what I've read and procedures I've followed we are unable to
 accomplish this.


  What have you tried, and what problems have you run into?

  It doesn't need to be a full trust.

  Thanks

 On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený  wrote:

>  > Just wondering if there was anyone listening on the list that
> might be
> > available for little work integrating FreeIPA with Active Directory
> > (preferably in the south east US.) I hope this isn't against the
> list
> > rules, I just thought one of you guys could help or point me in the
> right
> > direction.
>
>  If you want some help, it is certainly not against list rules ;-)
> But in that
> case, it would be much better if you asked what exactly do you need.
>
> I'm not an AD expert, but a c

Re: [Freeipa-users] consulting?

2012-01-20 Thread Rich Megginson

On 01/20/2012 12:46 PM, Jimmy wrote:

Getting close here... Now I see this message in the sync log file:

attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser
This usually means the search base is incorrect or not found.  You can 
look at the 389 access log to see what it was using as the search criteria.


On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson wrote:


On 01/20/2012 10:23 AM, Jimmy wrote:

You are correct. I had installed as an Enterprise root, but the
doc I was reading (original link) seemed to say that I had to do
the certreq manually, my bad. I think I'm getting closer; I can
establish an openssl connection from DS to AD but I get these
errors:

 openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
CONNECTED(0003)
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=21:unable to verify the first certificate
verify return:1

I thought I had imported the cert from AD but it doesn't seem so.
I'm still researching but if you guys have a suggestion let me know.

Is dsca.crt the CA that issued the DS server cert?  If so, that
won't work.  You need the CA cert from the CA that issued the AD
server cert (i.e. the CA cert from the MS Enterprise Root CA).


-J

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson
<rmegg...@redhat.com> wrote:

On 01/19/2012 02:59 PM, Jimmy wrote:

ok. I started from scratch this week on this and I think
I've got the right doc and understand better where this is
going. My problem now is that when configuring SSL on the AD
server (step c in this url:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
 )

I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
  ldap:
RequestId: 3
RequestId: "3"
Certificate not issued (Denied) Denied by Policy Module
 0x80094801, The request does not contain a certificate
template extension or the CertificateTemplate request attribute.
 The request contains no certificate template information.
0x80094801 (-2146875391 )
Certificate Request Processor: The request contains no
certificate template information. 0x80094801 (-2146875391
)
Denied by Policy Module  0x80094801, The request does not
contain a certificate template extension or the
CertificateTemplate request attribute.

The RH doc says to use the browser if an error occurs and
IIS is running but I'm not running IIS. I researched that
error but didn't find anything that helps with FreeIPA and
passsync.

Hmm - try installing Microsoft Certificate Authority in
Enterprise Root CA mode - it will usually automatically
create and install the AD server cert.
http://directory.fedoraproject.org/wiki/Howto:WindowsSync



Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson
<rmegg...@redhat.com> wrote:

On 01/11/2012 11:22 AM, Jimmy wrote:

We need to be able to replicate user/pass between
Windows 2008 AD and FreeIPA.


That's what IPA Windows Sync is supposed to do.



I have followed many different documents and posted
here about it and from what I've read and procedures
I've followed we are unable to accomplish this.


What have you tried, and what problems have you run into?


It doesn't need to be a full trust.

Thanks

On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený
<jzel...@redhat.com> wrote:

> Just wondering if there was anyone listening on
the list that might be
> available for little work integrating FreeIPA
with Active Directory
> (preferably in the south east US.) I hope this
isn't against the list
> rules, I just thought one of you guys could help
or point me in the right
> direction.

If you want some help, it is certainly not against
list rules ;-) But in that
case, it would be much better if you asked what
exactly do you need.

I'm not an AD expert, but a

Re: [Freeipa-users] consulting?

2012-01-20 Thread Jimmy
Getting close here... Now I see this message in the sync log file:

attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser

On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson wrote:

> On 01/20/2012 10:23 AM, Jimmy wrote:
>
> You are correct. I had installed as an Enterprise root, but the doc I was
> reading (original link) seemed to say that I had to do the certreq manually,
> my bad. I think I'm getting closer; I can establish an openssl connection
> from DS to AD but I get these errors:
>
>   openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile
> dsca.crt
> CONNECTED(0003)
> depth=0 CN = csp-ad.cspad.pdh.csp
>  verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = csp-ad.cspad.pdh.csp
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 CN = csp-ad.cspad.pdh.csp
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
>  I thought I had imported the cert from AD but it doesn't seem so. I'm
> still researching but if you guys have a suggestion let me know.
>
> Is dsca.crt the CA that issued the DS server cert?  If so, that won't
> work.  You need the CA cert from the CA that issued the AD server cert
> (i.e. the CA cert from the MS Enterprise Root CA).
>
>  -J
>
>  On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:
>
>>  On 01/19/2012 02:59 PM, Jimmy wrote:
>>
>> ok. I started from scratch this week on this and I think I've got the
>> right doc and understand better where this is going. My problem now is that
>> when configuring SSL on the AD server (step c in this url:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
>>  )
>>
>> I get this error:
>>
>>  certreq -submit request.req certnew.cer
>> Active Directory Enrollment Policy
>>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>   ldap:
>> RequestId: 3
>> RequestId: "3"
>> Certificate not issued (Denied) Denied by Policy Module  0x80094801, The
>> request does not contain a certificate template extension or the
>> CertificateTemplate request attribute.
>>  The request contains no certificate template information. 0x80094801
>> (-2146875391)
>> Certificate Request Processor: The request contains no certificate
>> template information. 0x80094801 (-2146875391)
>>  Denied by Policy Module  0x80094801, The request does not contain a
>> certificate template extension or the CertificateTemplate request attribute.
>>
>>  The RH doc says to use the browser if an error occurs and IIS is
>> running but I'm not running IIS. I researched that error but didn't find
>> anything that helps with FreeIPA and passsync.
>>
>>  Hmm - try installing Microsoft Certificate Authority in Enterprise Root
>> CA mode - it will usually automatically create and install the AD server
>> cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>
>>
>>  Jimmy
>>
>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:
>>
>>>  On 01/11/2012 11:22 AM, Jimmy wrote:
>>>
>>> We need to be able to replicate user/pass between Windows 2008 AD and
>>> FreeIPA.
>>>
>>>
>>>  That's what IPA Windows Sync is supposed to do.
>>>
>>>
>>> I have followed many different documents and posted here about it and
>>> from what I've read and procedures I've followed we are unable to
>>> accomplish this.
>>>
>>>
>>>  What have you tried, and what problems have you run into?
>>>
>>>  It doesn't need to be a full trust.
>>>
>>>  Thanks
>>>
>>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:
>>>
  > Just wondering if there was anyone listening on the list that might
 be
 > available for little work integrating FreeIPA with Active Directory
 > (preferably in the south east US.) I hope this isn't against the list
 > rules, I just thought one of you guys could help or point me in the
 right
 > direction.

  If you want some help, it is certainly not against list rules ;-) But
 in that
 case, it would be much better if you asked what exactly do you need.

 I'm not an AD expert, but a couple tips: If you are looking for
 cross-domain
 (cross-realm) trust, then you might be a bit disappointed, it is still
 in
 development, so it probably won't be 100% functional at this moment.

 If you are looking for something else, could you be a little more
 specific what
 it is?

 I also recommend starting with reading some doc:
 http://freeipa.org/page/DocumentationPortal

 Thanks
 Jan

>>>
>>>
>>>
>>>
>>>
>>
>>
>
>

Re: [Freeipa-users] Forcing IPA clients to prioritise different IPA Servers

2012-01-20 Thread Stephen Gallagher
On Fri, 2012-01-20 at 18:41 +0100, Sigbjorn Lie wrote:
> On 01/20/2012 06:33 PM, Stephen Gallagher wrote:
> > On Fri, 2012-01-20 at 17:35 +0100, Sigbjorn Lie wrote:
> >> On 01/19/2012 04:33 PM, Stephen Gallagher wrote:
> >>> On Thu, 2012-01-19 at 14:06 +, Charlie Derwent wrote:
>  https://fedorahosted.org/freeipa/ticket/22827
> >>> For the record, the correct link is
> >>> https://fedorahosted.org/freeipa/ticket/2282
> >>>
> >>>
> >> The Solaris LDAP client has a property called servers, and a property
> >> called preferred servers. As the name implies, all the preferred servers
> >> will be used before using the rest of the servers in the servers
> >> property for that client.
> >>
> >> Perhaps this would be a good idea to implement in SSSD too?
> > https://fedorahosted.org/sssd/ticket/1128
> >
> > Currently scheduled for SSSD 1.9.0 (end of May)
> >
> Excellent! :)
> 
> In the ticket is mentioned "server", a single server. Will this feature 
> be implemented for a single primary server, or for a group of 
> primary/preferred servers?
> 

The original intent was to handle switching back over to the primary
server when failover caused an error. However, please add your request
to that ticket and it'll be evaluated there.



Re: [Freeipa-users] RHEL 6.2 IPA and automember

2012-01-20 Thread Dmitri Pal
On 01/20/2012 11:24 AM, Sigbjorn Lie wrote:
> On 01/20/2012 03:45 PM, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> What happened to the automember functionality in the IPA shipped
>>> with RHEL 6.2?
>>>
>>> I no longer have the option to create or modify automember
>>> configuration. This was working fine in
>>> the release shipped with RHEL 6.2 beta.
>>>
>>> # ipa automember
>>> ipa: ERROR: unknown command 'automember'
>>
>> It was removed from the final release because it had not been fully
>> verified by QE.
>
> :(
>
> When can it be expected to be back in RHEL?
>

In 6.3

>
> Regards,
> Siggi
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] Forcing IPA clients to prioritise different IPA Servers

2012-01-20 Thread Sigbjorn Lie

On 01/20/2012 06:33 PM, Stephen Gallagher wrote:

On Fri, 2012-01-20 at 17:35 +0100, Sigbjorn Lie wrote:

On 01/19/2012 04:33 PM, Stephen Gallagher wrote:

On Thu, 2012-01-19 at 14:06 +, Charlie Derwent wrote:

https://fedorahosted.org/freeipa/ticket/22827

For the record, the correct link is
https://fedorahosted.org/freeipa/ticket/2282



The Solaris LDAP client has a property called servers, and a property
called preferred servers. As the name implies, all the preferred servers
will be used before using the rest of the servers in the servers
property for that client.

Perhaps this would be a good idea to implement in SSSD too?

https://fedorahosted.org/sssd/ticket/1128

Currently scheduled for SSSD 1.9.0 (end of May)


Excellent! :)

In the ticket is mentioned "server", a single server. Will this feature 
be implemented for a single primary server, or for a group of 
primary/preferred servers?




Regards,
Siggi



Re: [Freeipa-users] Forcing IPA clients to prioritise different IPA Servers

2012-01-20 Thread Stephen Gallagher
On Fri, 2012-01-20 at 17:35 +0100, Sigbjorn Lie wrote:
> On 01/19/2012 04:33 PM, Stephen Gallagher wrote:
> > On Thu, 2012-01-19 at 14:06 +, Charlie Derwent wrote:
> >> https://fedorahosted.org/freeipa/ticket/22827
> > For the record, the correct link is
> > https://fedorahosted.org/freeipa/ticket/2282
> >
> >
> 
> The Solaris LDAP client has a property called servers, and a property 
> called preferred servers. As the name implies, all the preferred servers 
> will be used before using the rest of the servers in the servers 
> property for that client.
> 
> Perhaps this would be a good idea to implement in SSSD too?

https://fedorahosted.org/sssd/ticket/1128

Currently scheduled for SSSD 1.9.0 (end of May)



Re: [Freeipa-users] consulting?

2012-01-20 Thread Rich Megginson

On 01/20/2012 10:23 AM, Jimmy wrote:
You are correct. I had installed as an Enterprise root, but the doc I 
was reading (original link) seemed to say that I had to do the certreq 
manually, my bad. I think I'm getting closer; I can establish an 
openssl connection from DS to AD but I get these errors:


 openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt

CONNECTED(0003)
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=21:unable to verify the first certificate
verify return:1

I thought I had imported the cert from AD but it doesn't seem so. I'm 
still researching but if you guys have a suggestion let me know.
Is dsca.crt the CA that issued the DS server cert?  If so, that won't 
work.  You need the CA cert from the CA that issued the AD server cert 
(i.e. the CA cert from the MS Enterprise Root CA).

-J

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:


On 01/19/2012 02:59 PM, Jimmy wrote:

ok. I started from scratch this week on this and I think I've got
the right doc and understand better where this is going. My
problem now is that when configuring SSL on the AD server (step c
in this url:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
 )

I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
  ldap:
RequestId: 3
RequestId: "3"
Certificate not issued (Denied) Denied by Policy Module
 0x80094801, The request does not contain a certificate template
extension or the CertificateTemplate request attribute.
 The request contains no certificate template information.
0x80094801 (-2146875391 )
Certificate Request Processor: The request contains no
certificate template information. 0x80094801 (-2146875391
)
Denied by Policy Module  0x80094801, The request does not contain
a certificate template extension or the CertificateTemplate
request attribute.

The RH doc says to use the browser if an error occurs and IIS is
running but I'm not running IIS. I researched that error but
didn't find anything that helps with FreeIPA and passsync.

Hmm - try installing Microsoft Certificate Authority in Enterprise
Root CA mode - it will usually automatically create and install
the AD server cert.
http://directory.fedoraproject.org/wiki/Howto:WindowsSync



Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson
<rmegg...@redhat.com> wrote:

On 01/11/2012 11:22 AM, Jimmy wrote:

We need to be able to replicate user/pass between Windows
2008 AD and FreeIPA.


That's what IPA Windows Sync is supposed to do.



I have followed many different documents and posted here
about it and from what I've read and procedures I've
followed we are unable to accomplish this.


What have you tried, and what problems have you run into?


It doesn't need to be a full trust.

Thanks

On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený
<jzel...@redhat.com> wrote:

> Just wondering if there was anyone listening on the
list that might be
> available for little work integrating FreeIPA with
Active Directory
> (preferably in the south east US.) I hope this isn't
against the list
> rules, I just thought one of you guys could help or
point me in the right
> direction.

If you want some help, it is certainly not against list
rules ;-) But in that
case, it would be much better if you asked what exactly
do you need.

I'm not an AD expert, but a couple tips: If you are
looking for cross-domain
(cross-realm) trust, then you might be a bit
disappointed, it is still in
development, so it probably won't be 100% functional at
this moment.

If you are looking for something else, could you be a
little more specific what
it is?

I also recommend starting with reading some doc:
http://freeipa.org/page/DocumentationPortal

Thanks
Jan











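Rich's point above, that the -CAfile handed to s_client has to be the CA that issued the AD server certificate and not the DS server's CA, reproduced with throwaway certificates as an added example that is not part of the thread: the same end-entity cert is verified once against the wrong CA (the "error 20" s_client reports at depth=0) and once against its real issuer. The names ds-ca, ad-ca and csp-ad.example.test are constructed placeholders, and the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): why "verify error:num=20:unable to
# get local issuer certificate" appears when openssl is given the wrong CA.
# Two throwaway CAs are created in a temp dir: "ds-ca" stands in for the CA
# that issued the DS server cert, "ad-ca" for the MS Enterprise Root CA that
# issued the AD server cert. All names and CNs below are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key as $WORK/NAME.crt / .key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert CA NAME CN: end-entity certificate for CN, signed by CA
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_with CA CERT: prints "ok" when CA is the issuer of CERT, otherwise
# the verify error text (the same error 20 that s_client shows at depth=0)
verify_with() {
    if out=$(openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>&1); then
        echo ok
    else
        case "$out" in
            *"unable to get local issuer certificate"*)
                echo "error 20: unable to get local issuer certificate" ;;
            *)  echo "failed: $out" ;;
        esac
    fi
}

# Build the two CAs and issue the "AD server" cert from ad-ca only.
setup_pki() {
    make_ca ds-ca && make_ca ad-ca &&
    issue_cert ad-ca ad-server csp-ad.example.test
}

setup_pki
echo "AD cert checked against DS CA: $(verify_with ds-ca ad-server)"
echo "AD cert checked against AD CA: $(verify_with ad-ca ad-server)"
```

The first line is the situation in the thread (dsca.crt trusted, AD cert rejected); the second is what a correct -CAfile produces.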

Re: [Freeipa-users] consulting?

2012-01-20 Thread Jimmy
You are correct. I had installed as an Enterprise root, but the doc I was
reading (original link) seemed to say that I had to do the certreq manually,
my bad. I think I'm getting closer; I can establish an openssl connection
from DS to AD but I get these errors:

 openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
CONNECTED(0003)
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=21:unable to verify the first certificate
verify return:1

I thought I had imported the cert from AD but it doesn't seem so. I'm still
researching but if you guys have a suggestion let me know.
-J

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:

> On 01/19/2012 02:59 PM, Jimmy wrote:
>
> ok. I started from scratch this week on this and I think I've got the
> right doc and understand better where this is going. My problem now is that
> when configuring SSL on the AD server (step c in this url:
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
>  )
>
> I get this error:
>
>  certreq -submit request.req certnew.cer
> Active Directory Enrollment Policy
>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>   ldap:
> RequestId: 3
> RequestId: "3"
> Certificate not issued (Denied) Denied by Policy Module  0x80094801, The
> request does not contain a certificate template extension or the
> CertificateTemplate request attribute.
>  The request contains no certificate template information. 0x80094801
> (-2146875391)
> Certificate Request Processor: The request contains no certificate
> template information. 0x80094801 (-2146875391)
>  Denied by Policy Module  0x80094801, The request does not contain a
> certificate template extension or the CertificateTemplate request attribute.
>
>  The RH doc says to use the browser if an error occurs and IIS is running
> but I'm not running IIS. I researched that error but didn't find anything
> that helps with FreeIPA and passsync.
>
> Hmm - try installing Microsoft Certificate Authority in Enterprise Root CA
> mode - it will usually automatically create and install the AD server
> cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>
>
>  Jimmy
>
> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:
>
>>  On 01/11/2012 11:22 AM, Jimmy wrote:
>>
>> We need to be able to replicate user/pass between Windows 2008 AD and
>> FreeIPA.
>>
>>
>>  That's what IPA Windows Sync is supposed to do.
>>
>>
>> I have followed many different documents and posted here about it and
>> from what I've read and procedures I've followed we are unable to
>> accomplish this.
>>
>>
>>  What have you tried, and what problems have you run into?
>>
>>  It doesn't need to be a full trust.
>>
>>  Thanks
>>
>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:
>>
>>> > Just wondering if there was anyone listening on the list that might be
>>> > available for little work integrating FreeIPA with Active Directory
>>> > (preferably in the south east US.) I hope this isn't against the list
>>> > rules, I just thought one of you guys could help or point me in the right
>>> > direction.
>>>
>>> If you want some help, it is certainly not against list rules ;-) But in that
>>> case, it would be much better if you asked what exactly you need.
>>>
>>> I'm not an AD expert, but a couple tips: If you are looking for cross-domain
>>> (cross-realm) trust, then you might be a bit disappointed, it is still in
>>> development, so it probably won't be 100% functional at this moment.
>>>
>>> If you are looking for something else, could you be a little more
>>> specific what it is?
>>>
>>> I also recommend starting with reading some doc:
>>> http://freeipa.org/page/DocumentationPortal
>>>
>>> Thanks
>>> Jan
>>>
>>
>>
>>
>>
>>
>
>
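The three `verify error` lines in the post above are one failure reported at successive stages: the file given to `-CAfile` does not contain the certificate that issued the AD server's certificate, so OpenSSL cannot build a trusted chain (`num=20`), then cannot trust the leaf (`num=27`), then gives up on it (`num=21`). The following is an added example, not code from this thread or from FreeIPA or 389 Directory Server, that reproduces the first of those codes against a throwaway CA and shows the check passing once the issuing CA certificate is supplied. It assumes the `openssl` command-line tool is on PATH, uses Python's `ssl` module as the client in place of `s_client` (chain checked, host name not checked, as `s_client` does), and all CA names, the `ad.example.test` subject and the certificates are constructed for the demonstration.

```python
"""Added example: reproduce `verify error:num=20` against a throwaway CA.

A constructed local CA signs a leaf certificate for a TLS server on
127.0.0.1. A client then verifies that server once with the issuing CA as
its CA file and once with an unrelated CA, the situation behind the errors
in the post. Requires the `openssl` CLI; nothing here touches a real host.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    """Run one openssl subcommand quietly; raise if it fails."""
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_ca(workdir, name):
    """Create a self-signed CA called `name`; returns (key_path, cert_path)."""
    key = os.path.join(workdir, name + ".key")
    crt = os.path.join(workdir, name + ".crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
             "-subj", "/CN=" + name, "-keyout", key, "-out", crt)
    return key, crt


def make_leaf(workdir, ca_key, ca_crt, cn):
    """Issue a server certificate for `cn` signed by the given CA."""
    key = os.path.join(workdir, "leaf.key")
    csr = os.path.join(workdir, "leaf.csr")
    crt = os.path.join(workdir, "leaf.crt")
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-subj", "/CN=" + cn, "-keyout", key, "-out", csr)
    _openssl("x509", "-req", "-days", "2", "-in", csr, "-CA", ca_crt,
             "-CAkey", ca_key, "-CAcreateserial", "-out", crt)
    return key, crt


def serve_once(cert, key):
    """Start a one-connection TLS server on an ephemeral port; returns (port, thread).

    A client that distrusts our chain aborts the handshake; that is expected
    in the negative case, so handshake errors are swallowed on this side."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def run():
        conn, _ = lsock.accept()
        lsock.close()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            pass

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def verify_server(port, cafile):
    """Connect like `openssl s_client -CAfile <cafile>` and report the result:
    0 when the chain verifies, otherwise the OpenSSL X509_V_ERR code
    (20 == unable to get local issuer certificate)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify_mode is CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)      # trust only this file
    ctx.check_hostname = False                    # s_client checks the chain only
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw) as tls:
                tls.sendall(b"x")
        return 0
    except ssl.SSLCertVerificationError as err:
        return err.verify_code


def demo():
    """Verify with the issuing CA, then with an unrelated CA.
    Returns (code_with_issuing_ca, code_with_unrelated_ca)."""
    with tempfile.TemporaryDirectory() as workdir:
        ca_key, ca_crt = make_ca(workdir, "constructed-issuing-ca")
        _, other_crt = make_ca(workdir, "constructed-unrelated-ca")
        leaf_key, leaf_crt = make_leaf(workdir, ca_key, ca_crt, "ad.example.test")
        codes = []
        for cafile in (ca_crt, other_crt):
            port, thread = serve_once(leaf_crt, leaf_key)
            codes.append(verify_server(port, cafile))
            thread.join(5)
        return tuple(codes)


if __name__ == "__main__":
    print(demo())  # (0, 20)
```

Running it gives `(0, 20)`: the chain verifies with the issuing CA and fails with code 20 when the CA file holds a certificate that did not issue the leaf. Applied to the post, the file passed as `-CAfile` has to contain the certificate of the CA that issued the `CN = csp-ad.cspad.pdh.csp` certificate, not a copy of the server certificate itself; the same issuer certificate is what the Directory Server side needs to trust before the sync agreement can use the LDAPS connection.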

Re: [Freeipa-users] Post installation ( looks to be small issue )..

2012-01-20 Thread Nigel Sollars
Hi,

So is the failure of the client an issue, as in I need to run it again?

I still can't get the local Firefox to authenticate.

Regards
Nige

On Thu, Jan 19, 2012 at 2:34 PM, Nigel Sollars wrote:

>
>
> On Thu, Jan 19, 2012 at 2:28 PM, Rob Crittenden wrote:
>
>> Nigel Sollars wrote:
>>
>>> Hi all,
>>>
>>> After fixing up a number of things and successfully installing / testing
>>> the server install, I have a small issue with the UI inside Firefox in
>>> that after importing the CA and looking at a few guides I notice these
>>> lines in my http error logs:
>>>
>>
>> What things did you fix up?
>
>
>
> Just permissions on /dev/shm and /var/tmp
>
>
>>
>>
>>
>>> [Thu Jan 19 13:17:56 2012] [error] [client x.x.x.x] File does not exist:
>>> /usr/share/ipa/ui/develop.js, referer:
>>> https://ipaserver.jitscaleus.net/ipa/ui/
>>> [Thu Jan 19 13:19:41 2012] [error] [client x.x.x.x] File does not exist:
>>> /usr/share/ipa/ui/develop.js, referer:
>>> https://ipaserver.jitscaleus.net/ipa/ui/
>>> [Thu Jan 19 13:19:59 2012] [error] [client x.x.x.x] File does not exist:
>>> /usr/share/ipa/ui/develop.js, referer:
>>> https://ipaserver.jitscaleus.net/ipa/ui/
>>> [Thu Jan 19 13:27:58 2012] [error] [client x.x.3.x] File does not exist:
>>> /usr/share/ipa/ui/develop.js, referer:
>>> https://ipaserver.jitscaleus.net/ipa/ui/
>>> [Thu Jan 19 13:31:34 2012] [error] [client x.x.x.x] File does not exist:
>>> /usr/share/ipa/ui/develop.js, referer:
>>> https://ipaserver.jitscaleus.net/ipa/ui/
>>>
>>
>> I think this can be ignored, I believe the code is just used for
>> testing/developing (and isn't used at all in newer builds).
>>
>>
>>
>
> Ok cool
>
>
>
>>> I ran through the trouble shooting guide with re-running kinit ( passing
>>> password ) then running, ldapsearch -Y GSSAPI -b "dc=domain,dc=com"
>>> uid=admin, which returned the correct response,
>>>
>>> The browser loops around the configuration from the server to return to
>>> the webui with the error of an invalid ticket.
>>>
>>
>> Did you configure the browser to do negotiate authentication (or use the
>> configure firefox button)?
>>
>>
>>
> Via the button,  the CA is there about:config shows the correct network
> options there also.
>
>
>
>>> I am not 100% if this is relevant or not but the client install that was
>>> called after the server install finalized, bombed completely with the
>>> following:
>>>
>>> Traceback (most recent call last):
>>>   File "/usr/sbin/ipa-client-install", line 1292, in <module>
>>>     sys.exit(main())
>>>   File "/usr/sbin/ipa-client-install", line 1279, in main
>>>     rval = install(options, env, fstore, statestore)
>>>   File "/usr/sbin/ipa-client-install", line 1117, in install
>>>     fstore.backup_file("/etc/sssd/sssd.conf")
>>>   File "/usr/lib/python2.6/site-packages/ipapython/sysrestore.py", line 126, in backup_file
>>>     shutil.copy2(path, backup_path)
>>>   File "/usr/lib64/python2.6/shutil.py", line 95, in copy2
>>>     copyfile(src, dst)
>>>   File "/usr/lib64/python2.6/shutil.py", line 51, in copyfile
>>>     with open(dst, 'wb') as fdst:
>>> IOError: [Errno 2] No such file or directory:
>>> '/var/lib/ipa-client/sysrestore/107a99f6a6514e30-sssd.conf'
>>>
>>
>> Strange. Does /var/lib/ipa-client/sysrestore exist?
>>
>>
> No that one is not there
>
>
>
>> rob
>>
>
>
>
> --
> “Science is a differential equation. Religion is a boundary condition.”
>
> Alan Turing
>
>


-- 
“Science is a differential equation. Religion is a boundary condition.”

Alan Turing
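The traceback quoted above ends in `shutil.copy2()` failing with `IOError: [Errno 2]` on the destination path, which is what Rob's question is getting at: the file being backed up (`/etc/sssd/sssd.conf`) exists, but the state directory `/var/lib/ipa-client/sysrestore` does not, so opening the backup copy for writing fails. The following is an added illustration, not FreeIPA's `sysrestore` code, of that failure mode next to a backup helper that creates the state directory before copying. The hash-prefixed backup file name imitates the shape of the path in the traceback, but the hashing scheme and the directory mode are assumptions of this example, and the `sssd.conf` contents are constructed.

```python
"""Added example: the "missing state directory" failure beside a safe backup.

Constructed illustration, not FreeIPA's sysrestore implementation.
"""
import hashlib
import os
import shutil
import tempfile


def backup_name(path):
    """Backup file name for `path`: 16 hex chars of SHA-256 of the original
    path, then its base name (hypothetical scheme, e.g. '<hash>-sssd.conf')."""
    digest = hashlib.sha256(path.encode()).hexdigest()[:16]
    return digest + "-" + os.path.basename(path)


def naive_backup_file(path, backup_dir):
    """The shape of the failing call in the traceback: copy2() straight into
    a directory that may not exist. Returns the errno raised, or 0."""
    try:
        shutil.copy2(path, os.path.join(backup_dir, backup_name(path)))
        return 0
    except OSError as err:
        return err.errno


def backup_file(path, backup_dir):
    """Copy `path` into `backup_dir`, preserving mode and timestamps.

    Returns the backup path, or None when `path` does not exist. The state
    directory is created first, owner-only (it will hold copies of system
    configuration files), so a missing directory cannot surface later as
    IOError: [Errno 2] on the destination."""
    if not os.path.exists(path):
        return None
    os.makedirs(backup_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(backup_dir, backup_name(path))
    shutil.copy2(path, dest)
    return dest


def demo():
    """Exercise both helpers on a constructed sssd.conf in a temporary tree.
    Returns (naive_errno, backup_exists, contents_match)."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "etc", "sssd", "sssd.conf")
        os.makedirs(os.path.dirname(src))
        with open(src, "w") as fh:            # constructed sample config
            fh.write("[sssd]\nservices = nss, pam\ndomains = example.test\n")
        state = os.path.join(root, "var", "lib", "ipa-client", "sysrestore")
        naive = naive_backup_file(src, state)  # 2 == ENOENT, as in the post
        dest = backup_file(src, state)         # creates `state`, then copies
        with open(src) as a, open(dest) as b:
            same = a.read() == b.read()
        return naive, os.path.isfile(dest), same


if __name__ == "__main__":
    print(demo())  # (2, True, True)
```

`naive_backup_file()` returns errno 2 because `copy2()` opens the destination before anything else, exactly the frame the traceback stops in; `backup_file()` succeeds on the same input because the only thing missing was the directory. When a client installer dies this way, the install is left half done, which is why re-running it blindly is a gamble and a clean reinstall is the safer course.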

Re: [Freeipa-users] Forcing IPA clients to prioritise different IPA Servers

2012-01-20 Thread Sigbjorn Lie

On 01/19/2012 04:33 PM, Stephen Gallagher wrote:
> On Thu, 2012-01-19 at 14:06 +, Charlie Derwent wrote:
>> https://fedorahosted.org/freeipa/ticket/22827
>
> For the record, the correct link is
> https://fedorahosted.org/freeipa/ticket/2282

The Solaris LDAP client has a property called servers, and a property 
called preferred servers. As the name implies, all the preferred servers 
will be used before using the rest of the servers in the servers 
property for that client.


Perhaps this would be a good idea to implement in SSSD too?



Regards,
Siggi



Re: [Freeipa-users] RHEL 6.2 IPA and automember

2012-01-20 Thread Sigbjorn Lie

On 01/20/2012 03:45 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> Hi,
>>
>> What happened to the automember functionality in the IPA shipped with
>> RHEL 6.2?
>>
>> I no longer have the option to create or modify automember
>> configuration. This was working fine in the release shipped with
>> RHEL 6.2 beta.
>>
>> # ipa automember
>> ipa: ERROR: unknown command 'automember'
>
> It was removed from the final release because it had not been fully
> verified by QE.

:(

When can it be expected to be back in RHEL?


Regards,
Siggi



Re: [Freeipa-users] RHEL 6.2 IPA and automember

2012-01-20 Thread Rob Crittenden

Sigbjorn Lie wrote:
> Hi,
>
> What happened to the automember functionality in the IPA shipped with RHEL 6.2?
>
> I no longer have the option to create or modify automember configuration. This
> was working fine in the release shipped with RHEL 6.2 beta.
>
> # ipa automember
> ipa: ERROR: unknown command 'automember'

It was removed from the final release because it had not been fully
verified by QE.


rob



[Freeipa-users] RHEL 6.2 IPA and automember

2012-01-20 Thread Sigbjorn Lie
Hi,

What happened to the automember functionality in the IPA shipped with RHEL 6.2?

I no longer have the option to create or modify automember configuration. This
was working fine in the release shipped with RHEL 6.2 beta.

# ipa automember
ipa: ERROR: unknown command 'automember'



Regards,
Siggi

