[Freeipa-users] Re: cannot create PTR record - too many address components

2019-10-25 Thread Rob Crittenden via FreeIPA-users
Stephen Ingram via FreeIPA-users wrote:
> On Fri, Oct 18, 2019 at 10:16 AM Stephen Ingram wrote:
>
>> On Thu, Oct 17, 2019 at 11:36 PM Alexander Bokovoy
>> <aboko...@redhat.com> wrote:
>>
>>> On to, 17 loka 2019, Stephen Ingram via FreeIPA-users wrote:
>>> >I'm trying to setup service discovery for our printers on the network
>>> >using a CUPS bonjour tutorial. Specifically the record I'm trying to
>>> >create is:
>>> >
>>> >_ipp._tcp   PTR   m477fdw._ipp._tcp.i.example.com.
>>> >
>>> >Every time I try to create this record in IPA I receive the error
>>> >message:
>>> >
>>> >Invalid 'ptrrecord': Reverse zone in-addr.arpa. requires exactly 4 IP
>>> >address components, 5 given
>>> >
>>> >Does IPA DNS just not support service discovery records or do I need
>>> >to do something differently?
>>> I don't think our management code supports having PTR records in non
>>> .arpa zones.
>>>
>>> Could you please open an issue at pagure.io/freeipa/new_issue detailing
>>> a specification that requires these PTR records in a non-arpa zone?
>>
>> So I did a little digging in Pagure and found an already existing
>> issue (https://pagure.io/freeipa/issue/5566) opened over three years
>> ago asking for the exact same thing. I didn't even realize that the
>> record should be created in the forward lookup zone until you
>> mentioned non-arpa (this whole DNS-SD is very new to me). It still
>> does result in an error though:
>>
>> invalid 'ptrrecord': Reverse zone for PTR record should be a
>> sub-zone of one the following fully qualified domains: ip6.arpa.,
>> in-addr.arpa.
>>
>> Rob points out that it was never the intention to be a
>> general-purpose DNS server. Maybe, but if IPA is the authoritative
>> source for the local network replacing AD for linux machines, then
>> it's sort of ridiculous to have to setup another DNS server just to
>> handle these few records. Someone else points out that you can just
>> go in and edit the field in the directory bypassing IPA's checks. I
>> guess that could work, but again, a real pain just to add a few
>> records. It seems like this is more of a IPA not letting you add the
>> record more than not being able to handle it, and, thus, hopefully
>> an easy fix?
>
> So does the fact that this issue has gone unaddressed for three years
> indicate that it won't be considered for inclusion? Would it be better
> just to turn off the IPA DNS server and setup an instance of BIND and
> handle it that way?

It's a matter of priority. Very few users have needed this capability,
or at least let us know they need it, so it has remained low.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: cannot create PTR record - too many address components

2019-10-25 Thread Stephen Ingram via FreeIPA-users
On Fri, Oct 18, 2019 at 10:16 AM Stephen Ingram  wrote:

> On Thu, Oct 17, 2019 at 11:36 PM Alexander Bokovoy 
> wrote:
>
>> On to, 17 loka 2019, Stephen Ingram via FreeIPA-users wrote:
>> >I'm trying to setup service discovery for our printers on the network
>> >using a CUPS bonjour tutorial. Specifically the record I'm trying to
>> >create is:
>> >
>> >_ipp._tcp   PTR   m477fdw._ipp._tcp.i.example.com.
>> >
>> >Every time I try to create this record in IPA I receive the error
>> >message:
>> >
>> >Invalid 'ptrrecord': Reverse zone in-addr.arpa. requires exactly 4 IP
>> >address components, 5 given
>> >
>> >Does IPA DNS just not support service discovery records or do I need
>> >to do something differently?
>> I don't think our management code supports having PTR records in non
>> .arpa zones.
>>
>> Could you please open an issue at pagure.io/freeipa/new_issue detailing
>> a specification that requires these PTR records in a non-arpa zone?
>>
>
> So I did a little digging in Pagure and found an already existing issue (
> https://pagure.io/freeipa/issue/5566) opened over three years ago asking
> for the exact same thing. I didn't even realize that the record should be
> created in the forward lookup zone until you mentioned non-arpa (this whole
> DNS-SD is very new to me). It still does result in an error though:
>
> invalid 'ptrrecord': Reverse zone for PTR record should be a sub-zone of
> one the following fully qualified domains: ip6.arpa., in-addr.arpa.
>
> Rob points out that it was never the intention to be a general-purpose DNS
> server. Maybe, but if IPA is the authoritative source for the local network
> replacing AD for linux machines, then it's sort of ridiculous to have to
> setup another DNS server just to handle these few records. Someone else
> points out that you can just go in and edit the field in the directory
> bypassing IPA's checks. I guess that could work, but again, a real pain
> just to add a few records. It seems like this is more of a IPA not letting
> you add the record more than not being able to handle it, and, thus,
> hopefully an easy fix?
>

So does the fact that this issue has gone unaddressed for three years
indicate that it won't be considered for inclusion? Would it be better just
to turn off the IPA DNS server and setup an instance of BIND and handle it
that way?

Steve


[Freeipa-users] Re: Full Server backup fails with IPA version error

2019-10-25 Thread Rob Crittenden via FreeIPA-users
Saurabh Garg via FreeIPA-users wrote:
> Background -
> We are trying to restore "full server" from an existing IPA server (with 
> replication ON to another server) to a newly created IPA Server from the same 
> golden image as all other servers.

There is no restore with replication on. It would cause endless problems.

Restore is expected to be for a single master in a catastrophic
situation. The others will require re-init from this master.

> Source IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
> # ipa-server-install --version
> 4.6.4
> 
> Destination IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
> # ipa-server-install --version
> 4.6.4
> 
> Problem Statement -
> While running  "ipa-restore" (exact command: # ipa-restore /root/backup/) on 
> the new IPA server for full server backup, system throws the following error 
> lines in iparestore.log:
> 
> 
> 2019-10-25T08:19:26Z DEBUG stderr=IPA version error: data needs to be 
> upgraded (expected version '4.6.4-10.el7_6.6', current version 
> '4.6.4-10.el7_6.3')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> Publish directory already set to new location
> [Verifying that CA proxy configuration is correct]
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command 
> ipa-server-upgrade manually.
> CA did not start in 300.0s
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more 
> information

It is very persnickety. The versions do not match.

There are sometimes subtle differences between versions of IPA, even in
minor releases, so it is not considered safe to restore between versions.

You could hack out the version check and roll the dice, or downgrade the
packages to match the backed-up value.

rob


[Freeipa-users] Re: Full Server backup fails with IPA version error

2019-10-25 Thread Angus Clarke via FreeIPA-users
Hi

An alternative approach would be to setup your new server as an IPA client and 
then to promote it.

On new server:
# ipa-client-install

Followed by
# ipa-replica-install

Check the man pages for options suitable to your environment, otherwise I 
specify --setup-ca for all our new IPA instances.

I use this process for rolling out new IPA servers when we add new environments.

Regards
Angus


From: Saurabh Garg via FreeIPA-users 
Sent: Friday, October 25, 2019 11:55:40 AM
To: freeipa-users@lists.fedorahosted.org 
Cc: Saurabh Garg 
Subject: [Freeipa-users] Full Server backup fails with IPA version error

Background -
We are trying to restore "full server" from an existing IPA server (with 
replication ON to another server) to a newly created IPA Server from the same 
golden image as all other servers.

Source IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
# ipa-server-install --version
4.6.4

Destination IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
# ipa-server-install --version
4.6.4

Problem Statement -
While running  "ipa-restore" (exact command: # ipa-restore /root/backup/) on 
the new IPA server for full server backup, system throws the following error 
lines in iparestore.log:


2019-10-25T08:19:26Z DEBUG stderr=IPA version error: data needs to be upgraded 
(expected version '4.6.4-10.el7_6.6', current version '4.6.4-10.el7_6.3')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that CA proxy configuration is correct]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command 
ipa-server-upgrade manually.
CA did not start in 300.0s
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more 
information

See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade 
again
Aborting ipactl

2019-10-25T08:19:26Z INFO Restoring umask to 23
2019-10-25T08:19:26Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", 
line 428, in run
run(['ipactl', 'start'])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
raise CalledProcessError(p.returncode, arg_string, str(output))

2019-10-25T08:19:26Z DEBUG The ipa-restore command failed, exception: 
CalledProcessError: Command 'ipactl start' returned non-zero exit status 1
2019-10-25T08:19:26Z ERROR Command 'ipactl start' returned non-zero exit status 
1
2019-10-25T08:19:26Z ERROR The ipa-restore command failed. See 
/var/log/iparestore.log for more information

In case you are aware of its fix/workaround, kindly share the steps.

Thanks,
sgarg


[Freeipa-users] Re: ssh ProxyCommand in ipa-client causes crash of x2goclient

2019-10-25 Thread Andreas Schneider via FreeIPA-users
On Friday, 25 October 2019 11:11:32 CEST Alexander Bokovoy wrote:
> On pe, 25 loka 2019, Kees Bakker wrote:
> >On 24-10-19 16:12, Alexander Bokovoy wrote:
> >>On to, 24 loka 2019, Kees Bakker via FreeIPA-users wrote:
> >>>Hey,
> >>>
> >>>With x2go [1] you can start a remote desktop. Going from UNIX (client) to
> >>>UNIX (server) it will use SSH behind the scenes.
> >>>
> >>>However, on an IPA client the x2goclient command fails with a segfault
> >>>(somewhere in a ssh library). This is caused by the modified
> >>>/etc/ssh/ssh_config. More specifically this
> >>>
> >>>ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
> >>>
> >>>When you disable this line the x2go connection succeeds.
> >>>
> >>>[1] https://wiki.x2go.org/doku.php
> >>
> >>If you could install debug packages and generate a backtrace, that would
> >>be great as it would help to understand where it happens. Thanks in
> >>advance!
> >
> >Hey Alexander,
> >
> >The segfault is in a library of the libssh-4 package. I don't know if that
> >is something you wanted to be involved with. Anyway, here is the stack
> >trace of the segfault.
> Thanks. So the crash is in ssh_poll_set_events(). Andreas, do you have
> any ideas?

Where is libssh installed from? It looks like this is libssh 0.8.0.

> 
> >segfault at 4 ip 7f6e7e0d5eeb sp 7f6e64e6ea88 error 6 in libssh.so.4.5.0
> >
> >After installing the dbgsym package and running from gdb I could get a
> >stack trace
> >
> >Thread 6 "SshMasterConnec" received signal SIGSEGV, Segmentation fault.
> >[Switching to Thread 0x7fffdf1a0700 (LWP 14736)]
> >0x77b89eeb in ssh_poll_set_events (p=0x7fffd40076b0, events=4) at ./src/poll.c:349
> >349    ./src/poll.c: No such file or directory.
> >(gdb) where
> >#0  0x77b89eeb in ssh_poll_set_events (p=0x7fffd40076b0, events=4) at ./src/poll.c:349
> >#1  0x77b8d3c8 in ssh_socket_unbuffered_write (len=, buffer=, s=0x7fffd4003850) at ./src/socket.c:574
> >#2  ssh_socket_nonblocking_flush (s=s@entry=0x7fffd4003850) at ./src/socket.c:667
> >#3  0x77b8d4c4 in ssh_socket_write (s=0x7fffd4003850, buffer=, len=len@entry=64) at ./src/socket.c:628
> >#4  0x77b846c3 in ssh_packet_write (session=0x7fffd4004bc0, session=0x7fffd4004bc0) at ./src/packet.c:1316
> >#5  packet_send2 (session=session@entry=0x7fffd4004bc0) at ./src/packet.c:1386
> >#6  0x77b85315 in ssh_packet_send (session=session@entry=0x7fffd4004bc0) at ./src/packet.c:1411
> >#7  0x77b72d69 in channel_write_common (channel=0x7fffd40112e0, data=0x7fffdf11fce0, len=6, is_stderr=0) at ./src/channels.c:1357
> >#8  0x55640cc3 in ?? ()
> >#9  0x55644745 in ?? ()
> >#10 0x7581de3c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
> >#11 0x7558b6db in start_thread (arg=0x7fffdf1a0700) at pthread_create.c:463
> >#12 0x74d1388f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95


-- 
Andreas Schneider  a...@samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D



[Freeipa-users] Re: ssh ProxyCommand in ipa-client causes crash of x2goclient

2019-10-25 Thread Kees Bakker via FreeIPA-users

On 25-10-19 13:09, Andreas Schneider wrote:
> On Friday, 25 October 2019 11:11:32 CEST Alexander Bokovoy wrote:
>> On pe, 25 loka 2019, Kees Bakker wrote:
>>> On 24-10-19 16:12, Alexander Bokovoy wrote:
>>>> On to, 24 loka 2019, Kees Bakker via FreeIPA-users wrote:
>>>>> Hey,
>>>>>
>>>>> With x2go [1] you can start a remote desktop. Going from UNIX (client) to
>>>>> UNIX (server) it will use SSH behind the scenes.
>>>>>
>>>>> However, on an IPA client the x2goclient command fails with a segfault
>>>>> (somewhere in a ssh library). This is caused by the modified
>>>>> /etc/ssh/ssh_config. More specifically this
>>>>>
>>>>> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
>>>>>
>>>>> When you disable this line the x2go connection succeeds.
>>>>>
>>>>> [1] https://wiki.x2go.org/doku.php
>>>>
>>>> If you could install debug packages and generate a backtrace, that would
>>>> be great as it would help to understand where it happens. Thanks in
>>>> advance!
>>>
>>> Hey Alexander,
>>>
>>> The segfault is in a library of the libssh-4 package. I don't know if that
>>> is something you wanted to be involved with. Anyway, here is the stack
>>> trace of the segfault.
>>
>> Thanks. So the crash is in ssh_poll_set_events(). Andreas, do you have
>> any ideas?
>
> Where is libssh installed from? It looks like this is libssh 0.8.0.

It's Ubuntu 18.04.3 and the libraries are from the normal
distribution source.
    https://packages.ubuntu.com/search?keywords=libssh

# dpkg -l libssh\*|cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version    Architecture Description
+++-=-==--===
ii  libssh-4:amd64 0.8.0~20170825.94fa1e38-1ubuntu0.2 amd64    tiny C SSH library (OpenSSL flavor)
ii  libssh-4-dbgsym:amd64 0.8.0~20170825.94fa1e38-1ubuntu0.2 amd64    debug symbols for libssh-4
un  libssh-dbg     (no description available)
ii  libssh-gcrypt-4:amd64 0.8.0~20170825.94fa1e38-1ubuntu0.2 amd64    tiny C SSH library (gcrypt flavor)
ii  libssh2-1:amd64 1.8.0-1    amd64    SSH2 client-side library
# apt policy libssh-4
libssh-4:
  Installed: 0.8.0~20170825.94fa1e38-1ubuntu0.2
  Candidate: 0.8.0~20170825.94fa1e38-1ubuntu0.2
  Version table:
 *** 0.8.0~20170825.94fa1e38-1ubuntu0.2 500
    500 http://nl.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
    500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
    100 /var/lib/dpkg/status
 0.8.0~20170825.94fa1e38-1build1 500
    500 http://nl.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

>>> segfault at 4 ip 7f6e7e0d5eeb sp 7f6e64e6ea88 error 6 in libssh.so.4.5.0
>>>
>>> After installing the dbgsym package and running from gdb I could get a
>>> stack trace
>>>
>>> Thread 6 "SshMasterConnec" received signal SIGSEGV, Segmentation fault.
>>> [Switching to Thread 0x7fffdf1a0700 (LWP 14736)]
>>> 0x77b89eeb in ssh_poll_set_events (p=0x7fffd40076b0, events=4) at ./src/poll.c:349
>>> 349    ./src/poll.c: No such file or directory.
>>> (gdb) where
>>> #0  0x77b89eeb in ssh_poll_set_events (p=0x7fffd40076b0, events=4) at ./src/poll.c:349
>>> #1  0x77b8d3c8 in ssh_socket_unbuffered_write (len=, buffer=, s=0x7fffd4003850) at ./src/socket.c:574
>>> #2  ssh_socket_nonblocking_flush (s=s@entry=0x7fffd4003850) at ./src/socket.c:667
>>> #3  0x77b8d4c4 in ssh_socket_write (s=0x7fffd4003850, buffer=, len=len@entry=64) at ./src/socket.c:628
>>> #4  0x77b846c3 in ssh_packet_write (session=0x7fffd4004bc0, session=0x7fffd4004bc0) at ./src/packet.c:1316
>>> #5  packet_send2 (session=session@entry=0x7fffd4004bc0) at ./src/packet.c:1386
>>> #6  0x77b85315 in ssh_packet_send (session=session@entry=0x7fffd4004bc0) at ./src/packet.c:1411
>>> #7  0x77b72d69 in channel_write_common (channel=0x7fffd40112e0, data=0x7fffdf11fce0, len=6, is_stderr=0) at ./src/channels.c:1357
>>> #8  0x55640cc3 in ?? ()
>>> #9  0x55644745 in ?? ()
>>> #10 0x7581de3c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
>>> #11 0x7558b6db in start_thread (arg=0x7fffdf1a0700) at pthread_create.c:463
>>> #12 0x74d1388f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95





[Freeipa-users] Full Server backup fails with IPA version error

2019-10-25 Thread Saurabh Garg via FreeIPA-users
Background -
We are trying to restore "full server" from an existing IPA server (with 
replication ON to another server) to a newly created IPA Server from the same 
golden image as all other servers.

Source IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
# ipa-server-install --version
4.6.4

Destination IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
# ipa-server-install --version
4.6.4

Problem Statement -
While running  "ipa-restore" (exact command: # ipa-restore /root/backup/) on 
the new IPA server for full server backup, system throws the following error 
lines in iparestore.log:


2019-10-25T08:19:26Z DEBUG stderr=IPA version error: data needs to be upgraded 
(expected version '4.6.4-10.el7_6.6', current version '4.6.4-10.el7_6.3')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that CA proxy configuration is correct]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command 
ipa-server-upgrade manually.
CA did not start in 300.0s
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more 
information

See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade 
again
Aborting ipactl

2019-10-25T08:19:26Z INFO Restoring umask to 23
2019-10-25T08:19:26Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", 
line 428, in run
run(['ipactl', 'start'])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
raise CalledProcessError(p.returncode, arg_string, str(output))

2019-10-25T08:19:26Z DEBUG The ipa-restore command failed, exception: 
CalledProcessError: Command 'ipactl start' returned non-zero exit status 1
2019-10-25T08:19:26Z ERROR Command 'ipactl start' returned non-zero exit status 
1
2019-10-25T08:19:26Z ERROR The ipa-restore command failed. See 
/var/log/iparestore.log for more information

In case you are aware of its fix/workaround, kindly share the steps.

Thanks,
sgarg


[Freeipa-users] Re: Multiple HBAC rules in one Apache config

2019-10-25 Thread Alexander Bokovoy via FreeIPA-users

On pe, 25 loka 2019, Ronald Wimmer via FreeIPA-users wrote:
> Hi,
>
> is there a way to use multiple HBAC rules in the same "Require
> pam-account" line in one and the same Apache config?
>
> Something like
> Require pam-account hbacA|hbacB

'Require pam-account' doesn't ask you for HBAC rules. It asks you for
the PAM service name. PAM configuration for that service should use
pam_sss and then you can have HBAC service with the same name, subject
to how many HBAC rules you want to give.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
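
The reply above says the token after 'Require pam-account' is a PAM service name, and that any number of HBAC rules can reference the HBAC service of that name. The following is an added example, not code from the thread or from FreeIPA or SSSD: a small model of how the rules attached to one service combine. The service name `webapp`, the users, the host and every rule except the `hbacA`/`hbacB` names from the question are assumptions, and group membership is assumed to be already expanded to user names.

```python
from dataclasses import dataclass

ALL = "all"  # stands in for an HBAC category (user/host/service) set to "all"


@dataclass(frozen=True)
class HbacRule:
    name: str
    users: object       # frozenset of logins, or ALL
    hosts: object       # frozenset of target host names, or ALL
    services: object    # frozenset of HBAC service names, or ALL
    enabled: bool = True


def _covers(members, value):
    """True when the rule element is the 'all' category or lists the value."""
    return members == ALL or value in members


def matching_rules(rules, user, host, service):
    """HBAC rules only ever allow; access is granted if any enabled rule matches."""
    return [
        r.name for r in rules
        if r.enabled
        and _covers(r.users, user)
        and _covers(r.hosts, host)
        and _covers(r.services, service)
    ]


HOST = "web1.example.com"   # hypothetical web server enrolled as an IPA client
SERVICE = "webapp"          # hypothetical name shared by /etc/pam.d/webapp,
                            # the HBAC service and 'Require pam-account webapp'

# Constructed rule set: two rules grant the same service to different users.
RULES = [
    HbacRule("hbacA", frozenset({"alice"}), frozenset({HOST}), frozenset({SERVICE})),
    HbacRule("hbacB", frozenset({"bob"}), frozenset({HOST}), frozenset({SERVICE})),
    HbacRule("ssh_admins", frozenset({"carol"}), ALL, frozenset({"sshd"})),
    HbacRule("old_contractors", frozenset({"dave"}), ALL, frozenset({SERVICE}),
             enabled=False),
]

# FreeIPA's default allow_all rule: while it stays enabled, the per-service
# rules above restrict nothing.
ALLOW_ALL = HbacRule("allow_all", ALL, ALL, ALL)


def pam_account_allowed(user, rules=RULES):
    """What the PAM account phase for SERVICE on HOST would decide for user."""
    return bool(matching_rules(rules, user, HOST, SERVICE))


if __name__ == "__main__":
    for login in ("alice", "bob", "carol", "dave"):
        print(login, matching_rules(RULES, login, HOST, SERVICE),
              matching_rules(RULES + [ALLOW_ALL], login, HOST, SERVICE))
```

On a real deployment `ipa hbactest --user=... --host=... --service=...` reports the same kind of result, listing the rules that matched.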


[Freeipa-users] Re: ssh ProxyCommand in ipa-client causes crash of x2goclient

2019-10-25 Thread Alexander Bokovoy via FreeIPA-users

On pe, 25 loka 2019, Kees Bakker wrote:
> On 24-10-19 16:12, Alexander Bokovoy wrote:
>> On to, 24 loka 2019, Kees Bakker via FreeIPA-users wrote:
>>> Hey,
>>>
>>> With x2go [1] you can start a remote desktop. Going from UNIX (client) to
>>> UNIX (server) it will use SSH behind the scenes.
>>>
>>> However, on an IPA client the x2goclient command fails with a segfault
>>> (somewhere in a ssh library).
>>> This is caused by the modified /etc/ssh/ssh_config. More specifically this
>>>
>>>     ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
>>>
>>> When you disable this line the x2go connection succeeds.
>>>
>>> [1] https://wiki.x2go.org/doku.php
>>
>> If you could install debug packages and generate a backtrace, that would
>> be great as it would help to understand where it happens. Thanks in
>> advance!
>
> Hey Alexander,
>
> The segfault is in a library of the libssh-4 package. I don't know if that is
> something you wanted to be involved with. Anyway, here is the stack trace of
> the segfault.

Thanks. So the crash is in ssh_poll_set_events(). Andreas, do you have
any ideas?

> segfault at 4 ip 7f6e7e0d5eeb sp 7f6e64e6ea88 error 6 in libssh.so.4.5.0
>
> After installing the dbgsym package and running from gdb I could get a stack
> trace
>
> Thread 6 "SshMasterConnec" received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7fffdf1a0700 (LWP 14736)]
> 0x77b89eeb in ssh_poll_set_events (p=0x7fffd40076b0, events=4) at ./src/poll.c:349
> 349    ./src/poll.c: No such file or directory.
> (gdb) where
> #0  0x77b89eeb in ssh_poll_set_events (p=0x7fffd40076b0, events=4) at ./src/poll.c:349
> #1  0x77b8d3c8 in ssh_socket_unbuffered_write (len=, buffer=, s=0x7fffd4003850) at ./src/socket.c:574
> #2  ssh_socket_nonblocking_flush (s=s@entry=0x7fffd4003850) at ./src/socket.c:667
> #3  0x77b8d4c4 in ssh_socket_write (s=0x7fffd4003850, buffer=, len=len@entry=64) at ./src/socket.c:628
> #4  0x77b846c3 in ssh_packet_write (session=0x7fffd4004bc0, session=0x7fffd4004bc0) at ./src/packet.c:1316
> #5  packet_send2 (session=session@entry=0x7fffd4004bc0) at ./src/packet.c:1386
> #6  0x77b85315 in ssh_packet_send (session=session@entry=0x7fffd4004bc0) at ./src/packet.c:1411
> #7  0x77b72d69 in channel_write_common (channel=0x7fffd40112e0, data=0x7fffdf11fce0, len=6, is_stderr=0) at ./src/channels.c:1357
> #8  0x55640cc3 in ?? ()
> #9  0x55644745 in ?? ()
> #10 0x7581de3c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
> #11 0x7558b6db in start_thread (arg=0x7fffdf1a0700) at pthread_create.c:463
> #12 0x74d1388f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
>
> --
> Kees Bakker

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: ssh ProxyCommand in ipa-client causes crash of x2goclient

2019-10-25 Thread Kees Bakker via FreeIPA-users

On 24-10-19 16:12, Alexander Bokovoy wrote:
> On to, 24 loka 2019, Kees Bakker via FreeIPA-users wrote:
>> Hey,
>>
>> With x2go [1] you can start a remote desktop. Going from UNIX (client) to
>> UNIX (server) it will use SSH behind the scenes.
>>
>> However, on an IPA client the x2goclient command fails with a segfault
>> (somewhere in a ssh library).
>> This is caused by the modified /etc/ssh/ssh_config. More specifically this
>>
>>     ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
>>
>> When you disable this line the x2go connection succeeds.
>>
>> [1] https://wiki.x2go.org/doku.php
>
> If you could install debug packages and generate a backtrace, that would
> be great as it would help to understand where it happens. Thanks in
> advance!

Hey Alexander,

The segfault is in a library of the libssh-4 package. I don't know if that is
something you wanted to be involved with. Anyway, here is the stack trace of
the segfault.

segfault at 4 ip 7f6e7e0d5eeb sp 7f6e64e6ea88 error 6 in libssh.so.4.5.0

After installing the dbgsym package and running from gdb I could get a stack
trace

Thread 6 "SshMasterConnec" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdf1a0700 (LWP 14736)]
0x77b89eeb in ssh_poll_set_events (p=0x7fffd40076b0, events=4) at ./src/poll.c:349
349    ./src/poll.c: No such file or directory.
(gdb) where
#0  0x77b89eeb in ssh_poll_set_events (p=0x7fffd40076b0, events=4) at ./src/poll.c:349
#1  0x77b8d3c8 in ssh_socket_unbuffered_write (len=, buffer=, s=0x7fffd4003850) at ./src/socket.c:574
#2  ssh_socket_nonblocking_flush (s=s@entry=0x7fffd4003850) at ./src/socket.c:667
#3  0x77b8d4c4 in ssh_socket_write (s=0x7fffd4003850, buffer=, len=len@entry=64) at ./src/socket.c:628
#4  0x77b846c3 in ssh_packet_write (session=0x7fffd4004bc0, session=0x7fffd4004bc0) at ./src/packet.c:1316
#5  packet_send2 (session=session@entry=0x7fffd4004bc0) at ./src/packet.c:1386
#6  0x77b85315 in ssh_packet_send (session=session@entry=0x7fffd4004bc0) at ./src/packet.c:1411
#7  0x77b72d69 in channel_write_common (channel=0x7fffd40112e0, data=0x7fffdf11fce0, len=6, is_stderr=0) at ./src/channels.c:1357
#8  0x55640cc3 in ?? ()
#9  0x55644745 in ?? ()
#10 0x7581de3c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#11 0x7558b6db in start_thread (arg=0x7fffdf1a0700) at pthread_create.c:463
#12 0x74d1388f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

--
Kees Bakker
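
The kernel line quoted in the message above ("segfault at 4 ... error 6 in libssh.so.4.5.0") carries triage information of its own, before any debugger is attached. The following is an added example, not code from the thread or from libssh: it parses that line, decodes the x86 page-fault error bits and flags fault addresses that sit next to NULL. The function names, the one-page threshold and the second sample line are assumptions.

```python
import re

# x86 page-fault error-code bits; the kernel prints the code in hex after "error".
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 0x1, 0x2, 0x4, 0x8, 0x10

# Accepts the trimmed form quoted in the thread and the full dmesg form with
# "comm[pid]:" in front and "[base+size]" after the object name.
SEGV_RE = re.compile(
    r"(?:(?P<comm>\S+)\[(?P<pid>\d+)\]:\s*)?"
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+)"
    r" error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\s\[]+)(?:\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?)?"
)

NULL_PAGE = 0x1000  # assumption: a fault below one page is NULL plus a small offset

# The line exactly as quoted in the thread (no "[base+size]" suffix on the page).
THREAD_LINE = "segfault at 4 ip 7f6e7e0d5eeb sp 7f6e64e6ea88 error 6 in libssh.so.4.5.0"
# Constructed sample in the full dmesg form; every value in it is invented.
SAMPLE_FULL = ("[ 4242.000001] demo[1234]: segfault at 7f00deadb000 "
               "ip 00007f00deadb000 sp 00007ffc00001000 error 15 "
               "in libdemo.so.1[7f00dead0000+20000]")


def decode_segfault(line):
    """Return a dict describing the fault, or None if the line does not match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip, err = int(m["addr"], 16), int(m["ip"], 16), int(m["err"], 16)
    if err & PF_INSTR:
        access = "exec"
    elif err & PF_WRITE:
        access = "write"
    else:
        access = "read"
    return {
        "comm": m["comm"],
        "address": addr,
        "ip": ip,
        "object": m["obj"],
        "access": access,
        "mode": "user" if err & PF_USER else "kernel",
        "cause": "protection violation" if err & PF_PROT else "page not mapped",
        "reserved_bit": bool(err & PF_RSVD),
        "near_null": addr < NULL_PAGE,
        # Offset of the faulting instruction inside the mapped object; only
        # available when the line still carries the mapping base address.
        "offset_in_object": ip - int(m["base"], 16) if m["base"] else None,
    }


def summarize(info):
    """One-line triage text for a decoded fault."""
    where = info["object"] or "unknown mapping"
    text = (f"{info['mode']}-mode {info['access']} to {info['address']:#x} "
            f"({info['cause']}) in {where}")
    if info["near_null"]:
        text += "; address is below one page, consistent with NULL plus a small offset"
    if info["offset_in_object"] is not None:
        text += f"; ip is {info['offset_in_object']:#x} into the object"
    return text


if __name__ == "__main__":
    for sample in (THREAD_LINE, SAMPLE_FULL):
        print(summarize(decode_segfault(sample)))
```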


[Freeipa-users] Multiple HBAC rules in one Apache config

2019-10-25 Thread Ronald Wimmer via FreeIPA-users

Hi,

is there a way to use multiple HBAC rules in the same "Require
pam-account" line in one and the same Apache config?


Something like
Require pam-account hbacA|hbacB

Cheers,
Ronald