[Freeipa-users] Re: FreeIPA SSL chain

2021-05-26 Thread Andrew Meyer via FreeIPA-users
All good.  I worked with duo support last night.

Thanks!
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: FreeIPA SSL chain

2021-05-25 Thread Andrew Meyer via FreeIPA-users
This is what I have been following:
https://github.com/gudmmk/howtos/blob/master/duo_authproxy-with-freeipa.md
https://duo.com/docs/authproxy-reference
https://help.duo.com/s/article/2209?language=en_US
https://community.duo.com/t/directory-sync-with-idm/2171/19


Here is the error output.  
[error] The Auth Proxy was not able to create an SSL context with the given 
certificate and private key. It will be unable to use these credentials to 
create and maintain SSL-based connections such as LDAPS.
[error] The Auth Proxy was not able to validate the SSL private key at 
/opt/duoauthproxy/conf/duoauth-starttls.key.  Ensure that it is a readable, 
valid SSL key file using a tool like 'openssl rsa'.
[debug] Exception: [('PEM routines', 'PEM_read_bio', 'no start line')]
[info]  The Auth Proxy was able to validate the SSL certificate data at 
/etc/ipa/ca.crt.
[warn]  The Auth Proxy did not run the SSL context creation check because of 
the problem(s) with the SSL key and cert check. Resolve that issue and rerun 
the tester.
[warn]  The Auth Proxy did not run the listen check because of the problem(s) 
with the ssl configuration check. Resolve that issue and rerun the tester.
[info]  -
[info]  SUMMARY

Thanks for your help!
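The two tester messages quoted above have distinct causes: OpenSSL's "PEM routines ... no start line" means the file carries no "-----BEGIN ...-----" marker at all (a DER file, an empty file, or the wrong file), while a certificate written to a .key path would pass the PEM check and still not be a private key. The pre-flight check below is an added example, not Duo's or FreeIPA's code; it assumes only the file contents and uses constructed, non-secret sample blobs.

```python
"""Pre-flight check for a PEM key/cert pair before a TLS client loads it.

Added example (not Duo's or FreeIPA's code). It reproduces the conditions
behind the tester's messages in the thread: OpenSSL reports
"PEM routines ... no start line" when the file has no "-----BEGIN ...-----"
marker at all (DER file, empty file, or the wrong file), and a certificate
saved under a .key path passes the PEM check but is not a private key.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}


def der_length_ok(der):
    """True if the outer DER length field covers exactly the decoded bytes."""
    if len(der) < 2:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length is the byte itself
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text.

    Raises ValueError with an OpenSSL-style reason when nothing usable is
    present; "no start line" is exactly the case from the thread.
    """
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            raise ValueError(f"{label}: bad base64 decode")
        # Keys and certificates OpenSSL loads are all DER SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30 or not der_length_ok(der):
            raise ValueError(f"{label}: not a well-formed DER SEQUENCE")
        blocks.append((label, der))
    if not blocks:
        raise ValueError("no start line")
    return blocks


def check_pair(key_text, cert_text):
    """Mirror the tester's two steps (key file, then cert file) and return
    {'ok', 'key', 'cert', 'problems'} with human-readable findings."""
    problems = []
    key_label = cert_label = None
    try:
        key_label = pem_blocks(key_text)[0][0]
        if key_label in CERT_LABELS:
            problems.append("key file holds a CERTIFICATE, not a private key")
        elif key_label not in KEY_LABELS:
            problems.append(f"key file holds unexpected block {key_label!r}")
        elif key_label == "ENCRYPTED PRIVATE KEY":
            problems.append("private key is encrypted; a passphrase is required")
    except ValueError as e:
        problems.append(f"key file: {e}")
    try:
        cert_label = pem_blocks(cert_text)[0][0]
        if cert_label not in CERT_LABELS:
            problems.append(f"cert file holds {cert_label!r}, not a CERTIFICATE")
    except ValueError as e:
        problems.append(f"cert file: {e}")
    return {"ok": not problems, "key": key_label, "cert": cert_label,
            "problems": problems}


# Constructed sample inputs (not real credentials): a minimal DER SEQUENCE
# wrapped as a PEM key, the same bytes as a PEM certificate, and a raw DER
# file, which is what produces "no start line".
_DER = b"\x30\x03\x02\x01\x00"
_B64 = base64.b64encode(_DER).decode()
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{_B64}\n-----END PRIVATE KEY-----\n"
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_DER_FILE = _DER.decode("latin-1")

if __name__ == "__main__":
    for name, key in [("good pair", SAMPLE_KEY), ("DER as key", SAMPLE_DER_FILE),
                      ("cert as key", SAMPLE_CERT)]:
        print(name, check_pair(key, SAMPLE_CERT))
```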


[Freeipa-users] FreeIPA SSL chain

2021-05-25 Thread Andrew Meyer via FreeIPA-users
Hello,
I am trying to find the correct way to get the FreeIPA SSL certificate in PEM 
format.

So far I have the following commands:

kinit $USER_WITH_ADMIN_PRIVS
ipa ca-show
ipa ca-show --certificate-out=/etc/pki/tls/private/server.key

I don't think this is right.  I need this to get the private key for FreeIPA 
for setting up Duo 2FA.

Thanks!


[Freeipa-users] Re: ssh key issues

2020-09-16 Thread Andrew Meyer via FreeIPA-users
Found the offending server which had a completely different IP address.  
Deleted it anyways.  Problem fixed.  Thanks!


[Freeipa-users] Re: ssh key issues

2020-09-16 Thread Andrew Meyer via FreeIPA-users
How do I remove it once I find it?  I tried stopping sssd and deleting 
everything in /var/lib/sss/db/* but it throws the same error when trying to SSH 
to the new server.


[Freeipa-users] Re: ssh key issues

2020-09-15 Thread Andrew Meyer via FreeIPA-users
I tried this.  I ran into this problem earlier this year but can't remember 
what I did to fix it.  


[Freeipa-users] Re: ssh key issues

2020-09-15 Thread Andrew Meyer via FreeIPA-users
Where did you run this?  On a FreeIPA server?  Or the affected server?


[Freeipa-users] Re: ssh key issues

2020-09-14 Thread Andrew Meyer via FreeIPA-users
I just ran sss_cache -H and that didn't fix it.  Still getting this:

[andrew.meyer@jump01 ~]$ ssh ameyer@10.150.10.130
@@@
@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:eKvyhTmq6m3zlrJY8b+wVEPhaN5V2VE9vGiGmdrh18E.
Please contact your system administrator.
Add correct host key in /home/andrew.meyer/.ssh/known_hosts to get rid of this 
message.
Offending ED25519 key in /var/lib/sss/pubconf/known_hosts:6
ECDSA host key for 10.150.10.130 has changed and you have requested strict 
checking.
Host key verification failed.


[Freeipa-users] ssh key issues

2020-09-14 Thread Andrew Meyer via FreeIPA-users
I recently cleaned up a few servers in my home lab.  Deleted servers that I no 
longer needed.  However, it seems I have a server with an IP address that I used 
previously.  FreeIPA is reporting that it is in 
/var/lib/sss/pubconf/known_hosts but I can't reverse engineer the hostname by 
doing sshkey -R 1.2.3.4.  I have run into this issue previously but it has been 
quite some time.  When I go to delete the line from 
/var/lib/sss/pubconf/known_hosts it is gone.  If someone could help me that 
would be great.  I didn't see anything on my FreeIPA master that indicated I 
did anything there.
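The warning quoted earlier in this thread names an offending line in /var/lib/sss/pubconf/known_hosts, a file that sss_ssh_knownhostsproxy regenerates from the host keys stored in IPA, which is why editing it by hand does not stick and why the stale host entry in IPA was the real fix. The script below is an added example, not SSSD's or OpenSSH's code: it computes OpenSSH-style SHA256 fingerprints for each known_hosts entry, finds the entries that claim the address from a warning (plain, bracketed or hashed hostnames), and reports which file:line still carries a key different from the one the host presented; all keys, salts and file contents are constructed.

```python
"""Match an SSH "REMOTE HOST IDENTIFICATION HAS CHANGED" warning against
known_hosts files. Added example, not SSSD's or OpenSSH's code.
"""
import base64
import hashlib
import hmac
import struct


def fingerprint(b64_key):
    """OpenSSH SHA256 fingerprint: base64(sha256(raw key bytes)), no padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hostname_matches(pattern, host):
    """True if a known_hosts host field covers host. Handles comma lists,
    [host]:port forms and hashed entries (|1|base64salt|base64hmac-sha1)."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|", 3)
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), digest)
    for name in pattern.split(","):
        if name.startswith("[") and "]:" in name:
            name = name[1:name.index("]:")]
        if name == host:
            return True
    return False


def find_offending(files, host, presented_fp):
    """files: {path: text}. Returns [(path, lineno, keytype, fingerprint, stale)]
    for entries naming host; stale is True when that line's key differs from
    the fingerprint the remote host presented in the warning."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split()
            if fields[0].startswith("@"):      # @cert-authority / @revoked marker
                fields = fields[1:]
            if len(fields) < 3:
                continue
            hosts, keytype, b64_key = fields[0], fields[1], fields[2]
            if hostname_matches(hosts, host):
                fp = fingerprint(b64_key)
                hits.append((path, lineno, keytype, fp, fp != presented_fp))
    return hits


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _fake_key(keytype, seed):
    """Constructed key blob in OpenSSH wire framing (not a real key pair; the
    layout is simplified because fingerprinting only hashes the bytes)."""
    body = hashlib.sha256(seed).digest()
    return base64.b64encode(_ssh_string(keytype.encode()) + _ssh_string(body)).decode()


# Constructed sample data modelled on the thread: the SSSD-generated file still
# carries the decommissioned host's key at line 6 under the reused address,
# while the user's own file has a hashed entry holding the new host's key.
HOST = "10.150.10.130"
OLD_KEY = _fake_key("ssh-ed25519", b"old host key")
NEW_KEY = _fake_key("ecdsa-sha2-nistp256", b"new host key")
_SALT = b"0123456789abcdefghij"           # constructed 20-byte salt
_HASHED = "|1|%s|%s" % (
    base64.b64encode(_SALT).decode(),
    base64.b64encode(hmac.new(_SALT, HOST.encode(), hashlib.sha1).digest()).decode())
_SSSD_LINES = ["host%02d.loc.example.com ssh-ed25519 %s"
               % (i, _fake_key("ssh-ed25519", b"h%d" % i)) for i in range(1, 6)]
_SSSD_LINES.append("old01.loc.example.com,10.150.10.130 ssh-ed25519 " + OLD_KEY)
SAMPLE_FILES = {
    "/var/lib/sss/pubconf/known_hosts": "\n".join(_SSSD_LINES) + "\n",
    "/home/user/.ssh/known_hosts": "# constructed user file\n"
                                   + _HASHED + " ecdsa-sha2-nistp256 " + NEW_KEY + "\n",
}

if __name__ == "__main__":
    for path, lineno, keytype, fp, stale in find_offending(SAMPLE_FILES, HOST,
                                                            fingerprint(NEW_KEY)):
        print(f"{path}:{lineno} {keytype} {fp} {'STALE' if stale else 'current'}")
```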


[Freeipa-users] New DNS records not populating

2020-05-26 Thread Andrew Meyer via FreeIPA-users
I recently had a server that didn't get added to DNS but was joined to the FreeIPA 
system.  I just went back to fix it.  I tried removing the host, rebooting and 
re-adding it to the FreeIPA system.  After doing this, new DNS records did not 
get added.  I went back to manually add the DNS records (A, SSHFP) and was 
successful; however, when I try to ssh to the server I get this:
[andrew.meyer@jump01 ~]$ ssh pihole01.loc.example.com
sss_ssh_knownhostsproxy: Could not resolve hostname pihole01.loc.example.com
kex_exchange_identification: Connection closed by remote host
[andrew.meyer@jump01 ~]$ 

But when I try to run a dig against the records added, none of them come 
back.

[andrew.meyer@jump01 ~]$ dig pihole01.loc.example.com 

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> pihole01.loc.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2980
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 05879881b6a519f543d896f85ecd7e4235ba486f22821495 (good)
;; QUESTION SECTION:
;pihole01.loc.example.com.  IN  A

;; AUTHORITY SECTION:
loc.example.com.3600IN  SOA freeipa001.loc.example.com. 
hostmaster.loc.example.com. 1590523365 3600 900 1209600 3600

;; Query time: 0 msec
;; SERVER: 10.150.10.12#53(10.150.10.12)
;; WHEN: Tue May 26 15:38:26 CDT 2020
;; MSG SIZE  rcvd: 141

[andrew.meyer@jump01 ~]$

[andrew.meyer@jump01 ~]$ dig pihole01.loc.example.com A

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> pihole01.loc.example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24317
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: da22b671a9a042aa3acbb8d95ecd71177b0f9a24a87f4651 (good)
;; QUESTION SECTION:
;pihole01.loc.example.com.  IN  A

;; AUTHORITY SECTION:
loc.example.com.3600IN  SOA freeipa001.loc.example.com. 
hostmaster.loc.example.com. 1590520949 3600 900 1209600 3600

;; Query time: 0 msec
;; SERVER: 10.150.10.12#53(10.150.10.12)
;; WHEN: Tue May 26 14:42:15 CDT 2020
;; MSG SIZE  rcvd: 141

[andrew.meyer@jump01 ~]$

Here are the logs from bind on the freeipa server:

26-May-2020 15:27:24.686 validating asm-fedora.example.local/A: bad cache hit 
(local/DS)
26-May-2020 15:27:24.687 broken trust chain resolving 
'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:27:24.729 no valid RRSIG resolving 'asm-fedora/DS/IN': 
10.150.10.40#53
26-May-2020 15:27:24.729 no valid DS resolving 'asm-fedora/A/IN': 
10.150.10.40#53
26-May-2020 15:28:00.622 validating asm-fedora.example.local/A: bad cache hit 
(local/DS)
26-May-2020 15:28:00.622 broken trust chain resolving 
'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:28:00.636 validating asm-fedora/A: bad cache hit (asm-fedora/DS)
26-May-2020 15:28:00.636 broken trust chain resolving 'asm-fedora/A/IN': 
10.150.10.40#53
26-May-2020 15:28:03.868 validating asm-fedora.example.local/A: bad cache hit 
(local/DS)
26-May-2020 15:28:03.869 broken trust chain resolving 
'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:28:03.886 validating asm-fedora/A: bad cache hit (asm-fedora/DS)
26-May-2020 15:28:03.886 broken trust chain resolving 'asm-fedora/A/IN': 
10.150.10.40#53
26-May-2020 15:28:08.154 validating gold-ev-g2.ocsp.swisssign.net/CNAME: no 
valid signature found
26-May-2020 15:28:08.223 validating gold-ev-g2.ocsp.swisssign.net/CNAME: no 
valid signature found
26-May-2020 15:28:08.280 validating ocsp.swisssign.net/A: no valid signature 
found
26-May-2020 15:28:08.349   validating swisssign.net/SOA: no valid signature 
found
26-May-2020 15:28:08.350   validating ocsp.swisssign.net/NSEC: no valid 
signature found
26-May-2020 15:28:11.556 insecurity proof failed resolving 
'incoming.telemetry.mozilla.org/A/IN': 10.150.10.40#53
26-May-2020 15:28:11.556 insecurity proof failed resolving 
'incoming.telemetry.mozilla.org//IN': 10.150.10.40#53
26-May-2020 15:28:12.683 insecurity proof failed resolving 
'snippets.cdn.mozilla.net/A/IN': 10.150.10.40#53
26-May-2020 15:28:12.683 insecurity proof failed resolving 
'snippets.cdn.mozilla.net//IN': 10.150.10.40#53
26-May-2020 15:28:26.783 validating gold-server-g2.ocsp.swisssign.net/CNAME: no 
valid signature found
26-May-2020 15:28:26.897 validating gold-server-g2.ocsp.swisssign.net/CNAME: no 
valid signature found
26-May-2020 15:28:47.512 insecurity proof failed resolving 
'consent.cookiebot.com/A/IN': 10.150.10.40#53
26-May-2020 15:28:47.512 insecurity proof failed resolving 
'consent.cookiebot.com//IN': 10.150.10.40#53
26-May-2020 15:29:45.969 validating vrty.org.example.local/A: bad cache hit 
(local/DS)
26-May-2020 15:29:45.969 broken trust chain resolving 
'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:34:26.510 no valid RRSIG 
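Every validation failure in the named log above is reported against the same upstream, 10.150.10.40#53, which is the first thing to check when DNSSEC-related noise appears after a change: one forwarder that mangles or drops DNSSEC data looks very different in the counts from one zone with a genuinely broken chain. The parser below is an added example, not FreeIPA's or BIND's code; it assumes the message shapes shown in the thread and runs over constructed lines modelled on them.

```python
"""Triage BIND DNSSEC validation failures like those a FreeIPA named logs.

Added example, not FreeIPA's or BIND's code. It parses the message shapes
seen in the thread ("broken trust chain resolving", "insecurity proof
failed resolving", "no valid RRSIG/DS resolving", "validating X: ...") and
summarises failures by upstream server and reason.
"""
import re
from collections import Counter, defaultdict

TS = r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
# e.g. "... broken trust chain resolving 'name/A/IN': 10.150.10.40#53"
RESOLVING = re.compile(
    TS + r"\s+(?P<reason>.+?) resolving '(?P<name>[^/']+)/(?P<rtype>[^/']*)/IN': "
    r"(?P<server>[\d.]+#\d+)")
# e.g. "... validating name/CNAME: no valid signature found"
VALIDATING = re.compile(
    TS + r"\s+validating (?P<name>\S+)/(?P<rtype>[A-Z0-9]+): (?P<reason>.+)")

LOCAL = "(local validation)"


def parse_line(line):
    """Return {ts, name, rtype, reason, server} or None for unrelated lines."""
    m = RESOLVING.match(line) or VALIDATING.match(line)
    if not m:
        return None
    d = m.groupdict()
    d.setdefault("server", None)          # "validating" lines name no upstream
    d["reason"] = re.sub(r"\s*\(.*\)$", "", d["reason"])   # drop "(local/DS)"
    return d


def summarize(lines):
    """Count failures per (upstream, reason) and collect the names involved."""
    by_server = Counter()
    names = defaultdict(set)
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue
        key = (d["server"] or LOCAL, d["reason"])
        by_server[key] += 1
        names[key].add(d["name"])
    return by_server, names


def suspect_forwarder(by_server, threshold=0.8):
    """Return the upstream behind at least `threshold` of the failures that
    name an upstream, or None when blame is spread across several."""
    per_server = Counter()
    for (server, _), n in by_server.items():
        if server != LOCAL:
            per_server[server] += n
    total = sum(per_server.values())
    if not total:
        return None
    server, n = per_server.most_common(1)[0]
    return server if n / total >= threshold else None


# Constructed sample log modelled on the lines in the thread; the last line
# is an unrelated query-log entry that the parser must ignore.
SAMPLE_LOG = """\
26-May-2020 15:27:24.686 validating asm-fedora.example.local/A: bad cache hit (local/DS)
26-May-2020 15:27:24.687 broken trust chain resolving 'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:27:24.729 no valid RRSIG resolving 'asm-fedora/DS/IN': 10.150.10.40#53
26-May-2020 15:27:24.729 no valid DS resolving 'asm-fedora/A/IN': 10.150.10.40#53
26-May-2020 15:28:08.154 validating gold-ev-g2.ocsp.swisssign.net/CNAME: no valid signature found
26-May-2020 15:28:11.556 insecurity proof failed resolving 'incoming.telemetry.mozilla.org/A/IN': 10.150.10.40#53
26-May-2020 15:28:11.556 insecurity proof failed resolving 'incoming.telemetry.mozilla.org//IN': 10.150.10.40#53
26-May-2020 15:29:45.969 broken trust chain resolving 'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:30:00.000 client @0x7f 10.150.10.20#5353: query: pihole01.loc.example.com IN A + (10.150.10.12)
""".splitlines()

if __name__ == "__main__":
    by_server, names = summarize(SAMPLE_LOG)
    for (server, reason), n in by_server.most_common():
        print(f"{n:3d}  {server:22s} {reason:28s} {sorted(names[(server, reason)])}")
    print("suspect forwarder:", suspect_forwarder(by_server))
```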

[Freeipa-users] Re: New IPA server

2020-03-30 Thread Andrew Meyer via FreeIPA-users
 Remove the ipv6_disabled=1 line from grub.

On Monday, March 30, 2020, 12:40:08 PM CDT, Rob Crittenden 
 wrote:  
 
 Andrew Meyer via FreeIPA-users wrote:
> I fixed it.  Figured it out.

Great! I'm curious, what did you need to do?

thanks

rob

> 
> 
>    On Fri, Mar 27, 2020 at 8:45 AM, Rob Crittenden
>     wrote:
>    Andrew Meyer via FreeIPA-users wrote:
>    > I am building out a new IPA server environment and I am getting
>    the following error:
>    >
>    > [user@freeipa001 <mailto:user@freeipa001> ~]$ sudo
>    ipa-server-install --setup-dns --setup-kra --setup-adtrust
>    --auto-reverse --ssh-trust-dns --auto-forwarders --allow-zone-overlap
>    > IPv6 stack has to be enabled in the kernel and some interface has
>    to have ::1 address assigned. Typically this is 'lo' interface. If
>    you do not wish to use IPv6 globally, disable it on the specific
>    interfaces in sysctl.conf except 'lo' interface.
>    > The ipa-server-install command failed. See
>    /var/log/ipaserver-install.log for more information
>    > [user@freeipa001 <mailto:user@freeipa001> ~]$
>    >
>    > [root@freeipa001 <mailto:root@freeipa001> ~]# sudo sysctl -w
>    net.ipv6.conf.lo.disable_ipv6=0
>    > sysctl: cannot stat /proc/sys/net/ipv6/conf/lo/disable_ipv6: No
>    such file or directory
>    > [root@freeipa001 <mailto:root@freeipa001> ~]#
>    >
>    > I am using the latest CentOS 8
> 
>    IPA is looking to ensure that /proc/net/if_inet6 exists. It is
>    apparently missing on your system indicating that IPv6 support is not
>    enabled in the kernel.
> 
>    rob
> 


[Freeipa-users] Re: New IPA server

2020-03-28 Thread Andrew Meyer via FreeIPA-users
I fixed it.  Figured it out.

  On Fri, Mar 27, 2020 at 8:45 AM, Rob Crittenden wrote:   
Andrew Meyer via FreeIPA-users wrote:
> I am building out a new IPA server environment and I am getting the following 
> error:
> 
> [user@freeipa001 ~]$ sudo ipa-server-install --setup-dns --setup-kra 
> --setup-adtrust --auto-reverse --ssh-trust-dns --auto-forwarders 
> --allow-zone-overlap
> IPv6 stack has to be enabled in the kernel and some interface has to have ::1 
> address assigned. Typically this is 'lo' interface. If you do not wish to use 
> IPv6 globally, disable it on the specific interfaces in sysctl.conf except 
> 'lo' interface.
> The ipa-server-install command failed. See /var/log/ipaserver-install.log for 
> more information
> [user@freeipa001 ~]$ 
> 
> [root@freeipa001 ~]# sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=0
> sysctl: cannot stat /proc/sys/net/ipv6/conf/lo/disable_ipv6: No such file or 
> directory
> [root@freeipa001 ~]# 
> 
> I am using the latest CentOS 8

IPA is looking to ensure that /proc/net/if_inet6 exists. It is
apparently missing on your system indicating that IPv6 support is not
enabled in the kernel.

rob



[Freeipa-users] Re: New IPA server

2020-03-27 Thread Andrew Meyer via FreeIPA-users
So I tried enabling it but it doesn't seem like it's working.


[Freeipa-users] New IPA server

2020-03-26 Thread Andrew Meyer via FreeIPA-users
I am building out a new IPA server environment and I am getting the following 
error:

[user@freeipa001 ~]$ sudo ipa-server-install --setup-dns --setup-kra 
--setup-adtrust --auto-reverse --ssh-trust-dns --auto-forwarders 
--allow-zone-overlap
IPv6 stack has to be enabled in the kernel and some interface has to have ::1 
address assigned. Typically this is 'lo' interface. If you do not wish to use 
IPv6 globally, disable it on the specific interfaces in sysctl.conf except 'lo' 
interface.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for 
more information
[user@freeipa001 ~]$ 

[root@freeipa001 ~]# sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=0
sysctl: cannot stat /proc/sys/net/ipv6/conf/lo/disable_ipv6: No such file or 
directory
[root@freeipa001 ~]# 

I am using the latest CentOS 8


[Freeipa-users] ansible-freeipa client install error

2020-03-12 Thread Andrew Meyer via FreeIPA-users
I am trying to use the ansible-playbook to install the client on CentOS 8.  I 
am getting the following error:

TASK [ipaclient : Install - Check if one of password or keytabs are set] 

fatal: [host1.example.com]: FAILED! => {"changed": false, "msg": "At least one 
of password or keytabs must be specified"}

I'm not sure what is causing this.

I have the following in my ansible-freeipa inventory hosts file:

[ipaclients:vars]
ipaadmin_principal=admin
ipaadmin_password="{{ ipaadmin_password }}"
ipaclient_domain=domain.example.com
ipaclient_realm=DOMAIN.EXAMPLE.COM
#ipaclient_keytab=/tmp/krb5.keytab
#ipaclient_use_otp=yes
#ipaclient_force_join=yes
#ipaclient_kinit_attempts=3
ipaclient_mkhomedir=yes
ipaclient_allow_repair=yes


When I run the playbook I have it accessing a secrets file.

Thanks in advance!


[Freeipa-users] Re: MFA alternative

2020-03-10 Thread Andrew Meyer via FreeIPA-users
Got it working.  Need to refine instructions.


[Freeipa-users] dhcp dynamic update

2020-02-24 Thread Andrew Meyer via FreeIPA-users
Hello,
I was trying to search the mailing list before emailing about this, but has 
anyone set this up 
https://archyslife.blogspot.com/2019/01/freeipa-integrating-your-dhcpd-dynamic.html
 OR https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update in 
their environment?

In the past I ran into issues when making changes to /etc/named.conf so before 
I go doing this I wanted to make sure others had tried this out.


[Freeipa-users] Re: freeipa failing to start after update

2020-01-20 Thread Andrew Meyer via FreeIPA-users
Glad to know this will be fixed!


[Freeipa-users] Re: freeipa failing to start after update

2020-01-20 Thread Andrew Meyer via FreeIPA-users
[andrew.meyer@freeipa01 ~]$ sudo ipactl --ignore-service-failures start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting smb Service
Failed to start smb Service
Forced start, ignoring smb Service, continuing normal operation
Starting winbind Service
Failed to start winbind Service
Forced start, ignoring winbind Service, continuing normal operation
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[andrew.meyer@freeipa01 ~]$


[Freeipa-users] freeipa failing to start after update

2020-01-20 Thread Andrew Meyer via FreeIPA-users
I am running CentOS 8.x and have updated to the latest version of IPA and 
CentOS 8.  I rebooted after updating and am now getting the following:  

Jan 20 12:55:29 freeipa01 server[7889]: arguments used: stop
Jan 20 12:55:30 freeipa01 systemd[1]: Stopping 389 Directory Server 
ZONE1-EXAMPLE-NET
Jan 20 12:55:30 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:30.169315691 
-0600] - INFO - op_thread_cleanup - slapd shutting down - signaling operation 
threads - op stack size 2 max work q size 2 max work q stack size 2
Jan 20 12:55:30 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:30.396008349 
-0600] - INFO - slapd_daemon - slapd shutting down - closing down internal 
subsystems and plugins
Jan 20 12:55:30 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:30.456826998 
-0600] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 20 12:55:30 freeipa01 server[7889]: SEVERE: Could not contact 
[localhost:[8005]]. Tomcat may not be running.
Jan 20 12:55:30 freeipa01 server[7889]: SEVERE: Catalina.stop:
Jan 20 12:55:30 freeipa01 server[7889]: java.net.ConnectException: Connection 
refused (Connection refused)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.PlainSocketImpl.socketConnect(Native Method)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.Socket.connect(Socket.java:607)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.Socket.connect(Socket.java:556)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.Socket.(Socket.java:452)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.Socket.(Socket.java:229)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
org.apache.catalina.startup.Catalina.stopServer(Catalina.java:498)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.lang.reflect.Method.invoke(Method.java:498)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:403)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Jan 20 12:55:30 freeipa01 systemd[1]: pki-tomcatd@pki-tomcat.service: Control 
process exited, code=exited status=1
Jan 20 12:55:31 freeipa01 systemd[1]: pki-tomcatd@pki-tomcat.service: Failed 
with result 'exit-code'.
Jan 20 12:55:31 freeipa01 systemd[1]: Stopped PKI Tomcat Server pki-tomcat.
Jan 20 12:55:31 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:31.401012956 
-0600] - INFO - dblayer_pre_close - All database threads now stopped
Jan 20 12:55:31 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:31.477064258 
-0600] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 20 12:55:31 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:31.485527687 
-0600] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 
2 work q stack objects - freed 2 op stack objects
Jan 20 12:55:31 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:31.491338592 
-0600] - INFO - main - slapd stopped.


[Freeipa-users] Re: FreeIPA fails to start on CentOS 8

2019-11-15 Thread Andrew Meyer via FreeIPA-users
So since I was using an externally registered domain, the install script 
didn't create the SSHFP records.  I am still working on delegating DNS to my 
FIPA server.


[Freeipa-users] Re: FreeIPA fails to start on CentOS 8

2019-11-14 Thread Andrew Meyer via FreeIPA-users
Ok, I have pointed the domain to my IP address (also set up DDNS with the 
registrar).  However, BIND still fails.

Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: starting BIND 
9.11.4-P2-RedHat-9.11.4-17.P2.el8_0.1 (Extended Support Version) 
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: running on 
Linux x86_64 4.18.0-80.11.2.el8_0.x86_64 #1 SMP Tue Sep 24 11:32:19 UTC 2019
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: built with 
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' 
'--exec-pref>
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: running as: 
named-pkcs11 -u named -c /etc/named.conf
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: compiled by 
GCC 8.2.1 20180905 (Red Hat 8.2.1-3)
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: compiled with 
libxml2 version: 2.9.7
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: linked to libxml2 version: 20907
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: compiled with zlib version: 1.2.11
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: linked to zlib version: 1.2.11
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: threads support is enabled
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: 
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: BIND 9 is maintained by Internet Systems Consortium,
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: corporation.  Support and training for BIND 9 are
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: available at https://www.isc.org/support
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: 
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: adjusted limit on open files from 4096 to 1048576
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: found 1 CPU, using 1 worker thread
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: using 1 UDP listener per interface
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: using up to 21000 sockets
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: Configuration.cpp(94): Missing log.level in configuration. Using default value: INFO
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/ipa/dnssec/tokens
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: SoftHSM.cpp(507): Could not load the object store
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: initializing DST: PKCS#11 initialization failed
Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: exiting (due to fatal error)
Nov 14 20:46:28 freeipa01.asm.caprica.space systemd[1]: named-pkcs11.service: Control process exited, code=exited status=1
Nov 14 20:46:28 freeipa01.asm.caprica.space systemd[1]: named-pkcs11.service: Failed with result 'exit-code'.
Nov 14 20:46:28 freeipa01.asm.caprica.space systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
-- Subject: Unit named-pkcs11.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: FreeIPA fails to start on CentOS 8

2019-11-14 Thread Andrew Meyer via FreeIPA-users
Sure.  Give me a bit to gather that.


[Freeipa-users] FreeIPA fails to start on CentOS 8

2019-11-14 Thread Andrew Meyer via FreeIPA-users
I am trying to migrate to CentOS 8 in my home lab, and I have gotten FreeIPA installed. However, I am using caprica.space as my domain name, but I don't think bind/named likes me using that. Is this an issue with the version in FreeIPA, or did I do something wrong? I found this out because FreeIPA won't start. It fails on named.

14-Nov-2019 13:00:43.566 zone 100.51.198.IN-ADDR.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone 113.0.203.IN-ADDR.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone 255.255.255.255.IN-ADDR.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone D.F.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone 8.E.F.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone 9.E.F.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone A.E.F.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone B.E.F.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone 8.B.D.0.1.0.0.2.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone EMPTY.AS112.ARPA/IN: shutting down
14-Nov-2019 13:00:43.620 LDAP configuration for instance 'ipa' synchronized
14-Nov-2019 13:00:43.657 LDAP data for instance 'ipa' are being synchronized, please ignore message 'all zones loaded'
14-Nov-2019 13:00:43.669 managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
14-Nov-2019 13:00:43.819 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.819 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.819 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.822 zone 10.150.10.in-addr.arpa/IN: loaded serial 1573758043
14-Nov-2019 13:00:43.822 zone caprica.space/IN: NS 'freeipa01.asm.caprica.space' has no address records (A or AAAA)
14-Nov-2019 13:00:43.822 zone caprica.space/IN: not loaded due to errors.
14-Nov-2019 13:00:43.822 1 master zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 1 failed to load)
14-Nov-2019 13:00:43.824 zone caprica.space/IN: NS 'freeipa01.asm.caprica.space' has no address records (A or AAAA)
14-Nov-2019 13:00:43.824 zone caprica.space/IN: not loaded due to errors.
14-Nov-2019 13:00:43.824 update_zone (syncrepl) failed for master zone DN 'idnsname=caprica.space.,cn=dns,dc=caprica,dc=space'. Zones can be outdated, run `rndc reload`: bad zone
14-Nov-2019 13:01:38.383 received control channel command 'stop'
14-Nov-2019 13:01:38.384 shutting down: flushing changes
14-Nov-2019 13:01:38.384 stopping command channel on 127.0.0.1#953
14-Nov-2019 13:01:38.384 stopping command channel on ::1#953
14-Nov-2019 13:01:38.385 unloading DynDB instance 'ipa'
14-Nov-2019 13:01:38.386 zone 10.150.10.in-addr.arpa/IN: shutting down
14-Nov-2019 13:01:38.387 no longer listening on ::#53
14-Nov-2019 13:01:38.387 no longer listening on 127.0.0.1#53
14-Nov-2019 13:01:38.387 no longer listening on 10.150.10.15#53
14-Nov-2019 13:01:38.404 exiting


[Freeipa-users] ansbile-freeipa client install

2019-10-23 Thread Andrew Meyer via FreeIPA-users
Hello, I have set up Ansible to install the FreeIPA client on my CentOS 7/8 machines. I am able to get the packages installed; however, when it goes through the configuration I am getting the following:


TASK [ipaclient : Install - Ensure that IPA client packages are installed]
**
ok: [10.150.10.15]

TASK [ipaclient : Install - Set ipaclient_servers]
**
skipping: [10.150.10.15]

TASK [ipaclient : Install - Set ipaclient_servers from cluster inventory]
***
skipping: [10.150.10.15]

TASK [ipaclient : Install - Check that either principal or keytab is set]
***
skipping: [10.150.10.15]

TASK [ipaclient : Install - Set default principal if no keytab is given]

ok: [10.150.10.15]

TASK [ipaclient : Install - IPA client test]

ok: [10.150.10.15]

TASK [ipaclient : Install - Cleanup leftover ccache]

ok: [10.150.10.15]

TASK [ipaclient : Install - Configure NTP]
**
changed: [10.150.10.15]

TASK [ipaclient : Install - Disable One-Time Password for on_master]

skipping: [10.150.10.15]

TASK [ipaclient : Install - Test if IPA client has working krb5.keytab]
*
ok: [10.150.10.15]

TASK [ipaclient : Install - Disable One-Time Password for client with working krb5.keytab]
**
skipping: [10.150.10.15]

TASK [ipaclient : Install - Keytab or password is required for otp]
*
skipping: [10.150.10.15]

TASK [ipaclient : Install - Get One-Time Password for client enrollment]

skipping: [10.150.10.15]

TASK [ipaclient : Install - Report error for OTP generation]

skipping: [10.150.10.15]

TASK [ipaclient : Install - Store the previously obtained OTP]
**
skipping: [10.150.10.15]

TASK [ipaclient : Install - Check if principal and keytab are set]
**
skipping: [10.150.10.15]

TASK [ipaclient : Install - Check if one of password or keytabs are set]

fatal: [10.150.10.15]: FAILED! => {"changed": false, "msg": "At least one of password or keytabs must be specified"}

TASK [ipaclient : Install - Restore original admin password if overwritten by OTP]
**

[Freeipa-users] Re: adding external 2FA

2019-07-26 Thread Andrew Meyer via FreeIPA-users
Would you mind showing me how you have FreeRADIUS set up?


[Freeipa-users] Re: FreeIPA and Windows AD users

2019-07-25 Thread Andrew Meyer via FreeIPA-users
Does the user have to be in both sets of IDMs?


On Thursday, July 25, 2019, 9:52:39 AM CDT, Alexander Bokovoy wrote:

On Thu, 25 Jul 2019, Andrew Meyer via FreeIPA-users wrote:
>I have successfully gotten FreeIPA to communicate with MS Windows Server
>2012r2 using Active Directory.  I am able to log in to my jump hosts via SSH.
>However when I log in using a Windows user I get the following:
>fedora1 :) > ssh james.kirk@meye...@jump01.asm.meyer.local
>Password:
>Last login: Thu Jul 25 08:53:18 2019 from 10.150.254.2
>-sh-4.2$ logout
>Connection to jump01.asm.meyer.local closed.
>fedora1 :) >
>
>
>I am not getting a proper bash prompt.  I tried running 'sudo authconfig
>--enablemkhomedir --update'.  Is there something I need to run to make this
>work?
>I tried running 'sudo authconfig --enablemkhomedir --updateall' but that did
>not fix the problem.
You need to assign /bin/bash as your shell in ID override for your user
in 'Default Trust View'.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/id-views

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] FreeIPA and Windows AD users

2019-07-25 Thread Andrew Meyer via FreeIPA-users
I have successfully gotten FreeIPA to communicate with MS Windows Server 2012r2 using Active Directory. I am able to log in to my jump hosts via SSH. However, when I log in using a Windows user I get the following:
fedora1 :) > ssh james.kirk@meye...@jump01.asm.meyer.local
Password: 
Last login: Thu Jul 25 08:53:18 2019 from 10.150.254.2
-sh-4.2$ logout
Connection to jump01.asm.meyer.local closed.
fedora1 :) > 


I am not getting a proper bash prompt.  I tried running 'sudo authconfig 
--enablemkhomedir --update'.  Is there something I need to run to make this 
work?
I tried running 'sudo authconfig --enablemkhomedir --updateall' but that did 
not fix the problem.


Regards,
Andrew


[Freeipa-users] 2FA alternatives

2019-07-22 Thread Andrew Meyer via FreeIPA-users
I think I have emailed about this recently, but is there a way other than using RADIUS to use a 3rd-party 2FA provider (Duo, Authy or RSA) with the current version of FreeIPA? I know that you could easily add it using 4.0 and 4.1 (I could be wrong on the version).

If not is that support coming? 

Thanks,
Andrew


[Freeipa-users] Re: Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
Excellent, thank you!
On Monday, July 22, 2019, 12:01:53 PM CDT, François Cami wrote:

On Mon, Jul 22, 2019 at 6:51 PM Andrew Meyer via FreeIPA-users wrote:
>
> [andrew.meyer@freeipa01 ~]$ id james.kirk
> id: james.kirk: no such user
> [andrew.meyer@freeipa01 ~]$ id william.riker
> id: william.riker: no such user
> [andrew.meyer@freeipa01 ~]$

Try "id user@DOMAIN" like this:
id james.kirk@AD.MEYER.LOCAL

> Unless I need to use ipa users-find command.
>
> On Monday, July 22, 2019, 11:47:12 AM CDT, Alexander Bokovoy wrote:
>
>
> On Mon, 22 Jul 2019, Andrew Meyer via FreeIPA-users wrote:
> > Once this is done I should be able to do id user.name and get the Active 
> > Directory user correct?
>
> Resolving users is unrelated to mapping groups.
> You should be able to resolve users already.
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland


[Freeipa-users] Re: Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
[andrew.meyer@freeipa01 ~]$ id james.kirk
id: james.kirk: no such user
[andrew.meyer@freeipa01 ~]$ id william.riker
id: william.riker: no such user
[andrew.meyer@freeipa01 ~]$
Unless I need to use ipa users-find command.
On Monday, July 22, 2019, 11:47:12 AM CDT, Alexander Bokovoy wrote:

On Mon, 22 Jul 2019, Andrew Meyer via FreeIPA-users wrote:
> Once this is done I should be able to do id user.name and get the Active 
> Directory user correct?

Resolving users is unrelated to mapping groups.
You should be able to resolve users already.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
Once this is done I should be able to do id user.name and get the Active Directory user, correct?
On Monday, July 22, 2019, 11:03:10 AM CDT, Alexander Bokovoy wrote:

On Mon, 22 Jul 2019, Andrew Meyer wrote:
>  Getting this:
>[andrew.meyer@freeipa01 ~]$ sudo ipa trust-find
>---
>1 trust matched
>---
>  Realm name: ad.meyer.local
>  Domain NetBIOS name: MEYERAD
>  Domain Security Identifier: S-1-5-21-1219070868-1303614073-2179474410
>  Trust type: Active Directory domain
>
>Number of entries returned 1
>

So, you should be using 'MEYERAD\Domain Admins' then.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
Getting this:
[andrew.meyer@freeipa01 ~]$ sudo ipa trust-find
---
1 trust matched
---
  Realm name: ad.meyer.local
  Domain NetBIOS name: MEYERAD
  Domain Security Identifier: S-1-5-21-1219070868-1303614073-2179474410
  Trust type: Active Directory domain
Number of entries returned 1
[andrew.meyer@freeipa01 ~]$


On Monday, July 22, 2019, 10:26:29 AM CDT, Alexander Bokovoy wrote:

On Mon, 22 Jul 2019, Andrew Meyer via FreeIPA-users wrote:
> Hello,
>I am working on setting up FreeIPA with AD integration and seem to be
>running into an issue.  It's possible that I am also doing something wrong.
>I am setting it up to talk to MS Windows Server 2012r2.  Following
>directions on https://www.freeipa.org/page/Active_Directory_trust_setup
>I have not edited the /etc/krb5.conf ( I figured that needed to happen on
>the client machines.)
Please use official documentation instead. The page above was written
quite a few years ago by test engineers to help themselves to get
through various test scenarios. You are better off using
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index


>I am actually at this step:
>https://www.freeipa.org/page/Active_Directory_trust_setup#Create_external_and_POSIX_groups_for_trusted_domain_users
>I am getting the following error:
>[andrew.meyer@freeipa01 ~]$ sudo ipa group-add-member ad_admins_external
>--external 'MEYER-AD\Domain Admins'
>[member user]:
>[member group]:
>  Group name: ad_admins_external
>  Description: ad.meyer.local admins external map
>  External member: S-1-5-21-2117027177-2554619188-4034396183-512,
>S-1-5-21-2117027177-2554619188-4034396183-1106
>  Member users: andrew.meyer
>  Member groups: ad_admins
>  Member of groups: ad_admins, ipausers
>  Indirect Member groups: ad_admins_external
>  Failed members:
>    member user:
>    member group: MEYER-AD\Domain Admins: invalid 'trusted domain object':
>no trusted domain matched the specified flat name

This particular error message tells that there is no trust to AD with
'MEYER-AD' as its NetBIOS name.

It might be that the trust wasn't established successfully, thus it is
not possible to use it to resolve users.

Start with 'ipa trust-find' output.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
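The flat-name mismatch diagnosed in this thread (the value given to `--external` must carry the trusted domain's NetBIOS name, and `ipa trust-find` is where to read it) as an added example that is not code from the thread or from FreeIPA: it parses a constructed copy of the `ipa trust-find` listing quoted above and checks a candidate `--external` value before it is sent to IPA. It goes slightly beyond the thread by also accepting the SID form of an external member; the function names and the sample listing are this example's own.

```python
"""Validate an `ipa group-add-member --external` value against `ipa trust-find`.

Added example for this thread (not code from FreeIPA or from the list posters).
The failing call used the flat name MEYER-AD while the only trust reported
Domain NetBIOS name MEYERAD; this reproduces that diagnosis offline and, as an
extension, also checks the SID form an external member may be given in.
Function names are this example's own; the sample output is constructed from
the values quoted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the `ipa trust-find` listing quoted in the thread.
TRUST_FIND_OUTPUT = """\
---------------
1 trust matched
---------------
  Realm name: ad.meyer.local
  Domain NetBIOS name: MEYERAD
  Domain Security Identifier: S-1-5-21-1219070868-1303614073-2179474410
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
"""

FIELD_RE = re.compile(
    r"^\s*(Realm name|Domain NetBIOS name|Domain Security Identifier):\s*(\S+)\s*$"
)
# A full account/group SID: the domain SID (S-1-5-21-a-b-c) followed by a RID.
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-\d+$")


@dataclass(frozen=True)
class Trust:
    realm: str    # Kerberos realm of the trusted AD domain, lower-cased
    netbios: str  # flat (NetBIOS) name, upper-cased
    sid: str      # domain SID; member SIDs must start with it


def parse_trust_find(text: str) -> list[Trust]:
    """Parse the human-readable listing; a 'Realm name:' line opens each entry."""
    entries: list[dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Realm name":
            current = {"realm": value.lower(), "netbios": "", "sid": ""}
            entries.append(current)
        elif current is not None and key == "Domain NetBIOS name":
            current["netbios"] = value.upper()
        elif current is not None and key == "Domain Security Identifier":
            current["sid"] = value
    # Only fully described trusts can be matched against.
    return [Trust(**e) for e in entries if e["netbios"] and e["sid"]]


def check_external_member(member: str, trusts: list[Trust]) -> tuple[bool, str]:
    """Return (ok, reason) for a value meant for `--external`.

    Accepted forms are 'FLATNAME\\name' (the form used in the thread) and a
    full SID; both must resolve to one of the trusted domains.
    """
    sid = SID_RE.match(member)
    if sid:
        domain_sid = sid.group(1)
        for t in trusts:
            if t.sid == domain_sid:
                return True, f"SID belongs to trusted domain {t.netbios} ({t.realm})"
        return False, f"no trusted domain has SID {domain_sid}"
    if "\\" not in member:
        return False, "expected 'FLATNAME\\name' or a SID"
    flat, _, name = member.partition("\\")
    if not name:
        return False, "missing account or group name after the backslash"
    for t in trusts:
        if t.netbios == flat.upper():
            return True, f"flat name {flat} matches trust to {t.realm}"
    known = ", ".join(t.netbios for t in trusts) or "none"
    return False, f"no trusted domain matched the specified flat name {flat!r} (known: {known})"


if __name__ == "__main__":
    trusts = parse_trust_find(TRUST_FIND_OUTPUT)
    for candidate in ("MEYER-AD\\Domain Admins", "MEYERAD\\Domain Admins"):
        ok, reason = check_external_member(candidate, trusts)
        print(f"{'OK  ' if ok else 'FAIL'} {candidate}: {reason}")
```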


[Freeipa-users] Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
Hello,
I am working on setting up FreeIPA with AD integration and seem to be running into an issue. It's possible that I am also doing something wrong.
I am setting it up to talk to MS Windows Server 2012r2, following directions on https://www.freeipa.org/page/Active_Directory_trust_setup
I have not edited the /etc/krb5.conf (I figured that needed to happen on the client machines.)
I am actually at this step: https://www.freeipa.org/page/Active_Directory_trust_setup#Create_external_and_POSIX_groups_for_trusted_domain_users

I am getting the following error:
[andrew.meyer@freeipa01 ~]$ sudo ipa group-add-member ad_admins_external --external 'MEYER-AD\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: ad.meyer.local admins external map
  External member: S-1-5-21-2117027177-2554619188-4034396183-512, S-1-5-21-2117027177-2554619188-4034396183-1106
  Member users: andrew.meyer
  Member groups: ad_admins
  Member of groups: ad_admins, ipausers
  Indirect Member groups: ad_admins_external
  Failed members:
    member user:
    member group: MEYER-AD\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
-
Number of members added 0
-
[andrew.meyer@freeipa01 ~]$
What am I doing wrong?


[Freeipa-users] Re: adding external 2FA

2019-07-09 Thread Andrew Meyer via FreeIPA-users
I was hoping to not use a radius server in between.

Sent from Yahoo Mail on Android

On Tue, Jul 9, 2019 at 3:59 PM, Jochen Hein wrote:
Andrew Meyer via FreeIPA-users writes:

> I am trying to research how to add other 2FA providers to FreeIPA. 
> Has anyone added Duo or something else to FreeIPA/IPA in the most
> recent versions?

I'm running Privacyidea (https://www.privacyidea.org/) and FreeRADIUS
and have some users authenticate against RADIUS.

Jochen

-- 
This space is intentionally left blank.
  


[Freeipa-users] adding external 2FA

2019-07-09 Thread Andrew Meyer via FreeIPA-users
I am trying to research how to add other 2FA providers to FreeIPA.  Has anyone 
added Duo or something else to FreeIPA/IPA in the most recent versions?


[Freeipa-users] mapping freeipa to local users and group

2019-07-09 Thread Andrew Meyer via FreeIPA-users
I want to map my FreeIPA users to local users on a particular server. I have read a few sites that say to do sss_override. However, I am running into a problem:
[andrew.meyer@server01 ~]$ sudo sss_override user-add andrew.meyer -n ameyer
Other than LOCAL view already exists in domain freeipa.local.
But I remember seeing this somewhere as well:
group:  files [SUCCESS=merge] sss
Will doing the merge satisfy what I want?
Thanks,
Andrew



[Freeipa-users] ipa services continue to fail

2019-01-14 Thread Andrew Meyer via FreeIPA-users
Currently in my environment I have 6 servers: 2 in my local office and 2 in each region in AWS. The AWS servers are all running CentOS 7.x with FreeIPA 4.5.x running on all 6. The AWS servers are all t2.medium w/ unlimited turned on. Occasionally we have issues with all 6 where one of the processes for FreeIPA stops working completely. This could be the ipa.service or the named-pkcs11, or dir...@myrealm.org. Sometimes it will be resource constraints, other times the whole system could come to a crawl for no reason whatsoever. Looking through the IPA logs doesn't always tell me what was going on. I usually have to restart the service or reboot the whole instance/machine to get it back to a working state.

Also, as of right now I'm seeing that dir...@myrealm.net will not start because a configured resource limit was exceeded. Here is the error I'm getting all of a sudden:
● dir...@example.net.service - 389 Directory Server EXAMPLE.NET.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: failed (Result: resources)
Jan 14 19:55:21 freeipa01.west.example.net systemd[1]: Failed to load environment files: No such file or directory
Jan 14 19:55:21 freeipa01.west.example.net systemd[1]: dir...@example.net.service failed to run 'start-pre' task: No such file or directory
Jan 14 19:55:21 freeipa01.west.example.net systemd[1]: Failed to start 389 Directory Server EXAMPLE.NET..
Jan 14 19:55:21 freeipa01.west.example.net systemd[1]: Unit dir...@example.net.service entered failed state.
Jan 14 19:55:21 freeipa01.west.example.net systemd[1]: dir...@example.net.service failed.
Jan 14 19:55:21 freeipa01.west.example.net systemd[1]: Starting 389 Directory Server EXAMPLE.NET
[andrew.meyer@freeipa01 ~]$
Here is a snippet from the logs: /var/log/dirsrv/slapd-EXAMPLE-NET/errors
[14/Jan/2019:19:51:42.631413149 +] - NOTICE - ldbm_back_start - found 3880412k physical memory
[14/Jan/2019:19:51:42.632553293 +] - NOTICE - ldbm_back_start - found 3273584k available
[14/Jan/2019:19:51:42.633584210 +] - NOTICE - ldbm_back_start - cache autosizing: db cache: 97010k
[14/Jan/2019:19:51:42.634560420 +] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 131072k
[14/Jan/2019:19:51:42.636236633 +] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 65536k
[14/Jan/2019:19:51:42.639592221 +] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 131072k
[14/Jan/2019:19:51:42.641296133 +] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 65536k
[14/Jan/2019:19:51:42.643594212 +] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 131072k
[14/Jan/2019:19:51:42.645241367 +] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 65536k
[14/Jan/2019:19:51:42.646916994 +] - NOTICE - ldbm_back_start - total cache size: 683450613 B;
[14/Jan/2019:19:51:42.650449731 +] - NOTICE - dblayer_start - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[14/Jan/2019:19:51:49.346656922 +] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[14/Jan/2019:19:51:49.544963162 +] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=example,dc=net does not exist
[14/Jan/2019:19:51:49.564630973 +] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=example,dc=net does not exist
[14/Jan/2019:19:51:49.584635724 +] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=example,dc=net does not exist
[14/Jan/2019:19:51:49.604545604 +] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=example,dc=net does not exist
[14/Jan/2019:19:51:49.624542861 +] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=example,dc=net does not exist
[14/Jan/2019:19:51:49.684538158 +] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=example,dc=net does not exist
[14/Jan/2019:19:51:49.825646593 +] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=net does not exist
[14/Jan/2019:19:51:49.844539895 +] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=net does not exist
[14/Jan/2019:19:51:49.990796503 +] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[14/Jan/2019:19:52:00.365183146 +] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes...
[14/Jan/2019:19:52:00.445692209 +] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog

[Freeipa-users] Re: dirsrv not starting

2018-11-16 Thread Andrew Meyer via FreeIPA-users
Please disregard for now.  I compared it to another server and found that 
dir...@example.net is incorrect.   

On Friday, November 16, 2018 2:46 PM, Andrew Meyer via FreeIPA-users wrote:

I just noticed that I have 2 dirsrv systemctl units as well.
See below:
[root@freeipa02 slapd-EXAMPLE-NET]# systemctl list-units |grep -i dirsrv
  dirsrv@EXAMPLE-NET.service    loaded active   running   389 Directory Server EXAMPLE-NET.
● dir...@example.net.service    loaded failed   failed    389 Directory Server EXAMPLE.NET.
  system-dirsrv.slice           loaded active   active    system-dirsrv.slice
  dirsrv.target                 loaded active   active    389 Directory Server
[root@freeipa02 slapd-EXAMPLE-NET]#

On Friday, November 16, 2018 2:40 PM, Andrew Meyer via FreeIPA-users wrote:

We have 2 servers in our AWS west environment running CentOS 7. The server just went unresponsive and I rebooted it. After it came back up it won't start the dirsrv service. I get the following errors from systemd/journalctl:
[root@freeipa02 slapd-EXAMPLE-NET]# systemctl status dir...@example.net -l
● dir...@example.net.service - 389 Directory Server EXAMPLE.NET.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: failed (Result: resources)
Nov 16 20:27:46 freeipa02.west.example systemd[1]: dir...@example.net.service failed to run 'start-pre' task: No such file or directory
Nov 16 20:27:46 freeipa02.west.example systemd[1]: Failed to start 389 Directory Server EXAMPLE.NET..
Nov 16 20:27:46 freeipa02.west.example systemd[1]: Unit dir...@example.net.service entered failed state.
Nov 16 20:27:46 freeipa02.west.example systemd[1]: dir...@example.net.service failed.
Nov 16 20:27:46 freeipa02.west.example systemd[1]: Starting 389 Directory Server EXAMPLE.NET
Nov 16 20:29:10 freeipa02.west.example systemd[1]: Failed to load environment files: No such file or directory
Nov 16 20:29:10 freeipa02.west.example systemd[1]: dir...@example.net.service failed to run 'start-pre' task: No such file or directory
Nov 16 20:29:10 freeipa02.west.example systemd[1]: Failed to start 389 Directory Server EXAMPLE.NET..
Nov 16 20:29:10 freeipa02.west.example systemd[1]: dir...@example.net.service failed.
Nov 16 20:29:10 freeipa02.west.example systemd[1]: Starting 389 Directory Server EXAMPLE.NET
[root@freeipa02 slapd-EXAMPLE-NET]#

All the files are there.  I did a comparison to the 01 server.
Regards,
Andrew


[Freeipa-users] Re: dirsrv not starting

2018-11-16 Thread Andrew Meyer via FreeIPA-users
I just noticed that I have 2 dirsrv systemctl units as well.
See below:
[root@freeipa02 slapd-EXAMPLE-NET]# systemctl list-units |grep -i dirsrv
dirsrv@EXAMPLE-NET.service     loaded active running 389 Directory Server EXAMPLE-NET.
● dir...@example.net.service   loaded failed failed  389 Directory Server EXAMPLE.NET.
system-dirsrv.slice            loaded active active  system-dirsrv.slice
dirsrv.target                  loaded active active  389 Directory Server
[root@freeipa02 slapd-EXAMPLE-NET]#

On Friday, November 16, 2018 2:40 PM, Andrew Meyer via FreeIPA-users 
 wrote:
 

We have 2 servers in our AWS west environment running CentOS 7.  The server just went unresponsive and I rebooted it.  After it came back up it won't start the dirsrv service.  I get the following errors from systemd/journalctl:
[root@freeipa02 slapd-EXAMPLE-NET]# systemctl status dir...@example.net -l
● dir...@example.net.service - 389 Directory Server EXAMPLE.NET.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: failed (Result: resources)

Nov 16 20:27:46 freeipa02.west.example systemd[1]: dir...@example.net.service failed to run 'start-pre' task: No such file or directory
Nov 16 20:27:46 freeipa02.west.example systemd[1]: Failed to start 389 Directory Server EXAMPLE.NET..
Nov 16 20:27:46 freeipa02.west.example systemd[1]: Unit dir...@example.net.service entered failed state.
Nov 16 20:27:46 freeipa02.west.example systemd[1]: dir...@example.net.service failed.
Nov 16 20:27:46 freeipa02.west.example systemd[1]: Starting 389 Directory Server EXAMPLE.NET
Nov 16 20:29:10 freeipa02.west.example systemd[1]: Failed to load environment files: No such file or directory
Nov 16 20:29:10 freeipa02.west.example systemd[1]: dir...@example.net.service failed to run 'start-pre' task: No such file or directory
Nov 16 20:29:10 freeipa02.west.example systemd[1]: Failed to start 389 Directory Server EXAMPLE.NET..
Nov 16 20:29:10 freeipa02.west.example systemd[1]: dir...@example.net.service failed.
Nov 16 20:29:10 freeipa02.west.example systemd[1]: Starting 389 Directory Server EXAMPLE.NET
[root@freeipa02 slapd-EXAMPLE-NET]#

All the files are there.  I did a comparison to the 01 server.
Regards,
Andrew


[Freeipa-users] dirsrv not starting

2018-11-16 Thread Andrew Meyer via FreeIPA-users
We have 2 servers in our AWS west environment running CentOS 7.  The server just went unresponsive and I rebooted it.  After it came back up it won't start the dirsrv service.  I get the following errors from systemd/journalctl:
[root@freeipa02 slapd-EXAMPLE-NET]# systemctl status dir...@example.net -l
● dir...@example.net.service - 389 Directory Server EXAMPLE.NET.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: failed (Result: resources)

Nov 16 20:27:46 freeipa02.west.example systemd[1]: dir...@example.net.service failed to run 'start-pre' task: No such file or directory
Nov 16 20:27:46 freeipa02.west.example systemd[1]: Failed to start 389 Directory Server EXAMPLE.NET..
Nov 16 20:27:46 freeipa02.west.example systemd[1]: Unit dir...@example.net.service entered failed state.
Nov 16 20:27:46 freeipa02.west.example systemd[1]: dir...@example.net.service failed.
Nov 16 20:27:46 freeipa02.west.example systemd[1]: Starting 389 Directory Server EXAMPLE.NET
Nov 16 20:29:10 freeipa02.west.example systemd[1]: Failed to load environment files: No such file or directory
Nov 16 20:29:10 freeipa02.west.example systemd[1]: dir...@example.net.service failed to run 'start-pre' task: No such file or directory
Nov 16 20:29:10 freeipa02.west.example systemd[1]: Failed to start 389 Directory Server EXAMPLE.NET..
Nov 16 20:29:10 freeipa02.west.example systemd[1]: dir...@example.net.service failed.
Nov 16 20:29:10 freeipa02.west.example systemd[1]: Starting 389 Directory Server EXAMPLE.NET
[root@freeipa02 slapd-EXAMPLE-NET]#

All the files are there.  I did a comparison to the 01 server.
Regards,
Andrew


[Freeipa-users] Re: FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-16 Thread Andrew Meyer via FreeIPA-users
I have this working w/o HBAC rules and not using OTP. 

On Friday, November 16, 2018 8:21 AM, Eric via FreeIPA-users 
 wrote:
 

 Any luck yet, Kevin?  No luck here yet. 


 
 
On Fri, Nov 9, 2018 at 10:56 PM, Kevin Vasko wrote:
I'm following this because I'm having the same issue. Since the OpenVPN client won't prompt twice for the second factor I know you have to do the whole "password+otp" (without the +) but keep getting invalid password.

-Kevin

> On Nov 8, 2018, at 12:51 PM, Eric Fredrickson via FreeIPA-users 
>  wrote:
> 
> Hello everyone,
> 
> I'm having an issue with OTP when logging into a vpn server that is a client 
> of FreeIPA.  I can login with no issues when OTP is disabled.
> 
> FreeIPA Setup:
> CentOS 7.5
> FreeIPA 4.5.4
> 
> HBAC Service: openvpn
> HBAC Rule:
> [root@ipa ~]# ipa hbacrule-show openvpn_access
> Rule name: openvpn_access
> Description: VPN users HBAC rule for accessing ,vpnhost> via openvpn service.
> Enabled: TRUE
> Users: 
> Hosts: vpnhost.localdomain.local
> Services: openvpn
> 
> User account:
> [root@ipa ~]# ipa user-show 
>  User login: 
>  First name: 
>  Last name: 
>  Home directory: /home/
>  Login shell: /bin/bash
>  Principal name: 
>  Principal alias: 
>  Email address: 
>  UID: 190963
>  GID: 190963
>  User authentication types: otp
>  Certificate: 
>  Account disabled: False
>  Password: True
>  Member of groups: vpn_users
>  Member of HBAC rule: openvpn_access
>  Indirect Member of HBAC rule: user_ipa_access
>  Kerberos keys available: True
> 
> OpenVPN server:
> /etc/pam.d/openvpn
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=200
> auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 
> 1000 quiet
> auth        [default=1 ignore=ignore success=ok] pam_localuser.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite    pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_sss.so forward_pass
> auth        required      pam_deny.so
> 
> account    required      pam_unix.so
> account    sufficient    pam_localuser.so
> account    sufficient    pam_succeed_if.so uid < 1000 quiet
> account    [default=bad success=ok user_unknown=ignore] pam_sss.so
> account    required      pam_permit.so
> 
> password    requisite    pam_pwquality.so try_first_pass local_users_only 
> retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass 
> use_authtok
> password    sufficient    pam_sss.so use_authtok
> 
> 
> password    required      pam_deny.so
> 
> session    optional      pam_keyinit.so revoke
> session    required      pam_limits.so
> -session    optional      pam_systemd.so
> session    optional      pam_oddjob_mkhomedir.so umask=0077
> session    [success=1 default=ignore] pam_succeed_if.so service in crond 
> quiet use_uid
> session    required      pam_unix.so
> session    optional      pam_sss.so
> 
> server.conf
> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
> 
> 
> Any help would be greatly appreciated.  Any other information that you may 
> need, please feel free to ask.  I've read multiple threads, some have gotten 
> it to work without posting answers, some have not and has stated openvpn does 
> not support multiple prompts.
> 
> Eric


[Freeipa-users] Re: Creating proxy users for PWM. Which is better DN?

2018-11-12 Thread Andrew Meyer via FreeIPA-users
I also had to extend the schema.  I'm not in front of my instructions right now.

Sent from Yahoo Mail on Android 
 
On Mon, Nov 12, 2018 at 12:27, Rob Crittenden via FreeIPA-users wrote:
Joyce Babu via FreeIPA-users wrote:
> I am trying to setup PWM for allowing users to reset their password. I found 
> the following guide on setting up PWM with FreeIPA
> https://gist.github.com/OneLoveAmaru/2ac93400a30466cdecc7a60e30ae1303 .
> 
> The above guide creates the pwmproxy and pwmtest users under  
> cn=users,cn=accounts,dc=example,dc=com. 
> 
> uid=pwmproxy,cn=users,cn=accounts,dc=example,dc=com
> uid=pwmtest,cn=users,cn=accounts,dc=example,dc=com
> 
> But FreeIPA documentation does not recommend creating such accounts as normal 
> user accounts. 
> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> 
> Is it better to create the above accounts under 
> cn=sysaccounts,cn=etc,dc=example,dc=com as recommended in the HowTo?
> Or does PWM require that the pwm users also be created under the same base dn?

"Better" is a subjective thing.

The advantage of a sysaccount user is they cannot log into systems. They
can only bind to LDAP.

The disadvantage of a sysaccount user is there is no way currently to
assign permissions, causing the write issue you report. The kludgy
workaround is to manually add a memberof= to
the sysaccount user.

If you want to use a real IPA user you can always set the shell to
/bin/false or something to disallow logging in.

It's more a preference thing than anything else, particularly for those
with a background in LDAP and being used to having bind-only users.

rob


[Freeipa-users] Re: Creating proxy users for PWM. Which is better DN?

2018-11-10 Thread Andrew Meyer via FreeIPA-users
I just did this.  I setup the pwm users under the normal account setup.

Sent from Yahoo Mail on Android 
 
On Sat, Nov 10, 2018 at 10:57, Joyce Babu via FreeIPA-users wrote:
I am trying to setup PWM for allowing users to reset their password. I found the following guide on setting up PWM with FreeIPA
https://gist.github.com/OneLoveAmaru/2ac93400a30466cdecc7a60e30ae1303 .

The above guide creates the pwmproxy and pwmtest users under  
cn=users,cn=accounts,dc=example,dc=com. 

uid=pwmproxy,cn=users,cn=accounts,dc=example,dc=com
uid=pwmtest,cn=users,cn=accounts,dc=example,dc=com

But FreeIPA documentation does not recommend creating such accounts as normal 
user accounts. 
https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

Is it better to create the above accounts under 
cn=sysaccounts,cn=etc,dc=example,dc=com as recommended in the HowTo?
Or does PWM require that the pwm users also be created under the same base dn?


[Freeipa-users] Re: DNs forwaders

2018-10-31 Thread Andrew Meyer via FreeIPA-users
I remember entering an ldap command that would show me the forwarders of all the servers.  However ipa dnsserver-find gave me exactly what I wanted. 

On Wednesday, October 31, 2018 9:15 AM, Andrew Meyer via FreeIPA-users 
 wrote:
 

 Please disregard. 

On Wednesday, October 31, 2018 9:04 AM, Andrew Meyer via FreeIPA-users 
 wrote:
 

 I have configured DNS forwarders in each of my FreeIPA servers.  However I 
want to be able to go back and verify they are there.  I can't remember how to 
get that information.  I am running CentOS 7 latest with FreeIPA version 4.5.0. 
 I want to say there is an LDAP command I found.
This is not for global forwarders.
Thanks!


[Freeipa-users] Re: DNs forwaders

2018-10-31 Thread Andrew Meyer via FreeIPA-users
Please disregard. 

On Wednesday, October 31, 2018 9:04 AM, Andrew Meyer via FreeIPA-users 
 wrote:
 

 I have configured DNS forwarders in each of my FreeIPA servers.  However I 
want to be able to go back and verify they are there.  I can't remember how to 
get that information.  I am running CentOS 7 latest with FreeIPA version 4.5.0. 
 I want to say there is an LDAP command I found.
This is not for global forwarders.
Thanks!


[Freeipa-users] DNs forwaders

2018-10-31 Thread Andrew Meyer via FreeIPA-users
I have configured DNS forwarders in each of my FreeIPA servers.  However I want 
to be able to go back and verify they are there.  I can't remember how to get 
that information.  I am running CentOS 7 latest with FreeIPA version 4.5.0.  I 
want to say there is an LDAP command I found.
This is not for global forwarders.
Thanks!


[Freeipa-users] pwm

2018-09-04 Thread Andrew Meyer via FreeIPA-users
Hello,
I am working on getting pwm setup with FreeIPA.  However I'm running into some issues.  I have it pretty much configured but I am getting error in the logs for pwm.
Sep  4 11:09:21 pwm01 server: 2018-09-04T11:09:21Z, ERROR, cluster.ClusterMachine, 5093 ERROR_CLUSTER_SERVICE_ERROR (error writing database cluster heartbeat: 5079 ERROR_LDAP_DATA_ERROR (error writing cluster data: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute "pwmresponseset" not allowed

I was also getting this:
Sep  4 09:54:47 pwm01 server: 2018-09-04T09:54:47Z, ERROR, ldap.LdapOperationsHelper, {#,health} error adding objectclass 'pwmUser' to user uid=pwmtest,cn=users,cn=accounts,dc=example,dc=net: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - unknown object class "pwmUser"

To resolve the above error I removed the pwmUser from the config in pwm.  Not 
sure if that was wise or not.  
I have not extended the schema as suggested: https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a

When I did this dirsrv threw an error on my dev environment.  
However in my single server at home this worked fine.
What I want to know is, once I restart dirsrv and ipa service is there a way to 
validate the attribute and objectClasses are showing up in FreeIPA?
Also if anyone has set this up in the past and has any recommendations I will 
gladly take them.
Thank you,
Andrew


[Freeipa-users] adding users

2018-08-31 Thread Andrew Meyer via FreeIPA-users
So we are starting the final phase of our migration and I am trying to add all 
the users to FreeIPA.  But i'm getting an error and i'm not sure why.  I've 
also never gotten this in the past when adding users.
[root@freeipa01 ~]# ipa user-add user.name --first=User --last=name --email user.n...@example.com --password basicpasswordtobechanged
ipa: ERROR: command 'user_add' takes at most 1 argument
[root@freeipa01 ~]#


[Freeipa-users] Re: pwm - password reset portal

2018-08-30 Thread Andrew Meyer via FreeIPA-users
SELinux is disabled.  I try to keep it enabled and work through it.  But not 
this time.
[root@pwm01 pwm]# getenforce
Disabled
[root@pwm01 pwm]# 

On Thursday, August 30, 2018 1:41 PM, Yuri Krysko via FreeIPA-users 
 wrote:
 

 Andrew,
Are you using SELinux? 

On Aug 30, 2018, at 2:39 PM, Andrew Meyer via FreeIPA-users 
 wrote:
Has anyone setup the self service password module?
I have it setup and working on tomcat on a separate server.
If so I have a few questions:

1) did you install this on the freeipa main server or another server?
2)  Did you have allow anonymous searching for pwm?  I have a user account setup for this and I was able to test auth but test account doesn't want to work.  I'm not sure why.  I'm still looking through the logs.  
I have been following this user's suggestions on getting this working: PWM setup for FreeIPA (with LDAP and MySQL userdata store)


Obviously not using the MySQL setup but FreeIPA (99pwm.ldif and PWMacis.ldif).
I am running the 99pwm on a test environment and its not allowing me to add the 
99pwm.ldif file.  The dirsrv service complains that it can't read the file.  
But the permissions are correct.
[root@freeipa02-dev schema]# pwd
/etc/dirsrv/slapd-EXAMPLE-LOCAL/schema
[root@freeipa02-dev schema]# ls -la | grep -i 99pwm
-rw-r-. 1 dirsrv dirsrv   2036 Aug 30 12:57 99pwm.ldif
[root@freeipa02-dev schema]#






[Freeipa-users] pwm - password reset portal

2018-08-30 Thread Andrew Meyer via FreeIPA-users
Has anyone setup the self service password module?
I have it setup and working on tomcat on a separate server.
If so I have a few questions:

1) did you install this on the freeipa main server or another server?
2)  Did you have allow anonymous searching for pwm?  I have a user account setup for this and I was able to test auth but test account doesn't want to work.  I'm not sure why.  I'm still looking through the logs.  
I have been following this user's suggestions on getting this working: PWM setup for FreeIPA (with LDAP and MySQL userdata store)

  
Obviously not using the MySQL setup but FreeIPA (99pwm.ldif and PWMacis.ldif).
I am running the 99pwm on a test environment and its not allowing me to add the 
99pwm.ldif file.  The dirsrv service complains that it can't read the file.  
But the permissions are correct.
[root@freeipa02-dev schema]# pwd
/etc/dirsrv/slapd-EXAMPLE-LOCAL/schema
[root@freeipa02-dev schema]# ls -la | grep -i 99pwm
-rw-r-. 1 dirsrv dirsrv   2036 Aug 30 12:57 99pwm.ldif
[root@freeipa02-dev schema]#


[Freeipa-users] Re: dns discovery failed

2018-08-27 Thread Andrew Meyer via FreeIPA-users
Hi,
Thanks for the reply.  I figured out what the issue was.  I had to change my DHCP settings to point everything to the new IP address.  Not sure why but that worked.

On Monday, August 27, 2018 2:37 AM, Florence Blanc-Renaud via FreeIPA-users 
 wrote:
 

 On 08/26/2018 03:29 AM, Andrew Meyer via FreeIPA-users wrote:
> So I decided to rebuild my setup at home.  I am running this on CentOS 7 
> latest and have gotten the server working just fine.  I am trying to 
> setup a client server and getting the following:
> 
> [ameyer@jump01 vmware-tools-distrib]$ sudo ipa-client-install
> [sudo] password for ameyer:
> DNS discovery failed to determine your DNS domain
> Provide the domain name of your IPA server (ex: example.com): ^CThe 
> ipa-client-install command failed. See /var/log/ipaclient-install.log 
> for more information
> [ameyer@jump01 vmware-tools-distrib]$
> 
> My /etc/resolv.conf is pointed at the FreeIPA server and I am able to 
> resolve DNS.  I can telnet to port 53.
Hi,

DNS discovery is trying to find a FreeIPA server based on the client's 
FQDN. If the client is named client.sub2.sub1.domain.com, discovery will 
look for a FreeIPA server for sub2.sub1.domain.com, or for 
sub1.domain.com, or for domain.com. Is the client properly named?

The other thing to check is the firewall configuration. The ports listed 
in [1] must be available for IdM client to contact the server.

HTH,
flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#prereq-ports
> 
> I'm seeing the fact that I can't connect to LDAP in my error logs.  
> However I can get to the web ui.
> 
> 

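The discovery flo describes can be reproduced by hand. The script below is an added example, not part of the original thread or of the ipa-client-install code: it walks the parent domains of the client's FQDN, asks for the _ldap._tcp SRV record that IPA publishes for its domain, and then probes the TCP ports from the IdM prerequisites list against every server it finds. It assumes `dig` is installed; the host names in the usage line are placeholders.

```python
"""Added example: redo ipa-client-install's DNS discovery by hand, then check
the client-to-server TCP ports. Assumptions: dig is installed, and the FQDN
comes from socket.getfqdn() (pass your own if that returns a bare hostname)."""
import socket
import subprocess

# TCP ports an IdM client must reach on the server (HTTP/S, LDAP/S, Kerberos,
# kpasswd, DNS). UDP 88, 464, 53 and 123 (NTP) are needed too, but a plain
# connect() cannot tell an open UDP port from a filtered one, so they are not probed.
TCP_PORTS = {80: "HTTP", 443: "HTTPS", 389: "LDAP", 636: "LDAPS",
             88: "Kerberos", 464: "kpasswd", 53: "DNS"}


def candidate_domains(fqdn):
    """client.sub2.sub1.domain.com -> [sub2.sub1.domain.com, sub1.domain.com, domain.com].
    A bare hostname yields [], which is the 'failed to determine your DNS domain' case."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def parse_srv(dig_short_output):
    """Parse 'dig +short SRV' lines ('<priority> <weight> <port> <target.>') into sorted tuples."""
    records = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[2].isdigit():
            records.append((int(parts[0]), int(parts[1]), int(parts[2]), parts[3].rstrip(".")))
    return sorted(records)


def srv_lookup(name, resolver=None):
    """Ask the system resolver (or an explicit one) for an SRV record via dig."""
    cmd = ["dig", "+short", "SRV", name] + ([f"@{resolver}"] if resolver else [])
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    return parse_srv(out)


def discover(fqdn, resolver=None):
    """Return (domain, srv_records) for the first parent domain that publishes _ldap._tcp."""
    for domain in candidate_domains(fqdn):
        records = srv_lookup(f"_ldap._tcp.{domain}", resolver)
        if records:
            return domain, records
    return None, []


def tcp_open(host, port, timeout=3):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    fqdn = socket.getfqdn()
    domain, records = discover(fqdn)
    if not records:
        print(f"no _ldap._tcp SRV record under any parent of {fqdn!r}; "
              "check the client hostname and the zone in IPA DNS")
        raise SystemExit(1)
    print(f"IPA domain {domain}; servers: {[r[3] for r in records]}")
    for _, _, _, server in records:
        for port, name in TCP_PORTS.items():
            state = "open" if tcp_open(server, port) else "BLOCKED"
            print(f"  {server}:{port} ({name}) {state}")
```

If `candidate_domains()` returns an empty list, the client's hostname has no domain part, which is the first thing to fix before looking at the firewall.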

[Freeipa-users] dns discovery failed

2018-08-25 Thread Andrew Meyer via FreeIPA-users
So I decided to rebuild my setup at home.  I am running this on CentOS 7 latest 
and have gotten the server working just fine.  I am trying to setup a client 
server and getting the following:
[ameyer@jump01 vmware-tools-distrib]$ sudo ipa-client-install
[sudo] password for ameyer:
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): ^CThe ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
[ameyer@jump01 vmware-tools-distrib]$

My /etc/resolv.conf is pointed at the FreeIPA server and I am able to resolve DNS.  I can telnet to port 53.
I'm seeing the fact that I can't connect to LDAP in my error logs.  However I can get to the web ui.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: accessing the api

2018-08-20 Thread Andrew Meyer via FreeIPA-users
Sounds good.  My work laptop is an Apple and yeah, you are right about the -k; 
however the browsers already trust it.  I have downloaded the ca.crt but it's 
not accepting it in my curl command.

On Monday, August 20, 2018 3:58 PM, Rob Crittenden via FreeIPA-users wrote:

Andrew Meyer via FreeIPA-users wrote:
> So everything regarding the auth should be ok?  I can use those KRB
> variables?  

They are irrelevant. They just point to where the keytab or ccache are. You
can use them or not.

> I've seen other sites that say it should be /ipa/session/login_kerberos 
> 
> Should I go that route or login_password?  Just making sure.

You can use either but login_kerberos is recommended. Just follow more
closely the example in the "GSSAPI authentication" section and beyond.

You also shouldn't need -k with curl. If you need it then your machine
isn't configured to trust the IPA CA.

rob

> 
> 
> On Monday, August 20, 2018 3:26 PM, Rob Crittenden via FreeIPA-users wrote:
> 
> Andrew Meyer via FreeIPA-users wrote:
>> Hello,
>> I'm having some difficulty accessing the API.  Following the directions
>> shown here:
>> https://vda.li/en/docs/freeipa-management-in-a-nutshell/
>>
>> I am trying to use the following curl commands:
>> curl -kv -H Referer:https://$IPASERVER1/ipa -c $COOKIEJAR -b $COOKIEJAR
>> --negotiate -u : -X POST https://$IPASERVER1/ipa/ui
> 
> You are using the wrong URI here (/ipa/ui, you never need that). You
> have to get the session first (which you successfully do with your
> second request) and then use that cookie to use the json API.
> 
> 
> rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WTC52BGJPUQQ73K7QVPBFCOGTKT3OEVJ/



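Rob's two points, get a session first and stop using -k, fit in a short client. The script below is an added example and not code from the thread or from the FreeIPA project: it logs in through /ipa/session/login_password, keeps the ipa_session cookie, and posts JSON-RPC requests to /ipa/session/json, verifying the server against /etc/ipa/ca.crt instead of disabling verification. The server name, user and looked-up account are placeholders. It also sidesteps the trap visible in the original post's second curl run, where an empty $JSON_PAYLOAD made `-d` swallow `-X` and curl treated `POST` as a host name.

```python
"""Added example: FreeIPA JSON-RPC over a session cookie, standard library only.
Assumptions: IPA_SERVER is your server FQDN and /etc/ipa/ca.crt holds the IPA CA
(ipa-client-install puts it there). The endpoints and headers are the ones the
web UI itself uses; the Referer header is required by the server."""
import http.cookiejar
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

IPA_SERVER = "ipa.example.net"   # assumption: replace with your IPA server FQDN
IPA_CA = "/etc/ipa/ca.crt"       # IPA CA certificate installed by ipa-client-install


def build_request(method, args=None, options=None, req_id=0):
    """FreeIPA JSON-RPC body: params is [positional args, keyword options]."""
    return {"method": method,
            "params": [list(args or []), dict(options or {})],
            "id": req_id}


def parse_response(body):
    """Return the 'result' member, or raise with the server's error name and code."""
    data = json.loads(body)
    err = data.get("error")
    if err:
        raise RuntimeError(f"{err.get('name')} ({err.get('code')}): {err.get('message')}")
    return data["result"]


class IpaSession:
    def __init__(self, server=IPA_SERVER, cafile=IPA_CA):
        self.base = f"https://{server}/ipa"
        self.jar = http.cookiejar.CookieJar()
        # Trust the IPA CA only: this is the replacement for curl -k.
        ctx = ssl.create_default_context(cafile=cafile)
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx),
            urllib.request.HTTPCookieProcessor(self.jar))

    def _headers(self, content_type, accept):
        return {"Referer": self.base + "/", "Content-Type": content_type, "Accept": accept}

    def login_password(self, user, password):
        """POST the form login; on success the ipa_session cookie lands in the jar."""
        data = urllib.parse.urlencode({"user": user, "password": password}).encode()
        req = urllib.request.Request(
            self.base + "/session/login_password", data=data,
            headers=self._headers("application/x-www-form-urlencoded", "text/plain"))
        try:
            self.opener.open(req).close()
        except urllib.error.HTTPError as e:
            # A 401 carries the reason in X-IPA-Rejection-Reason (e.g. invalid-password).
            reason = e.headers.get("X-IPA-Rejection-Reason")
            raise RuntimeError(f"login failed: HTTP {e.code} {reason}") from None
        if not any(c.name == "ipa_session" for c in self.jar):
            raise RuntimeError("login returned 200 but no ipa_session cookie was set")

    def call(self, method, args=None, options=None):
        """POST one JSON-RPC request to /ipa/session/json with the session cookie."""
        body = json.dumps(build_request(method, args, options)).encode()
        req = urllib.request.Request(
            self.base + "/session/json", data=body,
            headers=self._headers("application/json", "application/json"))
        with self.opener.open(req) as resp:
            return parse_response(resp.read().decode())


if __name__ == "__main__":
    import getpass
    ipa = IpaSession()
    ipa.login_password("admin", getpass.getpass("IPA password for admin: "))
    print(json.dumps(ipa.call("user_show", ["admin"], {"all": True}), indent=2))
```

Passing a `version` key in the options dict (the API version string shown by `ipa -e` or in any response) silences the VersionMissing warning the server otherwise adds; everything else in the exchange is what the web UI sends.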

[Freeipa-users] Re: accessing the api

2018-08-20 Thread Andrew Meyer via FreeIPA-users
So everything regarding the auth should be ok?  I can use those KRB variables?  
I've seen other sites that say it should be /ipa/session/login_kerberos 
Should I go that route or login_password?  Just making sure. 

On Monday, August 20, 2018 3:26 PM, Rob Crittenden via FreeIPA-users wrote:

Andrew Meyer via FreeIPA-users wrote:
> Hello,
> I'm having some difficulty accessing the API.  Following the directions
> shown here:
> https://vda.li/en/docs/freeipa-management-in-a-nutshell/
> 
> I am trying to use the following curl commands:
> curl -kv -H Referer:https://$IPASERVER1/ipa -c $COOKIEJAR -b $COOKIEJAR
> --negotiate -u : -X POST https://$IPASERVER1/ipa/ui

You are using the wrong URI here (/ipa/ui, you never need that). You
have to get the session first (which you successfully do with your
second request) and then use that cookie to use the json API.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/YUNA5LAS7V327YNI2I6D6VT2FEOHAXM7/




[Freeipa-users] accessing the api

2018-08-20 Thread Andrew Meyer via FreeIPA-users
Hello,
I'm having some difficulty accessing the API.  Following the directions shown here:
https://vda.li/en/docs/freeipa-management-in-a-nutshell/

I am trying to use the following curl commands:
curl -kv -H Referer:https://$IPASERVER1/ipa -c $COOKIEJAR -b $COOKIEJAR --negotiate -u : -X POST https://$IPASERVER1/ipa/ui

I get the following output:
Andrews-MacBook-Pro :) > curl -kv -H Referer:https://$IPASERVER1/ipa -c $COOKIEJAR -b $COOKIEJAR --negotiate -u : -X POST https://$IPASERVER1/ipa/ui
*   Trying 10.1.6.250...
* TCP_NODELAY set
* Connected to $IPASERVER1 (10.1.6.250) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=EXAMPLE.NET; CN=$IPASERVER1
*  start date: Mar  6 21:52:54 2018 GMT
*  expire date: Mar  6 21:52:54 2020 GMT
*  issuer: O=EXAMPLE.NET; CN=Certificate Authority
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> POST /ipa/ui HTTP/1.1
> Host: $IPASERVER1
> User-Agent: curl/7.54.0
> Accept: */*
> Referer:https://$IPASERVER1/ipa
>
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 20 Aug 2018 19:50:50 GMT
< Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
* Added cookie ipa_session="" for domain $IPASERVER1, path /ipa, expire 1534794650
< Set-Cookie: ipa_session=;Max-Age=0;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Location: https://$IPASERVER1/ipa/ui/
< Cache-Control: max-age=31536000
< Expires: Tue, 20 Aug 2019 19:50:50 GMT
< Cache-Control: no-cache
* Replaced cookie ipa_session="" for domain $IPASERVER1, path /ipa, expire 1534794650
< Set-Cookie: ipa_session=;Max-Age=0;path=/ipa;httponly;secure;
< Content-Length: 255
< Content-Type: text/html; charset=iso-8859-1
<
301 Moved Permanently
The document has moved here: https://$IPASERVER1/ipa/ui/
* Connection #0 to host $IPASERVER1 left intact
Andrews-MacBook-Pro :) >

Then I run this:
Andrews-MacBook-Pro :) > curl -kv -H referer:https://$IPASERVER1/ipa -H "Content-Type:application/json" -H "Accept:applicaton/json" -c $COOKIEJAR -b $COOKIEJAR -d $JSON_PAYLOAD -X POST https://$IPASERVER1/ipa/session/json
* Rebuilt URL to: POST/
*   Trying 104.16.143.73...
* TCP_NODELAY set
* Connected to POST (104.16.143.73) port 80 (#0)
> POST / HTTP/1.1
> Host: POST
> User-Agent: curl/7.54.0
> referer:https://$IPASERVER1/ipa
> Content-Type:application/json
> Accept:applicaton/json
> Content-Length: 2
>
* upload completely sent off: 2 out of 2 bytes
< HTTP/1.1 403 Forbidden
< Date: Mon, 20 Aug 2018 19:53:36 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: close
* skipped cookie with bad tailmatch domain: post
< Set-Cookie: __cfduid=d805f1a1676001cf1532cc7c25208107f1534794816; expires=Tue, 20-Aug-19 19:53:36 GMT; path=/; domain=.post; HttpOnly
< Cache-Control: max-age=15
< Expires: Mon, 20 Aug 2018 19:53:51 GMT
< X-Frame-Options: SAMEORIGIN
< Server: cloudflare-nginx
< CF-RAY: 44d76832d2d654e6-ORD
<
[Cloudflare error page, HTML stripped: "Direct IP access not allowed", Error 1003, Ray ID: 44d76832d2d654e6, 2018-08-20 19:53:36 UTC. "You've requested an IP address that is part of the Cloudflare network. A valid Host header must be supplied to reach the desired website." Your IP: 209.116.32.50]
* Closing connection 0
*   Trying 10.1.6.250...
* TCP_NODELAY set
* Connected to $IPASERVER1 (10.1.6.250) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection:

[Freeipa-users] Re: Documented monitoring best practices

2018-08-13 Thread Andrew Meyer via FreeIPA-users
I know this is an old thread, but there are no changes to FreeIPA that 
cnmonitor might conflict with are there? 

On Thursday, February 1, 2018 1:34 PM, Rob Crittenden via FreeIPA-users wrote:

Alex Corcoles via FreeIPA-users wrote:
> On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein wrote:
> 
>    I'm using https://github.com/peterpakos/checkipaconsistency to monitor
>    my replicas.
> 
> 
> Yeah, but I'm not exactly reassured by choosing one of the many plugins
> out there, or running them all. It would be great to push for an
> official check.

There are not that many plugins doing this that I know of.

I'm pretty sure there is a nagios script that looks at the agreement in
LDAP, or the output of ipa-replica-manage list -v `hostname` to look for
replication issues.

For a more full-blown view there is http://cnmonitor.sourceforge.net/

389-ds instructions for this are at
http://directory.fedoraproject.org/docs/389ds/howto/howto-cn-equals-monitor-ldap-monitoring.html

The team has talked about a monitoring script but for now Peter's script
is filling the void.

> 
> I might be willing to help, but I'd need documentation about what (and
> how) to check, but that's basically 90% of the work. I would propose
> assimilating the best-looking plugin out there and expanding it every
> time someone reports some broken thing that needs proactive fixing.
> 
> Any way we can help this happen?
> 
>    Right now we had some problems with certificates not/halfway renewing,
>    so some tool to check LDAP against the different cert-stores might be
>    helpful.
> 
> 
> $ ipa cert-find --validnotafter-to=$(date --date="3 years" +"%Y-%m-%d")
> 
> Actually changing "3 years" to something inferior to the margin FreeIPA
> starts renewing certificates should warn you that something is amiss.

Server certs in IPA are good for 2 years.

We have in mind a tool to troubleshoot cert issues but haven't yet
started work on it.

rob


   ___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/UIEJ5BBTMILSUB67A6GJWD2HR5PRESLL/


[Freeipa-users] DNS Forwarders

2018-08-02 Thread Andrew Meyer via FreeIPA-users
Is it possible to have a per server zone forwarder in /etc/named.conf and NOT break replication?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/LBUVX7GLIMKVZYF4BO63JZUOH2MJGEZV/


[Freeipa-users] DNS issues

2018-08-02 Thread Andrew Meyer via FreeIPA-users
So I've had my FreeIPA setup for about 6 months now at my company.  As of 
recently i'm seeing some issues where if I try to dig against the servers I get 
nothing back.  I do not have a global forwarder setup because it should 
automatically go outbound if its not in its own table, correct?
This only seems to be an issue on 2 out of 4 of my servers.  
Also my forwarding policy is forward first.  
My environment has 2 IPA servers in my local office and 2 IPA server in my AWS 
VPC.  We have a legacy domain that I am forwarding to our legacy nameservers 
until those get turned off.
There is not much in the logs to tell me if there is an issue (at least that I 
can see).  Usually a reboot helps but that can't be the answer all the time.
Any thoughts?
All 4 servers are running CentOS 7.4, FreeIPA version 4.5.0
Thanks!
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/BORVNVIPJPURS65OTXL7MQNHOUITZFJX/


[Freeipa-users] Re: keycloak

2018-06-07 Thread Andrew Meyer via FreeIPA-users
Thanks for the clarification!

On Thursday, June 7, 2018 2:32 PM, Jochen Hein via FreeIPA-users wrote:

Rob Crittenden via FreeIPA-users writes:

> I don't know where Keycloak upstream is.

Look at http://www.keycloak.org

Jochen
-- 
This space is intentionally left blank.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/46G7R54DGCO4PTA4S65EMTDJ5HB7BH3B/




[Freeipa-users] keycloak

2018-06-07 Thread Andrew Meyer via FreeIPA-users
what is the difference between keycloak and freeipa?
Is there a free version of this?  Is that what ipsilon is?  If not is there a repo for this?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/4H7YVHCDSZ4W3J5ETHETY3P7LJKPDUXX/


[Freeipa-users] ipsilon

2018-06-06 Thread Andrew Meyer via FreeIPA-users
Not sure if this is the right place for support w/ ipsilon.  But I got it installed and I'm able to browse to the website and login now.  However when I go to the login stack there are some buttons to the right of the login plugins, and they say   that's it.  What does that mean?  Also I've enabled saml2, form, ipa, gssapi and secure as security providers yet I only see saml2.  Is this normal?
Has anyone configured this with any atlassian products?

Regards,
Andrew
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/W7BS5AOHMP6R62XMP37PUPLSZ4YUZCY5/


[Freeipa-users] Re: ipsilon

2018-05-22 Thread Andrew Meyer via FreeIPA-users
What about on CentOS 7? 

On Tuesday, May 22, 2018 5:08 AM, Jan Pazdziora via FreeIPA-users wrote:

On Thu, May 17, 2018 at 10:53:13PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 17 May 2018, Andrew Meyer wrote:
> > So I followed the directions to add it to my dev freeipa servers,
> > restarted the httpd.  But when I go to log in  at
> > https://myserver/idp as admin or myself, I get 401 Unauthorized no
> > matter what.  This is what I need to install the server: sudo
> > ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes
> I do not run Ipsilon on the same machine as IPA master and do not
> recommend that. Use a separate IPA client.

It used to work fairly well in 2015:

    https://www.adelton.com/freeipa/freeipa-ipsilon-single-machine

and I've used it for number of demos and testing.

However, at least with Fedora 28, it will fail simply because FreeIPA
is python3 and Ipsilon is python2, and wsgi does not like mixing the
two.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/HARK4W4OWO5M4DPBNL7C6OK5CY3JWCKD/




[Freeipa-users] authoritative name-server

2018-05-17 Thread Andrew Meyer via FreeIPA-users
In my current freeipa setup when I go in to the dns zone I see the 
authoritative name server is incorrect.  When I removed the server shouldn't it 
have changed it?
Also when I go look at the bind config in 
/var/named/dyndb-ldap/master/example.net/raw the SOA line shows the correct 
server.  Where else would I look to see why the GUI is not showing the right 
information?
Thank you!
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/BTCUM37LSLJAJXXSKNVF3XZQF5FFRRRK/


[Freeipa-users] Re: ipsilon

2018-05-17 Thread Andrew Meyer via FreeIPA-users
Alexander Bokovoy via FreeIPA-users wrote:

On Thu, 17 May 2018, Andrew Meyer via FreeIPA-users wrote:
>Has anyone installed this on their prod FreeIPA installation?  I need
>to hook FreeIPA into some other auth systems that don't support LDAP.
I'm using FreeIPA with Ipsilon for quite a few years for my home setup.
I even added integration for Ipsilon to HackMD:
https://github.com/hackmdio/hackmd/pull/732


-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/Z6M4UWGBYZANLDZ5HPJCPWUHWVAI5T2Q/




[Freeipa-users] ipsilon

2018-05-17 Thread Andrew Meyer via FreeIPA-users
Has anyone installed this on their prod FreeIPA installation?  I need to hook FreeIPA into some other auth systems that don't support LDAP.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/4HPLFGZ5XCW35QSCOXURMK72IS3774R3/


[Freeipa-users] auth to other providers still using freeipa

2018-05-16 Thread Andrew Meyer via FreeIPA-users
My company is wanting to use FreeIPA for everything.  However we also utilize 
other external services that have their own auth system but can support oauth, 
or gsuite/facebook etc etc.  Is this possible w/ FreeIPA?
Also, searching through Google I found this: Ipsilon (the Ipsilon identity provider project homepage).  Would you recommend I use that?

Thank you!
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: adding users to other user groups

2018-05-14 Thread Andrew Meyer via FreeIPA-users
Ok.  I will check this out.
Thank you!

On Monday, May 14, 2018 10:59 AM, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

On Mon, 14 May 2018, Andrew Meyer via FreeIPA-users wrote:
>Hello, I am trying to add a new user to another group.  This group was
>setup for another user.  When I create the user it seems to do the same
>thing as when I create them on a local system.  I get a User and a
>group for the user as well.  However when I go to add another user to
>that newly created group I can't find it.  If I go to create the group
>with the same name FIPA says it's already created.    Any reason it's
>doing this?  Am I doing something wrong?
>I am running CentOS 7.4, FreeIPA 4.5.x.
By what you describe you are dealing with user private groups. The
concept of a user private group is that it is automatically managed
for the user -- it has the same GID as that user's UID, you cannot
create a group with the same name manually and so on. It is not supposed
to be used for *other* users.

If you really are willing to use that group for other purposes, you need
to disassociate the group from the original user:

$ ipa help group-detach
Usage: ipa [global-options] group-detach GROUP-NAME [options]

Detach a managed group from a user.
Options:
  -h, --help  show this help message and exit

See the RHEL IdM documentation.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/#user-private-groups

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org




[Freeipa-users] adding users to other user groups

2018-05-14 Thread Andrew Meyer via FreeIPA-users
Hello,
I am trying to add a new user to another group.  This group was setup for another user.  When I create the user it seems to do the same thing as when I create them on a local system.  I get a User and a group for the user as well.  However when I go to add another user to that newly created group I can't find it.  If I go to create the group with the same name FIPA says it's already created.
Any reason it's doing this?  Am I doing something wrong?
I am running CentOS 7.4, FreeIPA 4.5.x.
Thank you,
Andrew
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: A record discrepancy

2018-05-11 Thread Andrew Meyer via FreeIPA-users
I think I figured out the issue.  I had the /etc/named.conf setup to do some forward zones only on my FreeIPA server.   I think this was causing the server not to update.  However after removing the zones from /etc/named.conf I no longer see the zone file on that server.  I go to look in /var/named/dyndb-ldap/ipa/master/zone.net/ and try to cat the raw file and it's not there...  I did a ipa-replica-manage re-initialize thinking that would bring it over and it didn't.
BTW, this is CentOS 7.4 and FreeIPA 4.5.x.
Thank you!

On Friday, May 11, 2018 8:27 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

On one of my FreeIPA servers I have an A record that points to the correct IP in the web ui, but when I go look at the raw file in /var/named/dyndb-ldap/ipa/master/zone.net/raw it is incorrect.  I have done a kinit admin, and then ipa-replica-manage re-initialize --from know.working.server.net.  However the change is not reflected in BIND.
Should it not be changed?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org




[Freeipa-users] A record discrepancy

2018-05-11 Thread Andrew Meyer via FreeIPA-users
On one of my FreeIPA servers I have an A record that points to the correct IP in the web ui, but when I go look at the raw file in /var/named/dyndb-ldap/ipa/master/zone.net/raw it is incorrect.  I have done a kinit admin, and then ipa-replica-manage re-initialize --from know.working.server.net.  However the change is not reflected in BIND.
Should it not be changed?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] clients-per-query

2018-04-27 Thread Andrew Meyer via FreeIPA-users
So in my logs I am getting the following:

23-Apr-2018 01:25:20.041 clients-per-query decreased to 14

I have not seen this on any other DNS server I have come across. Is this normal for FreeIPA? Can the limits be increased by default?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] IPA Error 4203 DatabaseError

2018-04-23 Thread Andrew Meyer via FreeIPA-users
I seem to have 1 server that constantly gets out of sync with the other 3 servers.  Currently I am getting this error when I try to add a user:
Server is unwilling to perform: Managed Entry Plugin rejected add operation (see errors log).

I am trying to find the log files and figure out what I need to do to fix this.  I'm willing to bet that if I re-initialize the database from another server it will fix it temporarily.  However can someone please confirm?
Thank you
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: sudo command group

2018-04-18 Thread Andrew Meyer via FreeIPA-users
Rob, For this are you referring to the search limit size? 

On Friday, April 6, 2018 9:29 AM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Andrew Meyer via FreeIPA-users wrote:
> So I'm having an issue with sudo policies where I have about ~200
> commands in my sudoers, I added those commands to a group and I got an
> error in the WebUI:
> 
> Search result has been truncated: Configured size limit exceeded
> 
> Also when I run the ipa sudocmdgroup-show I don't see all the commands. 
> Is there a limit to number of commands?

There is a general size limit, by default 100 IIRC. Look in the IPA
config. I forget where that is in the UI, on the command-line it is ipa
config-show/mod.

Set sizelimit to say 250.

We keep this small because enumeration is generally a bad idea, to
prevent the equivalent of cat /etc/passwd |grep foo. This makes no sense
when you have 10k users :-)

rob


[Freeipa-users] Re: sudoers questions

2018-04-18 Thread Andrew Meyer via FreeIPA-users
Yes, but what about adding the hostgroup to the sudo policy?  Do I still need 
to add the netgroup instead? 

On Wednesday, April 18, 2018 10:17 AM, Rob Crittenden via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 Andrew Meyer via FreeIPA-users wrote:
> Hello, 
> I have been doing a lot of research on trying to get host groups to work
> with sudoers policies.  However I'm finding that this can't be done and
> it can only be achieved by using netgroups.  Is this true?  I just would
> like some validation/confirmation before I go too far down the rabbit hole.

A hostgroup automatically creates a netgroup of the same name. Lookups
are done on the end system as a netgroup so you need to be sure that the
NIS domainname is set (should be done automatically by ipa-client-install).

rob


[Freeipa-users] sudoers questions

2018-04-18 Thread Andrew Meyer via FreeIPA-users
Hello, I have been doing a lot of research on trying to get host groups to work 
with sudoers policies.  However I'm finding that this can't be done and it can 
only be achieved by using netgroups.  Is this true?  I just would like some 
validation/confirmation before I go too far down the rabbit hole.


[Freeipa-users] modifying ttl on dns records

2018-04-10 Thread Andrew Meyer via FreeIPA-users
I am trying to modify the TTL for records in my zone.  When I try to do this I 
am getting the following error:
[gatewayblend@freeipa01-dev ~]$ ipa dnsrecord-mod gatewayblend.local. andrew-test.stl1 --ttl=300
No option to modify specific record provided.
Current DNS record contents:
SSHFP record: 1 1 8F38BD27234E2F419E8179607096D497DABAB293, 1 2 3536330BFFF12A9E135FB1C0AD0592B85AF6DE4B806386CDAFB8A907 46C55DC0, 3 1 593EA53A72596B89549FE7C342EC6207CBE4B1A5, 3 2 CCD421DBE0FF48127B1360F463506FBD07D1751E9C0694398B14624E D925F2B0, 4 1 3B50D596C462184636194EBBD6D7142D964CAE4F, 4 2 4C7B1BA7E6108EC2225DBF1D85DA60CDFEDCCF11FC140A2C068A4804 E2813CB8
A record: 10.1.6.200
Modify SSHFP record '1 1 8F38BD27234E2F419E8179607096D497DABAB293'? Yes/No (default No): Y
ipa: ERROR: invalid 'name': must be Unicode text
[gatewayblend@freeipa01-dev ~]$


[Freeipa-users] authoritative nameserver

2018-04-10 Thread Andrew Meyer via FreeIPA-users
A while ago I removed my original 2 FreeIPA server after adding 4 new ones.  
However in the DNS zone for my FreeIPA server in the authoritative nameserver 
entry I still have the original nameserver.  Should this have been changed when 
I removed it?  Does this have to be changed manually?
Authoritative nameserver: infra-test-ipa.gatewayblend.net.


[Freeipa-users] dns recursion

2018-04-06 Thread Andrew Meyer via FreeIPA-users
Another issue I'm having is that we have DNS setup with split horizon/views in 
R53.  We want to be able to get a copy of the internal zone from R53 from my 
local FIPA servers.  Is this possible?  I have zone forwards setup in FIPA so 
that if you are up in AWS VPC you can query R53.  However I can't do that from 
my local office.  We are trying to figure out how to get a copy of the internal 
zone down to my local FIPA servers.  From what I have read this is NOT possible 
since I can't recursively talk to R53.  
I can't remember if I have asked this before but has anyone else done this?
Thank you, Andrew


[Freeipa-users] sudo command group

2018-04-06 Thread Andrew Meyer via FreeIPA-users
So I'm having an issue with sudo policies where I have about ~200 commands in 
my sudoers, I added those commands to a group and I got an error in the WebUI:
Search result has been truncated: Configured size limit exceeded

Also when I run the ipa sudocmdgroup-show I don't see all the commands.  Is 
there a limit to number of commands?
Thanks!


[Freeipa-users] Re: NTP

2018-04-04 Thread Andrew Meyer via FreeIPA-users
So I made the change to 2 server, 1 in Amazon and 1 in my local office.  I am 
seeing high offset/drift from ntp in prometheus (alerting system).  And 
anything to my local office from AWS has high delay and offset.  However when I 
check out the local office I see the exact opposite.
[centos@freeipa03 ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 freeipa03.east. .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 192.5.41.40     .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 freeipa04.east. .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 192.5.41.41     .INIT.          16 u    - 1024    0    0.000    0.000   0.000
*freeipa01.stl1. 192.5.41.41      2 u  773 1024  377   33.174  572.967 301.884
 freeipa03.stl1. LOCAL(0)        11 u  595 1024  377   32.821  -59.250 700.218
 LOCAL(0)        .LOCL.          10 l   5h   64    0    0.000    0.000   0.000
[centos@freeipa03 ~]$ sudo ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.10.0.31      .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 192.5.41.40     .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 10.10.0.32      .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 192.5.41.41     .INIT.          16 u    - 1024    0    0.000    0.000   0.000
*10.1.6.250      192.5.41.41      2 u  775 1024  377   33.174  572.967 301.884
 10.1.6.251      LOCAL(0)        11 u  597 1024  377   32.821  -59.250 700.218
 127.127.1.0     .LOCL.          10 l   5h   64    0    0.000    0.000   0.000
[centos@freeipa03 ~]$


LOCAL OFFICE:
[user@freeipa01 ~]$ sudo ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.1.6.250      .INIT.          16 u    - 1024    0    0.000    0.000   0.000
*192.5.41.41     .PTP.            1 u  105  256  377   39.809  981.095  12.736
 10.10.0.31      10.1.6.250       3 u   75  256  377   32.452  -480.57 113.553
+192.5.41.40     .PTP.            1 u  130  256  377   42.934  984.052  18.382
 10.10.0.32      10.1.6.250       3 u   57  256  377   32.957  -801.93  17.604
x10.1.6.251      LOCAL(0)        11 u   84  256  377    0.136  -560.34 1178.40
 127.127.1.0     .LOCL.          10 l 157m   64    0    0.000    0.000   0.000
[user@freeipa01 ~]$
This is a client server:
sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 freeipa04.east. 10.1.6.250       3 u   53   64   37    0.413  1316.74  69.142
 freeipa03.east. 10.1.6.250       3 u   50   64   37    0.330  1523.74  32.815
 freeipa01.stl1. 192.5.41.41      2 u   52   64   37   33.011  2118.44  76.063
 freeipa03.stl1. 10.1.6.250       3 u   51   64   37   33.218  2922.96  19.715
*LOCAL(0)        .LOCL.           5 l   57   64   37    0.000    0.000   0.000

 

On Tuesday, April 3, 2018 1:27 PM, Andrew Meyer via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 Thank you sir.  I'll mix up the order of public ntp servers and see what 
happens. 

On Tuesday, April 3, 2018 1:24 PM, Rob Crittenden via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 Andrew Meyer wrote:
> This is a mix of VMware VMs and AWS instances.  All CentOS 7.

It was VMware that had the poor time keeping but this was 7 or 8 years
ago in the Fedora 11/12 time period. I'd find it hard to believe the
same time problems exist today but some googling might turn up something
for you.

rob

> 
> 
> On Tuesday, April 3, 2018 1:04 PM, Rob Crittenden <rcrit...@redhat.com>
> wrote:
> 
> 
> Andrew Meyer via FreeIPA-users wrote:
> 
>> I need some clarification on this.  I have my FreeIPA server in
>> talking.  NTP is working.  However Some servers are getting ntp drift. 
>> If I go into /etc/ntp.conf I see that at the bottom FreeIPA adds server
>> at the bottom of the file.
>>
>> ### Added by IPA Installer ###
>> server 127.127.1.0 iburst
>> fudge 127.127.1.0 stratum 10
>> server 1.2.3.4   # added by /sbin/dhclient-script
>> server 5.6.7.8   # added by /sbin/dhclient-script
>> server 9.0.1.2   # added by /sbin/dhclient-script
>> server 3.4.5.6   # added by /sbin/dhclient-script
>> [centos@freeipa03 <mailto:centos@freeipa03> ~]$
>>
>> But under the public servers at the top should I leave the the centos
>> public ntp servers?  Should I add the FreeIPA servers?
> 
> 
> The theory for making IPA an NTP server was that even if time was off on
> the IPA master it would be sharing its same incorrect ti
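
The peer tables above show exactly what a drift check should catch: peers that were never reached (refid .INIT., reach 0), a system peer hundreds of milliseconds off, and a client that has selected its own LOCAL(0) clock. The following Python script is an added example, not code from the thread or from FreeIPA; it parses `ntpq -p` / `ntpq -pn` output and reports those findings. The sample tables are constructed from the values quoted in the thread, and the 128 ms offset threshold (ntpd's default step threshold) is an assumption.

```python
"""Parse the peer table printed by `ntpq -p` / `ntpq -pn` and flag unhealthy
peers. Added example, not code from the thread or the FreeIPA project; the
sample tables are constructed from values quoted in the thread."""
from dataclasses import dataclass

# Characters ntpq prints in the first column (the "tally code"); a plain
# space there means the peer was discarded by the selection algorithm.
TALLY_CODES = "*+#xo.-"
STEP_THRESHOLD_MS = 128.0   # assumption: ntpd's default step threshold


@dataclass
class Peer:
    tally: str        # "*" system peer, "+" candidate, "x" falseticker, ...
    remote: str
    refid: str
    stratum: int
    reach: int        # 8-bit reach shift register; ntpq prints it in octal
    delay_ms: float
    offset_ms: float
    jitter_ms: float


def parse_row(line):
    """Return a Peer for one table row, or None for header/prompt/separator lines."""
    tally = " "
    if line[:1] and line[0] in TALLY_CODES:
        tally, line = line[0], line[1:]
    fields = line.split()
    if len(fields) != 10:
        return None
    remote, refid, st, _t, _when, _poll, reach, delay, offset, jitter = fields
    try:
        return Peer(tally, remote, refid, int(st), int(reach, 8),
                    float(delay), float(offset), float(jitter))
    except ValueError:
        return None  # the header row also has 10 tokens, but non-numeric ones


def parse_ntpq(text):
    return [p for p in map(parse_row, text.splitlines()) if p is not None]


def check_peers(peers, max_offset_ms=STEP_THRESHOLD_MS):
    """Return (remote, problem) findings for a parsed peer table."""
    findings = []
    system_peer = next((p for p in peers if p.tally == "*"), None)
    if system_peer is None:
        findings.append(("-", "no-system-peer"))
    elif system_peer.refid == ".LOCL.":
        # Synced to the undisciplined local clock: time is free-running.
        findings.append((system_peer.remote, "local-clock"))
    for p in peers:
        if p.refid == ".INIT." or p.reach == 0:
            findings.append((p.remote, "unreachable"))
        elif abs(p.offset_ms) > max_offset_ms:
            findings.append((p.remote, "offset"))
    return findings


# Constructed sample: the AWS server table quoted in the thread.
SAMPLE_AWS = """\
[centos@freeipa03 ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 freeipa03.east. .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 192.5.41.40     .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 freeipa04.east. .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 192.5.41.41     .INIT.          16 u    - 1024    0    0.000    0.000   0.000
*freeipa01.stl1. 192.5.41.41      2 u  773 1024  377   33.174  572.967 301.884
 freeipa03.stl1. LOCAL(0)        11 u  595 1024  377   32.821  -59.250 700.218
 LOCAL(0)        .LOCL.          10 l   5h   64    0    0.000    0.000   0.000
"""

# Constructed sample: the client table quoted in the thread.
SAMPLE_CLIENT = """\
 freeipa04.east. 10.1.6.250       3 u   53   64   37    0.413  1316.74  69.142
 freeipa03.east. 10.1.6.250       3 u   50   64   37    0.330  1523.74  32.815
 freeipa01.stl1. 192.5.41.41      2 u   52   64   37   33.011  2118.44  76.063
 freeipa03.stl1. 10.1.6.250       3 u   51   64   37   33.218  2922.96  19.715
*LOCAL(0)        .LOCL.           5 l   57   64   37    0.000    0.000   0.000
"""

if __name__ == "__main__":
    for name, table in (("aws", SAMPLE_AWS), ("client", SAMPLE_CLIENT)):
        for remote, problem in check_peers(parse_ntpq(table)):
            print(f"{name}: {remote}: {problem}")
```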

[Freeipa-users] Re: NTP

2018-04-03 Thread Andrew Meyer via FreeIPA-users
This is a mix of VMware VMs and AWS instances.  All CentOS 7. 

On Tuesday, April 3, 2018 1:04 PM, Rob Crittenden <rcrit...@redhat.com> 
wrote:
 

 Andrew Meyer via FreeIPA-users wrote:
> I need some clarification on this.  I have my FreeIPA server in
> talking.  NTP is working.  However Some servers are getting ntp drift. 
> If I go into /etc/ntp.conf I see that at the bottom FreeIPA adds server
> at the bottom of the file.
> 
> ### Added by IPA Installer ###
> server 127.127.1.0 iburst
> fudge 127.127.1.0 stratum 10
> server 1.2.3.4   # added by /sbin/dhclient-script
> server 5.6.7.8   # added by /sbin/dhclient-script
> server 9.0.1.2   # added by /sbin/dhclient-script
> server 3.4.5.6   # added by /sbin/dhclient-script
> [centos@freeipa03 ~]$
> 
> But under the public servers at the top should I leave the the centos
> public ntp servers?  Should I add the FreeIPA servers?

The theory for making IPA an NTP server was that even if time was off on
the IPA master it would be sharing its same incorrect time with all its
clients so they would all be in the same time universe and things would
continue to work.

It wouldn't hurt if you re-ordered things (I think). Just keep an eye on
it for a while.

Is this real hardware or VMs? In the past (like many moons ago) one
particular VM tech was particularly bad at time keeping so extra work
was needed on the VM host to ensure its RTC was passed into the VMs.

I wonder if connectivity to the centos pool is a problem, or if a VM, it
has bad timing.

rob




[Freeipa-users] NTP

2018-04-03 Thread Andrew Meyer via FreeIPA-users
I need some clarification on this.  I have my FreeIPA server in talking.  NTP 
is working.  However some servers are getting ntp drift.  If I go into 
/etc/ntp.conf I see that FreeIPA adds servers at the bottom of the file.
### Added by IPA Installer ###
server 127.127.1.0 iburst
fudge 127.127.1.0 stratum 10
server 1.2.3.4   # added by /sbin/dhclient-script
server 5.6.7.8   # added by /sbin/dhclient-script
server 9.0.1.2   # added by /sbin/dhclient-script
server 3.4.5.6   # added by /sbin/dhclient-script
[centos@freeipa03 ~]$
But under the public servers at the top should I leave the centos public 
ntp servers?  Should I add the FreeIPA servers?


[Freeipa-users] directory sync

2018-03-26 Thread Andrew Meyer via FreeIPA-users
So today I come in to work and find that one of my FreeIPA servers isn't 
syncing with the rest of the cluster.  I have a policy set to go in a big 
square.  I tried doing an ipa-replica-manage force-sync --verbose and then tried 
doing a re-initialize.  I have the networks wide open to allow communication to 
all the servers. When I telnet to port 636 from a remote system it works fine.  
I have applications that are using ldaps so I know it's working.  Any reason I 
would not be able to communicate over ldaps?

[root@freeipa04 ~]# ipa-replica-manage force-sync --from freeipa03.east.gatewayblend.net --verbose
Traceback (most recent call last):
  File "/sbin/ipa-replica-manage", line 1615, in
    main(options, args)
  File "/sbin/ipa-replica-manage", line 1564, in main
    options.nolookup)
  File "/sbin/ipa-replica-manage", line 1234, in force_sync
    repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 222, in __init__
    self.conn.gssapi_bind()
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1124, in gssapi_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1005, in error_handler
    error=info)
NetworkError: cannot connect to 'ldaps://freeipa03.east.gatewayblend.net:636':Unexpected error: cannot connect to 'ldaps://freeipa03.east.gatewayblend.net:636':
[root@freeipa04 ~]#
[root@freeipa04 ~]# ipa-replica-manage re-initialize --from freeipa03.east.gatewayblend.net --verbose
Traceback (most recent call last):
  File "/sbin/ipa-replica-manage", line 1615, in
    main(options, args)
  File "/sbin/ipa-replica-manage", line 1558, in main
    options.nolookup)
  File "/sbin/ipa-replica-manage", line 1200, in re_initialize
    repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 222, in __init__
    self.conn.gssapi_bind()
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1124, in gssapi_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1005, in error_handler
    error=info)
NetworkError: cannot connect to 'ldaps://freeipa03.east.gatewayblend.net:636':Unexpected error: cannot connect to 'ldaps://freeipa03.east.gatewayblend.net:636':
[root@freeipa04 ~]#
[root@freeipa04 ~]# ipa-replica-manage re-initialize --from freeipa03.stl1.gatewayblend.net --verbose
ipa: INFO: Setting agreement cn=freeipa03.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=replica,cn=dc\=gatewayblend\,dc\=net,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=freeipa03.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=replica,cn=dc\=gatewayblend\,dc\=net,cn=mapping tree,cn=config
Update in progress, 14 seconds elapsed
[ldaps://freeipa03.stl1.gatewayblend.net:636] reports: Update failed! Status: [-1  - LDAP error: Can't contact LDAP server]
[root@freeipa04 ~]#


[Freeipa-users] replica unable to communicate

2018-03-21 Thread Andrew Meyer via FreeIPA-users
I need some help with this.  I am working with FreeIPA running on CentOS 7.4 
version 4.5.0-22.  I have 2 servers in my AWS VPC and 2 servers at my local 
office.  
For some reason I am not seeing replication happen (over ldaps?) from 1 server 
in my local office to the two servers up there.
AWS servers:
[centos@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa01.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:30:31+00:00
[centos@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa03.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[centos@freeipa03 ~]$
[root@freeipa04 log]# ipa-replica-manage list -v freeipa03.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[root@freeipa04 log]# ipa-replica-manage list -v freeipa01.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:30:31+00:00
[root@freeipa04 log]#
Local office: server 1
[gatewayblend@freeipa01 ~]$ sudo ipa-replica-manage list -v freeipa04.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:24:41+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:24:32+00:00
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa01 ~]$ sudo ipa-replica-manage list -v freeipa03.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired 
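
Reading several `ipa-replica-manage list -v` listings by eye hides the pattern that matters here: every agreement pushed from freeipa03.stl1 fails with Error (-1), while the same peers report Error (0) when listed from freeipa01.stl1. As an added example, not code from the thread or from FreeIPA, this Python script parses such listings and prints the failing directions; the sample listings are constructed from the output quoted above.

```python
"""Parse `ipa-replica-manage list -v <server>` output and report agreements
whose last update failed, so a one-way outage stands out. Added example, not
code from the thread or the FreeIPA project; the sample listings are
constructed from output quoted in the thread."""
import re
from dataclasses import dataclass, field

# "Error (0) ..." is success; a non-zero code such as -1 is a failure.
_STATUS = re.compile(r"^Error \((?P<code>-?\d+)\)\s*(?P<msg>.*)$")


@dataclass
class Agreement:
    peer: str
    attrs: dict = field(default_factory=dict)

    @property
    def update_code(self):
        """Numeric code of 'last update status', or None if unparseable."""
        m = _STATUS.match(self.attrs.get("last update status", ""))
        return int(m["code"]) if m else None


def parse_list_v(text):
    """Each agreement begins at column 0 as '<peer>: replica'; its attributes
    follow, indented, as '<key>: <value>'. Shell prompts such as
    '[user@host ~]$ ...' and blank lines are skipped."""
    agreements = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("["):
            continue
        if not line.startswith(" "):
            peer, _, kind = line.partition(":")
            if kind.strip() == "replica":
                agreements.append(Agreement(peer.strip()))
            continue
        if agreements:
            # Split on the first ':' only; timestamps contain more colons.
            key, _, value = line.strip().partition(":")
            agreements[-1].attrs[key.strip()] = value.strip()
    return agreements


def broken_agreements(agreements):
    """(peer, status) for agreements whose last update was not Error (0)."""
    return [(a.peer, a.attrs.get("last update status", "<missing>"))
            for a in agreements if a.update_code != 0]


def failure_map(listings):
    """listings maps server -> its `list -v` output. Returns sorted
    (server, peer, status) triples, one per failing replication direction."""
    return sorted((server, peer, status)
                  for server, text in listings.items()
                  for peer, status in broken_agreements(parse_list_v(text)))


# Constructed samples, built from the listings quoted above.
FROM_FREEIPA01_STL1 = """\
[centos@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa01.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
"""

FROM_FREEIPA03_STL1 = """\
[centos@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa03.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
"""

if __name__ == "__main__":
    listings = {"freeipa01.stl1.gatewayblend.net": FROM_FREEIPA01_STL1,
                "freeipa03.stl1.gatewayblend.net": FROM_FREEIPA03_STL1}
    for server, peer, status in failure_map(listings):
        print(f"{server} -> {peer}: {status}")
```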

[Freeipa-users] replication broken

2018-03-20 Thread Andrew Meyer via FreeIPA-users
So for some reason yesterday my replication broke.  Checked out the logs and 
found this:
Mar 20 14:16:02 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 20 14:16:02 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 20 14:16:02 freeipa01 systemd: ipa-dnskeysyncd.service failed.
Mar 20 14:17:02 freeipa01 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
Mar 20 14:17:02 freeipa01 systemd: Started IPA key daemon.
Mar 20 14:17:02 freeipa01 systemd: Starting IPA key daemon...
Mar 20 14:17:05 freeipa01 ipa-dnskeysyncd: ipa         : INFO     LDAP bind...
Mar 20 14:17:05 freeipa01 ipa-dnskeysyncd: ipa         : INFO     Commencing sync process
Mar 20 14:17:05 freeipa01 ipa-dnskeysyncd: ipa.ipaserver.dnssec.keysyncer.KeySyncer: INFO     Initial LDAP dump is done, sychronizing with ODS and BIND
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: Traceback (most recent call last):
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: self.syncrepl_refreshdone()
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 115, in syncrepl_refreshdone
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: self.hsm_replica_sync()
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 181, in hsm_replica_sync
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))
Mar 20 14:17:09 freeipa01 ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
Mar 20 14:17:09 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 20 14:17:09 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 20 14:17:09 freeipa01 systemd: ipa-dnskeysyncd.service failed.
Mar 20 14:17:39 freeipa01 su: (to root) gatewayblend on pts/0
Mar 20 14:17:39 freeipa01 dbus[742]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Mar 20 14:17:39 freeipa01 dbus-daemon: dbus[742]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Mar 20 14:17:39 freeipa01 dbus[742]: [system] Successfully activated service 'org.freedesktop.problems'
Mar 20 14:17:39 freeipa01 dbus-daemon: dbus[742]: [system] Successfully activated service 'org.freedesktop.problems'
Mar 20 14:18:09 freeipa01 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
Mar 20 14:18:09 freeipa01 systemd: Started IPA key daemon.
Mar 20 14:18:09 freeipa01 systemd: Starting IPA key daemon...
Mar 20 14:18:13 freeipa01 ipa-dnskeysyncd: ipa         : INFO     LDAP bind...
Mar 20 14:18:13 freeipa01 ipa-dnskeysyncd: ipa         : INFO     Commencing sync process
Mar 20 14:18:13 freeipa01 ipa-dnskeysyncd: ipa.ipaserver.dnssec.keysyncer.KeySyncer: INFO     Initial LDAP dump is done, sychronizing with ODS and BIND
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: Traceback (most recent call last):
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: self.syncrepl_refreshdone()
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 115, in syncrepl_refreshdone
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: self.hsm_replica_sync()
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 181, in hsm_replica_sync
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))
Mar 20 14:18:17 freeipa01 ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
Mar 20 14:18:17 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 20 

[Freeipa-users] remote update vectors

2018-03-20 Thread Andrew Meyer via FreeIPA-users
While doing some troubleshooting on replication I found that I have an old 
server in my replica list-ruvs.  How would I go about removing that?


[Freeipa-users] Re: FreeIPA in AWS

2018-03-20 Thread Andrew Meyer via FreeIPA-users
So I made the changes to the SecurityGroup in AWS and my local FreeIPA servers 
can't talk up.  I suspect this is something on the AWS side.  :-( 

On Tuesday, March 20, 2018 9:17 AM, Andrew Meyer via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

Thank you sir!  I will add the additional ports and let you know if I run 
into any other issues! 

On Tuesday, March 20, 2018 9:03 AM, Alexander Bokovoy via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 On ti, 20 maalis 2018, Andrew Meyer via FreeIPA-users wrote:
>I have FreeIPA setup on CentOS 7 in AWS.  However we are looking to
>lock down communication over our VPN tunnel.  Trying to do some
>research to see what ports I need.  I've gotten most of them,
>80,443,88,464,389,636,123.  I have it setup to allow UDP/TCP for both
>sides.  However in the amazon security groups I have found that if I
>remove 0.0.0.0/0 from the inbound I lose communication to the remote
>FreeIPA servers.  However the server in AWS can talk back.   This email
>thread might not be relevant here but I wanted to see what kind of
>response i'd get.
>Are there ports similar to what needs to be opened for AD ?
>I found this on Amazon's website:How to Connect Your On-Premises Active
>Directory to AWS Using AD Connector | Amazon Web Services
All ports are described in RHEL guides for IdM, though they are split
around two big guides.

Last year I tried to gather all details about our firewall requirements
in a single place to provide input to RHEL documentation writers. Though
they haven't yet published their updates to the official documentation,
you can peruse my draft:
https://vda.li/drafts/firewall-considerations.txt

It is dense but it is the best source about IPA communication flows I know.

-- 
/ Alexander Bokovoy


[Freeipa-users] FreeIPA in AWS

2018-03-20 Thread Andrew Meyer via FreeIPA-users
I have FreeIPA setup on CentOS 7 in AWS.  However we are looking to lock down 
communication over our VPN tunnel.  Trying to do some research to see what 
ports I need.  I've gotten most of them, 80,443,88,464,389,636,123.  I have it 
setup to allow UDP/TCP for both sides.  However in the amazon security groups I 
have found that if I remove 0.0.0.0/0 from the inbound I lose communication to 
the remote FreeIPA servers.  However the server in AWS can talk back.  
This email thread might not be relevant here but I wanted to see what kind of 
response i'd get.
Are there ports similar to what needs to be opened for AD ?
I found this on Amazon's website: How to Connect Your On-Premises Active 
Directory to AWS Using AD Connector | Amazon Web Services

Thanks,
Andrew


[Freeipa-users] Re: Using different distros

2018-03-12 Thread Andrew Meyer via FreeIPA-users
Thanks for the response, I don't think we will be issuing SSL certs from 
FreeIPA to systems in AWS running Amazon Linux 2. 

On Monday, March 12, 2018 10:54 AM, Rob Crittenden via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 Andrew Meyer via FreeIPA-users wrote:
> I have emailed in previously for issues w/ Amazon Linux 2 as a replica
> server but I am wondering if I can use Amazon Linux 2 as a client
> machine to FreeIPA.  Will I run into the same issues with SSL (NSS vs
> OpenSSL) that I did with the replica?

Hard to say without knowing what their packaging looks like.

That said the client is mostly a tool to help ensure the environment is
sane and if so writes a bunch of configuration files. SSSD does all the
heavy lifting post-install. So there is perhaps some more room for
differences.

I'll note that the client uses curl as well via xmlrpc-c during
enrollment and using certmonger assuming you get a cert on this host.

rob


[Freeipa-users] Using different distros

2018-03-12 Thread Andrew Meyer via FreeIPA-users
I have emailed in previously for issues w/ Amazon Linux 2 as a replica server
but I am wondering if I can use Amazon Linux 2 as a client machine to FreeIPA.
Will I run into the same issues with SSL (NSS vs OpenSSL) that I did with the
replica?
Thank you,
Andrew


[Freeipa-users] removing a replica

2018-03-07 Thread Andrew Meyer via FreeIPA-users
I am trying to follow  HowTo/Remove replica in a managed topology - FreeIPA to 
remove replica servers correctly.  However when I do this I am running into an 
error:
[andrew.meyer@infra-test-ipa ~]$ ipa topologysegment-del
Suffix name: domain
Segment name: freeipa01.east.gatewayblend.net-to-freeipa01.stl1.gatewayblend.net
ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects
topology.Deletion not allowed.
[andrew.meyer@infra-test-ipa ~]$
However I came across this - Issue #6266: Cannot uninstall server in 
disconnected topology - freeipa - Pagure
Can I use the workaround or is there a better method?
In this case I do not have any topology disconnected:
[andrew.meyer@infra-test-ipa ~]$ ipa topologysegment-find domain --all
------------------
6 segments matched
------------------
  dn: cn=freeipa01.east.gatewayblend.net-to-freeipa01.stl1.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa01.east.gatewayblend.net-to-freeipa01.stl1.gatewayblend.net
  Left node: freeipa01.east.gatewayblend.net
  Right node: freeipa01.stl1.gatewayblend.net
  Connectivity: both
  iparepltoposegmentstatus: autogen
  objectclass: iparepltoposegment, top

  dn: cn=freeipa01.east.gatewayblend.net-to-infra-test-ipa2.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa01.east.gatewayblend.net-to-infra-test-ipa2.gatewayblend.net
  Left node: freeipa01.east.gatewayblend.net
  Right node: infra-test-ipa2.gatewayblend.net
  Connectivity: both
  iparepltoposegmentstatus: autogen
  objectclass: iparepltoposegment, top

  dn: cn=freeipa01.stl1.gatewayblend.net-to-freeipa03.stl1.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa01.stl1.gatewayblend.net-to-freeipa03.stl1.gatewayblend.net
  Left node: freeipa01.stl1.gatewayblend.net
  Right node: freeipa03.stl1.gatewayblend.net
  Connectivity: both
  iparepltoposegmentstatus: autogen
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.east.gatewayblend.net-to-infra-test-ipa.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.east.gatewayblend.net-to-infra-test-ipa.gatewayblend.net
  Left node: freeipa03.east.gatewayblend.net
  Right node: infra-test-ipa.gatewayblend.net
  Connectivity: both
  iparepltoposegmentstatus: autogen
  objectclass: iparepltoposegment, top

  dn: cn=infra-test-ipa.gatewayblend.net-to-infra-freeipa1-aws.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: infra-test-ipa.gatewayblend.net-to-infra-freeipa1-aws.gatewayblend.net
  Left node: infra-test-ipa.gatewayblend.net
  Right node: infra-freeipa1-aws.gatewayblend.net
  Connectivity: left-right
  iparepltoposegmentstatus: autogen
  objectclass: iparepltoposegment, top

  dn: cn=infra-test-ipa.gatewayblend.net-to-infra-test-ipa2.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: infra-test-ipa.gatewayblend.net-to-infra-test-ipa2.gatewayblend.net
  Left node: infra-test-ipa.gatewayblend.net
  Right node: infra-test-ipa2.gatewayblend.net
  Connectivity: both
  iparepltoposegmentstatus: autogen
  objectclass: iparepltoposegment, top
----------------------------
Number of entries returned 6
----------------------------
[andrew.meyer@infra-test-ipa ~]$

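The "Removal of Segment disconnects topology" refusal above is the server declining to delete a segment that is the only path between two parts of the replication graph; "no topology disconnected" today does not mean a given segment can go. The following Python is an added example, not code from the thread or from FreeIPA itself. It parses the multi-line output of `ipa topologysegment-find` (the sample is constructed from the six segments posted above, with the dn and status attributes dropped) into an undirected graph and reports every segment whose removal would leave some server unreachable, which is exactly the case that has to be fixed by first adding a redundant segment. The posted topology has seven servers joined by six segments, so it is a tree and every segment, including the one the deletion was attempted on, is such a bridge. Treating a left-right segment as an undirected link for this check is an assumption of the example.

```python
# Added example (not from the FreeIPA project or the thread): find the
# topology segments that cannot be deleted without splitting the replication
# graph, the condition behind "Removal of Segment disconnects topology".
import re
from collections import defaultdict, deque

# Sample constructed from the segment list posted in the thread; only the
# attributes the check needs are kept.
SAMPLE_OUTPUT = """\
------------------
6 segments matched
------------------
  Segment name: freeipa01.east.gatewayblend.net-to-freeipa01.stl1.gatewayblend.net
  Left node: freeipa01.east.gatewayblend.net
  Right node: freeipa01.stl1.gatewayblend.net
  Connectivity: both

  Segment name: freeipa01.east.gatewayblend.net-to-infra-test-ipa2.gatewayblend.net
  Left node: freeipa01.east.gatewayblend.net
  Right node: infra-test-ipa2.gatewayblend.net
  Connectivity: both

  Segment name: freeipa01.stl1.gatewayblend.net-to-freeipa03.stl1.gatewayblend.net
  Left node: freeipa01.stl1.gatewayblend.net
  Right node: freeipa03.stl1.gatewayblend.net
  Connectivity: both

  Segment name: freeipa03.east.gatewayblend.net-to-infra-test-ipa.gatewayblend.net
  Left node: freeipa03.east.gatewayblend.net
  Right node: infra-test-ipa.gatewayblend.net
  Connectivity: both

  Segment name: infra-test-ipa.gatewayblend.net-to-infra-freeipa1-aws.gatewayblend.net
  Left node: infra-test-ipa.gatewayblend.net
  Right node: infra-freeipa1-aws.gatewayblend.net
  Connectivity: left-right

  Segment name: infra-test-ipa.gatewayblend.net-to-infra-test-ipa2.gatewayblend.net
  Left node: infra-test-ipa.gatewayblend.net
  Right node: infra-test-ipa2.gatewayblend.net
  Connectivity: both
----------------------------
Number of entries returned 6
----------------------------
"""

ATTR = re.compile(r"\s*(Segment name|Left node|Right node|Connectivity):\s*(\S+)")


def parse_segments(text):
    """Return (name, left, right, connectivity) tuples from topologysegment-find output."""
    segments, cur = [], {}
    for line in text.splitlines():
        m = ATTR.match(line)
        if not m:
            continue
        cur[m.group(1)] = m.group(2)
        if m.group(1) == "Connectivity":  # last of the attributes we need per entry
            segments.append((cur["Segment name"], cur["Left node"],
                             cur["Right node"], cur["Connectivity"]))
            cur = {}
    return segments


def reachable(segments, start):
    """Servers reachable from `start`; every segment is treated as an undirected link (assumption)."""
    adj = defaultdict(set)
    for _name, left, right, _conn in segments:
        adj[left].add(right)
        adj[right].add(left)
    seen, todo = {start}, deque([start])
    while todo:
        node = todo.popleft()
        for nxt in adj[node] - seen:
            seen.add(nxt)
            todo.append(nxt)
    return seen


def disconnects(segments, name):
    """True if deleting segment `name` leaves some server unreachable from the rest."""
    remaining = [s for s in segments if s[0] != name]
    nodes = {n for s in segments for n in (s[1], s[2])}
    return reachable(remaining, next(iter(nodes))) != nodes


def bridges(segments):
    """Names of segments that cannot be deleted until a redundant segment exists."""
    return [s[0] for s in segments if disconnects(segments, s[0])]


if __name__ == "__main__":
    segs = parse_segments(SAMPLE_OUTPUT)
    for name in bridges(segs):
        print("cannot delete without a redundant segment:", name)
```

Adding one more segment between, say, freeipa03.stl1 and infra-test-ipa2 closes a cycle and turns the east-to-stl1 segment from a bridge into a deletable link; the three segments hanging off infra-test-ipa (to freeipa03.east, the AWS replica, and infra-test-ipa2) stay bridges because each is still the only path to a leaf or to the rest of the graph.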

[Freeipa-users] client machines and server related questions

2018-03-07 Thread Andrew Meyer via FreeIPA-users
I have a few more questions regarding joining client machines to the domain.
If I manually specify a FreeIPA server when joining the client to it, can I go 
back and add the _srv_ to the line in /etc/sssd/sssd.conf ?  Will doing that 
work just like if I did autodiscover?
Can I specify more than 1 server in the ipa_server line?
If I have locations turned on and replica servers in the location groups, when 
I add a client server to the FreeIPA domain why doesn't the join script look 
for the closest FreeIPA server?  Or is this not part of the join script?
As I get this ready for prime time we are going to have it replicate from our 
main office to our AWS environment.  We will be using CentOS for all the 
servers.  But If the VPN connection between AWS and my main office is severed 
and updates are made should it be able to replicate the correct information 
around once the connection is re-established?  I am verifying this for 
management.  (With all the reading I've done the database should self-heal, 
correct?)


[Freeipa-users] Re: new client setup

2018-03-06 Thread Andrew Meyer via FreeIPA-users
Florence,
Thanks yeah I was able to telnet to port 389.  It was the TTL of the 
DNS records.  It finally flushed and worked.
Cheers!

On Tuesday, March 6, 2018 3:34 PM, Florence Blanc-Renaud via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 On 06/03/2018 21:39, Andrew Meyer via FreeIPA-users wrote:
> I am trying to add another client in my main location and getting the 
> following information:
> [user@freeipa01 ipa]$ sudo ipa-client-install --domain=stl1.example.net 
> --realm=stl1.example.net --mkhomedir --enable-dns-updates
> Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not 
> responding, unable to verify if this is an IPA server
> Skip infra-test-ipa2.example.net.stl1.example.net: LDAP server is not 
> responding, unable to verify if this is an IPA server
> Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not 
> responding, unable to verify if this is an IPA server
> Skip infra-test-ipa2.example.net.stl1.example.net: LDAP server is not 
> responding, unable to verify if this is an IPA server
> Provide your IPA server name (ex: ipa.example.com): ^CThe 
> ipa-client-install command failed. See /var/log/ipaclient-install.log 
> for more information
> [user@freeipa01 ipa]$
> 
> 
> [user@freeipa01 ~]$ sudo ipa-client-install --domain=example.net 
> --realm=example.net --mkhomedir --enable-dns-updates
> Skip infra-test-ipa.example.net: cannot verify if this is an IPA server
> Skip infra-test-ipa2.example.net: cannot verify if this is an IPA server
> Skip freeipa03.east.example.net: cannot verify if this is an IPA server
> Skip freeipa01.east.example.net: cannot verify if this is an IPA server
> Provide your IPA server name (ex: ipa.example.com): ^CThe 
> ipa-client-install command failed. See /var/log/ipaclient-install.log 
> for more information
> [user@freeipa01 ~]$
> 
> I have checked my /etc/resolv.conf and made sure that they are pointed 
> at the current local FreeIPA nameservers/resolvers.
> 
> Here is the output /var/log/ipaclient-install.log
> 
> [user@freeipa01 ~]$ sudo cat /var/log/ipaclient-install.log
> 2018-03-06T20:29:32Z DEBUG Logging to /var/log/ipaclient-install.log
> 2018-03-06T20:29:32Z DEBUG ipa-client-install was invoked with arguments 
> [] and options: {'no_dns_sshfp': False, 'force': False, 'verbose': 
> False, 'ip_addresses': None, 'configure_firefox': False, 'realm_name': 
> 'stl1.example.net', 'force_ntpd': False, 'on_master': False, 
> 'no_nisdomain': False, 'ssh_trust_dns': False, 'principal': None, 
> 'keytab': None, 'no_ntp': False, 'domain_name': 'stl1.example.net', 
> 'request_cert': False, 'fixed_primary': False, 'no_ac': False, 
> 'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 
> 'kinit_attempts': None, 'ntp_servers': None, 'enable_dns_updates': True, 
> 'no_sshd': False, 'no_sssd': False, 'no_krb5_offline_passwords': False, 
> 'servers': None, 'no_ssh': False, 'force_join': False, 'firefox_dir': 
> None, 'unattended': False, 'quiet': False, 'nisdomain': None, 
> 'prompt_password': False, 'host_name': None, 'permit': False, 
> 'automount_location': None, 'preserve_sssd': False, 'mkhomedir': True, 
> 'log_file': None, 'uninstall': False}
> 2018-03-06T20:29:32Z DEBUG IPA version 4.5.0-22.el7.centos
> 2018-03-06T20:29:32Z DEBUG Loading Index file from 
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2018-03-06T20:29:32Z DEBUG Starting external process
> 2018-03-06T20:29:32Z DEBUG args=/usr/sbin/selinuxenabled
> 2018-03-06T20:29:32Z DEBUG Process finished, return code=1
> 2018-03-06T20:29:32Z DEBUG stdout=
> 2018-03-06T20:29:32Z DEBUG stderr=
> 2018-03-06T20:29:32Z DEBUG Starting external process
> 2018-03-06T20:29:32Z DEBUG args=/bin/systemctl is-enabled chronyd.service
> 2018-03-06T20:29:32Z DEBUG Process finished, return code=1
> 2018-03-06T20:29:32Z DEBUG stdout=disabled
> 
> 2018-03-06T20:29:32Z DEBUG stderr=
> 2018-03-06T20:29:32Z DEBUG Starting external process
> 2018-03-06T20:29:32Z DEBUG args=/bin/systemctl is-active chronyd.service
> 2018-03-06T20:29:32Z DEBUG Process finished, return code=3
> 2018-03-06T20:29:32Z DEBUG stdout=unknown
> 
> 2018-03-06T20:29:32Z DEBUG stderr=
> 2018-03-06T20:29:37Z DEBUG [IPA Discovery]
> 2018-03-06T20:29:37Z DEBUG Starting IPA discovery with 
> domain=stl1.example.net, servers=None, hostname=freeipa01.stl1.example.net
> 2018-03-06T20:29:37Z DEBUG Search for LDAP SRV record in stl1.example.net
> 2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of 
> _ldap._tcp.stl1.example.net
> 2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389 
> infra-test-ipa.example.net.stl1.example.net.
> 2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389 
> infra-test-ipa2.example.net.stl1.example.net.
> 2018-03-06T2

[Freeipa-users] new client setup

2018-03-06 Thread Andrew Meyer via FreeIPA-users
I am trying to add another client in my main location and getting the following 
information:
[user@freeipa01 ipa]$ sudo ipa-client-install --domain=stl1.example.net 
--realm=stl1.example.net --mkhomedir --enable-dns-updates
Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not 
responding, unable to verify if this is an IPA server
Skip infra-test-ipa2.example.net.stl1.example.net: LDAP server is not 
responding, unable to verify if this is an IPA server
Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not 
responding, unable to verify if this is an IPA server
Skip infra-test-ipa2.example.net.stl1.example.net: LDAP server is not 
responding, unable to verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com): ^C
The ipa-client-install command failed. See /var/log/ipaclient-install.log 
for more information
[user@freeipa01 ipa]$

[user@freeipa01 ~]$ sudo ipa-client-install --domain=example.net 
--realm=example.net --mkhomedir --enable-dns-updates
Skip infra-test-ipa.example.net: cannot verify if this is an IPA server
Skip infra-test-ipa2.example.net: cannot verify if this is an IPA server
Skip freeipa03.east.example.net: cannot verify if this is an IPA server
Skip freeipa01.east.example.net: cannot verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com): ^C
The ipa-client-install command failed. See /var/log/ipaclient-install.log 
for more information
[user@freeipa01 ~]$

I have checked my /etc/resolv.conf and made sure that they are pointed at the 
current local FreeIPA nameservers/resolvers.  
Here is the output /var/log/ipaclient-install.log
[user@freeipa01 ~]$ sudo cat /var/log/ipaclient-install.log
2018-03-06T20:29:32Z DEBUG Logging to /var/log/ipaclient-install.log
2018-03-06T20:29:32Z DEBUG ipa-client-install was invoked with arguments [] 
and options: {'no_dns_sshfp': False, 'force': False, 'verbose': False, 
'ip_addresses': None, 'configure_firefox': False, 'realm_name': 
'stl1.example.net', 'force_ntpd': False, 'on_master': False, 'no_nisdomain': 
False, 'ssh_trust_dns': False, 'principal': None, 'keytab': None, 'no_ntp': 
False, 'domain_name': 'stl1.example.net', 'request_cert': False, 
'fixed_primary': False, 'no_ac': False, 'no_sudo': False, 'ca_cert_files': 
None, 'all_ip_addresses': False, 'kinit_attempts': None, 'ntp_servers': None, 
'enable_dns_updates': True, 'no_sshd': False, 'no_sssd': False, 
'no_krb5_offline_passwords': False, 'servers': None, 'no_ssh': False, 
'force_join': False, 'firefox_dir': None, 'unattended': False, 'quiet': False, 
'nisdomain': None, 'prompt_password': False, 'host_name': None, 'permit': 
False, 'automount_location': None, 'preserve_sssd': False, 'mkhomedir': True, 
'log_file': None, 'uninstall': False}
2018-03-06T20:29:32Z DEBUG IPA version 4.5.0-22.el7.centos
2018-03-06T20:29:32Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2018-03-06T20:29:32Z DEBUG Starting external process
2018-03-06T20:29:32Z DEBUG args=/usr/sbin/selinuxenabled
2018-03-06T20:29:32Z DEBUG Process finished, return code=1
2018-03-06T20:29:32Z DEBUG stdout=
2018-03-06T20:29:32Z DEBUG stderr=
2018-03-06T20:29:32Z DEBUG Starting external process
2018-03-06T20:29:32Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2018-03-06T20:29:32Z DEBUG Process finished, return code=1
2018-03-06T20:29:32Z DEBUG stdout=disabled

2018-03-06T20:29:32Z DEBUG stderr=
2018-03-06T20:29:32Z DEBUG Starting external process
2018-03-06T20:29:32Z DEBUG args=/bin/systemctl is-active chronyd.service
2018-03-06T20:29:32Z DEBUG Process finished, return code=3
2018-03-06T20:29:32Z DEBUG stdout=unknown

2018-03-06T20:29:32Z DEBUG stderr=
2018-03-06T20:29:37Z DEBUG [IPA Discovery]
2018-03-06T20:29:37Z DEBUG Starting IPA discovery with 
domain=stl1.example.net, servers=None, hostname=freeipa01.stl1.example.net
2018-03-06T20:29:37Z DEBUG Search for LDAP SRV record in stl1.example.net
2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of 
_ldap._tcp.stl1.example.net
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389 
infra-test-ipa.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389 
infra-test-ipa2.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG [Kerberos realm search]
2018-03-06T20:29:37Z DEBUG Kerberos realm forced
2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of 
_kerberos._udp.stl1.example.net
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 88 
infra-test-ipa.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 88 
infra-test-ipa2.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG [LDAP server check]
2018-03-06T20:29:37Z DEBUG Verifying that 
infra-test-ipa.example.net.stl1.example.net (realm stl1.example.net) is an IPA 
server
2018-03-06T20:29:37Z DEBUG Init LDAP connection to: 
ldap://infra-test-ipa.example.net.stl1.example.net:389
2018-03-06T20:29:37Z DEBUG LDAP Error: cannot connect to

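Enrollment stops above at the LDAP server check because the client refuses to enroll against a server it cannot verify, and in the first attempt the SRV targets it was handed (infra-test-ipa.example.net.stl1.example.net.) carry the search domain appended to what already looks like a fully qualified name. The following Python is an added example, not code from the thread or from ipa-client-install. It reads the "DNS record found:" lines of ipaclient-install.log (the sample is constructed from the lines posted above plus one well-formed target) and flags SRV targets whose host part ends in a parent zone of the client's domain, which is the shape a zone record takes when an FQDN is written without its trailing dot. It is a log heuristic for that one mistake, not a diagnosis of this thread, where the reporter's own fix was waiting out the DNS TTL; the domain name and the extra well-formed target are assumptions of the example.

```python
# Added example (not from the FreeIPA project or the thread): flag SRV
# targets in ipaclient-install.log that look like a zone origin was
# appended to an already fully qualified name (missing trailing dot).
import re

DOMAIN = "stl1.example.net"  # the --domain used in the first attempt above

# Constructed sample: the posted discovery lines plus one sane target.
SAMPLE_LOG = """\
2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of _ldap._tcp.stl1.example.net
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389 infra-test-ipa.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389 infra-test-ipa2.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of _kerberos._udp.stl1.example.net
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 88 infra-test-ipa.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 88 ipa1.stl1.example.net.
"""

SRV_LINE = re.compile(r"DNS record found: (\d+) (\d+) (\d+) (\S+)")


def parse_srv_lines(log):
    """Return (priority, weight, port, target) tuples; target without its trailing dot."""
    records = []
    for line in log.splitlines():
        m = SRV_LINE.search(line)
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def doubled_origin(target, domain):
    """True if target is <host>.<domain> and <host> already ends in a parent zone of domain.

    infra-test-ipa.example.net.stl1.example.net for domain stl1.example.net:
    the host part infra-test-ipa.example.net ends in example.net, the parent
    zone, which is what a zone file produces when an FQDN lacks its trailing dot.
    """
    suffix = "." + domain
    if not target.endswith(suffix):
        return False
    host = target[: -len(suffix)]
    labels = domain.split(".")
    # Only multi-label parents (example.net, not the bare TLD) count, to keep
    # hosts that merely end in a TLD-like label from being flagged.
    parents = [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    return any(host == p or host.endswith("." + p) for p in parents)


def suspicious_targets(log, domain):
    """Distinct SRV targets in the log that look like they had the origin appended."""
    return sorted({t for _p, _w, _port, t in parse_srv_lines(log)
                   if doubled_origin(t, domain)})


if __name__ == "__main__":
    for target in suspicious_targets(SAMPLE_LOG, DOMAIN):
        print("suspicious SRV target (zone origin appended?):", target)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a clean discovery prints nothing. The second attempt in the thread, with --domain=example.net, returned plain names like infra-test-ipa.example.net, which this check leaves alone.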
[Freeipa-users] Re: error when promoting new client to replica

2018-03-06 Thread Andrew Meyer via FreeIPA-users
Agreed.  Going to try and get direct management to move forward w/ CentOS 7 up 
there.
Thanks to you and your team for all their help.   FreeIPA is so awesome.

On Tuesday, March 6, 2018 1:31 PM, Rob Crittenden via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 Andrew Meyer wrote:
> We got it fixed.  But one of the servers became severely out of sync
> causing other issues.  We got it fixed and replication is now working
> once again.  Now it is just figuring out if we truly can use Amazon
> Linux 2 as a FreeIPA replica or if we need to stick w/ CentOS 7.

If they use a different release of curl who knows what else is
different. Do you want to trust your infrastructure with that?

IPA herds many cats and it can be difficult to keep so many dependent
packages in-line. With so many moving parts even small changes can
sometimes cause a tremendous amount of grief.

rob

> 
> 
> On Tuesday, March 6, 2018 1:02 PM, Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> 
> Andrew Meyer via FreeIPA-users wrote:
>> After getting the feedback previously from the mailing list (thank you
>> for all your help) I have deployed a CentOS 7 image in AWS.  I was able
>> to add the client machine to the FreeIPA domain.  The CentOS 7 instance
>> is a t2.medium which is a 2 proc by 4GB RAM.  But when I go to promote
>> it I get the following error:
>>
>> ipa-replica-install --setup-ca --ssh-trust-dns --mkhomedir --setup-kra
>> --setup-dns --forwarder=10.10.0.2
>>
>> 2018-03-05T21:33:57Z DEBUG stderr=
>> 2018-03-05T21:33:57Z DEBUG Loading StateFile from
>> '/var/lib/ipa/sysupgrade/sysupgrade.state'
>> 2018-03-05T21:33:57Z DEBUG Saving StateFile to
>> '/var/lib/ipa/sysupgrade/sysupgrade.state'
>> 2018-03-05T21:33:57Z DEBUG Loading StateFile from
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2018-03-05T21:33:57Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2018-03-05T21:33:57Z DEBUG Configuring certificate server (pki-tomcatd).
>> Estimated time: 3 minutes
>> 2018-03-05T21:33:57Z DEBUG   [1/27]: creating certificate server db
>> 2018-03-05T21:33:57Z DEBUG   duration: 0 seconds
>> 2018-03-05T21:33:57Z DEBUG   [2/27]: setting up initial replication
>> 2018-03-05T21:33:57Z DEBUG Fetching nsDS5ReplicaId from master
> [attempt 1/5]
>> 2018-03-05T21:33:57Z DEBUG retrieving schema for SchemaCache
>> url=ldap://infra-test-ipa.gatewayblend.net:389
>> conn=
>> 2018-03-05T21:33:58Z DEBUG Successfully updated nsDS5ReplicaId.
>> 2018-03-05T21:34:14Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 504, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 494, in run_step
>>     method()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 1192, in __setup_replication
>>     repl.setup_cs_replication(self.master_host)
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 1814, in setup_cs_replication
>>     raise RuntimeError("Failed to start replication")
>> RuntimeError: Failed to start replication
>>
>> 2018-03-05T21:34:14Z DEBUG   [error] RuntimeError: Failed to start
>> replication
>> 2018-03-05T21:34:14Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
>> execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
>> 333, in run
>>     cfgr.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 368, in run
>>     self.execute()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 392, in execute
>>     for _nothing in self._executor():
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 434, in __runner
>>     exc_handler(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 463, in _handle_execute_exception
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 453, in _handle_exception
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 424, in __runner
>>     step()
>>   File "

[Freeipa-users] Re: error when promoting new client to replica

2018-03-06 Thread Andrew Meyer via FreeIPA-users
We got it fixed.  But one of the servers became severely out of sync causing 
other issues.  We got it fixed and replication is now working once again.  Now 
it is just figuring out if we truly can use Amazon Linux 2 as a FreeIPA replica 
or if we need to stick w/ CentOS 7. 

On Tuesday, March 6, 2018 1:02 PM, Rob Crittenden via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 Andrew Meyer via FreeIPA-users wrote:
> After getting the feedback previously from the mailing list (thank you
> for all your help) I have deployed a CentOS 7 image in AWS.  I was able
> to add the client machine to the FreeIPA domain.  The CentOS 7 instance
> is a t2.medium which is a 2 proc by 4GB RAM.  But when I go to promote
> it I get the following error:
> 
> ipa-replica-install --setup-ca --ssh-trust-dns --mkhomedir --setup-kra
> --setup-dns --forwarder=10.10.0.2
> 
> 2018-03-05T21:33:57Z DEBUG stderr=
> 2018-03-05T21:33:57Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2018-03-05T21:33:57Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2018-03-05T21:33:57Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2018-03-05T21:33:57Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2018-03-05T21:33:57Z DEBUG Configuring certificate server (pki-tomcatd).
> Estimated time: 3 minutes
> 2018-03-05T21:33:57Z DEBUG   [1/27]: creating certificate server db
> 2018-03-05T21:33:57Z DEBUG   duration: 0 seconds
> 2018-03-05T21:33:57Z DEBUG   [2/27]: setting up initial replication
> 2018-03-05T21:33:57Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
> 2018-03-05T21:33:57Z DEBUG retrieving schema for SchemaCache
> url=ldap://infra-test-ipa.gatewayblend.net:389
> conn=
> 2018-03-05T21:33:58Z DEBUG Successfully updated nsDS5ReplicaId.
> 2018-03-05T21:34:14Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 504, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 494, in run_step
>     method()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 1192, in __setup_replication
>     repl.setup_cs_replication(self.master_host)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 1814, in setup_cs_replication
>     raise RuntimeError("Failed to start replication")
> RuntimeError: Failed to start replication
> 
> 2018-03-05T21:34:14Z DEBUG   [error] RuntimeError: Failed to start
> replication
> 2018-03-05T21:34:14Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
> execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
> 333, in run
>     cfgr.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 368, in run
>     self.execute()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 392, in execute
>     for _nothing in self._executor():
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 434, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 463, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 453, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 424, in __runner
>     step()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 421, in 
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 658, in _configure
>     next(executor)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 434, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 463, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/i

[Freeipa-users] Re: error when promoting new client to replica

2018-03-05 Thread Andrew Meyer via FreeIPA-users
I think I figured out my problem.  I think its the Amazon Linux replica.  
named-pkcs11 keeps dying which is causing my issues. 

On Monday, March 5, 2018 3:40 PM, Andrew Meyer via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 After getting the feedback previously from the mailing list (thank you for all 
your help) I have deployed a CentOS 7 image in AWS.  I was able to add the 
client machine to the FreeIPA domain.  The CentOS 7 instance is a t2.medium 
which is a 2 proc by 4GB RAM.  But when I go to promote it I get the following 
error:
ipa-replica-install --setup-ca --ssh-trust-dns --mkhomedir --setup-kra 
--setup-dns --forwarder=10.10.0.2

2018-03-05T21:33:57Z DEBUG stderr=
2018-03-05T21:33:57Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-03-05T21:33:57Z DEBUG Saving StateFile to 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-03-05T21:33:57Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2018-03-05T21:33:57Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2018-03-05T21:33:57Z DEBUG Configuring certificate server (pki-tomcatd). 
Estimated time: 3 minutes
2018-03-05T21:33:57Z DEBUG   [1/27]: creating certificate server db
2018-03-05T21:33:57Z DEBUG   duration: 0 seconds
2018-03-05T21:33:57Z DEBUG   [2/27]: setting up initial replication
2018-03-05T21:33:57Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2018-03-05T21:33:57Z DEBUG retrieving schema for SchemaCache 
url=ldap://infra-test-ipa.gatewayblend.net:389 conn=
2018-03-05T21:33:58Z DEBUG Successfully updated nsDS5ReplicaId.
2018-03-05T21:34:14Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1192, in __setup_replication
    repl.setup_cs_replication(self.master_host)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1814, in setup_cs_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication

2018-03-05T21:34:14Z DEBUG   [error] RuntimeError: Failed to start replication
2018-03-05T21:34:14Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/insta

[Freeipa-users] error when promoting new client to replica

2018-03-05 Thread Andrew Meyer via FreeIPA-users
After getting the feedback previously from the mailing list (thank you for all 
your help) I have deployed a CentOS 7 image in AWS.  I was able to add the 
client machine to the FreeIPA domain.  The CentOS 7 instance is a t2.medium 
which is a 2 proc by 4GB RAM.  But when I go to promote it I get the following 
error:
ipa-replica-install --setup-ca --ssh-trust-dns --mkhomedir --setup-kra 
--setup-dns --forwarder=10.10.0.2

2018-03-05T21:33:57Z DEBUG stderr=
2018-03-05T21:33:57Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-03-05T21:33:57Z DEBUG Saving StateFile to 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-03-05T21:33:57Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2018-03-05T21:33:57Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2018-03-05T21:33:57Z DEBUG Configuring certificate server (pki-tomcatd). 
Estimated time: 3 minutes
2018-03-05T21:33:57Z DEBUG   [1/27]: creating certificate server db
2018-03-05T21:33:57Z DEBUG   duration: 0 seconds
2018-03-05T21:33:57Z DEBUG   [2/27]: setting up initial replication
2018-03-05T21:33:57Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2018-03-05T21:33:57Z DEBUG retrieving schema for SchemaCache 
url=ldap://infra-test-ipa.gatewayblend.net:389 conn=
2018-03-05T21:33:58Z DEBUG Successfully updated nsDS5ReplicaId.
2018-03-05T21:34:14Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1192, in __setup_replication
    repl.setup_cs_replication(self.master_host)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1814, in setup_cs_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication

2018-03-05T21:34:14Z DEBUG   [error] RuntimeError: Failed to start replication
2018-03-05T21:34:14Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File
"/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 

[Freeipa-users] Re: snmp monitoring

2018-03-05 Thread Andrew Meyer via FreeIPA-users
My apologies.
V4/Tool to Check Status of All Replicas - FreeIPA

  
|  
|   
|   
|   ||

   |

  |
|  
|   |  
V4/Tool to Check Status of All Replicas - FreeIPA
   |   |

  |

  |

 
 

On Monday, March 5, 2018 10:28 AM, Alexander Bokovoy via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 On Mon, 05 Mar 2018, Andrew Meyer via FreeIPA-users wrote:
>When reading about monitoring replication I see that I can get this
>setup using --setup-snmp, however on CentOS 7.x (latest) I don't have
>that option.  Is it not in 4.5.0?
Can you point to your sources? It is quite hard to understand what you
are reading and what you are looking for. Below is my take on your
questions, tell me if I'm completely off base with my
interpretation.

Are you reading 389-ds documentation and talking about IPA replica
setup? IPA replicas don't set up all plugins you could potentially
enable in 389-ds. If you need something more, like SNMP support in
389-ds, you should consult 389-ds (RHDS) documentation and in general
"know what you are doing".

-- 
/ Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


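
The thread above asks how to monitor replication without the 389-ds SNMP plugin. Below is an added example of the kind of check a monitoring probe can run instead; it is not code from FreeIPA, 389-ds, or anyone in this thread. It reads the replication agreement entries under cn=config (in a real deployment, from a search such as `ldapsearch -o ldif-wrap=no -Y GSSAPI -b cn=config '(objectClass=nsds5replicationagreement)' nsDS5ReplicaHost nsds5replicaUpdateInProgress nsds5replicaLastUpdateEnd nsds5replicaLastUpdateStatus`, which may need Directory Manager or an equivalent ACI) and reports agreements whose last update failed or whose last completed update is older than a threshold. The sample LDIF, host names and the chosen one-hour threshold are constructed for the example; the assumed status-string formats ("Error (N) ..." and the older bare "N ...") and the convention that 19700101000000Z means "never" are stated in the code.

```python
"""Classify 389-ds replication agreements from LDIF, as a monitoring probe would.

Added example for this thread, not FreeIPA or 389-ds project code.
Assumptions: nsds5replicaLastUpdateStatus starts with an error code, either
"Error (N) ..." (newer 389-ds) or a bare "N ..." (older); an
nsds5replicaLastUpdateEnd of 19700101000000Z means the agreement has never
completed an update.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
STATUS_RE = re.compile(r"^(?:Error \((-?\d+)\)|(-?\d+))\s*(.*)$")
# Constructed "now" so the sample below evaluates the same way every run.
NOW = datetime(2018, 3, 5, 21, 40, tzinfo=timezone.utc)

# Constructed sample input modelled on a cn=config search result; the hosts
# and the suffix dc=example,dc=test are invented for this example.
SAMPLE_LDIF = """\
dn: cn=meToipa2.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipa2.example.test
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastUpdateEnd: 20180305213400Z
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded

dn: cn=meToipa3.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipa3.example.test
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastUpdateEnd: 20180305120000Z
nsds5replicaLastUpdateStatus: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)

dn: cn=meToipa4.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipa4.example.test
nsds5replicaUpdateInProgress: TRUE
nsds5replicaLastUpdateEnd: 19700101000000Z
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started
"""


def parse_ldif(text):
    """Split unwrapped LDIF into entries; attribute names are lower-cased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def parse_status(status):
    """Return (error_code, message) or (None, status) if the format is unknown."""
    m = STATUS_RE.match(status)
    if not m:
        return None, status
    code = int(m.group(1) if m.group(1) is not None else m.group(2))
    return code, m.group(3)


def parse_gentime(value):
    """LDAP GeneralizedTime without fractions, e.g. 20180305213400Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_agreement(entry, now, max_age=timedelta(hours=1)):
    host = entry.get("nsds5replicahost", ["?"])[0]
    status = entry.get("nsds5replicalastupdatestatus", [""])[0]
    in_progress = entry.get("nsds5replicaupdateinprogress", ["FALSE"])[0].upper() == "TRUE"
    end_raw = entry.get("nsds5replicalastupdateend", [""])[0]
    problems = []

    code, message = parse_status(status)
    if code is None:
        problems.append("unparseable status: %r" % status)
    elif code != 0:
        problems.append("last update failed (%d): %s" % (code, message))

    try:
        end = parse_gentime(end_raw)
    except ValueError:
        end = None
        problems.append("no usable nsds5replicaLastUpdateEnd: %r" % end_raw)

    # An update that is still running is not stale by definition; otherwise
    # the last completed update must be recent enough.
    if not in_progress and end is not None:
        if end == EPOCH:
            problems.append("no update has ever completed")
        elif now - end > max_age:
            problems.append("last completed update %s is older than %s" % (end.isoformat(), max_age))

    return {"host": host, "ok": not problems, "in_progress": in_progress, "problems": problems}


def check_all(ldif_text, now, max_age=timedelta(hours=1)):
    """Check every replication agreement entry in the LDIF text."""
    return [check_agreement(e, now, max_age) for e in parse_ldif(ldif_text)
            if "nsds5replicationagreement" in [v.lower() for v in e.get("objectclass", [])]]


if __name__ == "__main__":
    # With a file argument, read real ldapsearch output and use the real clock.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    now = datetime.now(timezone.utc) if len(sys.argv) > 1 else NOW
    results = check_all(text, now)
    for r in results:
        print("%s %s%s %s" % ("OK" if r["ok"] else "CRITICAL", r["host"],
                              " (update in progress)" if r["in_progress"] else "",
                              "; ".join(r["problems"])))
    sys.exit(0 if all(r["ok"] for r in results) else 2)
```

The exit code follows the usual monitoring convention (0 for OK, 2 for critical), so the script can be wrapped by a Nagios/Icinga check or a cron job that alerts on non-zero. Because the agreement status is only updated when the supplier tries to push changes, a quiet directory can legitimately show an old nsds5replicaLastUpdateEnd; tune max_age to your replication schedule rather than treating any old timestamp as a fault.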

