[Freeipa-users] ipa: ERROR: No valid Negotiate header in server response

2024-02-29 Thread Grant Janssen via FreeIPA-users
It appears I have resolved my certificate expiration issue:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/KFQXY6V4UKYOWCGD4YCZTCSGFWVL3QK7/


But I have another issue.

grant@ef-idm01:~[20240229-10:11][#772]$ klist
Ticket cache: KCM:555
Default principal: gr...@production.efilm.com

Valid starting       Expires              Service principal
02/29/2024 10:11:56  03/01/2024 09:42:34  krbtgt/production.efilm@production.efilm.com
grant@ef-idm01:~[20240229-10:12][#773]$ ipa user-find roland
ipa: ERROR: No valid Negotiate header in server response
grant@ef-idm01:~[20240229-10:12][#774]$ ipa server-find
ipa: ERROR: No valid Negotiate header in server response
grant@ef-idm01:~[20240229-10:18][#775]$ sudo systemctl status gssproxy.service
[sudo] password for grant:
● gssproxy.service - GSSAPI Proxy Daemon
   Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2024-02-20 13:57:40 PST; 1 weeks 1 days ago
  Process: 2158008 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
 Main PID: 2158009 (gssproxy)
    Tasks: 6 (limit: 74714)
   Memory: 10.5M
   CGroup: /system.slice/gssproxy.service
           └─2158009 /usr/sbin/gssproxy -D

Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: gssproxy.service: Succeeded.
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Stopped GSSAPI Proxy Daemon.
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Starting GSSAPI Proxy Daemon...
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Started GSSAPI Proxy Daemon.
grant@ef-idm01:~[20240229-10:18][#776]$

I searched online for some references and it was suggested I generate the /var/lib/ipa/gssproxy/http.keytab.
The keytab file appears OKAY to me though.

I would like to get this issue behind me
thanx

- grant

--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: handling certificate expirations

2024-02-20 Thread Grant Janssen via FreeIPA-users
well, I thought I was out of the woods, but I still have some issues.
the services are running, but kinit gets me a ticket to nowhere.

"ipa: ERROR: No valid Negotiate header in server response"

grant@ef-idm01:~[20240220-14:36][#785]$ klist
Ticket cache: KCM:555
Default principal: gr...@production.efilm.com

Valid starting       Expires              Service principal
02/20/2024 14:36:12  02/21/2024 13:51:10  krbtgt/production.efilm@production.efilm.com
grant@ef-idm01:~[20240220-14:36][#786]$ ipa server-find
ipa: ERROR: No valid Negotiate header in server response
grant@ef-idm01:~[20240220-14:36][#787]$ sudo systemctl status gssproxy.service
● gssproxy.service - GSSAPI Proxy Daemon
   Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2024-02-20 13:57:40 PST; 39min ago
  Process: 2158008 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
 Main PID: 2158009 (gssproxy)
    Tasks: 6 (limit: 74714)
   Memory: 4.2M
   CGroup: /system.slice/gssproxy.service
           └─2158009 /usr/sbin/gssproxy -D

Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: gssproxy.service: Succeeded.
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Stopped GSSAPI Proxy Daemon.
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Starting GSSAPI Proxy Daemon...
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Started GSSAPI Proxy Daemon.
grant@ef-idm01:~[20240220-14:37][#788]$ sudo ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
grant@ef-idm01:~[20240220-14:37][#789]$

I looked online for some references and it was suggested I replace the /var/lib/ipa/gssproxy/http.keytab.
The file looks OKAY to me though.


[Freeipa-users] Re: handling certificate expirations

2024-02-16 Thread Grant Janssen via FreeIPA-users
this was definitely the hot tip.
executing a server upgrade fixed everything for me.

thanx rob


[Freeipa-users] handling certificate expirations

2024-02-15 Thread Grant Janssen via FreeIPA-users
When I upgraded the servers to EL8 (I rebuilt from scratch using the old hostnames), I had neglected to assign an IPA CA renewal master after the old “boss” was retired.
This crime is of course its own punishment.

I found the documentation for handling this to actually be pretty good.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_certificates_in_idm/renewing-expired-system-certificates-when-idm-is-offline_working-with-idm-certificates#doc-wrapper

Fraser’s blog was also helpful (in confirming I executed this correctly):
https://frasertweedale.github.io/blog-redhat/posts/2019-05-24-ipa-cert-fix.html

I progressed through the other three IPA servers, but the last one still has a bad expiration on the CA cert.

[root@ef-idm01 ~]# date
Wed Feb 14 07:08:38 PST 2024
[root@ef-idm01 ~]# getcert list | egrep '^Request|status:|subject:|expir'
Request ID '20230530175932':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 10:59:53 PDT
Request ID '20230530180022':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 11:00:30 PDT
Request ID '20230530180438':
status: NEED_CA
subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
expires: 2024-01-02 07:58:28 PST
[root@ef-idm01 ~]# ipa-cert-fix

  WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed:

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
  Serial:  162
  Expires: 2024-01-02 15:58:28

Enter "yes" to proceed: yes
Proceeding.
Renewed IPA IPA RA certificate:
  Subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
  Serial:  1341915142
  Expires: 2026-02-03 20:18:20

Becoming renewal master.
Restarting IPA

Note: Monitor the certmonger-initiated renewal of
certificates after ipa-cert-fix and wait for its completion before
any other administrative task.

The ipa-cert-fix command was successful
[root@ef-idm01 ~]#

I checked the cert expiration several times yesterday, but it never updated on this server.
I waited a full day to let certmonger do its thing; below is my result this morning.

[root@ef-idm01 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@ef-idm01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ef-idm01 ~]# getcert list | egrep '^Request|status:|subject:|expir'
Request ID '20230530175932':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 10:59:53 PDT
Request ID '20230530180022':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 11:00:30 PDT
Request ID '20230530180438':
status: NEED_CA
subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
expires: 2024-01-02 07:58:28 PST
[root@ef-idm01 ~]# ipa-cert-fix
Nothing to do.
The ipa-cert-fix command was successful
[root@ef-idm01 ~]# getcert list | egrep '^Request|status:|subject:|expir'
Request ID '20230530175932':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 10:59:53 PDT
Request ID '20230530180022':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 11:00:30 PDT
Request ID '20230530180438':
status: NEED_CA
subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
expires: 2024-01-02 07:58:28 PST
[root@ef-idm01 ~]#

How can I sort out this one remaining issue?
Do I just assign another server as the renewal master?

thanx

- grant
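
Added example (not from this thread, and not part of certmonger or FreeIPA): a small Python triage script that parses `getcert list` output like the listings above and reports every tracked certificate that has expired, expires within 30 days, or is not in the healthy MONITORING state, so a renewal stuck in NEED_CA is noticed instead of being discovered when authentication breaks. The sample input is constructed to mirror the ef-idm01 listing (same request IDs, subjects, states and times); the time-zone abbreviation table is an assumption.

```python
"""Triage `getcert list` output: flag tracking requests whose certificate has
expired, expires soon, or is not in the healthy MONITORING state (for example
the NEED_CA state the IPA RA certificate was stuck in above).

Added example; not part of the thread, certmonger or FreeIPA. Pipe real
`getcert list` output in on stdin, or run with no input to use the sample.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `getcert list` on the ef-idm01 server above
# (same request IDs, subjects, states and expiry times as the post; the extra
# fields are ones certmonger prints but the post's egrep filter dropped).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20230530175932':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
\texpires: 2025-05-30 10:59:53 PDT
\ttrack: yes
\tauto-renew: yes
Request ID '20230530180022':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
\texpires: 2025-05-30 11:00:30 PDT
\ttrack: yes
\tauto-renew: yes
Request ID '20230530180438':
\tstatus: NEED_CA
\tstuck: no
\tsubject: CN=IPA RA,O=PRODUCTION.EFILM.COM
\texpires: 2024-01-02 07:58:28 PST
\ttrack: yes
\tauto-renew: yes
"""

# Assumption: certmonger prints the local zone abbreviation; map the ones that
# appear in the post to fixed UTC offsets (extend for your own time zone).
TZ_OFFSET_HOURS = {"PST": -8, "PDT": -7, "UTC": 0, "GMT": 0}

TIMESTAMP_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: (\S+))?")
REQUEST_RE = re.compile(r"Request ID '([^']+)':")


def parse_timestamp(text):
    """Turn '2024-01-02 07:58:28 PST' into a timezone-aware datetime."""
    m = TIMESTAMP_RE.fullmatch(text.strip())
    if not m:
        return None
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    hours = TZ_OFFSET_HOURS.get(m.group(2), 0)
    return naive.replace(tzinfo=timezone(timedelta(hours=hours)))


def parse_getcert_list(output):
    """Split `getcert list` output into one dict of fields per request."""
    requests, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def triage(requests, now, warn_within=timedelta(days=30)):
    """Return (request_id, subject, [problems]) for every unhealthy request."""
    findings = []
    for req in requests:
        problems = []
        status = req.get("status", "UNKNOWN")
        if status != "MONITORING":  # NEED_CA, CA_UNREACHABLE, ... all need a look
            problems.append(f"status {status}")
        if req.get("stuck", "no") != "no":
            problems.append("stuck")
        expires = parse_timestamp(req.get("expires", ""))
        if expires is None:
            problems.append("no parseable expiry")
        elif expires <= now:
            problems.append(f"expired {expires.isoformat()}")
        elif expires - now <= warn_within:
            problems.append(f"expires in {(expires - now).days} days")
        if problems:
            findings.append((req["request_id"], req.get("subject", "?"), problems))
    return findings


def triage_report(output, now_text):
    """Convenience wrapper: `now_text` in the same format getcert prints."""
    return triage(parse_getcert_list(output), parse_timestamp(now_text))


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not text.strip():
        text = SAMPLE_GETCERT_OUTPUT
    for rid, subject, problems in triage(parse_getcert_list(text), datetime.now(timezone.utc)):
        print(f"{rid}  {subject}: {', '.join(problems)}")
```

With the sample and the `date` shown in the post (Wed Feb 14 07:08:38 PST 2024), only the IPA RA request is reported, as both NEED_CA and expired.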





[Freeipa-users] log permission issues with "ipa-replica-manage re-initialize" in almalinux 8

2023-02-11 Thread Grant Janssen via FreeIPA-users
users were reporting password change issues.
ipa_check_consistency and cipa showed synchronization issues.

grant@ef-idm04:~[20230211-7:01][#211]$ ipa-replica-manage re-initialize --from ef-idm01.production.efilm.com
ipa: ERROR: Cannot open log file '/var/log/ipa/cli.log': [Errno 13] Permission denied: '/var/log/ipa/cli.log'
Update in progress, 6 seconds elapsed
Update succeeded

grant@ef-idm04:~[20230211-7:02][#212]$


I am in the middle of a migration from 7 -> 8 (3 of 5 servers are still CentOS 7).
The almalinux 8 systems showed an issue with log permissions when I executed the sync. The CentOS 7 systems did not output any error.
ipa_check_consistency and cipa show these are all “in sync” now.

what can I do to resolve these log issues, so next time I won’t see these again?

thanx

- grant



[Freeipa-users] Re: krblastadminunlock on user account

2022-12-02 Thread Grant Janssen via FreeIPA-users
krbLastAdminUnlock was only a part of my issue.

I was able to resolve this issue, but not in the manner I expected.
A careless administrator overwrote the keytabs on two FreeIPA servers while he was generating keytabs for MacOS hosts.
Somehow, FreeIPA still functioned; the only repercussion was that some users (but not all) were unable to ssh into the IPA servers.
The syslog did log this as a keytab issue.
I was able to recover the original keytabs with "ipa-getkeytab -r".

- grant


[Freeipa-users] Re: krblastadminunlock on user account

2022-11-23 Thread Grant Janssen via FreeIPA-users
I was able to remove this by overwriting the attribute
"ipa user-mod --setattr krblastadminunlock= waynev"

grant@ef-idm01:~[20221123-7:50][#1022]$ ipa user-show --all --raw waynev | grep -i krblastadminunlock
grant@ef-idm01:~[20221123-7:51][#1023]$

I’ll have the user test and we’ll see if this resolves the 'no ssh login to IPA servers' issue for this user.
If it’s a no, I will change his password.

thanx

- grant


[Freeipa-users] Re: krblastadminunlock on user account

2022-11-23 Thread Grant Janssen via FreeIPA-users
I see a slight variation, but still cannot remove the attribute.

grant@ef-idm01:~[20221123-7:19][#1018]$ ipa user-show --all --raw waynev | grep krblastadminunlock
grant@ef-idm01:~[20221123-7:20][#1019]$ ipa user-show --all --raw waynev | grep -i krblastadminunlock
  krbLastAdminUnlock: 20171006230951Z
grant@ef-idm01:~[20221123-7:20][#1020]$ ipa user-mod --delattr=krbLastAdminUnlock=20171006230951Z waynev
ipa: ERROR: krblastadminunlock does not contain '20171006230951Z'
grant@ef-idm01:~[20221123-7:20][#1021]$

- grant



[Freeipa-users] Re: krblastadminunlock on user account

2022-11-23 Thread Grant Janssen via FreeIPA-users
Alexander

Thank You for your attention, but this did not work for me.
I had tried earlier to remove this attribute in the conventional manner, but failed.
(example again at the tail of my output)

[root@ef-idm01 ~]# ipa -e in_server=true user-mod waynev --delattr=krblastadminunlock=20171006230951Z
ipa: ERROR: krblastadminunlock does not contain '20171006230951Z'
[root@ef-idm01 ~]# exit
logout
grant@ef-idm01:~[20221123-6:59][#1012]$ klist
Ticket cache: KEYRING:persistent:555:555
Default principal: gr...@production.efilm.com

Valid starting       Expires              Service principal
11/23/2022 04:43:47  11/24/2022 04:43:34  HTTP/ef-idm01.production.efilm@production.efilm.com
11/23/2022 04:43:37  11/24/2022 04:43:34  krbtgt/production.efilm@production.efilm.com
grant@ef-idm01:~[20221123-6:59][#1013]$ ipa user-mod --delattr=krblastadminunlock=20171006230951Z waynev
ipa: ERROR: krblastadminunlock does not contain '20171006230951Z'
grant@ef-idm01:~[20221123-6:59][#1014]$ ipa user-show --all waynev | grep krblastadminunlock
  krblastadminunlock: 20171006230951Z
grant@ef-idm01:~[20221123-DING!][#1015]$

thanx

- grant


[Freeipa-users] krblastadminunlock on user account

2022-11-23 Thread Grant Janssen via FreeIPA-users
I have an administrative user who hasn't logged into his account in some time - likely over a year.
He can authenticate to any bound host, but cannot login to the FreeIPA servers. I verified this wasn’t an HBAC issue.

I compared his account to my own and found he had an extra attribute - krblastadminunlock

grant@ef-idm01:~[20221123-4:41][#1003]$ ipa user-show --all waynev | grep krblastadminunlock
  krblastadminunlock: 20171006230951Z
grant@ef-idm01:~[20221123-4:47][#1004]$ ipa user-show --all grant | grep krblastadminunlock
grant@ef-idm01:~[20221123-4:47][#1005]$

I wasn’t able to find much on this, but did find this:
https://github.com/freeipa/freeipa/commit/69b1a5fc04357d1771c527444e9ba064759afb65

How can I remove the krblastadminunlock attribute from this user without resetting the password?

thanx

- grant



[Freeipa-users] Re: ghost replica for radius server

2022-11-18 Thread Grant Janssen via FreeIPA-users
that was easy - THANX Florence.

My ghost replica still doesn’t show in ipa_check_consistency.
Any ideas on that?

grant@radius01:~[20221118-3:56][#97]$ ipa server-state $HOSTNAME --state=enabled
ipa: WARNING: Automatic update of DNS system records failed. Please re-run update of system records manually to get list of missing records.

Changed server state of "radius01.production.efilm.com".

grant@radius01:~[20221118-3:57][#98]$ sudo ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
grant@radius01:~[20221118-3:58][#99]$ sudo ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
grant@radius01:~[20221118-3:58][#100]$ ipa server-state $HOSTNAME --state=hidden
ipa: WARNING: Automatic update of DNS system records failed. Please re-run update of system records manually to get list of missing records.

Changed server state of "radius01.production.efilm.com".

grant@radius01:~[20221118-3:59][#101]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W **
FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
=========================================================================
Active Users        349         349         349         349         OK
Stage Users         7           7           7           7           OK
Preserved Users     5           5           5           5           OK
User Groups         42          42          42          42          OK
Hosts               423         423         423         423         OK
Host Groups         23          23          23          23          OK
HBAC Rules          9           9           9           9           OK
SUDO Rules          35          35          35          35          OK
DNS Zones           ERROR       ERROR       ERROR       ERROR       OK
LDAP Conflicts      NO          NO          NO          NO          OK
Ghost Replicas      NO          NO          NO          NO          OK
Anonymous BIND      YES         YES         YES         YES         OK
Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
                    ef-idm03 0  ef-idm01 0  ef-idm01 0
                    ef-idm04 0
                    radius01 0
=========================================================================
grant@radius01:~[20221118-4:05][#102]$ sudo ipa-pkinit-manage status
[sudo] password for grant:
PKINIT is enabled
The ipa-pkinit-manage command was successful
grant@radius01:~[20221118-4:06][#103]$

When I add the _ldap._tcp and _ldaps._tcp SRV records for the radius server, ipa_check_consistency shows the replication is good, but it still doesn’t appear as a Ghost.

grant@radius01:~[20221118-4:47][#106]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W **
FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    radius01    STATE
=====================================================================================
Active Users        349         349         349         349         349         OK
Stage Users         7           7           7           7           7           OK
Preserved Users     5           5           5           5           5           OK
User Groups         42          42          42          42          42          OK
Hosts               423         423         423         423         423         OK
Host Groups         23          23          23          23          23          OK
HBAC Rules          9           9           9           9           9           OK
SUDO Rules          35          35          35          35          35          OK
DNS Zones           ERROR       ERROR       ERROR       ERROR       ERROR       OK
LDAP Conflicts      NO          NO          NO          NO          NO          OK
Ghost Replicas      NO          NO          NO          NO          NO          OK
Anonymous BIND      YES         YES         YES         YES         YES         OK
Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0  ef-idm01 0
                    ef-idm03 0  ef-idm01 0  ef-idm01 0
                    ef-idm04 0
                    radius01 0
=====================================================================================
grant@radius01:~[20221118-4:52][#107]$

thanx

- grant



[Freeipa-users] ghost replica for radius server

2022-11-17 Thread Grant Janssen via FreeIPA-users
Building a radius server, and decided this was an ideal application for a hidden replica.
I got some errors in the replica install, and the consistency check does not show a ghost replica (but does show my radius host in Replication Status.)
I run external DNS; this radius host has only A and PTR records.

grant@radius01:~[20221117-13:45][#89]$ sudo ipa-replica-install --setup-ca --hidden-replica
Password for ad...@production.efilm.com: 
*

WARNING: 376 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: no
Run connection check to master
Connection check OK
-snip-
  [28/30]: importing IPA certificate profiles
Lookup failed: Preferred host radius01.production.efilm.com does not provide CA.
Lookup failed: Preferred host radius01.production.efilm.com does not provide CA.
Failed to import profile 'acmeIPAServerCert': Request failed with status 500: Non-2xx response from CA REST API: 500. . Running ipa-server-upgrade when installation is completed may resolve this issue.
  [29/30]: configuring certmonger renewal for lightweight CAs
  [30/30]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_REJECTED: Server at https://ef-idm01.production.efilm.com/ipa/json failed request, will retry: 903 (an internal error has occurred).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
-snip-
  [7/7]: adding fallback group
Fallback group already set, nothing to do
Done.
The ipa-replica-install command was successful
grant@radius01:~[20221117-13:51][#90]$

check consistency
grant@radius01:~[20221117-13:53][#92]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W *
FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
=========================================================================
Active Users        349         349         349         349         OK
Stage Users         7           7           7           7           OK
Preserved Users     5           5           5           5           OK
User Groups         42          42          42          42          OK
Hosts               423         423         423         423         OK
Host Groups         23          23          23          23          OK
HBAC Rules          9           9           9           9           OK
SUDO Rules          35          35          35          35          OK
DNS Zones           ERROR       ERROR       ERROR       ERROR       OK
LDAP Conflicts      NO          NO          NO          NO          OK
Ghost Replicas      NO          NO          NO          NO          OK
Anonymous BIND      YES         YES         YES         YES         OK
Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
                    ef-idm03 0  ef-idm01 0  ef-idm01 0
                    ef-idm04 0
                    radius01 0
=========================================================================
grant@radius01:~[20221117-13:53][#93]$

I executed ipa-server-upgrade as suggested
grant@radius01:~[20221117-16:09][#88]$ sudo ipa-server-upgrade
[sudo] password for grant:
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
Add failure attribute "cn" not allowed
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
-snip-
Migrating profile 'caAuditSigningCert'
[Ensuring presence of included profiles]
[Add default CA ACL]
[Updating ACME configuration]
[Migrating to authselect profile]
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Add r...@production.efilm.com alias to admin account]
Added 

[Freeipa-users] Re: Rocky Linux 9 missing groups or modules: idm:DL1

2022-11-03 Thread Grant Janssen via FreeIPA-users
I found I had to remove the ipa-client already installed from the standard repo

$ sudo yum remove ipa-client
then
$ sudo yum module install idm:DL1/server

worked for me.

- grant


> On Nov 3, 2022, at 14:01, Leo O via FreeIPA-users wrote:
> 
> I would like to build my Freeipa Postfix-Book plugin for Rocky Linux 9. Therefore I'm following my readme instructions to set up a development environment:

> Unfortunately when executing "dnf module enable idm:DL1" on a Rocky Linux 9 VM, I get:
> "
> Error: Problems in request:
> missing groups or modules: idm:DL1
> "
> How can I do that on Rocky9, Rhel9?


[Freeipa-users] Re: ID Views change sudo rules for local user

2022-06-17 Thread Grant Janssen via FreeIPA-users
what does "sudo -l -U " show?
My experience flushing sss_cache has rarely been successful.
When I experience issues with user sudo permissions, I restart sssd. Fixes it every time.

- grant


On Jun 17, 2022, at 00:53, Alessandro Fort via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


Hi,

I have a local user (let's call it local) that has NOPASSWD set in /etc/sudoers. When I apply an ID view to change my FreeIPA user's (let's call it domain) username, UID, GID, shell and home to that of local, whenever I try to use sudo after logging in with either domain or local, domain's sudo rules apply and I am asked for a password. Is this expected behaviour or a quirk of my configuration/policies? I would expect that when logging in using domain, FreeIPA sudo rules are applied, while if I log in using local I'd get the old /etc/sudoers policy. Is this possible?

Thank you!


[Freeipa-users] Re: Password reuse not permitted on ipa-replica-prepare

2022-06-02 Thread Grant Janssen via FreeIPA-users
This issue has mutated substantially from the initial issue. I can open a new thread for my current issue.
Once I changed the domain level to 1, ipa-replica-prepare no longer applies and now the method to create a replica is to promote a client.
But (as detailed) this is failing for me as well.

thanx

- grant


[Freeipa-users] Re: Password reuse not permitted on ipa-replica-prepare

2022-06-01 Thread Grant Janssen via FreeIPA-users
There are quite a few logs for the various moving pieces.
I am looking at the http related logs.

grant@ef-idm03:/var/log/httpd[20220601-13:08][#193]$ sudo more access_log
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:07:57:50 -0700] "POST /ipa/json HTTP/1.1" 200 291
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:07:57:53 -0700] "POST /ipa/json HTTP/1.1" 200 301
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:07:57:54 -0700] "POST /ipa/json HTTP/1.1" 200 307
10.1.132.27 - - [01/Jun/2022:08:03:03 -0700] "POST /ipa/json HTTP/1.1" 401 1300
10.1.132.27 - gr...@production.efilm.com [01/Jun/2022:08:03:03 -0700] "POST /ipa/json HTTP/1.1" 200 2555
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:08:03:07 -0700] "POST /ipa/json HTTP/1.1" 200 291
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:08:03:08 -0700] "POST /ipa/json HTTP/1.1" 200 91919
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:08:03:11 -0700] "POST /ipa/session/json HTTP/1.1" 200 291
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:08:03:11 -0700] "POST /ipa/session/json HTTP/1.1" 200 291
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:08:03:11 -0700] "POST /ipa/session/json HTTP/1.1" 200 157
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:08:03:11 -0700] "POST /ipa/session/json HTTP/1.1" 200 519
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:08:03:12 -0700] "POST /ipa/session/json HTTP/1.1" 200 193
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:08:03:50 -0700] "POST /ipa/json HTTP/1.1" 200 291
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:08:03:50 -0700] "POST /ipa/json HTTP/1.1" 200 301
10.1.132.27 - host/ef-idm04.production.efilm@production.efilm.com [01/Jun/2022:08:03:50 -0700] "POST /ipa/json HTTP/1.1" 200 307
10.1.132.31 - gr...@production.efilm.com [01/Jun/2022:08:23:49 -0700] "POST /ipa/json HTTP/1.1" 200 269
10.1.132.31 - gr...@production.efilm.com [01/Jun/2022:08:23:50 -0700] "POST /ipa/json HTTP/1.1" 200 91895
10.1.132.31 - gr...@production.efilm.com [01/Jun/2022:08:23:50 -0700] "POST /ipa/session/json HTTP/1.1" 200 269
10.1.132.31 - gr...@production.efilm.com [01/Jun/2022:08:23:50 -0700] "POST /ipa/session/json HTTP/1.1" 200 114
10.1.132.31 - - [01/Jun/2022:10:06:10 -0700] "POST /ipa/xml HTTP/1.1" 401 1300
10.1.132.31 - - [01/Jun/2022:10:06:10 -0700] "GET /ca/rest/account/login HTTP/1.1" 200 218
10.1.132.31 - - [01/Jun/2022:10:06:11 -0700] "GET /ca/rest/authorities/3dec677a-a6e1-4aa7-8606-45fab060f1e7/cert HTTP/1.1" 200 938
10.1.132.31 - - [01/Jun/2022:10:06:11 -0700] "GET /ca/rest/account/logout HTTP/1.1" 204 -
10.1.132.31 - - [01/Jun/2022:10:06:12 -0700] "POST /ca/rest/certrequests?issuer-id=3dec677a-a6e1-4aa7-8606-45fab060f1e7 HTTP/1.1" 200 321
10.1.132.31 - - [01/Jun/2022:10:06:15 -0700] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 12097
10.1.132.31 - host/ef-idm03.production.efilm@production.efilm.com [01/Jun/2022:10:06:10 -0700] "POST /ipa/xml HTTP/1.1" 200 3468
10.1.132.31 - - [01/Jun/2022:10:11:22 -0700] "POST /ipa/xml HTTP/1.1" 401 1300
10.1.132.31 - - [01/Jun/2022:10:11:23 -0700] "GET /ca/rest/account/login HTTP/1.1" 200 218
10.1.132.31 - - [01/Jun/2022:10:11:23 -0700] "GET /ca/rest/authorities/3dec677a-a6e1-4aa7-8606-45fab060f1e7/cert HTTP/1.1" 200 938
10.1.132.31 - - [01/Jun/2022:10:11:23 -0700] "GET /ca/rest/account/logout HTTP/1.1" 204 -
10.1.132.31 - - [01/Jun/2022:10:11:24 -0700] "POST /ca/rest/certrequests?issuer-id=3dec677a-a6e1-4aa7-8606-45fab060f1e7 HTTP/1.1" 200 321
10.1.132.31 - - 
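The access_log above shows the GSSAPI Negotiate handshake the way httpd records it: an anonymous request is answered with 401, then the same client retries the same path and is logged with its Kerberos principal. The script below is an added example, not part of the post and not FreeIPA's own tooling. It parses Common Log Format lines, pairs each anonymous 401 with the authenticated retry that follows from the same client on the same path, and reports clients whose challenge was never answered, which is the first thing to check when a client cannot authenticate to the server. The sample lines are constructed in the shape of the log above; the addresses, principals and the EXAMPLE.TEST realm are made up.

```python
"""Pair anonymous 401 challenges in an httpd access_log with the authenticated
retry that should follow, to spot clients whose Negotiate handshake never completes."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Common Log Format: ip ident user [timestamp] "method path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass
class Request:
    ip: str
    user: Optional[str]      # None when httpd logged "-" (no authenticated principal)
    ts: datetime
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Request]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user = None if m["user"] == "-" else m["user"]
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Request(m["ip"], user, ts, m["method"], m["path"], int(m["status"]))


def parse_log(text: str) -> List[Request]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def negotiate_summary(requests: List[Request],
                      window: timedelta = timedelta(seconds=10)) -> Dict[str, list]:
    """Classify requests:
      completed: anonymous 401 followed (same client, same path, within window) by a 200 with a principal
      failed:    anonymous 401 with no such follow-up, i.e. the client never presented a usable token
      direct:    200 with a principal that needed no challenge (token sent up front, or a session)"""
    reqs = sorted(requests, key=lambda r: r.ts)       # stable sort keeps file order within a second
    completed, failed, direct = [], [], []
    claimed = set()                                    # indexes of 200s already paired with a 401
    for i, r in enumerate(reqs):
        if r.status == 401 and r.user is None:
            match = None
            for j in range(i + 1, len(reqs)):
                c = reqs[j]
                if c.ts - r.ts > window:
                    break
                if (j not in claimed and c.ip == r.ip and c.path == r.path
                        and c.user and c.status == 200):
                    match = j
                    break
            if match is None:
                failed.append(r)
            else:
                claimed.add(match)
                completed.append((r, reqs[match]))
        elif r.status == 200 and r.user and i not in claimed:
            direct.append(r)
    return {"completed": completed, "failed": failed, "direct": direct}


def failed_clients(summary: Dict[str, list]) -> List[str]:
    """Client addresses whose challenges went unanswered: where to look first for a
    missing ticket, a stale keytab or clock skew."""
    return sorted({r.ip for r in summary["failed"]})


# Constructed sample (addresses, principals and realm are made up).
SAMPLE_LOG = """\
10.0.0.27 - - [01/Jun/2022:08:03:03 -0700] "POST /ipa/json HTTP/1.1" 401 1300
10.0.0.27 - alice@EXAMPLE.TEST [01/Jun/2022:08:03:03 -0700] "POST /ipa/json HTTP/1.1" 200 2555
10.0.0.27 - alice@EXAMPLE.TEST [01/Jun/2022:08:03:11 -0700] "POST /ipa/session/json HTTP/1.1" 200 291
10.0.0.31 - - [01/Jun/2022:10:06:10 -0700] "POST /ipa/xml HTTP/1.1" 401 1300
10.0.0.31 - host/client.example.test@EXAMPLE.TEST [01/Jun/2022:10:06:10 -0700] "POST /ipa/xml HTTP/1.1" 200 3468
10.0.0.40 - - [01/Jun/2022:10:11:22 -0700] "POST /ipa/json HTTP/1.1" 401 1300
10.0.0.40 - - [01/Jun/2022:10:11:23 -0700] "POST /ipa/json HTTP/1.1" 401 1300
"""

if __name__ == "__main__":
    s = negotiate_summary(parse_log(SAMPLE_LOG))
    print(f"completed={len(s['completed'])} failed={len(s['failed'])} direct={len(s['direct'])}")
    print("clients with unanswered challenges:", failed_clients(s))
```

Run against a real access_log by feeding the file contents to `parse_log`. A client that appears only in the `failed` list, as 10.0.0.40 does in the sample, never got past the challenge; a client in `completed` authenticated normally, and the 401 before its 200 is expected behaviour, not an error.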

[Freeipa-users] Re: Password reuse not permitted on ipa-replica-prepare

2022-06-01 Thread Grant Janssen via FreeIPA-users
I have attached the ipareplica-install.log
Let me figure out how to add a SAN to the web server certs.

- grant



On Jun 1, 2022, at 12:12, Rob Crittenden <rcrit...@redhat.com> wrote:

-snip-

Can you share ipareplica-install.log?

I don't know that this will fix it but you'll want a SAN for the web
server as well in any case.

rob



[Attachment: ipareplica-install.log.gz]


[Freeipa-users] Re: Password reuse not permitted on ipa-replica-prepare

2022-06-01 Thread Grant Janssen via FreeIPA-users
a cascade of issues

• I needed to set the domainlevel to 1 in order to join my client.
grant@ef-idm01:~[20220601-8:14][#1041]$ ipa domainlevel-get
---
Current domain level: 0
---
grant@ef-idm01:~[20220601-8:14][#1042]$ ipa domainlevel-set 1
---
Current domain level: 1
---
grant@ef-idm01:~[20220601-8:14][#1043]$

• the new client requires that the IPA certs have the hostname(s) as Subject 
Alternative Name.
I did this to the IPA servers:
sudo ipa-getcert resubmit -d /etc/dirsrv/slapd-PRODUCTION-EFILM-COM -n Server-Cert -D `hostname`
then restarted IPA.

sudo certutil -L -d /etc/dirsrv/slapd-PRODUCTION-EFILM-COM -n Server-Cert
now shows a SAN entry.

Things have changed though: it appears I no longer do a prepare, and instead 
promote a client:

grant@ef-idm03:~[20220601-10:35][#215]$ sudo ipa-replica-prepare ef-idm04.production.efilm.com

Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.

The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.

To set up a replica use the following procedure:
1.) set up a client on the host using 'ipa-client-install'
2.) promote the client to replica running 'ipa-replica-install'
*without* replica file specified

'ipa-replica-prepare' is allowed only in domain level 0
The ipa-replica-prepare command failed.
grant@ef-idm03:~[20220601-10:36][#216]$

But promoting the client fails

grant@ef-idm04:~[20220601-10:37][#70]$ sudo ipa-replica-install --setup-ca
[sudo] password for grant:
Password for ad...@production.efilm.com: 
**
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.


NetBIOS domain name [PRODUCTION]:


WARNING: 340 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: yes
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/38]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=production,dc=efilm,dc=com ...
Perform post-installation tasks ...
  [2/38]: tune ldbm plugin
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configure password logging
  [7/38]: configuring replication version plugin
  [8/38]: enabling IPA enrollment plugin
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: configuring topology plugin
  [16/38]: creating indices
  [17/38]: enabling referential integrity plugin
  [18/38]: configuring certmap.conf
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache and keytab
  [21/38]: enabling SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: creating DS keytab
  [24/38]: ignore time skew for initial replication
  [25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 12 seconds elapsed
Update succeeded

  [26/38]: prevent time skew after initial replication
  [27/38]: adding sasl mappings to the directory
  [28/38]: updating schema
  [29/38]: setting Auto Member configuration
  [30/38]: enabling S4U2Proxy delegation
  [31/38]: initializing group membership
  [32/38]: adding master entry
  [33/38]: initializing domain level
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: activating sidgen plugin
  [37/38]: activating extdom plugin
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done 

[Freeipa-users] Re: Password reuse not permitted on ipa-replica-prepare

2022-06-01 Thread Grant Janssen via FreeIPA-users
Okay.  Let me do the updates - then try again.

grant@ef-idm01:~[20220601-5:02][#1010]$  rpm -qa | grep ipa-server
ipa-server-dns-4.5.0-22.el7.centos.noarch
ipa-server-common-4.5.0-22.el7.centos.noarch
ipa-server-4.5.0-22.el7.centos.x86_64
grant@ef-idm01:~[20220601-5:53][#1011]$

Your assistance on this is appreciated.

- grant


On Jun 1, 2022, at 05:45, Florence Blanc-Renaud <f...@redhat.com> wrote:



Hi,

On Wed, Jun 1, 2022 at 2:10 PM Grant Janssen via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
I’m on the march to move beyond CentOS 7.  My plan was to build more replicas, 
then retire the old systems.
I haven’t built a replica since 2019, but the commands I used then are failing 
now.

grant@ef-idm01:~[20220601-4:39][#1003]$ sudo ipa-replica-prepare ef-idm04.production.efilm.com
Directory Manager (existing master) password: **

Preparing replica for ef-idm04.production.efilm.com from ef-idm01.production.efilm.com
Constraint violation: Password reuse not permitted
The ipa-replica-prepare command failed.
grant@ef-idm01:~[20220601-4:40][#1004]$

This error message is rather laconic, so I don’t understand the nature of the 
issue and why I would get a password error.

The issue looks very similar to https://pagure.io/freeipa/issue/7181. 
The workaround is described in the ticket, but the issue was fixed a while ago 
(in IPA 4.6.8) and I'm wondering which version you have?
flo

- grant


[Freeipa-users] Password reuse not permitted on ipa-replica-prepare

2022-06-01 Thread Grant Janssen via FreeIPA-users
I’m on the march to move beyond CentOS 7.  My plan was to build more replicas, 
then retire the old systems.
I haven’t built a replica since 2019, but the commands I used then are failing 
now.

grant@ef-idm01:~[20220601-4:39][#1003]$ sudo ipa-replica-prepare ef-idm04.production.efilm.com
Directory Manager (existing master) password: **

Preparing replica for ef-idm04.production.efilm.com from ef-idm01.production.efilm.com
Constraint violation: Password reuse not permitted
The ipa-replica-prepare command failed.
grant@ef-idm01:~[20220601-4:40][#1004]$

This error message is rather laconic, so I don’t understand the nature of the 
issue and why I would get a password error.

- grant



[Freeipa-users] Re: Setting up authentication for apache webserver (part 2) -- User is not unique

2022-01-11 Thread Grant Janssen via FreeIPA-users
This is normal (and desirable): the user is added in both the users/accounts tree 
and the compat tree.
I have had issues with nested groups when I fail to use the compat tree in my 
LDAP integrations.

- grant


[Freeipa-users] Re: Jira LDAP integration with JIRA

2021-03-06 Thread Grant Janssen via FreeIPA-users
I’ve been through this a few times
use the compat tree

- grant

On Mar 6, 2021, at 03:03, Kaspars Tuna via FreeIPA-users wrote:


I am working on integrating a Jira instance with a freeIPA instance through LDAP 
to retrieve all the users being stored in the freeIPA user directory. I can 
manage to retrieve all the users, but I cannot seem to be able to retrieve the 
user groups/memberships; the "Test get user's memberships : Failed" seems to 
fail all the time with no particular info in the 
jira-software/logs/atlassian-jira.log file. No luck finding any other resources 
online. Has anybody encountered such issues? If so, what did you do?



The schema I am using is below:

Directory type : LDAP, OpenLDAP (have also attempted to use LDAP with internal 
authentication, which doesn't give me any groups either)

base DN:cn=users,cn=accounts,dc=example,dc=io

Read Only, with Local groups checked and adding to jira-software -users by 
default.

Use schema - all user info is being retrieved, so no issue

Group Schema

Group Object Class : groupOfNames

Group Object Filter:(objectclass=groupOfNames)

Group Name attribute: cn

Group Description attribute : description



Membership schema

Group Members attribute : Member

User Membership attribute: memberOf

freeIPA users have memberOf: cn=group-example, cn=groups, cn=accounts, 
dc=example, dc=com
and groups have member: cn=usere, cn=accounts, cn=users, dc=example, dc=com


[Freeipa-users] FreeIPA server host keytab was deleted

2021-03-02 Thread Grant Janssen via FreeIPA-users
an inexperienced administrator overwrote the /etc/krb5.keytab on my IDM server. 
(ugh!)

I had thought ipa-getkeytab was retrieving the keytab, but now see I 
regenerated it and SHOULD have used the -r flag.

ipa-getkeytab(1)                IPA Manual Pages                ipa-getkeytab(1)

NAME
       ipa-getkeytab - Get a keytab for a Kerberos principal

SYNOPSIS
       ipa-getkeytab -p principal-name -k keytab-file [ -e encryption-types ] [ -s ipaserver ] [ -q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ] [ -P|--password PASSWORD ] [ --cacert CACERT ] [ -H|--ldapuri URI ] [ -Y|--mech GSSAPI|EXTERNAL ] [ -r ]

DESCRIPTION
   Retrieves a Kerberos keytab.

-snip-
   WARNING: retrieving the keytab resets the secret for the Kerberos 
principal.  This renders all other keytabs for that principal invalid.

-snip-


grant@ef-idm01:/etc[20210302-15:39][#1009]$ ipa-getkeytab -s ef-idm01.production.efilm.com -p host/ef-idm01.production.efilm.com -k ~/ef-idm01.krb5.keytab
Keytab successfully retrieved and stored in: /home/grant/ef-idm01.krb5.keytab
grant@ef-idm01:/etc[20210302-15:40][#1010]$ sudo rsync -av ~/ef-idm01.krb5.keytab /etc/krb5.keytab
sending incremental file list
ef-idm01.krb5.keytab

sent 521 bytes  received 31 bytes  1104.00 bytes/sec
total size is 418  speedup is 0.76
grant@ef-idm01:/etc[20210302-15:40][#1011]$ ls -al /etc/krb5.keytab
-rw--- 1 grant grant 418 Mar  2 15:40 /etc/krb5.keytab
grant@ef-idm01:/etc[20210302-15:40][#1012]$ sudo chown root.root /etc/krb5.keytab
grant@ef-idm01:/etc[20210302-15:41][#1013]$

What are the possible repercussions of regenerating this keytab?
I don’t see any issues.  Am I missing anything?

thanx

- grant
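The repercussion the man page warns about is visible in the keytab itself: every time the key is regenerated rather than retrieved with `-r`, the KDC bumps the key version number (kvno), and any other copy of the keytab still carries the old kvno and can no longer decrypt tickets for that principal. The following is an added example, not from the post and not FreeIPA's own tooling. It parses the keytab file layout (version 2, the format MIT and Heimdal write) to list each entry's principal, kvno and enctype, flags entries whose kvno is behind what the KDC reports, and checks the ownership and mode that the rsync step above initially got wrong. The principals, realm, key bytes and the KDC kvno table are constructed; in practice the table would be filled from `kvno <principal>` on a host with a valid ticket, which is an assumption of this example, not something the code does.

```python
"""Parse a version 2 keytab and flag stale or exposed copies."""
import os
import stat
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Registered Kerberos enctype numbers; only the common AES ones are named here.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192"}


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int        # key version number; the KDC bumps it whenever the key is regenerated
    enctype: int
    timestamp: int   # seconds since the epoch when the entry was written
    key: bytes


def _cos(raw: bytes) -> bytes:
    """Counted octet string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def _read_cos(data: bytes, pos: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the v2 layout (used here only to construct sample input)."""
    out = bytearray(b"\x05\x02")                      # keytab magic + version 2
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        for c in comps:
            body += _cos(c.encode())
        body += struct.pack(">I", 1)                  # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", e.timestamp)
        body += struct.pack("B", e.kvno & 0xFF)       # legacy 8-bit kvno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)             # 32-bit kvno trailer, used when non-zero
        out += struct.pack(">i", len(body)) + body    # positive record size = live entry
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the record list; a negative size marks a deleted slot and is skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries: List[KeytabEntry] = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cos(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cos(data, pos)
            comps.append(c)
        _name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                            # optional 32-bit kvno trailer
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts, key))
    return entries


def stale_entries(entries: List[KeytabEntry], kdc_kvno: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """(principal, keytab kvno, KDC kvno) for entries that are behind the KDC."""
    out = set()
    for e in entries:
        current = kdc_kvno.get(e.principal)
        if current is not None and e.kvno < current:
            out.add((e.principal, e.kvno, current))
    return sorted(out)


def permission_problems(mode: int, uid: int) -> List[str]:
    """A keytab is a long-lived credential: it should be owned by root and mode 0600."""
    problems = []
    if uid != 0:
        problems.append(f"owned by uid {uid}, expected root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.S_IMODE(mode):04o} grants group/other access")
    return problems


def check_keytab_file(path: str) -> List[str]:
    st = os.stat(path)
    return permission_problems(st.st_mode, st.st_uid)


# Constructed sample: host principal with two enctypes at kvno 3, an HTTP principal
# at kvno 7, and one principal whose kvno exceeds 255 (needs the 32-bit trailer).
DUMMY_KEY = bytes(range(32))                          # placeholder key material
SAMPLE_ENTRIES = [
    KeytabEntry("host/idm01.example.test@EXAMPLE.TEST", 3, 18, 1614700000, DUMMY_KEY),
    KeytabEntry("host/idm01.example.test@EXAMPLE.TEST", 3, 17, 1614700000, DUMMY_KEY[:16]),
    KeytabEntry("HTTP/idm01.example.test@EXAMPLE.TEST", 7, 18, 1614700000, DUMMY_KEY),
    KeytabEntry("nfs/idm01.example.test@EXAMPLE.TEST", 300, 18, 1614700000, DUMMY_KEY),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)
# Same file with a deleted slot in front, as a keytab that has had an entry removed would look.
SAMPLE_WITH_HOLE = SAMPLE_KEYTAB[:2] + struct.pack(">i", -5) + bytes(5) + SAMPLE_KEYTAB[2:]
# Constructed: what the KDC reports after ipa-getkeytab (without -r) was re-run for the host principal.
KDC_KVNO_AFTER_REGEN = {"host/idm01.example.test@EXAMPLE.TEST": 4,
                        "HTTP/idm01.example.test@EXAMPLE.TEST": 7,
                        "nfs/idm01.example.test@EXAMPLE.TEST": 300}

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"kvno {e.kvno:>4}  {ENCTYPE_NAMES.get(e.enctype, e.enctype):28} {e.principal}")
    print("stale:", stale_entries(parse_keytab(SAMPLE_KEYTAB), KDC_KVNO_AFTER_REGEN))
    print("perm problems:", permission_problems(0o100644, 1000))
```

To audit a real file, read it and pass the bytes to `parse_keytab`, then `check_keytab_file` on the same path. A copy whose kvno trails the KDC for a principal, as the host entries do in the sample after the simulated regeneration, is exactly the "other keytab rendered invalid" the man page describes; replacing it with a copy retrieved using `-r` keeps the kvno in step instead of bumping it again.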


[Freeipa-users] Re: mkhomedir recommendation?

2021-01-19 Thread Grant Janssen via FreeIPA-users
If you forgot the --mkhomedir option, you can use authconfig:
authconfig --enablemkhomedir --update

- grant

On Jan 19, 2021, at 03:33, Dominik Vogt via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:


ipa-client-install has the --mkhomedir option based on
pam_mkhomedir.  RHEL8 seems to prefer oddjob-mkhomedir instead.
What's the recommended method for RHEL8.x please?

Ciao

Dominik ^_^  ^_^

--

Dominik Vogt


[Freeipa-users] macOS-X bound to freeIPA - mkhomedir

2020-12-23 Thread Grant Janssen via FreeIPA-users
I’ve been running a number of Macs bound to FreeIPA for years now.  The biggest 
nuisance is that I haven’t found a way to make a home directory when one doesn’t 
exist.
Without a home directory, a user logs in, the beachball spins forever and the 
user never gets a desktop because there is no user home directory.

"createhomedir -c -a" functions (on most systems), but I’d rather not run this 
in cron.

Has anyone found the PAM secret to have this function like mkhomedir on a 
CentOS host?

CentOS 7
grant@outhouse:~[20201213-6:51][#1003]$ authconfig --test | grep mkhome
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
grant@outhouse:~[20201213-6:51][#1004]$

I wish there were an authconfig on os-x

- grant


[Freeipa-users] macOS-X bound to freeIPA - mkhomedir

2020-12-13 Thread Grant Janssen via FreeIPA-users
I’ve been running a number of Macs bound to FreeIPA for years now.  The biggest 
nuisance is that I haven’t found a way to make a home directory when one doesn’t 
exist.
Without a home directory, a user logs in, the beachball spins forever and the 
user never gets a desktop because there is no user home directory.

"createhomedir -c -a" functions (on most systems), but I’d rather not run this 
in cron.

Has anyone found the PAM secret to have this function like mkhomedir on a 
CentOS host?

CentOS 7
grant@outhouse:~[20201213-6:51][#1003]$ authconfig --test | grep mkhome
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
grant@outhouse:~[20201213-6:51][#1004]$

I wish there were an authconfig on os-x

- grant


[Freeipa-users] Re: [389-users] How to invalidate local cache after user changed their password

2019-02-27 Thread Grant Janssen via FreeIPA-users
You might want to take a look at the man page for sss_cache.

We use sss_cache occasionally to flush such problems.

- grant


[Freeipa-users] Re: CentOS 7 ipa upgrade causes pki-tomcatd not to start CA

2018-12-29 Thread Grant Janssen via FreeIPA-users
I recently performed this on my servers.
What does "ipa --version" show?
After the yum update, did you run "ipa-server-upgrade"?

- grant



[Freeipa-users] Re: new replica does not post properly in ipa_check_consistency

2018-12-20 Thread Grant Janssen via FreeIPA-users
I never thought to dissect the ipa_check_consistency script.
I wasn’t going to add the SRV record until everything tested perfectly - didn’t 
want authorizations going to a server that wasn’t functioning.

Added the SRV record.  Now THAT was an easy fix.

grant@ef-idm03:~[20181219-11:37][#111]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W
FreeIPA servers:      ef-idm01    ef-idm02    ef-idm03    STATE
================================================================
Active Users          129         129         129         OK
Stage Users           7           7           7           OK
Preserved Users       0           0           0           OK
User Groups           22          22          22          OK
Hosts                 158         158         158         OK
Host Groups           16          16          16          OK
HBAC Rules            5           5           5           OK
SUDO Rules            14          14          14          OK
DNS Zones             ERROR       ERROR       ERROR       OK
LDAP Conflicts        NO          NO          NO          OK
Ghost Replicas        NO          NO          NO          OK
Anonymous BIND        YES         YES         YES         OK
Replication Status    ef-idm02 0  ef-idm01 0  ef-idm01 0
                                              ef-idm03 0
================================================================
grant@ef-idm03:~[20181220-5:42][#112]$

thanx
& merry christmas

- grant




[Freeipa-users] new replica does not post properly in ipa_check_consistency

2018-12-19 Thread Grant Janssen via FreeIPA-users
New replica looks to be fully joined.  I can add users, and I have verified by log examination that the new replica is actually the server adding the user.

I cannot detect any issues, BUT the 3rd replica does not appear as a column when I execute the ipa_check_consistency script.

grant@ef-idm03:~[20181219-11:35][#103]$ ipa-replica-manage list
ef-idm03.production.efilm.com: master
ef-idm02.production.efilm.com: master
ef-idm01.production.efilm.com: master
grant@ef-idm03:~[20181219-11:35][#104]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W
FreeIPA servers:    ef-idm01    ef-idm02    STATE
=================================================
Active Users        129         129         OK
Stage Users         7           7           OK
Preserved Users     0           0           OK
User Groups         22          22          OK
Hosts               158         158         OK
Host Groups         16          16          OK
HBAC Rules          5           5           OK
SUDO Rules          14          14          OK
DNS Zones           ERROR       ERROR       OK
LDAP Conflicts      NO          NO          OK
Ghost Replicas      NO          NO          OK
Anonymous BIND      YES         YES         OK
Replication Status  ef-idm02 0  ef-idm01 0
                    ef-idm03 0
=================================================
grant@ef-idm03:~[20181219-11:35][#105]$ ipa user_find | grep entries
Number of entries returned 129
grant@ef-idm03:~[20181219-11:35][#106]$ ipa group_find | grep entries
Number of entries returned 22
grant@ef-idm03:~[20181219-11:35][#107]$ ipa host_find | grep entries
Number of entries returned 155
grant@ef-idm03:~[20181219-11:36][#108]$ ipa hostgroup_find | grep entries
Number of entries returned 16
grant@ef-idm03:~[20181219-11:36][#109]$ ipa hbacrule-find | grep entries
Number of entries returned 5
grant@ef-idm03:~[20181219-11:37][#110]$ ipa sudorule-find | grep entries
Number of entries returned 14
grant@ef-idm03:~[20181219-11:37][#111]$

what does this indicate?

thanx

- grant



[Freeipa-users] Re: new replica has no dnarange

2018-12-06 Thread Grant Janssen via FreeIPA-users
feeling the squeeze of the python.
as it turns out, I was barking up the right tree on this mod_wsgi issue.

when I tried to remove:
 python36u-mod_wsgi python36u python36u-libs python36u-setuptools
yum wanted to take ipa-server and ipa-server-dns with it.
- nope, didn’t want to do that

I installed mod_wsgi-3.4-12

then ran my remove of the python36u bits.

I rebooted the host.  I came up with:
grant@ef-idm03:~[20181206-16:39][#22]$ ipa-replica-manage dnarange-show
ipa: ERROR: Cannot open log file u'/var/log/ipa/cli.log': [Errno 13] Permission denied: u'/var/log/ipa/cli.log'
ef-idm01.production.efilm.com: 457200144-457300499
ef-idm02.production.efilm.com: 457300502-45739
ef-idm03.production.efilm.com: No range set
grant@ef-idm03:~[20181206-16:39][#23]$

the web interface loads now.

I added a user on the new replica, and verified it was created locally by 
checking the logs.
I have my dnarange now on replica 3:

grant@ef-idm03:~[20181206-16:40][#24]$ ipa-replica-manage dnarange-show
ipa: ERROR: Cannot open log file u'/var/log/ipa/cli.log': [Errno 13] Permission denied: u'/var/log/ipa/cli.log'
ef-idm01.production.efilm.com: 457200144-457250499
ef-idm02.production.efilm.com: 457300502-45739
ef-idm03.production.efilm.com: 457250501-457300499
grant@ef-idm03:~[20181206-16:40][#25]$

all appears in order now with the exception of the ipa_check_consistency.  I 
expected another column for the new replica.

grant@ef-idm03:~[20181206-16:49][#29]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W ***
FreeIPA servers:    ef-idm01    ef-idm02    STATE
=================================================
Active Users        127         127         OK
Stage Users         7           7           OK
Preserved Users     0           0           OK
User Groups         22          22          OK
Hosts               158         158         OK
Host Groups         16          16          OK
HBAC Rules          5           5           OK
SUDO Rules          14          14          OK
DNS Zones           ERROR       ERROR       OK
LDAP Conflicts      NO          NO          OK
Ghost Replicas      NO          NO          OK
Anonymous BIND      YES         YES         OK
Replication Status  ef-idm02 0  ef-idm01 0
                    ef-idm03 0
=================================================
grant@ef-idm03:~[20181206-16:49][#30]$

the consistency check and the log error appear to be the sole remaining issues.  Not deal breakers, but I’d like it to run clean.

 if anyone has a suggestion on these remaining issues, I’m listening.

thank you for your help rob.

- grant


[Freeipa-users] Re: new replica has no dnarange

2018-12-06 Thread Grant Janssen via FreeIPA-users
it appears your suspicion was correct

/var/log/httpd/error_log from the new replica [10.1.132.31]:
[Thu Dec 06 08:17:17.119449 2018] [auth_gssapi:error] [pid 31454] [client 10.1.132.31:43394] Failed to unseal session data!, referer: https://ef-idm03.production.efilm.com/ipa/xml
[Thu Dec 06 08:17:17.119476 2018] [auth_gssapi:error] [pid 31454] [client 10.1.132.31:43394] NO AUTH DATA Client did not send any authentication headers, referer: https://ef-idm03.production.efilm.com/ipa/xml
[Thu Dec 06 08:17:17.131578 2018] [wsgi:error] [pid 31446] [remote 10.1.132.31:43394] mod_wsgi (pid=31446): Failed to exec Python script file '/usr/share/ipa/wsgi.py'.
[Thu Dec 06 08:17:17.131653 2018] [wsgi:error] [pid 31446] [remote 10.1.132.31:43394] mod_wsgi (pid=31446): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Dec 06 08:17:17.131802 2018] [wsgi:error] [pid 31446] [remote 10.1.132.31:43394] Traceback (most recent call last):
[Thu Dec 06 08:17:17.131848 2018] [wsgi:error] [pid 31446] [remote 10.1.132.31:43394]   File "/usr/share/ipa/wsgi.py", line 26, in
[Thu Dec 06 08:17:17.131855 2018] [wsgi:error] [pid 31446] [remote 10.1.132.31:43394] from ipaplatform.paths import paths
[Thu Dec 06 08:17:17.131890 2018] [wsgi:error] [pid 31446] [remote 10.1.132.31:43394] ModuleNotFoundError: No module named 'ipaplatform'

/var/log/httpd/error_log from the first replica:
[Thu Dec 06 08:17:17.138321 2018] [:warn] [pid 14292] [client 10.1.132.31:44768] failed to set perms (3140) on file (/var/run/ipa/ccaches/gr...@production.efilm.com)!, referer: https://ef-idm01.production.efilm.com/ipa/xml
[Thu Dec 06 08:17:17.154228 2018] [:error] [pid 13610] ipa: INFO: [jsonserver_session] gr...@production.efilm.com: ping(): SUCCESS
[Thu Dec 06 08:17:17.165320 2018] [:warn] [pid 14292] [client 10.1.132.31:44768] failed to set perms (3140) on file (/var/run/ipa/ccaches/gr...@production.efilm.com)!, referer: https://ef-idm01.production.efilm.com/ipa/xml
[Thu Dec 06 08:17:17.178384 2018] [:error] [pid 13609] ipa: INFO: [jsonserver_session] gr...@production.efilm.com: command_defaults/1(u'user_add/1', params=(u'cn',), kw={u'givenname': u'Wiki', u'sn': u'User22'}, version=u'2.228'): SUCCESS
[Thu Dec 06 08:17:43.935632 2018] [:warn] [pid 14292] [client 10.1.132.31:44768] failed to set perms (3140) on file (/var/run/ipa/ccaches/gr...@production.efilm.com)!, referer: https://ef-idm01.production.efilm.com/ipa/xml
[Thu Dec 06 08:17:44.109673 2018] [:error] [pid 13610] ipa: INFO: [jsonserver_session] gr...@production.efilm.com: user_add/1(u'wikiuser22', givenname=u'Wiki', sn=u'User22', homedirectory=u'/home/wikiuser22', loginshell=u'/bin/tcsh', mail=(u'grant.jans...@efilm.com',), userpassword=u'', gidnumber=1110, version=u'2.228'): SUCCESS

I see an indication of “NO AUTH DATA”, but I can pull a ticket on the replica:
grant@ef-idm03:~[20181206-13:59][#9]$ kinit
Password for gr...@production.efilm.com: 
grant@ef-idm03:~[20181206-13:59][#10]$ klist
Ticket cache: KEYRING:persistent:555:555
Default principal: gr...@production.efilm.com

Valid starting   Expires  Service principal
12/06/2018 13:59:56  12/07/2018 13:59:54  krbtgt/production.efilm@production.efilm.com
grant@ef-idm03:~[20181206-13:59][#11]$


I found a reference on the mod_wsgi as it relates to IPA.
https://pagure.io/freeipa/issue/7161

The new server is a build vs the older ones upgraded to 4.5 so perhaps I have a 
library tug-o-war.

original master:
grant@ef-idm01:~[20181206-14:15][#764]$ ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
grant@ef-idm01:~[20181206-14:15][#765]$ rpm -qa | grep mod_wsgi
mod_wsgi-3.4-12.el7_0.x86_64
grant@ef-idm01:~[20181206-14:15][#766]$

replica:
grant@ef-idm03:~[20181206-14:15][#16]$ ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
grant@ef-idm03:~[20181206-14:15][#17]$ rpm -qa | grep mod_wsgi
python36u-mod_wsgi-4.6.2-1.ius.el7.x86_64
grant@ef-idm03:~[20181206-14:15][#18]$

do you suppose that removing python36u and installing mod_wsgi-3.4-12 would 
remedy this issue?

should I manually add the dnarange to idm03?

thank you

- grant

> On Dec 6, 2018, at 13:35, Rob Crittenden  wrote:
>
> Ok, so this confirms the ipa-replica-manage output. These are the
> starting values which means that this server may have never allocated a
> user (even though you added one).
>
> If you want to get to the bottom of which master added the user find the
> user_add in /var/log/httpd/error_log on one of the masters. I suspect it
> was not idm03.
>
> rob

[Freeipa-users] Re: new replica has no dnarange

2018-12-06 Thread Grant Janssen via FreeIPA-users
rob - thank you so much for your quick attention.

with the exception of the dnaMaxValue and dnaNextValue the config appears to be 
identical on all 3 servers.

grant@ef-idm03:~[20181206-10:10][#5]$ ldapsearch -x -D 'cn=Directory Manager' -W -b "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
Enter LDAP Password: **
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=production,dc=efilm,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
 aIDobject))
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaScope: dc=production,dc=efilm,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=production,dc=efilm,dc=co
 m
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
grant@ef-idm03:~[20181206-10:11][#6]$


> On Dec 6, 2018, at 10:09, Rob Crittenden  wrote:
>
> You might want to look at the actual config to see if it is a tooling issue:
>
> $ ldapsearch -x -D 'cn=Directory Manager' -W -b "cn=Posix
> IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
>
> This is a per-master setting.
>
> rob


[Freeipa-users] new replica has no dnarange

2018-12-06 Thread Grant Janssen via FreeIPA-users
when I added another replica, all appeared to go smoothly.  But the new server did not receive a dnarange.
I reviewed the man page and this indicated:
"New IPA masters do not automatically get a DNA range assignment. A range assignment is done only when a user or POSIX group is added on that master."

no problemo.  I added a user on the new replica, this new user appears on all the servers when queried - but still my dna range shows “no range set”

grant@ef-idm03:~[20181206-8:25][#118]$ ipa-replica-manage list
ipa: ERROR: Cannot open log file u'/var/log/ipa/cli.log': [Errno 13] Permission denied: u'/var/log/ipa/cli.log'
ef-idm03.production.efilm.com: master
ef-idm02.production.efilm.com: master
ef-idm01.production.efilm.com: master
grant@ef-idm03:~[20181206-8:28][#119]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W
FreeIPA servers:    ef-idm01    ef-idm02    STATE
=================================================
Active Users        126         126         OK
Stage Users         7           7           OK
Preserved Users     0           0           OK
User Groups         22          22          OK
Hosts               158         158         OK
Host Groups         16          16          OK
HBAC Rules          5           5           OK
SUDO Rules          14          14          OK
DNS Zones           ERROR       ERROR       OK
LDAP Conflicts      NO          NO          OK
Ghost Replicas      NO          NO          OK
Anonymous BIND      YES         YES         OK
Replication Status  ef-idm02 0  ef-idm01 0
                    ef-idm03 0
=================================================
grant@ef-idm03:~[20181206-8:36][#120]$ ipa-replica-manage dnarange-show
ipa: ERROR: Cannot open log file u'/var/log/ipa/cli.log': [Errno 13] Permission denied: u'/var/log/ipa/cli.log'
ef-idm01.production.efilm.com: 457200144-457300499
ef-idm02.production.efilm.com: 457300502-45739
ef-idm03.production.efilm.com: No range set
grant@ef-idm03:~[20181206-8:36][#121]$

should I manually add a range?

also, I had anticipated another column appearing in the consistency check.

and the web interface comes up blank - the page never loads

thanx

- grant

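Added example, not from this thread and not FreeIPA's own code: a small health check for the DNA ranges discussed here. It parses the text that `ipa-replica-manage dnarange-show` prints (quoted in this post and again in the Dec 6 follow-ups above) and the DNA plugin entry returned by the `ldapsearch` against `cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config` (quoted in the reply to Rob). It reports masters with no range, ranges that overlap, and the local state derived from `dnaNextValue` and `dnaMaxValue`: a next value above the maximum, as in the 1101/1100 pair from the new replica, means the master holds no usable local range and will ask a peer for one on the next POSIX user or group add, which is why Rob read those as "starting values"; otherwise the remaining count is compared against `dnaThreshold`. Hostnames follow the thread, but the numeric ranges in the sample are constructed (the second range was truncated in the archive), and the cli.log error line is included only to show that unrelated output is skipped.

```python
"""DNA range health check for a FreeIPA topology.

Added example: reads the text that `ipa-replica-manage dnarange-show` prints
and the DNA plugin entry returned by ldapsearch, then reports masters without
a range, overlapping ranges, and whether the local range is exhausted or
below the plugin threshold.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of `ipa-replica-manage dnarange-show`, with the
# cli.log permission error that precedes it in this thread. Hostnames follow
# the thread; the numeric ranges are illustrative.
SAMPLE_DNARANGE_SHOW = """\
ipa: ERROR: Cannot open log file u'/var/log/ipa/cli.log': [Errno 13] Permission denied: u'/var/log/ipa/cli.log'
ef-idm01.production.efilm.com: 457200144-457300499
ef-idm02.production.efilm.com: 457300502-457399999
ef-idm03.production.efilm.com: No range set
"""

# Constructed LDIF fragment with the attributes that matter from the entry
# cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
# (the values are the ones quoted in the thread for the new replica).
SAMPLE_DNA_CONFIG_LDIF = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=production,dc=efilm,dc=co
 m
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
"""

RANGE_RE = re.compile(r"^(?P<host>[\w.-]+):\s+(?P<lo>\d+)-(?P<hi>\d+)\s*$")
NO_RANGE_RE = re.compile(r"^(?P<host>[\w.-]+):\s+No range set\s*$")


@dataclass(frozen=True)
class DnaRange:
    host: str
    lo: Optional[int] = None  # None means "No range set"
    hi: Optional[int] = None

    @property
    def assigned(self) -> bool:
        return self.lo is not None


def parse_dnarange_show(text: str) -> list:
    """Parse dnarange-show output; lines that are not host ranges are ignored."""
    ranges = []
    for line in text.splitlines():
        if m := RANGE_RE.match(line):
            ranges.append(DnaRange(m["host"], int(m["lo"]), int(m["hi"])))
        elif m := NO_RANGE_RE.match(line):
            ranges.append(DnaRange(m["host"]))
    return ranges


def check_ranges(ranges: list) -> list:
    """Report masters without a range and any pair of ranges that overlap."""
    findings = []
    for r in ranges:
        if not r.assigned:
            findings.append(f"{r.host}: no DNA range (one is requested on the "
                            "first POSIX user or group add on this master)")
    assigned = sorted((r for r in ranges if r.assigned), key=lambda r: r.lo)
    for a, b in zip(assigned, assigned[1:]):
        if a.hi >= b.lo:
            findings.append(f"{a.host} and {b.host}: ranges overlap "
                            f"({a.lo}-{a.hi} vs {b.lo}-{b.hi})")
    return findings


def parse_ldif_ints(ldif: str,
                    attrs=("dnaNextValue", "dnaMaxValue", "dnaThreshold")) -> dict:
    """Extract integer attributes from one LDIF entry, unfolding wrapped lines."""
    unfolded = re.sub(r"\n ", "", ldif)  # LDIF continues a long value with "\n "
    values = {}
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name in attrs:
            values[name] = int(value.strip())
    return values


def check_local_range(config: dict) -> tuple:
    """Classify a master's local DNA state from dnaNextValue/dnaMaxValue/dnaThreshold.

    dnaNextValue above dnaMaxValue means there is no usable local range: the
    plugin asks a peer for one on the next allocation. Otherwise the remaining
    count is compared with dnaThreshold, the point at which the plugin starts
    requesting a further range.
    """
    remaining = config["dnaMaxValue"] - config["dnaNextValue"] + 1
    if remaining <= 0:
        return ("no-local-range", 0)
    if remaining < config["dnaThreshold"]:
        return ("below-threshold", remaining)
    return ("ok", remaining)


if __name__ == "__main__":
    for finding in check_ranges(parse_dnarange_show(SAMPLE_DNARANGE_SHOW)):
        print(finding)
    print(check_local_range(parse_ldif_ints(SAMPLE_DNA_CONFIG_LDIF)))
```

Run against live output by piping `ipa-replica-manage dnarange-show` into `parse_dnarange_show` and the ldapsearch result into `parse_ldif_ints` on each master; the second check is per-master, since the plugin entry lives in each server's own cn=config.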


[Freeipa-users] Re: replication sync issues

2018-11-02 Thread Grant Janssen via FreeIPA-users
I’ve tried both force-sync AND re-initialize on both hosts.
I do have a question about the error in the log.
though the error posts on the “master”, it appears to indicate an issue with 
the slave.
the slave syslog is clean.

when the log indicates “The replica must be reinitialized” is it meant to be 
the localhost - or the remote replica?

Nov  2 09:14:12 ef-idm01 ns-slapd: [02/Nov/2018:09:14:12.421134348 -0700] agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389) - Can't locate CSN 5afd965100020060 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
Nov  2 09:14:12 ef-idm01 ns-slapd: [02/Nov/2018:09:14:12.422583035 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): CSN 5afd965100020060 not found, we aren't as up to date, or we purged
Nov  2 09:14:12 ef-idm01 ns-slapd: [02/Nov/2018:09:14:12.423155007 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.

thanx

- grant

On Nov 2, 2018, at 08:26, Christophe TREFOIS  wrote:


Hi,

Have you look at the reinitialize option rather than force-sync?

At least, it is the option we always use.

Best,






[Freeipa-users] replication sync issues

2018-10-30 Thread Grant Janssen via FreeIPA-users
I have these errors in the syslog of the primary, the syslog on the secondary 
is clean.

Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.104092627 -0700] agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389) - Can't locate CSN 5afd965100020060 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105088278 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): CSN 5afd965100020060 not found, we aren't as up to date, or we purged
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105750108 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.

I initiated a resync, but the errors continue to pile up on the primary.

grant@ef-idm02:~[20181030-9:36][#115]$ ipa-replica-manage force-sync --from ef-idm01.production.efilm.com
Directory Manager password: 

ipa: INFO: Setting agreement cn=meToef-idm02.production.efilm.com,cn=replica,cn=dc\=production\,dc\=efilm\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToef-idm02.production.efilm.com,cn=replica,cn=dc\=production\,dc\=efilm\,dc\=com,cn=mapping tree,cn=config
grant@ef-idm02:~[20181030-9:37][#116]$

thanx

- grant



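Added example, not part of this thread or of FreeIPA: a parser for the ns-slapd lines quoted in this post and repeated in the Nov 2 follow-up above. Two things in those lines are worth making explicit, since the follow-up asks which side "the replica must be reinitialized" refers to. The message is written by the supplier that owns the changelog (ef-idm01 here), and the agreement it names ends in the consumer, `(ef-idm02:389)`; so it is that consumer which has fallen behind what the supplier still holds and would be re-initialised from the host that logged the line. The agreement name also carries the `-pki-tomcat` suffix that Dogtag gives its CA replication agreements, whereas the `force-sync` output above acts on the `meTo...` agreement under `cn=dc\=production\,dc\=efilm\,dc\=com`, the domain suffix; CA agreements are managed with `ipa-csreplica-manage`. The code tags each line with consumer, suffix type and severity, decodes the Unix timestamp that forms the first eight hex digits of a CSN (the one quoted dates to May 2018, months before these logs, which is consistent with it having been purged), and summarises the worst state per agreement. The sample log is constructed: the three quoted records joined back onto single lines, plus one made-up benign record on the domain-suffix agreement for contrast.

```python
"""Triage of 389-ds replication messages as they appear in syslog.

Added example: parses ns-slapd lines, identifies the agreement and the consumer
each message is about, separates CA (pki-tomcat) agreements from domain-suffix
agreements, grades severity, and decodes the timestamp embedded in a CSN.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the three records quoted in this thread, each joined back
# onto one line, plus a made-up benign record on the domain-suffix agreement.
SAMPLE_SYSLOG = """\
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.104092627 -0700] agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389) - Can't locate CSN 5afd965100020060 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105088278 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): CSN 5afd965100020060 not found, we aren't as up to date, or we purged
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105750108 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
Oct 30 09:42:01 ef-idm01 ns-slapd: [30/Oct/2018:09:42:01.000000000 -0700] NSMMReplicationPlugin - agmt="cn=meToef-idm02.production.efilm.com" (ef-idm02:389): Replication bind with GSSAPI auth resumed
"""

LOG_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<supplier>\S+) ns-slapd: "
    r"\[[^\]]+\] (?P<body>.*)$"
)
AGMT_RE = re.compile(r'agmt="cn=(?P<agmt>[^"]+)" \((?P<consumer>[^:)]+):(?P<port>\d+)\)')
CSN_RE = re.compile(r"\bCSN (?P<csn>[0-9a-f]{16,20})\b")

# Ordering used when keeping the worst message seen per agreement.
SEVERITY = {"info": 0, "changelog-gap": 1, "reinit-required": 2}


def csn_time(csn: str) -> datetime:
    """The first eight hex digits of a 389-ds CSN are a Unix timestamp."""
    return datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)


def classify(body: str) -> str:
    """Grade a replication message by what it says about the changelog."""
    if "must be reinitialized" in body:
        return "reinit-required"
    if "Can't locate CSN" in body or "not found" in body:
        return "changelog-gap"
    return "info"


def parse_line(line: str) -> Optional[dict]:
    """Return a structured event for an agreement-scoped ns-slapd line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    body = m["body"]
    agmt = AGMT_RE.search(body)
    if not agmt:
        return None
    csn = CSN_RE.search(body)
    return {
        "supplier": m["supplier"],        # host that wrote the line and holds the changelog
        "consumer": agmt["consumer"],     # host named in the agreement
        "agreement": agmt["agmt"],
        # Dogtag names its CA agreements with a "-pki-tomcat" suffix; anything
        # else in this sample is a domain-suffix agreement.
        "suffix": "ca" if agmt["agmt"].endswith("-pki-tomcat") else "domain",
        "severity": classify(body),
        "csn": csn["csn"] if csn else None,
        "csn_time": csn_time(csn["csn"]) if csn else None,
    }


def triage(text: str) -> list:
    """Parse every line of a syslog excerpt, dropping lines that are not agreement messages."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def summarize(events: list) -> dict:
    """Worst severity per (supplier, consumer, suffix) and the oldest CSN reported missing."""
    summary = {}
    for e in events:
        key = (e["supplier"], e["consumer"], e["suffix"])
        cur = summary.setdefault(key, {"severity": "info", "oldest_missing_csn": None})
        if SEVERITY[e["severity"]] > SEVERITY[cur["severity"]]:
            cur["severity"] = e["severity"]
        if e["csn_time"] and e["severity"] != "info":
            if cur["oldest_missing_csn"] is None or e["csn_time"] < cur["oldest_missing_csn"]:
                cur["oldest_missing_csn"] = e["csn_time"]
    return summary


if __name__ == "__main__":
    for key, state in summarize(triage(SAMPLE_SYSLOG)).items():
        print(key, state)
```

The summary keys separate the CA agreement from the domain one for the same pair of hosts, so a clean domain suffix next to a "reinit-required" CA suffix is visible at a glance rather than hidden behind a successful force-sync of the wrong agreement.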


[Freeipa-users] Re: I appear to have an issue with "hosts" on my replica

2017-08-01 Thread Grant Janssen via FreeIPA-users
The resolv.conf is identical on both systems, DNS is solid.  SRV records are functioning as expected.
I looked at everything and failing to find a resolution, sought advice here on the board.
Now that these are out of sync, how would one manually initiate a sync?  I haven’t found this in the documentation.

- grant

Grant,

Any ideas on this?  Everything appears to be in order, yet there is a disparity 
between the master and replica on the host count.

What's going on with DNS on these two hosts?  Are they pointing to the same DNS server?  Are there kerberos and ldap records?

mpapet



[Freeipa-users] Re: I appear to have an issue with "hosts" on my replica

2017-07-31 Thread Grant Janssen via FreeIPA-users
Any ideas on this?  Everything appears to be in order, yet there is a disparity 
between the master and replica on the host count.

On Jul 25, 2017, at 09:11, Grant Janssen wrote:

grant@ef-idm02:~[20170725-9:05][#56]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W mypa$$w0rD
FreeIPA servers:    ef-idm01    ef-idm02    STATE
=================================================
Active Users        45          45          OK
Stage Users         0           0           OK
Preserved Users     0           0           OK
User Groups         18          18          OK
Hosts               47          66          FAIL
Host Groups         4           4           OK
HBAC Rules          1           1           OK
SUDO Rules          3           3           OK
DNS Zones           ERROR       ERROR       OK
LDAP Conflicts      NO          NO          OK
Ghost Replicas      NO          NO          OK
Anonymous BIND      YES         YES         OK
Replication Status  ef-idm02 0  ef-idm01 18
=================================================
grant@ef-idm02:~[20170725-9:05][#57]$

How would one go about resolving this?

- grant
